If you have upgraded to Carbon Black App Control from pre-8.0.0 versions of Bit9 Platform or Parity, whatever permissions you provided to console users remain in place, as do any AD role mappings.

However, there are significant enhancements in your control of user privileges, and these have resulted in changes to the user interface for managing users.

  • Roles instead of Groups – In 8.x versions, instead of assigning a user to one group, you can assign one or more roles to the user. Roles are defined using the same list of permissions previously used for groups, but because you can assign more than one role to a user, you can define role-based permission sets, and add or remove them from users as needed.
  • Policy-Specific Permissions – In 8.x versions, you can restrict access to certain features according to the policy a computer is in. For example, you might want to assign some management tasks to a group of users but only for computers used by the sales team. By putting all of the sales team’s computers in one policy, you can then set up a user role specific to that policy.
  • Users without Roles – Prior to 8.x versions, there was a named user group called Unauthorized. Users could be assigned to this group to indicate that they had no access to the console, and users were automatically assigned to the group if AD mapping was enabled and the user did not match the mapping rule for any other group. In this release, instead of being assigned to the Unauthorized group, users with no console access have no assigned roles (they appear in the table of accounts with “<Unassigned>” in the User Roles column).
  • Conversion of Previous AD Mapping Rules – Although there are no default AD mapping rules for new installations of App Control, upgrades from previous releases convert the old mappings into new, role-based mappings that assign the same privileges that users had before.
  • Stop Evaluation of Mapping Rules – Another AD-mapping-related change is the addition of a “stop evaluation” rule. Because you can assign more than one role to a user, evaluation of a user against AD mapping rules does not necessarily stop when a match is found. However, you might want to assign only one role to users matching certain AD characteristics, and prevent those users from having access to other features. In that case, you can put that rule at the top of the mapping rules list and check the Stop evaluation box. This box is checked for all of your pre-8.0.0 group assignments since there could be only one group per user.
  • View Effective User Permissions – So that you can see the permissions a user has without having to click back and forth between the Edit User Account page and the (possibly multiple) Edit User Role pages, the Edit User Account page for each user shows both the roles a user has and the user’s effective permissions. The effective permissions list is the combination of all permissions provided by all of the roles the user has.
  • Unified Management – Unified Management of multiple servers was introduced in version 8.0.0, and new user roles have been added for it. Only the built-in admin account has these privileges immediately after upgrade. You can log in as admin to assign these privileges to other users, either individually or by changing your AD mapping rules.
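
The following is an added example, not App Control code: a small model of the "Stop evaluation" and "effective permissions" behavior described in the list above, useful for reasoning about rule order before changing mappings. The role names, permission names, AD group names, and the assumption that rules match on AD group membership are all constructed for illustration.

```python
# Added illustration: a model of the rule semantics described above, not product code.
# All role, permission and AD group names below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingRule:
    ad_group: str                  # assumed match criterion: AD group membership
    role: str                      # role granted when the rule matches
    stop_evaluation: bool = False  # models the "Stop evaluation" box

ROLES = {  # constructed role -> permission sets
    "ReadOnly": {"view_files", "view_computers"},
    "SalesDesk": {"view_computers", "approve_files[policy=Sales]"},
    "Administrator": {"view_files", "view_computers", "manage_policies", "manage_users"},
}

RULES = [  # evaluated top to bottom
    MappingRule("CB-Contractors", "ReadOnly", stop_evaluation=True),
    MappingRule("CB-SalesSupport", "SalesDesk"),
    MappingRule("CB-Admins", "Administrator"),
    MappingRule("Domain Users", "ReadOnly"),
]

def resolve_roles(user_groups, rules=RULES):
    """Collect roles from every matching rule; halt after a matching stop rule."""
    roles = []
    for rule in rules:
        if rule.ad_group in user_groups:
            if rule.role not in roles:
                roles.append(rule.role)
            if rule.stop_evaluation:
                break
    return roles

def effective_permissions(roles, role_defs=ROLES):
    """Effective permissions are the combination of all assigned roles' permissions."""
    return set().union(*(role_defs[r] for r in roles))

def display_roles(roles):
    """Users who match no rule have no roles and show as <Unassigned>."""
    return ", ".join(roles) if roles else "<Unassigned>"

def misplaced_stop_rules(rules):
    """Stop rules listed after a non-stop rule: roles may accumulate before they fire."""
    seen_non_stop, flagged = False, []
    for rule in rules:
        if rule.stop_evaluation and seen_non_stop:
            flagged.append(rule)
        seen_non_stop = seen_non_stop or not rule.stop_evaluation
    return flagged
```

In this model, a contractor who also belongs to the constructed admin group resolves to ReadOnly only while the stop rule is first; moving that rule to the bottom lets the Administrator role accumulate before evaluation stops.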