Managing user roles and access control

The AppSec Portal uses Role-Based Access Control (RBAC) to manage user roles and access privileges. RBAC lets an organization assign roles and permissions to users according to their responsibilities within the application security process, so that each user can do exactly what their job requires and nothing more.

Roles

A role is a predefined set of permissions that is assigned to users. For example, if a user holds a role that grants access to specific products, they can read and edit the settings of those products, including the Auto Validator and Deduplicator rules that affect them.

To learn how to create and edit users in the Portal, see the User management page.

Built-in roles

The AppSec Portal ships with two built-in roles, superuser and default, which form the foundation for managing user access and permissions:

Custom roles

While the built-in superuser and default roles provide a starting point, custom roles give finer-grained control over user privileges and align access with specific job responsibilities. Reasons to create custom roles include:

  1. Granular access control: custom roles let you define precisely which actions and functionalities each user may access within the AppSec Portal. By creating roles that match specific responsibilities, organizations grant users the level of access they need to perform their tasks while preventing unauthorized access to sensitive features or data.

  2. Security and compliance: custom roles enforce security and compliance requirements by limiting access to critical functionality. Assigning permissions according to the principle of least privilege reduces the risk of unauthorized actions, limits the impact of a compromised account, and supports industry-specific regulations and internal security policies.

  3. Workflow optimization: custom roles can be designed to streamline workflows and promote collaboration. By creating roles that match different job functions, teams can efficiently manage their tasks and focus on their specific responsibilities within the application security process.

For instructions on creating and editing roles in the AppSec Portal, refer to the "Creating and editing roles" guide. It provides step-by-step instructions for creating roles, assigning permissions to them, and modifying existing roles.

Multiple role assignment

The Portal supports the assignment of multiple roles to users, offering a flexible and versatile approach to user access and permissions.

Here's how it works in the AppSec Portal:

  1. Unlimited users and roles: the Portal imposes no limit on the number of users that can be added, so every individual can have a dedicated account within the platform. Likewise, there is no restriction on the number of roles that can be created.

  2. Role combinations: a user can be assigned any combination of roles within the Portal, so a single user can hold multiple roles at the same time.

Permissions

Permissions determine which actions and functionalities a user can perform within the platform.

Permissions of the superuser role

These permissions can be assigned to roles, allowing you to fine-tune user access. The following permissions are available within the AppSec Portal:

RBAC support in Auto Validator and Deduplicator

Role-based permissions give precise control over how users interact with rules in the Auto Validator and Deduplicator, ensuring efficient triage and deduplication of vulnerability findings.

Products affected by the rule example

The table below highlights how management of, and access to, a rule differs depending on which of the products the rule affects are available to the user in the AppSec Portal:
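To make the two mechanisms described above concrete (multiple role assignment, and access to a rule that affects several products), here is an added, self-constructed Python model of these RBAC concepts. It is not the Portal's own code: the permission names (`view_product`, `change_product`, `change_rule`), the role and product names, and the policy that a user may edit a rule only when they can edit every product it affects, and may otherwise only see it if at least one affected product is visible to them, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed example model of the Portal's RBAC concepts (not the product's own code).
# Permission names and the product-scoping policy below are assumptions for illustration.


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset                 # e.g. {"view_product", "change_product", "change_rule"}
    products: frozenset = frozenset()      # products this role grants access to
    superuser: bool = False                # built-in superuser: every permission on every product


@dataclass(frozen=True)
class Rule:
    """An Auto Validator or Deduplicator rule and the products it affects."""
    name: str
    affected_products: frozenset


@dataclass
class User:
    username: str
    roles: list = field(default_factory=list)   # multiple role assignment


def is_superuser(user):
    return any(role.superuser for role in user.roles)


def effective_permissions(user):
    """Permission names a user holds anywhere: the union over all assigned roles."""
    perms = set()
    for role in user.roles:
        perms |= role.permissions
    return frozenset(perms)


def accessible_products(user):
    """Products visible to the user through any of their roles."""
    products = set()
    for role in user.roles:
        products |= role.products
    return frozenset(products)


def has_perm(user, perm, product):
    """Assumption: a permission is scoped to the products of the role that grants it,
    so holding 'change_rule' via a role for product A does not extend it to product B."""
    if is_superuser(user):
        return True
    return any(perm in role.permissions and product in role.products for role in user.roles)


def rule_access(user, rule):
    """Assumed policy for rules affecting one or more products:
    'edit' - user may change rules on every affected product
    'read' - user may view at least one affected product (rule visible, read-only)
    'none' - no affected product is visible to the user (rule hidden)"""
    if is_superuser(user):
        return "edit"
    if all(has_perm(user, "change_rule", p) for p in rule.affected_products):
        return "edit"
    if any(has_perm(user, "view_product", p) for p in rule.affected_products):
        return "read"
    return "none"


# Constructed sample roles, users and rules (names are assumptions).
SUPERUSER = Role("superuser", frozenset(), frozenset(), superuser=True)
WEB_TRIAGE = Role("web-triage",
                  frozenset({"view_product", "change_product", "change_rule"}),
                  frozenset({"webshop"}))
MOBILE_VIEWER = Role("mobile-viewer", frozenset({"view_product"}), frozenset({"mobile-app"}))

alice = User("alice", [WEB_TRIAGE, MOBILE_VIEWER])   # two roles combined on one user
bob = User("bob", [MOBILE_VIEWER])
admin = User("admin", [SUPERUSER])

WEBSHOP_RULE = Rule("dedup-webshop-xss", frozenset({"webshop"}))
CROSS_RULE = Rule("autovalidate-csrf-all", frozenset({"webshop", "mobile-app"}))

if __name__ == "__main__":
    for user in (alice, bob, admin):
        print(user.username, sorted(effective_permissions(user)), sorted(accessible_products(user)))
        for rule in (WEBSHOP_RULE, CROSS_RULE):
            print("  ", rule.name, "->", rule_access(user, rule))
```

The check worth noticing is `has_perm`: alice's combined roles give her `change_rule` and access to `mobile-app`, but not `change_rule` on `mobile-app`, so the cross-product rule stays read-only for her. A naive implementation that unions permissions and products separately would grant her edit rights she was never assigned.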
