Managing user roles and access control


Last updated 1 year ago


Role-Based Access Control (RBAC) is the security mechanism the AppSec Portal uses to manage user roles and access privileges. With RBAC, an organization assigns each user one or more roles, and each role carries the permissions that match the user's responsibilities within the application security process.

Roles

A role represents a predefined set of permissions assigned to users. For example, if a user has a role with access to specific products, they can read and edit the settings of those products (including the Auto Validator and Deduplicator rules that affect them).

Built-in roles

The AppSec Portal ships with two built-in roles that serve as the foundation for managing user access and permissions:

| Built-in role | Permissions | Notes |
|---|---|---|
| superuser | Create, edit, and delete roles and user accounts; manage global settings; edit product settings; manage all product types | Highest-level role, created automatically when the Portal is deployed. The superuser role holds every permission available on the platform. |
| default | No permissions | Built-in role with no permissions assigned. A user added to the AppSec Portal without an explicitly assigned role automatically receives the default role. Users with the default role have limited access: they can view global settings but cannot modify them. |

(Image: Permissions of the superuser role)

Custom roles

While the built-in roles, superuser and default, provide a starting point, custom roles enable finer-grained control over user privileges and align access with specific job responsibilities. Reasons to create custom roles include:

  1. Granular access control: custom roles let administrators define precisely which actions and functionality each user can reach within the AppSec Portal. Roles that align with specific responsibilities grant users the access they need to do their work while preventing unauthorized access to sensitive features or data.

  2. Security and compliance: custom roles limit access to critical functionality. Assigning permissions on the principle of least privilege reduces the risk of unauthorized actions and helps meet industry regulations or internal security policies.

  3. Workflow optimization: roles that match different job functions let teams focus on their own responsibilities within the application security process.

For instructions on creating and editing roles in the AppSec Portal, refer to the "Creating and editing roles" guide. It provides step-by-step instructions for customizing roles, assigning permissions, and modifying existing roles.

Multiple role assignment

The Portal supports the assignment of multiple roles to users, offering a flexible and versatile approach to user access and permissions.

Here's how it works in the AppSec Portal:

  1. Unlimited users and roles: the Portal has no limitations on the number of users that can be added to the system. Organizations can onboard as many users as needed, ensuring that each individual has a dedicated account within the platform. Similarly, there is no restriction on the number of roles that can be created.

  2. Role combinations: users can be assigned any combination of roles within the Portal. This means that a single user can have multiple roles assigned to them simultaneously.

Permissions

Permissions determine the actions and functionality available to users within the platform.

Permissions are assigned to roles, which is how user access is fine-tuned. The available permissions within the AppSec Portal are:

| Permission | Description |
|---|---|
| Can manage roles and users | Users with this permission have administrative privileges over user management within the Portal. They can create custom roles, modify existing roles, create new user accounts, and assign or remove roles for other users (i.e. they have access to the "Users and Roles" tab). |
| Can manage global settings | Roles with this permission can change configuration options that affect the entire platform, such as global settings (the "Scanners" and "Metrics" tabs) and integration configurations (the "Integrations" tab). |
| Can edit product settings | Roles with this permission can modify the settings of specific products. Which products are available to the role is determined by the "Can manage all product type", "Has access to products with types" and "Has access to products" permissions. Product settings include the product type, Jira project keys, and product-related tags. |
| Can manage all product type | Grants the role full control over all product types and their settings, i.e. comprehensive access to manage and configure any product on the platform. |
| Has access to products with types | Lets administrators specify the product types to which a role has access. |
| Has access to products | Lets administrators specify the individual products to which a role has access. |

To learn how to create and edit users in the Portal, see the User management page.

RBAC support in Auto Validator and Deduplicator

Role-based permissions give precise control over how users interact with rules in the Auto Validator and Deduplicator, so that triage and deduplication of vulnerability findings stay within each user's product scope.

The table below shows how a role's access to the products affected by a rule determines what it can see and change:

| Access level | Rule visibility | Rule editing | Adding/removing affected products from the rule |
|---|---|---|---|
| No access (none of the product types/products affected by the rule is available to the role) | Rule is hidden | N/A | N/A |
| Partial access (at least one product affected by the rule is available to the role) | Rule is viewable | Restricted | Allowed, but only for products specifically assigned to the role |
| Full access (all products affected by the rule are available to the role) | Rule is viewable | Allowed | Allowed |

(Image: Products affected by the rule example)
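The permission table and the access-level table above together describe a small decision procedure: which products a role reaches, whether a role may edit a product, and which of the three access levels a user gets on an Auto Validator or Deduplicator rule. The following Python model, an added example and not code from the AppSec Portal, makes that procedure explicit and checkable. The product names, the custom roles and the rule are constructed for illustration. The built-in superuser and default roles are encoded from the page's table; the one assumption the page does not state is that a user holding several roles (see Multiple role assignment) gets the union of what each role grants.

```python
"""Model of the AppSec Portal access rules described on this page.

Added worked example, not Portal code. Two points are assumptions rather than
statements of the page: (1) a user holding several roles gets the union of what
each role grants; (2) a rule's access level is derived purely from the overlap
between the products it affects and the products the user can reach.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable


class Access(Enum):
    """Access levels from the Auto Validator / Deduplicator table."""
    NO_ACCESS = "no access"   # rule is hidden
    PARTIAL = "partial"       # rule viewable, editing restricted
    FULL = "full"             # rule viewable and editable


@dataclass(frozen=True)
class Product:
    name: str
    product_type: str


@dataclass(frozen=True)
class Role:
    """One Portal role; field names mirror the permission labels on this page."""
    name: str
    can_manage_roles_and_users: bool = False
    can_manage_global_settings: bool = False
    can_edit_product_settings: bool = False
    can_manage_all_product_types: bool = False      # "Can manage all product type"
    product_types: FrozenSet[str] = frozenset()     # "Has access to products with types"
    products: FrozenSet[str] = frozenset()          # "Has access to products"


# Built-in roles, encoded from the page's built-in roles table.
SUPERUSER = Role("superuser", True, True, True, True)
DEFAULT = Role("default")

# Constructed sample catalogue (hypothetical product names and types).
CATALOGUE = frozenset({
    Product("web-shop", "web"),
    Product("internal-tool", "web"),
    Product("mobile-app", "mobile"),
    Product("payments-api", "api"),
})

# Constructed custom roles (hypothetical).
WEB_LEAD = Role("web-lead", can_edit_product_settings=True,
                product_types=frozenset({"web"}))
PAYMENTS_VIEWER = Role("payments-viewer", products=frozenset({"payments-api"}))


def role_reaches(role: Role, product: Product) -> bool:
    """A role reaches a product through any of its three product-scope permissions."""
    return (role.can_manage_all_product_types
            or product.product_type in role.product_types
            or product.name in role.products)


def accessible_products(roles: Iterable[Role],
                        catalogue: Iterable[Product] = CATALOGUE) -> FrozenSet[Product]:
    """Union (assumption) over all assigned roles of the products each role reaches."""
    roles = list(roles)
    return frozenset(p for p in catalogue if any(role_reaches(r, p) for r in roles))


def can_edit_product(product: Product, roles: Iterable[Role]) -> bool:
    """'Can edit product settings' only applies to products the roles make available."""
    roles = list(roles)
    return (any(r.can_edit_product_settings for r in roles)
            and product in accessible_products(roles))


def rule_access(rule_products: Iterable[Product], roles: Iterable[Role]) -> Access:
    """Map the overlap between a rule's affected products and the user's reachable
    products onto the No / Partial / Full access levels of the table."""
    affected = frozenset(rule_products)
    visible = affected & accessible_products(roles)
    if not visible:
        return Access.NO_ACCESS
    if visible == affected:
        return Access.FULL
    return Access.PARTIAL


def products_user_may_change(rule_products: Iterable[Product],
                             roles: Iterable[Role]) -> FrozenSet[Product]:
    """Affected products the user may add to or remove from the rule: with partial
    access only those reachable through the user's roles, with full access all of
    them, and none when the rule is hidden."""
    return frozenset(rule_products) & accessible_products(roles)
```

Calling `rule_access` with `[WEB_LEAD]` on a rule that affects `web-shop` and `payments-api` yields partial access, because the role reaches only the web-typed product; adding `PAYMENTS_VIEWER` to the same user raises it to full access under the union assumption, while the default role alone leaves the rule hidden. `can_edit_product` shows the second interaction the page describes: the payments viewer reaches `payments-api` but holds no "Can edit product settings" permission, so it cannot change that product's settings.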