Permissions

Users have different functionality available to them, depending on their system-wide permissions and on the role they have as a member of a particular Product or Product Type.

System-wide permissions

  • Administrators (aka superusers) have no limitations in the system. They can change all settings, manage users and have read and write access to all data.
  • Staff users can add Product Types, and have access to data according to their role in a Product or Product Type.
  • Regular users have limited functionality available. They cannot add Product Types but have access to data according to their role in a Product or Product Type

Product and Product Type permissions

Users can be assigned as members to Products and Product Types, giving them one out of five predefined roles. The role defines what kind of access a user has to functions for interacting with data of that Product or Product Type:

Product / Product Type roles:

ReaderWriterMaintainerOwnerAPI Importer
Add Product Type1)1)
View Product Typexxxxx
Remove yourself as a memberxxxx
Manage Product Type membersxx
Edit Product Typexx
Add Productxx
Add Product Type member as Ownerx
Delete Product Typex
View Productxxxxx
Remove yourself as a memberxxxx
Manage Product membersxx
Edit Productxx
Add Product member as Ownerx
Delete Productx
View Engagementxxxxx
Add Engagementxxx
Edit Engagementxxx
Risk Acceptancexxx
Delete Engagementxx
View Testxxxxx
Add Testxxx
Edit Testxxx
Delete Testxx
View Findingxxxxx
Add Findingxxx
Edit Findingxxx
(Re-)Import Scan Resultxxxx
Delete Findingxx
View Finding Groupxxxxx
Add Finding Groupxxx
Edit Finding Groupxxx
Delete Finding Groupxxx
View Endpointxxxxx
Add Endpointxxx
Edit Endpointxxx
Delete Endpointxx
Edit Benchmarkxxx
Delete Benchmarkxx
View Componentsxxxxx
View Note Historyxxxx
Add Notexxxx
Edit Note(x) 2)xxx
Delete Note(x) 2)(x) 2)xx

1) Every superuser can add Product Types. Regular users are not allowed to add Product Types, unless they are Global Owner or Maintainer.

2) Every user is allowed to edit and delete his own notes.

The role of a user within a Product Type is inherited by all Products of that Product Type, unless the user is explicitly defined as a member of a Product with a different role. In that case, if a user doesn’t have a certain right for the Product Type, it is then checked if he has the right for the Product.

A Product Type needs to have at least one owner. The last owner cannot be removed.

Global permissions

Users can be assigned a global role in the Edit User dialog. A global role gives a user access to all Product Types and Products, including the underlying data, with permissions according to the respective role.

A use case for a global role could be the Chief Information Security Officer of a company who needs an overview of all systems. If he gets the global role Reader, he can see the findings for all products and also all metrics.

Since global roles give users access to all data, only superusers are allowed to edit it.

Groups

If you have a number of users who should all have the same permissions for some Products or Product Types, you can put them together in a group. The group defines the roles for Products and Product Types that are applied to all members of the group.

The membership of a group itself has a role that determines what permissions the member has to manage the group:

ReaderMaintainerOwner
Add Group 1)
View Groupxxx
Remove yourself as a memberxxx
Manage Group membersxx
Edit Groupxx
Add Group member as Ownerx
Delete Groupx

1) Every superuser can add groups. Regular users are not allowed to add groups.

The permissions to manage the roles of Products and Product types for a group is defined by the role of the user in the respective Product or Product Type.

Groups can have a global role too. This global role gives all members of the group access to all Product Types and Products, including the underlying data, with permissions according to the respective role.

Configuration permissions

Many configuration dialogues and API endpoints can be enabled for users or groups of users, regardless of their superuser status:

Configuration permissions

3 configurations can still only be changed by superusers:

  • System settings
  • Notifications on system level
  • Configuration permissions for users and groups