Managing user roles and access control
Last updated
Last updated
Role-Based Access Control (RBAC) is a powerful security mechanism implemented in the AppSec Portal, ensuring a robust and flexible approach to managing user roles and access privileges. RBAC enables organizations to assign specific roles and permissions to users based on their responsibilities and requirements within the application security ecosystem.
A role represents a predefined set of permissions assigned to users. For example, if a user has a role with access to specific products, they can read and edit those product settings (including Auto Validator and Deduplicator rules that affect such products).
To learn how to create and edit users in the Portal, see the User management page.
The AppSec Portal comes equipped with two built-in roles that serve as the foundation for managing user access and permissions:
| Built-in role | Permissions | Notes |
|---|---|---|
superuser |
| Highest-level role, automatically created during the deployment process of the Portal. As the superuser, this role possesses all permissions available within the platform. |
default | No permissions | Built-in role that comes with no permissions assigned. When a user is initially added to the AppSec Portal without any explicitly assigned role, they are automatically assigned the default role. Users with the default role have limited access within the platform. They only can view global settings but cannot modify them. |
While the built-in roles, such as the superuser and default roles, provide a starting point, custom roles enable finer-grained control over user privileges and align access with specific job responsibilities. Here are some reasons why organizations should consider creating custom roles:
Granular access control: custom roles allow to define precisely which actions and functionalities each user should have access to within the AppSec Portal. By creating roles that align with specific responsibilities, organizations can grant users the appropriate level of access needed to perform their tasks effectively, while preventing unauthorized access to sensitive features or data.
Security and compliance: custom roles enable organizations to enforce security and compliance measures by limiting access to critical functionality. By assigning permissions based on the principle of least privilege, organizations can mitigate the risk of unauthorized actions, minimize potential vulnerabilities, and adhere to industry-specific regulations or internal security policies.
Workflow optimization: custom roles can be designed to streamline workflows and promote collaboration. By creating roles that match different job functions, teams can efficiently manage their tasks and focus on their specific responsibilities within the application security process.
For instructions on creating and editing roles in the AppSec Portal, refer to the "Creating and editing roles" guide. It provides step-by-step instructions for customizing roles, assigning permissions, and modifying existing roles.
The Portal supports the assignment of multiple roles to users, offering a flexible and versatile approach to user access and permissions.
Here's how it works in the AppSec Portal:
Unlimited users and roles: the Portal has no limitations on the number of users that can be added to the system. Organizations can onboard as many users as needed, ensuring that each individual has a dedicated account within the platform. Similarly, there is no restriction on the number of roles that can be created.
Role combinations: users can be assigned any combination of roles within the Portal. This means that a single user can have multiple roles assigned to them simultaneously.
Permissions play a crucial role in determining the actions and functionalities that users can perform within the platform.
These permissions can be assigned to roles, allowing to fine-tune user access. Here are the available permissions within the AppSec Portal:
| Permission | Description |
|---|---|
Can manage roles and users | Users with this permission have administrative privileges over user management within the Portal. They can create custom roles, modify existing roles, create new user accounts, and assign or remove roles for other users (i.e have access to tab "Users and Roles"). |
Can manage global settings | |
Can edit product settings | Roles with this permission have the ability to modify the settings of specific products ("Can manage all product type", "Has access to products with types" and "Has access to products" permissions determine which products are available for the role). These settings include configurations such as the product type, Jira project keys, and product-related tags. |
Can manage all product type | This permission grants the role full control over all product types and their settings providing comprehensive access to manage and configure any product available on the platform. |
Has access to products with types | This permission allows administrators to specify the product types to which a role has access. |
Has access to products | Allows administrators to specify individual products to which a role has access. |
Role-based permissions enable precise control over user interactions with rules in the Auto Validator and Deduplicator, ensuring efficient triage and depuplication of vulnerability findings.
The table below highlights the differences in management and access based on product availability in the AppSec Portal:
| Permission level | Role visibility | Role editing | Adding/removing affected products from roles |
|---|---|---|---|
No access (no available product types/products affecting this rule for the role) | Role is hidden | N/A | N/A |
Partial access (at least one product in this rule is available for the role) | Role is viewable | Restricted | Allowed (only products that are specifically assigned to the role) |
Full access (all products in a rule are available for the role) | Role is viewable | Allowed | Allowed |
