📙 You will learn
How to create and edit user roles, how to assign roles to users or groups, and what each user Role Permission enables.
Prerequisites
Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A
The following video provides a brief overview of Roles and Permissions.
Create New Roles
To edit or create roles, click Global from the Navigation sidebar, then click Identity Management and select the Manage Roles Tab. The only roles shown in a new installation will be Administrator and User. To create a new role, click the Create Role button.
A modal dialog appears with a field for naming the new role. Click each permission to grant or remove it. For limited roles, use the Select None button as a starting point and grant only the desired permissions. Likewise, for a role with broad permissions, use the Select All button, then toggle off the permissions that role should not have. For example, a Quality Assurance role might have user and group management, global system management, and any other permissions the QA user won't need toggled off.
To finish, click the Create Role button. The role appears in the Roles List and a success message is displayed.
Editing Roles
To edit a role, first select the role to edit from the Role List. This will expose the Role Details. The Permissions list appears as it did in the creation dialog.
Toggle the preferred permissions to be granted or removed from the role and click the Save Changes button. ThreadFix stores the edited role and displays a success message.
Assigning Roles to Users or Groups
The Manage Roles tab allows assigning roles to users and/or groups.
Type the name of the user/group in the respective User or Groups field, select the desired user/group, and click the Add User or Add Group button, as applicable.
When all roles have been assigned as desired, click the Save Changes button. ThreadFix stores the edited permissions and displays a success message.
Role Permission Details
Below is a summary of the function each Role Permission enables, grouped by category:
Teams and Applications | |
---|---|
Create Teams | Allows user to create or delete teams. |
Edit Teams | Allows user to edit teams. |
Delete Teams | Allows user to delete teams. |
Create Applications | Allows user to add applications to teams |
Edit Applications | Allows user to edit details and add documents to existing applications. Allows user to change the following properties of the application: |
Delete Applications | Allows user to delete applications. |
Manage Files for Applications | Allows user to add files to applications. |
Manage Application Versions | Allows user to create, edit, or delete ThreadFix application versions. |
Submit Service Requests | Allows user to create a service request with Denim Group to perform an application scan and audit for an application. |
Scans | |
---|---|
Manage Scan Agents | Allows user to create and modify configurations for scan agents such as Security AppScan Standard, Burp Suite, and OWASP Zed Attack Proxy. Also allows user to initiate or schedule scans and to modify scans already scheduled. This permission must also be granted globally for any user whose API key will be used to configure the scanagent.jar. |
Upload Scans | Allows user to upload scans from scan agents into ThreadFix for vulnerability tracking and reporting. |
Delete Scans | Allows user to delete scans in ThreadFix. |
Manage Remote Provider Scans | Allows user to orchestrate Remote Provider scans. |
Manage FPR Filter Templates | Allows user to set and delete a global FPR filter template. |
Manage Scan Metadata Keys | Allows user to set keys allowed for Scan Metadata. |
Manage Scan Metadata | Allows user to set Metadata on Scans. |
Manage Pen Test Findings | Allows user to create, edit, and delete Pen Test Findings for any Pen Test Team they belong to. |
Manage Pen Tests | Allows user to start or finalize and submit Pen Tests for any Pen Test Teams they belong to. |
Delete Pen Tests | Allows user to delete or cancel Pen Tests for any Pen Test Teams they belong to. |
Vulnerabilities | |
---|---|
Comment on Vulnerabilities | Allows user to submit comments on vulnerabilities. |
Attach Documents To Vulnerabilities | Allows user to upload and attach documents to vulnerabilities. |
Modify Vulnerabilities | Allows user to close vulnerabilities. |
Manage Vulnerability Types | Allows user to create or edit filters for sorting vulnerabilities. |
Update Vulnerability Exploitable Status | Allows user to mark or unmark vulnerabilities as exploitable. |
Update Vulnerability False Positive Status | Allows user to mark or unmark vulnerabilities as false positives. |
Update Vulnerability Contested Status | Allows user to mark or unmark vulnerabilities as contested. |
Update Vulnerability Verified Status | Allows user to mark or unmark vulnerabilities as verified. |
Tag Vulnerabilities | Allows user to add or remove tags from vulnerabilities. |
Defect Trackers | |
---|---|
Manage Defect Trackers | Allows user to create new defect tracker configurations or edit existing configurations. This permission is not required to submit vulnerabilities to an application's designated defect tracker. User must have "Manage Applications" permission to designate a defect tracker for an application. |
Submit Defects | Allows user to submit bugs to the defect tracker assigned to an application. User must have "Manage Applications" permission to assign a defect tracker to an application. |
Manage GRC Tools | Allows user to create and edit Governance, Risk, and Compliance (GRC) Tools. |
Reporting | |
---|---|
Manage Tags | Allows user to create or edit tags for categorizing applications. User must have "Manage Applications" permission to assign tags to an application. |
Generate Reports | Allows user to view graphs and reports summarizing vulnerability information and to export those reports as PDF, PNG, or CSV files. |
Generate Report Files | Allows user to export reports. |
Manage Email Reports | Allows user to manage and schedule email reports. |
Manage Policies | Allows user to create or delete policies and attach them to applications, as well as configure notifications and email alerts that are triggered when a policy’s status changes. |
Update Statistics | Allows user to update application, team, and global statistics. |
Manage CI/CD | Allows user to access the CI/CD Policies page to manage pass criteria and automated defect reporting. |
Administration | |
---|---|
Manage Users | Allows user to edit display name, password, role, and permissions for all users. Also allows user to create new user profiles. |
Manage API Keys | Allows user to create and manage API keys for interfacing with ThreadFix. This permission applies to managing API keys for other users. All users can create an API key for their own account. |
Create API Keys* | Allows user to create their own API keys for interfacing with ThreadFix. |
Manage Roles | Allows user to designate permissions for new roles and to modify the permissions for existing roles. |
Manage System Settings | Allows user to modify System Settings for ThreadFix. This includes altering LDAP settings, proxy settings, session timeout, dashboard settings, and customizing displayed reports for the application detail page and the team detail page. |
Configure Remote Providers | Allows user to create, modify, and delete Remote Provider configurations for importing scans from SaaS platforms such as QualysGuard WAS, Veracode, and WhiteHat Sentinel. (In order to access the Remote Providers page, this permission must be granted at the global level.) |
Manage Remote Providers | Allows user to perform the balance of functions for existing Remote Provider integrations, e.g., mapping and/or synchronizing applications, importing scans, etc. (In order to access the Remote Providers page, this permission must be granted at the global level.) |
Manage Groups | Allows user to create or delete groups of users, and set roles for those groups. |
View Error Logs | Allows user to view error logs generated by ThreadFix in the Settings menu. (In order to access the Error Messages page, this permission must be granted at the global level.) |
Manage Audit History | Allows user to access the History page to view events for applications the user has permission to access. |
Manage Scan Result Filters | Allows user to change severity or suppress scanner vulnerability types. |
Manage Custom CWE Text | Allows user to create custom text entries mapped to CWE definitions. |
Manage Metadata Keys | Allows user to create, edit, and disable keys allowed for Scan and Application Metadata. |
Manage Pen Test Teams | Allows user to create, edit, and delete Pen Test Teams as well as attach Users and Groups to Pen Test Teams. |
Queue | |
---|---|
Manage Queue | Allows user to cancel queued tasks. |
View Queued Items | Allows user to view queued items. |
View Processing Queued Items | Allows user to view currently-processing items in the queue. |
Infrastructure | |
---|---|
Manage Networks | Allows user to create, edit, and delete networks. |
Manage Assets | Allows user to create, edit, archive and unarchive network assets. |
Delete Assets | Allows user to delete network assets. |
Manage Remote Providers | Allows user to create, edit, and delete remote provider configurations to network tools. |
Manage Remote Provider Scans | Allows user to create, edit, and delete scheduled scan imports from network remote providers. |
Upload Scans | Allows user to upload a scan file from a supported network scanner. |
Delete Scans | Allows user to delete existing network scans. |
Manage Vulnerabilities | Allows user to edit network vulnerabilities. |
View Infrastructure | Allows user to access network infrastructure. |
Manage Network Groups | Allows user to edit network groups. |
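The "Select All, then toggle off" approach described under Create New Roles is easy to get wrong in two ways the table above only hints at: several permissions only function when granted at the global level (Configure Remote Providers, Manage Remote Providers, View Error Logs, and Manage Scan Agents for a scan-agent API key user), and several others state that "Manage Applications" is needed to use them to full effect. The following is an added example, not ThreadFix code and not its API: a small role lint that encodes those notes from the table so a role definition can be checked before it is assigned. The permission names are a subset copied from the table; the `RoleGrant` type, `build_role` and `lint` functions, and the separation-of-duties pairs flagged for review are the example's own constructions.

```python
"""Lint a role definition against the prerequisite notes in the permission table.

Added example (hypothetical model, not ThreadFix code or its API). Permission
names are copied from the table; the rules below paraphrase its notes.
"""
from dataclasses import dataclass

# Subset of the permission names listed in the table above. "Manage Applications"
# is included because the table names it as a prerequisite for three others.
ALL_PERMISSIONS = [
    "Create Teams", "Edit Teams", "Delete Teams",
    "Create Applications", "Edit Applications", "Delete Applications", "Manage Applications",
    "Manage Scan Agents", "Upload Scans", "Delete Scans",
    "Comment on Vulnerabilities", "Modify Vulnerabilities",
    "Manage Defect Trackers", "Submit Defects", "Manage Tags", "Generate Reports",
    "Manage Users", "Manage API Keys", "Manage Roles", "Manage System Settings",
    "Configure Remote Providers", "Manage Remote Providers", "Manage Groups", "View Error Logs",
]

# Table notes: the page is only reachable when the permission is granted globally.
GLOBAL_ONLY = {
    "Configure Remote Providers": "Remote Providers page",
    "Manage Remote Providers": "Remote Providers page",
    "View Error Logs": "Error Messages page",
}

# Table note: must be global for any user whose API key configures scanagent.jar.
SCAN_AGENT_PERM = "Manage Scan Agents"

# Table notes: "User must have 'Manage Applications' permission to ..." assign the
# defect tracker or tags the granted permission operates on.
REQUIRES = {
    "Submit Defects": "Manage Applications",
    "Manage Defect Trackers": "Manage Applications",
    "Manage Tags": "Manage Applications",
}

# Constructed review policy (not from the page): a role that can both define roles
# and assign them to users or groups can widen its own access; flag for review.
ESCALATION_PAIRS = (("Manage Roles", "Manage Users"), ("Manage Roles", "Manage Groups"))


@dataclass(frozen=True)
class RoleGrant:
    """A role as assigned: its permission set and whether the grant is global."""
    role: str
    permissions: frozenset
    is_global: bool  # True for a Global assignment, False for team/application scope


def build_role(all_permissions, deny):
    """'Select All, then toggle off': start broad and remove the denied permissions."""
    unknown = set(deny) - set(all_permissions)
    if unknown:
        raise ValueError(f"unknown permissions in deny list: {sorted(unknown)}")
    return frozenset(all_permissions) - frozenset(deny)


def lint(grant):
    """Return (kind, message) findings; an empty list means no documented conflict."""
    findings = []
    perms = grant.permissions
    if not grant.is_global:
        for perm, page in sorted(GLOBAL_ONLY.items()):
            if perm in perms:
                findings.append(("error", f"{perm!r} granted at team/app scope in {grant.role!r}; "
                                          f"the {page} requires a global grant"))
        if SCAN_AGENT_PERM in perms:
            findings.append(("warn", f"{SCAN_AGENT_PERM!r} in {grant.role!r} is not global; a user "
                                     "whose API key configures scanagent.jar needs it globally"))
    for perm, needed in sorted(REQUIRES.items()):
        if perm in perms and needed not in perms:
            findings.append(("warn", f"{perm!r} granted without {needed!r} in {grant.role!r}"))
    for a, b in ESCALATION_PAIRS:
        if a in perms and b in perms:
            findings.append(("review", f"{a!r} together with {b!r} in {grant.role!r}: "
                                       "holder can change their own permissions"))
    return findings


# The Quality Assurance example from the text: broad role minus user/group/system management.
QA_DENY = ["Manage Users", "Manage Groups", "Manage Roles", "Manage System Settings"]


def qa_role():
    return build_role(ALL_PERMISSIONS, QA_DENY)


if __name__ == "__main__":
    for grant in (RoleGrant("QA", qa_role(), True),
                  RoleGrant("QA", qa_role(), False),
                  RoleGrant("Everything", frozenset(ALL_PERMISSIONS), True)):
        print(f"{grant.role} (global={grant.is_global}):")
        for kind, msg in lint(grant) or [("ok", "no documented conflicts")]:
            print(f"  [{kind}] {msg}")
```

Run stand-alone it reports the same QA role as clean when assigned globally and as conflicting when assigned at team scope, which is the point: the same checkbox set behaves differently depending on where under Identity Management it is attached.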