Permissions

Users have different functionality available to them, depending on their system-wide permissions and on the role they have as a member of a particular Product or Product Type.

System-wide permissions

  • Administrators (aka super users) have no limitations in the system. They can change all settings, manage users and have read and write access to all data.
  • Staff users can add Product Types, and have access to data according to their role in a Product or Product Type. There is the parameter AUTHORIZATION_STAFF_OVERRIDE in the settings to give all staff users full access to all Products and Product Types.
  • Guest users have limited functionality available. They cannot add Product Types but have access to data according to their role in a Product or Product Type

Product and Product Type permissions

Users can be assigned as members to Products and Product Types, giving them one out of five predefined roles. The roles define what kind of access a user has to functions for interacting with data of that Product or Product Type:

Product / Product Type roles:

ReaderWriterMaintainerOwnerAPI Importer
Add Product Type 1)
View Product Typexxxxx
Remove yourself as a memberxxxx
Manage Product Type membersxx
Edit Product Typexx
Add Productxx
Add Product Type member as Ownerx
Delete Product Typex
View Productxxxxx
Remove yourself as a memberxxxx
Manage Product membersxx
Edit Productxx
Add Product member as Ownerx
Delete Productx
View Engagementxxxxx
Add Engagementxxx
Edit Engagementxxx
Risk Acceptancexxx
Delete Engagementxx
View Testxxxxx
Add Testxxx
Edit Testxxx
Delete Testxx
View Findingxxxxx
Add Findingxxx
Edit Findingxxx
(Re-)Import Scan Resultxxxx
Delete Findingxx
View Finding Groupxxxxx
Add Finding Groupxxx
Edit Finding Groupxxx
Delete Finding Groupxxx
View Endpointxxxxx
Add Endpointxxx
Edit Endpointxxx
Delete Endpointxx
Edit Benchmarkxxx
Delete Benchmarkxx
View Componentsxxxxx
View Note Historyxxxx
Add Notexxx
Edit Notexxx
Delete Note(x) 2)xx

1) Every staff user and administrator can add Product Types. Guest users are not allowed to add Product Types.

2) Every user is allowed to delete his own notes.

The role of a user within a Product Type is inherited by all Products of that Product Type, unless the user is explicitly defined as a member of a Product with a different role. In that case, if a user doesn’t have a certain right for the Product Type, it is then checked if he has the right for the Product.

A Product Type needs to have at least one owner. The last owner cannot be removed.

Global permissions

Users can be assigned a global role in the Edit User dialog. A global role gives a user access to all Product Types and Products, including the underlying data, with permissions according to the respective role.

A use case for a global role could be the Chief Information Security Officer of a company who needs an overview of all systems. If he gets the global role Reader, he can see the findings for all products and also all metrics.