PlexTrac: User Management
Role: Research, Design, Testing
Duration: Dec 2022 - June 2024
PlexTrac aims to provide the industry-leading cybersecurity penetration testing and reporting platform for red team, blue team, and purple team collaboration in order to enhance an organization's security posture. PlexTrac has been praised by users and industry professionals alike for its user-friendly interface. In order to provide the most intuitive user experience, PlexTrac's user management interface underwent a complete redesign and received additional workflows that were not present in the legacy version. This includes an overhaul of the user list from the ground up, the introduction of a user details and user authorizations interface, the implementation of user groups, and an audit log of security-focused user actions.
General user management research began in December 2022. We started with what we knew: the existing UI, originally designed by a single developer before PlexTrac had a dedicated design team, just wasn't cutting it anymore. The team did some brainstorming and ideation based on client feedback. This was quickly followed up with user interviews to hear firsthand from users how the experience could be improved. The initiative was then postponed until Q3 2023, when another round of more focused interviews was conducted.
Some of our larger clients, such as our enterprise and MSSP customers, voiced a desire for new features like user groups as well as general UI enhancements. Smaller clients, like our SSPs, were more focused on creating an intuitive experience overall for user management. Some common themes that arose were general improvements to the user management UI and experience, the introduction of user groups, improvements to Roles Based Access and Permissions (RBAC), and a more efficient authorization system.
SSP
Security service providers are smaller, more focused firms that help their clients with specific aspects of their security infrastructure.
MSSP
Managed security service providers are typically larger firms that offer a more robust suite of security services. These firms will often manage all of their clients' security needs.
Enterprise
Enterprise customers consist of any company that has its own in-house security team managing day-to-day security operations. These are typically larger corporations.
User Management
Implement bulk actions to the user list including bulk authorizations.
- Morgan, SSP
Additional functionality during user creation, set authentication type.
- Drew, Enterprise
Move/Remove default group, authorize to all, checkbox.
"You're going to get fired if you turn that on."
- Kyle, MSSP
"That needs to be buried deep."
- Joey, MSSP
"If somebody accidentally hits that button we have to fire somebody."
- Morgan, SSP
Implement workflow for editing existing users; names, email address, etc.
- Kyle, MSSP
Improve multi-factor authentication workflow.
"We have to go and turn it off globally, and then turn off their MFA and turn it back on."
- Kyle, MSSP
User management, “Has been the biggest pain point we’ve had with the platform... It was causing quite a few problems for us... We have well over a thousand people in there right now, we don’t know when people leave, we’ve got potential security violations, it's just horrible."
- Morgan, SSP
User Groups
User groups should dictate user roles.
"There would be no need for roles anymore."
- Joey, MSSP
Authorize users by adding them to a group, groups can be edited to have certain authorizations which are then applied to any and all users in that group.
- Heather, MSSP
- Drew, Enterprise
- Andy, Enterprise
- Joey, MSSP
Users should only belong to a single group.
- Heather, MSSP
Drop a user into a group, get access to these clients.
- Andy, Enterprise
“User group should be something that you are assigned to, and then authorized to multiple projects [clients].”
- Joey, MSSP
Roles Based Access & Permissions
Users should only have one role associated with them.
- Heather, MSSP
There should be more default roles available out of the box.
"New hire deleted an entire runbook, that is something that we would only want a lead to be able to do."
- Drew, Enterprise
"There are even situations where I want people to have edit permissions but I don't want them to have delete permissions."
- Andy, Enterprise
Define permissions and their dependencies for out of the box roles and custom roles.
"Maybe an informational tooltip and when hovered it tells me what that permission does."
- Steve, Enterprise
"Like playing a game of whack a mole, which roles give access to do what?"
- Drew, Enterprise
RBAC "view as" role.
"An impersonation role would be awesome, that would definitely be useful."
- Drew, Enterprise
Permissions should go in order from least permissive and dangerous to most.
- Joey, MSSP
Authorization
Does not look at client level role, only goes by tenant level role.
- Heather, MSSP
"If we have just assigned a role to a user then we are not going to have a reason to come in and need to reassign them to another different role for a specific client."
- Joey, MSSP
"When you get to this authorization it should prepopulate with the role that you've chosen, but you could still change it if you need to."
- Morgan, SSP
Different levels of access for findings and reports within a client.
- Steve, Enterprise
Integrate authorization into the user creation workflow.
"After I add this person here, set role here, then I have to go into clients, add them to this client, then the next client, etc. It's time consuming, that's a lot of steps just to add a new user."
- Steve, Enterprise
"There's going to be hundreds and hundreds of clients."
- Joey, MSSP
"Sixteen pages, twenty-five per page, that's a lot of clients."
- Morgan, MSSP
Bulk authorization and streamlined authorization experience.
"Improving the experience to add people to clients seamlessly, make it more scalable."
- Drew, Enterprise
Internally we knew that a few big-name customers were asking for user groups; however, we did not know the full scope of the project or have the developer resources at the ready for such an undertaking. Our research on general user management clearly indicated a desire for quality-of-life improvements to the overall user management workflow. After a presentation to upper-level management and some deliberation, interim improvements to the user management workflow were green-lit to address some of the top concerns that came to light during user research. The old user list table is shown below for reference and comparison to the updated UI pictured to the right.
PlexTrac's user list interface was still running on the original iteration, built by one developer when the feature first went live. It featured a large table with horizontal and vertical scrolling and an awkward workflow. While it worked for the essentials, it did not match the design system and component styles of tables found elsewhere across the platform and was in need of an update.
The user list redesign comes with a full feature overhaul. All of the original functionality remains, but some actions have been consolidated and optimized, and completely new actions have been added to create a more intuitive experience.
The menus below illustrate actions available for administrators to take on other users. These are reactive and will display all relevant actions for a user depending on the scenario. Default actions include edit authorizations, change authentication provider, reset password, disable, and delete. Additionally, if a user's account is locked, the option to unlock the user will display. If multi-factor authentication is enabled, the option to disable it will be displayed.
Default Actions Menu
User with Locked Account
User with MFA Enabled
Authentication Provider
Another improvement to the user list comes in the form of bulk actions. While not new to the platform, this component was not being used in the user list. Many actions can be taken on multiple users at one time, which can save administrators many hours. Select the desired users, click the bulk actions dropdown, and select an action to apply to the selected users.
These include many of the same options available for individual users, including edit authorizations, change authentication provider, reset password, disable, and delete. Unlock and enable user are also included when applicable.
Default Actions Menu
User with Locked Account
Authentication Provider
Upon selecting an action, the user is met with a confirmation modal asking whether they would like to continue with that action. This appears across the platform when taking consequential actions.
After the action has been confirmed, the user will see a success notification, or a failure notification should something go wrong.
This feedback gives the user clear communication, resulting in a seamless and intuitive experience that leaves no questions unanswered: Did it go through? Did it work?
The workflow for disabling or enabling a user on your tenancy is outlined below. A disabled account cannot be accessed by that user until it has been enabled again. Only the relevant action will be available to administrators: if a user account has been disabled, the enable user action will be available, and the opposite is also true, as illustrated in the steps below.
When a user's account has been disabled, the table row for that user will become grayed out, the user will be flagged in the user flags column on the left hand side, and a note that the user's account is disabled will appear below the associated email in the email column.
If the account is re-enabled, the user's table row will return to its normal appearance and the user will be granted access to their account once again.
Users can also be filtered by user flag including enabled and disabled user accounts.
When a user attempts to log in with incorrect account info and fails 5 times, their account is locked and access is denied. A locked account must be unlocked by an administrator from the user list. This workflow is illustrated below.
When a user is locked out of their account, the table row for that user is highlighted in yellow to draw an administrator's attention. A lock icon also appears in the user flag column, a "user locked" note appears below the user's email address, and the action to unlock the user appears in the actions column.
After an administrator manually unlocks the user's account, the user will be able to access their account once more and the table row will return to its normal appearance.
As with disabled and enabled user accounts, the user list can also be filtered to only show locked users.
While PlexTrac offers multiple methods for organizations to provide or require multi-factor authentication for their users, that functionality has always been both limited in scope and unintuitive to navigate. Part of this user list redesign included a cleaner workflow for changing users' authentication methods as well as functionality not previously included. The ability to change a user's authentication method was moved to the actions column and an authentication method column was added, shown below. Administrators can now also disable a user's MFA, a highly requested capability that was previously unavailable.
In addition to an improved user interface and additional functionality on the user list page, administrators now also have the ability to select a user, or click the edit button in the actions column, to open a user details side drawer. The user details side drawer contains many of the same actions available to administrators from the actions column. Additionally, user names and other details can now be edited. Lastly, metadata about the user, such as last login, is also available.
The user details tab is one of two tabs available in this new side drawer; the other is the authorizations tab, where a user's client access can be edited.
The user details tab is divided into two sections. The upper section contains basic user information such as the user's first name, last name, email address, and metadata about that user.
The lower section of the user details tab contains the user actions available from the user list: change authentication provider, disable multi-factor authentication, reset password, unlock user, disable or enable user, and delete user.
Within the user details panel, just below the basic user information, all user actions are available to an administrator.
The authorization tab, also located within the user details side drawer, opens up a workflow not previously available from the user list section of the administrator dashboard. This functionality was previously located only within each individual client: in order to add or remove a user's access, you would have to visit each client's page one by one.
During user interviews it was discovered that, while this was very tedious work, it was also very sensitive work. Highly paid pen-testers would often end up being the ones managing client/user authorizations, and this improved workflow increases their efficiency.
This workflow moves from a client focused authorization process, viewing all users authorized to a single client and granting or revoking authorizations that way, to a user focused workflow. This allows for much more intuitive user creation and setup. Now administrators can create new users and add all of their authorizations in one place as opposed to navigating to each client authorizations page all across the platform and adding the desired user authorizations one at a time.
Multiple clients may be selected from the authorizations list. Once selected, administrators may choose actions such as change client role or set authorization to alter the user's level of access, or grant or revoke access to multiple clients at once.
Below is a functional prototype of the user details and authorization side drawer. Try it out!
User groups was a big-ticket item that had been on our radar for a while. A few of our larger customers were asking for a feature catered toward group/bulk user management. This mostly came from the enterprise sector, which we had expanded over the period of time that I was with the company. The use case typically centered around larger enterprise companies with internal security teams who may or may not contract out work to SSPs for additional support. A large corporation may wish to create individual user groups for different divisions, branches, etc. of the company that only have access to certain projects or relevant data. Users could then be added to and removed from these groups as needed.
User Groups was our solution to that ask. Groups can be created and managed via the administrator dashboard, client authorizations assigned, and users added. This allows administrators to create semi-permanent clusters of users that can be managed together rather than individually, as was the case in the past.
The Groups list is located within the admin dashboard on the Users & Groups page. This page is divided into two tabs, one for the user list, and one for groups. Previously this page only contained the user list.
Upon selecting the New Group button in the top right, a three-step wizard for creating a new group opens. The steps, add users, add authorizations, and finalize group, are illustrated below.
Wizard steps: add users, add authorizations, finalize group (each shown empty and filled)
After groups have been created and added to the group list, they can either be edited, allowing any administrator to change that group's users or authorizations, or deleted.
As with the other tables throughout PlexTrac, line items can be bulk selected allowing users to apply bulk actions to those items. Multiple groups can be selected and deleted in a single action if desired.
Below is a functional prototype of the creation process of a User Group. Try it out!
Once a group has been created, users may be added to it by editing the group directly or from the user details side drawer on the users page. Users can also be assigned to a group during user creation, which further streamlines onboarding and new user setup.
Along with the ability to add users to a group during user creation, consideration was also given to the existing user authorization process directly from a client's page. From the client details page, the authorization experience has been reworked to allow either users or groups to be selected.
When an administrator selects authorize user, a modal will open where users or groups may be selected from a dropdown. Once the desired users and groups have been selected, they can be confirmed by clicking the save button. All selected users and groups will then be granted authorization to the current client that is being viewed.
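To make the two authorization paths concrete (the user-focused authorizations tab and the client-page modal that accepts users or groups), here is a small added model of how access resolves; it is example code written for this write-up, not PlexTrac's implementation. It assumes that a client role left unset prepopulates from the tenant-level role, as interviewees asked for, and that a direct authorization takes precedence over a group's role (an assumption).

```python
from dataclasses import dataclass, field

INHERIT = None  # client role left at its prepopulated value: use the tenant-level role

@dataclass
class User:
    email: str
    tenant_role: str                                   # chosen at user creation
    groups: set = field(default_factory=set)           # names of groups the user is in
    client_roles: dict = field(default_factory=dict)   # client -> role, from the authorizations tab

@dataclass
class Group:
    name: str
    client_roles: dict = field(default_factory=dict)   # client -> role, applied to every member

@dataclass
class Tenant:
    users: dict = field(default_factory=dict)    # email -> User
    groups: dict = field(default_factory=dict)   # name -> Group

    def authorize(self, client, principals, role=INHERIT):
        # the client-page modal: every selected user or group gets this client in one save
        for name in principals:
            (self.users.get(name) or self.groups[name]).client_roles[client] = role

    def set_groups(self, email, group_names):
        # editing a group's members or a user's groups from the side drawer
        self.users[email].groups = set(group_names)

    def effective_access(self, email):
        # client -> role the user actually holds: group grants first, then direct grants,
        # so a direct authorization overrides a group's role for the same client (assumed)
        user = self.users[email]
        access = {}
        for g in sorted(user.groups):
            for client, role in self.groups[g].client_roles.items():
                access[client] = user.tenant_role if role is INHERIT else role
        for client, role in user.client_roles.items():
            access[client] = user.tenant_role if role is INHERIT else role
        return access

    def users_with_access(self, client):
        # the legacy per-client view, now derived from the same data instead of kept by hand
        return sorted(u for u in self.users if client in self.effective_access(u))
```

Removing a user from a group drops every client that only the group granted, which is the bulk-revoke behaviour groups are meant to give administrators.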
At PlexTrac, I had the advantage of seeing and working on many platform-first features as the company grew and the product expanded to meet additional user needs. One of those was the audit log. As an obligation to our growing client base, we decided that it was necessary to create a user-friendly audit log for administrator users to track user actions. This feature was planned to come in multiple phases: a minimum viable product focusing solely on security-related actions, a fast follow to include more robust filter, search, and export options, and future additions to the types of events tracked.
The audit log allows administrator users to identify user actions, known as events, by a user's unique identifier, the event that has taken place or event type, and the date and time that it took place. The audit log is sortable, filterable, and searchable. A CSV file of the audit log can also be generated and exported.
After a few triad conversations and client check-ins it was decided that this feature would fit best in the administrator dashboard with all of the other security and user management related features available to administrator users as its own dedicated page as shown below.
Login attempts and related events
Password change related events
User account related events
Roles based access related events
Authorization related events
Table filtering options are included for ease of use and enhanced functionality. The audit log can be filtered by date, showing only events that occurred between the selected dates. This combines with the search bar, which can also filter results by user names and emails as well as specific event types. Together, administrators are able to narrow down their search during any audit or investigation.
Data in the audit log is automatically archived to an external database after 90 days. For the newer data that still remains in PlexTrac's database, the option to export a CSV file exists. The CSV exports exclusively the filtered results as configured at the time of export, based on the date or search criteria.
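As an added illustration of the lockout, disable and unlock workflows above together with the audit-log filtering and CSV export just described, here is a small model written for this write-up (not PlexTrac's code). It assumes a five-failure lockout threshold as stated on the page, timestamps given as datetimes or ISO-8601 strings (both order correctly), and the constructed event-type names below.

```python
from collections import namedtuple
from dataclasses import dataclass, field
import csv, io

LOCK_THRESHOLD = 5  # the page: five failed logins lock the account
Event = namedtuple("Event", "when user event_type")  # one audit-log row

@dataclass
class Account:
    email: str
    password: str  # constructed sample only; a real store keeps a password hash
    disabled: bool = False
    locked: bool = False
    failed_logins: int = 0

@dataclass
class Tenant:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def log(self, when, user, event_type):
        self.audit_log.append(Event(when, user, event_type))

    def login(self, email, password, when):  # True on success; every outcome is logged
        acct = self.accounts[email]
        if acct.disabled or acct.locked:  # denied before any credential check
            self.log(when, email, "login_denied")
            return False
        if password != acct.password:
            acct.failed_logins += 1
            self.log(when, email, "login_failed")
            if acct.failed_logins >= LOCK_THRESHOLD:
                acct.locked = True
                self.log(when, email, "account_locked")
            return False
        acct.failed_logins = 0  # a good login resets the counter
        self.log(when, email, "login_success")
        return True

    def admin_action(self, admin, email, action, when):  # unlock / enable / disable
        acct = self.accounts[email]
        if action == "unlock":  # only an administrator can clear a lockout
            acct.locked, acct.failed_logins = False, 0
        else:
            acct.disabled = {"disable": True, "enable": False}[action]
        self.log(when, admin, f"user_{action}:{email}")

    def filter_log(self, start=None, end=None, search=""):
        # the date range compounds with a search over user ids and event types
        s = search.lower()
        return [e for e in self.audit_log
                if (start is None or e.when >= start) and (end is None or e.when <= end)
                and (s in e.user.lower() or s in e.event_type.lower())]

    def export_csv(self, rows):  # CSV of exactly the filtered rows, nothing more
        buf = io.StringIO()
        w = csv.writer(buf, lineterminator="\n")
        w.writerow(["timestamp", "user", "event_type"])
        w.writerows([str(e.when), e.user, e.event_type] for e in rows)
        return buf.getvalue()
```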
The User Management megaproject spanned the majority of my time at PlexTrac. While work was often separated by quarters of focus on other projects both large and small, it was a great opportunity to be able to work on such a user focused project.
This was one of two large overhaul/2.0 projects that I worked on during my time with PlexTrac, as opposed to net-new features. This gave me the unique opportunity to speak with our clients and get direct feedback on the existing version of the feature rather than feedback on concepts.
It was enlightening to hear firsthand the frustrations that our customers had, to vouch for them directly to C-level leadership, and eventually to win approval and green-light a project that I was passionate about and knew would have a significant impact on our users.