On-premises users and roles for OT monitoring with Defender for IoT

When working with OT networks, Defender for IoT services and data is available from on-premises OT network sensors and the on-premises sensor management consoles, in addition to Azure.

This article provides:

  • A description of the default, privileged users that come with Defender for IoT software installation
  • A reference of the actions available for each on-premises user role, on both OT network sensors and the on-premises management console

Important

Defender for IoT now recommends using Microsoft cloud services or existing IT infrastructure for central monitoring and sensor management, and plans to retire the on-premises management console on January 1st, 2025.

For more information, see Deploy hybrid or air-gapped OT sensor management.

Default privileged on-premises users

By default, each sensor is installed with a default, privileged admin user, with access to advanced tools for troubleshooting and setup, such as the CLI.

When first setting up your sensor, sign in with the admin user, create an initial user with an Admin role, and then use that admin user to create other users with other roles.

For more information, see:

Legacy users

Legacy scenario Description
Sensor versions earlier than 23.2.0 In sensor versions earlier than 23.2.0, the default admin user is named support. The support user is available and supported only on versions earlier than 23.2.0.

Documentation refers to the admin user to match the latest version of the software.
Sensor software versions earlier than 23.1.x In sensor software versions earlier than 23.1.x, the cyberx and cyberx_host privileged users are also in use.

In newly installed versions 23.1.x and higher, the cyberx and cyberx_host users are available, but not enabled by default.

To enable these extra privileged users, such as to use the Defender for IoT CLI, change their passwords. For more information, see Recover privileged access to a sensor.
On-premises management consoles The on-premises management console is installed with privileged support and cyberx users.

When first setting up an on-premises management console, first sign in with the support user, create an initial user with an Admin role, and then use that admin user to create other users with other roles.

Access per privileged user

The following table describes the access available to each privileged user, including legacy users.

Name Connects to Permissions
admin The OT sensor's configuration shell A powerful administrative account with access to:
- All CLI commands
- The ability to manage log files
- Start and stop services

This user has no filesystem access. In legacy software versions, this user is named support.
support The on-premises management console's configuration shell
This user also exists on legacy sensor versions
A powerful administrative account with access to:
- All CLI commands
- The ability to manage log files
- Start and stop services

This user has no filesystem access
cyberx The OT sensor or on-premises management console's terminal (root) Serves as a root user and has unlimited privileges on the appliance.

Used only for the following tasks:
- Changing default passwords
- Troubleshooting
- Filesystem access
cyberx_host The OT sensor's host OS terminal (root) Serves as a root user and has unlimited privileges on the appliance host OS.

Used for:
- Network configuration
- Application container control
- Filesystem access

On-premises user roles

The following roles are available on OT network sensors and on-premises management consoles:

Role Description
Admin Admin users have access to all tools, including system configurations, creating and managing users, and more.
Security Analyst Security Analysts don't have admin-level permissions for configurations, but can perform actions on devices, acknowledge alerts, and use investigation tools.

Security Analysts can access options on the sensor displayed in the Discover and Analyze menus on the sensor, and in the NAVIGATION and ANALYSIS menus on the on-premises management console.
Read-Only Read-only users perform tasks such as viewing alerts and devices on the device map.

Read-Only users can access options displayed in the Discover and Analyze menus on the sensor, in read-only mode, and in the NAVIGATION menu on the on-premises management console.

When first deploying an OT monitoring system, sign in to your sensors and on-premises management console with one of the default, privileged users described above. Create your first Admin user, and then use that user to create other users and assign them to roles.

Permissions applied to each role differ between the sensor and the on-premises management console. For more information, see the tables below for the permissions available for each role, on the sensor and on the on-premises management console.

Role-based permissions for OT network sensors

Permission Read Only Security Analyst Admin
View the dashboard
Control map zoom views - -
View alerts
Manage alerts: acknowledge, learn, and mute -
View events in a timeline
Authorize devices, known scanning devices, programming devices -
Merge and delete devices - -
View investigation data
Manage system settings - -
Manage users - -
Change passwords - - *
DNS servers for reverse lookup - -
Send alert data to partners -
Create alert comments -
View programming change history
Create customized alert rules -
Manage multiple notifications simultaneously -
Manage certificates - -

Note

Admin users can only change passwords for themselves or for other users with the Security Analyst and Read-only roles.

Role-based permissions for the on-premises management console

Permission Read Only Security Analyst Admin
View and filter the enterprise map
Build a site - -
Manage a site (add and edit zones) - -
View and filter device inventory
View and manage alerts: acknowledge, learn, and mute
Generate reports -
View risk assessment reports -
Set alert exclusions -
View or define access groups - -
Manage system settings - -
Manage users - -
Change passwords - - *
Send alert data to partners - -
Manage certificates - -

Note

Admin users can only change passwords for themselves or for other users with the Security Analyst and Read-only roles.

Next steps

For more information, see: