Permissions

Users have different functionality available to them, depending on their system-wide permissions and on the role they have as a member of a particular Product or Product Type.

System-wide permissions

  • Administrators (aka super users) have no limitations in the system. They can change all settings, manage users and have read and write access to all data.
  • Staff users can add Product Types, and have access to data according to their role in a Product or Product Type. The setting AUTHORIZATION_STAFF_OVERRIDE gives all staff users full access to all Products and Product Types.
  • Guest users have limited functionality available. They cannot add Product Types, but have access to data according to their role in a Product or Product Type.

Product and Product Type permissions

Users can be assigned as members to Products and Product Types, giving them one out of five predefined roles. The role defines what kind of access a user has to functions for interacting with data of that Product or Product Type:

Product / Product Type roles:

Permission                        Reader  Writer  Maintainer  Owner  API Importer
Add Product Type 1)
View Product Type                 x       x       x           x      x
Remove yourself as a member       x       x       x           x
Manage Product Type members                       x           x
Edit Product Type                                 x           x
Add Product                                       x           x
Add Product Type member as Owner                              x
Delete Product Type                                           x
View Product                      x       x       x           x      x
Remove yourself as a member       x       x       x           x
Manage Product members                            x           x
Edit Product                                      x           x
Add Product member as Owner                                   x
Delete Product                                                x
View Engagement                   x       x       x           x      x
Add Engagement                            x       x           x
Edit Engagement                           x       x           x
Risk Acceptance                           x       x           x
Delete Engagement                                 x           x
View Test                         x       x       x           x      x
Add Test                                  x       x           x
Edit Test                                 x       x           x
Delete Test                                       x           x
View Finding                      x       x       x           x      x
Add Finding                               x       x           x
Edit Finding                              x       x           x
(Re-)Import Scan Result                   x       x           x      x
Delete Finding                                    x           x
View Finding Group                x       x       x           x      x
Add Finding Group                         x       x           x
Edit Finding Group                        x       x           x
Delete Finding Group                      x       x           x
View Endpoint                     x       x       x           x      x
Add Endpoint                              x       x           x
Edit Endpoint                             x       x           x
Delete Endpoint                                   x           x
Edit Benchmark                            x       x           x
Delete Benchmark                                  x           x
View Components                   x       x       x           x      x
View Note History                 x       x       x           x
Add Note                                  x       x           x
Edit Note                                 x       x           x
Delete Note                       (x) 2)          x           x

1) Every staff user and administrator can add Product Types. Guest users are not allowed to add Product Types.

2) Every user is allowed to delete his own notes.

The role of a user within a Product Type is inherited by all Products of that Product Type. A user can additionally be defined as a member of a single Product with a different role. Permission checks then look at the Product Type role first; if it does not grant the right in question, the Product role is checked.

A Product Type needs to have at least one owner. The last owner cannot be removed.

Global permissions

Users can be assigned a global role in the Edit User dialog. A global role gives a user access to all Product Types and Products, including the underlying data, with permissions according to the respective role.

A use case for a global role could be the Chief Information Security Officer of a company who needs an overview of all systems. If he gets the global role Reader, he can see the findings for all products and also all metrics.

Since global roles give users access to all data, only superusers are allowed to edit them.

Groups

If you have a number of users who should all have the same permissions for some Products or Product Types, you can put them together in a group. The group defines the roles for Products and Product Types that are applied to all members of the group.

The membership of a group itself has a role that determines what permissions the member has to manage the group:

Permission                        Reader  Maintainer  Owner
Add Group 1)
View Group                        x       x           x
Remove yourself as a member       x       x           x
Manage Group members                      x           x
Edit Group                                x           x
Add Group member as Owner                             x
Delete Group                                          x

1) Every staff user and administrator can add groups. Guest users are not allowed to add groups.

The permission to manage a group's roles for Products and Product Types is determined by the role of the user in the respective Product or Product Type.

Groups can have a global role too. This global role gives all members of the group access to all Product Types and Products, including the underlying data, with permissions according to the respective role.
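The rules described above (a Product Type role inherited by its Products, a Product membership checked after the Product Type, the AUTHORIZATION_STAFF_OVERRIDE setting, the last-owner rule, global roles, and group roles) as one small model in Python. This is an added example, not DefectDojo's own authorization code: the class and function names, the permission strings, the subset of the role table it encodes, and the sample users, Products and group in `demo()` are all this example's own constructions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    READER = "Reader"
    WRITER = "Writer"
    MAINTAINER = "Maintainer"
    OWNER = "Owner"
    API_IMPORTER = "API Importer"

# Subset of the page's role table. The roles are not a strict ladder (API Importer
# imports scans but cannot view note history), so each role has its own set.
_READ = {"view_product", "view_finding", "view_note_history"}
_WRITE = _READ | {"add_engagement", "add_finding", "edit_finding", "import_scan"}
_MAINTAIN = _WRITE | {"delete_finding", "edit_product", "manage_product_members"}
PERMISSIONS = {
    Role.READER: _READ,
    Role.WRITER: _WRITE,
    Role.MAINTAINER: _MAINTAIN,
    Role.OWNER: _MAINTAIN | {"delete_product", "add_product_member_as_owner"},
    Role.API_IMPORTER: {"view_product", "view_finding", "import_scan"},
}

@dataclass
class User:
    name: str
    is_superuser: bool = False
    is_staff: bool = False
    global_role: Role = None  # only a superuser may set this (see the page)

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)                # user names
    global_role: Role = None
    product_type_roles: dict = field(default_factory=dict)   # Product Type name -> Role
    product_roles: dict = field(default_factory=dict)        # Product name -> Role

@dataclass
class ProductType:
    name: str
    members: dict = field(default_factory=dict)  # user name -> Role

@dataclass
class Product:
    name: str
    product_type: ProductType
    members: dict = field(default_factory=dict)  # user name -> Role

def roles_on(user, obj, groups):
    """Roles `user` holds on one Product or Product Type: direct membership,
    roles of every group the user belongs to, and global roles of either."""
    roles = {obj.members[user.name]} if user.name in obj.members else set()
    roles |= {user.global_role} if user.global_role else set()
    for g in (g for g in groups if user.name in g.members):
        table = g.product_roles if isinstance(obj, Product) else g.product_type_roles
        roles |= {r for r in (g.global_role, table.get(obj.name)) if r}
    return roles

def has_permission(user, permission, product, groups=(), staff_override=False):
    """Superusers always pass; staff pass when AUTHORIZATION_STAFF_OVERRIDE is on.
    Otherwise the Product Type roles are checked first and, only if they do not
    grant the right, the Product roles: a Product membership can add rights on
    top of the inherited Product Type role but never remove them."""
    if user.is_superuser or (user.is_staff and staff_override):
        return True
    for obj in (product.product_type, product):
        if any(permission in PERMISSIONS[r] for r in roles_on(user, obj, groups)):
            return True
    return False

def remove_member(obj, user_name):
    """Remove a member, refusing to remove the last Owner. The page states this
    rule for Product Types; applying it to Products too is this example's choice."""
    if [n for n, r in obj.members.items() if r is Role.OWNER] == [user_name]:
        raise ValueError(f"{user_name} is the last owner of {obj.name}")
    del obj.members[user_name]

def demo():
    """Constructed sample data; returns {case: decision}."""
    web = ProductType("Web Apps", members={"alice": Role.OWNER, "bob": Role.READER})
    shop = Product("Shop", web, members={"bob": Role.WRITER})
    scanners = Group("scanners", members={"dave"}, product_roles={"Shop": Role.API_IMPORTER})
    alice, bob, dave = User("alice"), User("bob"), User("dave")
    carol, ciso = User("carol", is_staff=True), User("ciso", global_role=Role.READER)
    g = [scanners]
    return {
        "owner_on_type_deletes_product": has_permission(alice, "delete_product", shop, g),
        "reader_on_type_writer_on_product": has_permission(bob, "add_finding", shop, g),
        "staff_without_override": has_permission(carol, "view_product", shop, g),
        "staff_with_override": has_permission(carol, "delete_product", shop, g, True),
        "global_reader_views_findings": has_permission(ciso, "view_finding", shop, g),
        "global_reader_cannot_delete": has_permission(ciso, "delete_finding", shop, g),
        "group_importer_imports": has_permission(dave, "import_scan", shop, g),
        "group_importer_no_note_history": has_permission(dave, "view_note_history", shop, g),
    }
```

The order of checks in `has_permission` is the practical point: because the Product Type is consulted before the Product and a grant at either level is sufficient, giving a user a lower role on one Product does not take away what the Product Type role already grants; to restrict someone, their Product Type membership (or group and global roles) has to change.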