Set Lacework Attributes

This topic describes Lacework attributes and how to set them for different accounts. You configure Lacework attributes in the Identity Provider (IdP) UI.

For each Identity Provider (IdP) that you add, provide the following attributes:

Use the First Name attribute to specify your first name (string data type). Use the Last Name attribute to specify your last name (string data type). Use the Company Name attribute to specify your company name (string data type). Use the Custom User Groups attribute to specify a string of comma-separated custom user group GUIDs (globally unique identifiers).

Lacework Admin Role Accounts Attribute

Lacework Admin Role Accounts adds admin privileges to existing accounts that you specify. You can specify a single account name foo or multiple comma-separated account names foo,bar,baz.

You can also specify a wildcard *.

For example, "account1" or "account1,account2" or "*". If your organization contains these accounts: foo1, foo2, bar1, bar2, baz, you can specify the attribute as `*2,baz`.

This adds admin privileges to foo2, bar2, and baz. But the person does not have any privileges for foo1 and bar1. To add user privileges for those, you could specify the value *1 for the Lacework User Role Accounts attribute.

If you specify admin privileges for an account, you do not need to specify user privileges in the Lacework User Role Accounts attribute. The system ignores accounts that are also in Lacework User Role Accounts and still grants admin privileges to them.

Lacework User Role Accounts Attribute

Lacework User Role Accounts adds user privileges to existing accounts. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard *. For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as b*.

This adds user privileges to bar1, bar2, and baz. But the person does not have any privileges for foo1 and foo2.

To add user privileges for foo1 as well, you could specify this attribute as foo1,b*. Another example with the same accounts would be to specify this attribute as * and to specify Lacework Admin Role Accounts as bar*.

This gives user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify admin and user privileges for an account, admin privileges will be granted.

Lacework Power User Role Accounts

Lacework Power User Role Accounts adds power user privileges to existing accounts that you specify. Power Users have similar access to Administrators but without access to Settings and Utilities.

You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard *.

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as b*. This adds Power User privileges to bar1, bar2, and baz. But the person does not have any privileges for foo1 and foo2.

Lacework Organization Admin Role Attribute

Lacework Organization Admin Role provides admin privileges to organization-level settings and admin privileges to all accounts within the organization.

Select true to make the person an organization admin. If the person is an organization admin, you need not set any other Lacework attribute; the system ignores any settings in those attributes.

Select false or undefined if the person should not have admin privileges to organization-level settings or admin privileges to all accounts within the organization. If the person is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute.

Lacework Organization User Role Attribute

Lacework Organization User Role provides user (view-only) privileges to organization-level settings and user privileges to all accounts in the organization.

Select true to make the person an organization user. If the person is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute. The system ignores any settings in the Lacework User Role Accounts attribute.

Select false or undefined if the person should not have any privileges to organization-level settings or user privileges to all accounts in the organization. If the person is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes.
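
The resolution rules described on this page, as an added example that is not Lacework code: the sketch below computes the role each account ends up with from a set of attribute values, so a proposed IdP mapping can be checked for unintended admin grants before it is applied. It assumes `*` matches any run of characters, case-sensitively, and it leaves out Power User because the page does not say how that role ranks against the others; the function and parameter names are hypothetical.

```python
import re

# Account names taken from the page's own examples.
ACCOUNTS = ["foo1", "foo2", "bar1", "bar2", "baz"]


def _matches(pattern, account):
    # Only '*' is a wildcard (the only one the page documents); the rest is literal.
    # Assumption: matching is case-sensitive and must cover the whole account name.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, account) is not None


def _selected(attribute, accounts):
    # Attribute values are comma-separated account names or wildcard patterns.
    patterns = [p.strip() for p in (attribute or "").split(",") if p.strip()]
    return {a for a in accounts if any(_matches(p, a) for p in patterns)}


def effective_roles(accounts, admin_accounts="", user_accounts="",
                    org_admin=False, org_user=False):
    """Return {account: "admin" | "user" | None} following the page's rules."""
    if org_admin:
        # Organization admin: every other attribute is ignored.
        return {a: "admin" for a in accounts}
    admins = _selected(admin_accounts, accounts)
    # Organization user: user on all accounts, User Role Accounts is ignored.
    users = set(accounts) if org_user else _selected(user_accounts, accounts)
    # Admin wins when an account is matched by both attributes.
    return {a: "admin" if a in admins else "user" if a in users else None
            for a in accounts}


def admin_grants(roles):
    """List the accounts that end up with admin, for review before rollout."""
    return sorted(a for a, r in roles.items() if r == "admin")


if __name__ == "__main__":
    roles = effective_roles(ACCOUNTS, admin_accounts="*2,baz", user_accounts="*1")
    for account, role in roles.items():
        print(f"{account}: {role}")
    print("admin on:", admin_grants(roles))
```
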