Prevent unauthorized access to systems

Cyberattacks and other forms of unauthorized access pose a constant threat to IT systems. Fortunately, many tools are available to counter these threats and shield your infrastructure.

Authenticate users and devices

With SCM, digital certificates are used for authentication between all endpoints. For more information about the use of certificates, see Secure data in motion.

Grant access and permissions

The process of granting access rights and permissions is designed to ensure that only authorized users, user groups, devices, and other entities can access a system, application, or network. Commonly used authorization mechanisms include role-based access control (RBAC) and access control lists (ACLs).

In SCM, you control access rights and permissions with RBAC. You can create or import SCM users and assign them to roles in the Puppet Enterprise console. Three default roles are available: comply-admin, comply-operator, and comply-viewer. For role descriptions and their associated permissions, see Default Security Compliance Management roles.

Users must be assigned to a role to log in to SCM. In addition, the roles grant users permissions to perform specific actions. For example, you can assign permissions that allow users to:

  • Grant password reset tokens to other users who have forgotten their passwords.

  • Edit a local user’s metadata.

  • Deploy Puppet code to specific environments.

  • Edit class parameters in a node group.

You can assign access controls in the PE console as described in User permissions and user roles. Or you can use the RBAC application programming interface (API) as described in RBAC API.
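As an added example that is not part of this documentation or of Puppet's own code, the script below audits who can log in to SCM and at what privilege level, using the rule above that a user must hold one of the three default roles. It assumes role and user records shaped like the responses of the PE RBAC v1 API (GET /rbac-api/v1/roles and GET /rbac-api/v1/users) and matches roles by display name; the sample data is constructed, and group-based membership is not considered.

```python
"""Audit SCM role assignments pulled from the PE RBAC API (added example)."""
from collections import defaultdict

# The three default SCM roles named on this page.
SCM_ROLES = ("comply-admin", "comply-operator", "comply-viewer")

# Constructed sample data mirroring the RBAC v1 role and user record shapes.
# The "Operators" role is a non-SCM role, so it grants no SCM login.
SAMPLE_ROLES = [
    {"id": 7, "display_name": "comply-admin", "user_ids": ["u1", "u3"], "group_ids": []},
    {"id": 8, "display_name": "comply-viewer", "user_ids": ["u2"], "group_ids": []},
    {"id": 9, "display_name": "Operators", "user_ids": ["u4"], "group_ids": []},
]
SAMPLE_USERS = [
    {"id": "u1", "login": "alice", "is_revoked": False},
    {"id": "u2", "login": "bob", "is_revoked": False},
    {"id": "u3", "login": "carol", "is_revoked": True},   # revoked but still in comply-admin
    {"id": "u4", "login": "dave", "is_revoked": False},
]


def scm_roles_by_user(roles):
    """Map user id -> set of SCM default roles held directly (group_ids ignored)."""
    held = defaultdict(set)
    for role in roles:
        if role["display_name"] in SCM_ROLES:
            for uid in role["user_ids"]:
                held[uid].add(role["display_name"])
    return held


def audit_scm_access(roles, users):
    """Return one finding per login:
    no_scm_role   - holds none of the SCM roles, so cannot log in to SCM
    admin         - active comply-admin; review against least privilege
    revoked_admin - revoked account still assigned comply-admin; remove it
    ok            - active operator or viewer
    """
    held = scm_roles_by_user(roles)
    findings = {}
    for user in users:
        names = held.get(user["id"], set())
        if not names:
            findings[user["login"]] = "no_scm_role"
        elif "comply-admin" in names:
            findings[user["login"]] = "revoked_admin" if user["is_revoked"] else "admin"
        else:
            findings[user["login"]] = "ok"
    return findings


if __name__ == "__main__":
    for login, finding in sorted(audit_scm_access(SAMPLE_ROLES, SAMPLE_USERS).items()):
        print(f"{login:8} {finding}")
```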

Implement firewalls

Firewalls serve as a barrier between a trusted internal network and untrusted external networks, such as the internet. For SCM, you can find firewall and network port requirements in System requirements.

Implement logging

Logging gathers operational and security data for a system, helps you identify performance and security issues, and reduces the risk of data breaches going unnoticed. Centralizing logs helps prevent tampering, and restricting access to them helps you comply with data protection and privacy regulations.

SCM uses journals for logging. For instructions about accessing log files, see Logs.