As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.
Manage Users 3.X
You will learn
How to create users, manage user role permissions, groups, application roles, and team roles. Additionally how to create per-user API keys, set per-user notification settings, view user activity history, import LDAP users and prune LDAP users.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: N/A
This is the landing page for user administration in ThreadFix. ThreadFix will display a searchable list of existing users. Clicking on a user’s name will display the User Details for that user. This view allows an administrator to create and edit users in a single-user or small-team environment, applying necessary roles and permissions while creating the user.
In larger environments, it is advisable to leverage the role-based access control system to assign permissions by using multiple roles and team permissions.
To configure per-team and per-application permissions for an LDAP or SAML user prior to their first login, create a ThreadFix user corresponding with their LDAP or SAML username and add them to the desired group(s) and/or role(s).
Create a New User
To create a new user, click on Global from the Navigation sidebar, then click on Administration to access the Identity Management page.
From within the Manage Users tab on the Identity Management page, click the Create button.
If Local is selected for the User Type provide a Username, Display Name, and Password. For SAML or LDAP user types, simply provide a Username and Display Name. When the relevant information has been entered, click the Create User button.
LDAP and SAML users do not have to be created in this way as they will have accounts with the default permission set as described in the System Settings guide. The only reason to create an LDAP or SAML user explicitly in this way is to provide that user account with a different permission set from the default permissions for that authentication mechanism. In that case, the Username field must contain the exact username as their LDAP or SAML user account.
User Details
The details for the created user are now viewable. At the top of the list, under User Details, are the user name and display name information that was entered. Beneath those fields, a drop-down list option sets the Global Role for this user. The default global role for a newly created user allows for no access to the system ("No Global Access").
Select a role for the new user from the Global Role drop-down list, and click the Save Changes button.
Any role selected as the Global Role will provide the access specified in that role across the entire ThreadFix application. The pre-defined roles available in ThreadFix are:
User: The User role is intended to be modified by the ThreadFix Administrator to tailor the role permissions to meet the needs of a given project. The default permissions for this role are quite limited.
Administrator: All system functionality is accessible. This is the default role in a single-user ThreadFix installation.
Both of these roles are modifiable by a ThreadFix user with appropriate permissions. There are also two constants in the system. Although they appear in the Global Role drop-down list, their permissions are not modifiable. They are:
No Global Access: All system functionality is restricted.
Read Access: System is available to display data, but modifications to the system (e.g., uploading a scan) are restricted.
API Keys
This section allows for the generation of a per-user API key. The API key provides authentication when a user is working with ThreadFix from the command-line and in other instances where the ThreadFix API comes into play, such as any plug-ins that require API access. ThreadFix uses the user’s assigned roles to authorize actions for the key.
To create an API key, click the Add New Key button.
A modal will appear, allowing the addition of notes to the key. These notes are comments that appear along with the key in the API Keys list. Click the Create Key button, the system will generate a new key.
Clicking the Edit/Delete button allows for deleting the key, or editing its notes.
Groups
User Groups
The Groups section will display any groups in which the user is a member.
To add the currently displayed user to a group, click in the text entry field and begin to type a group name. The field will display a drop-down list of the groups available to this user. Select a group name from the drop-down list, and click Add Group. ThreadFix will add the group name to the group list.
If desired, to remove the user from a group click the Remove button. The system will prompt to confirm the action and remove the name from the list.
Pen Test Teams
The Pen Test Teams section will display any groups in which the user is a member.
To add the currently displayed user to a Pen Test Team, click in the text entry field and begin to type a Pen Test Team name. The field will display a drop-down list of the Pen Test Teams available to this user. Select a name from the drop-down list, and click Add Pen Test Team. ThreadFix will add the name to the Pen Test Team list.
If desired, to remove the user from a group click the Remove button. The system will prompt to confirm the action and remove the name from the list.
User History
The History section is a log of the user’s activity. The view presented here differs from the global history view, this is a record of this particular user’s activity. Only the teams, applications and scans that the user has permissions for will appear here.
Team Roles
Roles are a predefined set of permissions, applied to users at the System, Team, Group and Application levels. This role-based access control system provides tremendous flexibility and fine-grained control over the management of applications. Adding a Team Role for a user makes the user a member of that team and defines the actions that the user is authorized to perform within that team’s context.
To add a Team Role to this user, click the Add Team Role button. This opens a modal dialog.
Choose the desired team from the drop-down menu, and then select the team role to assign to the user. Click the Save Map button, and the new team role will be displayed under the section:
In the following example the user has the User role for Document Example Team’s applications and has the Administrator role. By creating multiple, tiered roles for users, groups, and teams, ThreadFix can be customized to meet the needs of any remediation or secure development project.
Application Roles
Application Roles are the application-level permissions assigned to users working with a particular application. Assigning an Application Role to a user is similar to adding a Team Role.
First, click the Add Application Role button. This brings up a modal dialog.
Select the team that contains the application in which a user will be given a role. When the team is selected, the list of applications updates to show only the applications associated with that team.
Click the Save Map button. This closes the modal and adds the Application Role to the user’s details.
Notification Settings
Notifications are real-time events reported by the system, letting users and administrators see what other users are doing. The available toggle options next to each action dictate whether that particular action generates a notification to the user. The ThreadFix role-based authentication controls govern the display of Notifications, so only the teams, groups, and applications the user has permissions for will appear in the list.
Notifications appear in a drop-down list accessed from the main navigation:
The Notification Settings area of the user’s details provides a mechanism for limiting the display of notifications for that user. ThreadFix displays all notifications by default, but custom notifications can be set for each user. The events that trigger notifications by category are:
Event Notification Triggers |
---|
Application Notifications:
|
Vulnerability Notifications
|
Defect Notifications
|
Policy Notifications
|
To turn off a notification, click the Off button next to the name of the notification.
When finished with modifications of the user’s notification options, click the Save Notification Settings button to save changes to the user’s account.
ThreadFix displays a success message at the top of the interface.
In order for users to view event notifications, they must have the 'Manage Audit History' permission at the global, team or app level. They will see event notifications specific to the scope of their permission.
Import LDAP Users
The Import LDAP Users button allows importing of all LDAP users who are members of the Search Base defined in the LDAP Settings and optionally import all groups they belong to.
To import all LDAP users, click the Import LDAP Users button. After clicking the button, the Import LDAP Users modal will appear.
Choose the domain, if there is more than one, and whether or not to import all of the LDAP groups the users belong to. Then click the Import LDAP Users button.
ThreadFix will import the LDAP users, their groups if selected, and the page will refresh to show the newly-added users.
Prune LDAP Users
The Prune LDAP Users button allows deleting ThreadFix users who meet either of the following conditions:
Their account has been deleted from the LDAP server.
Their account is no longer within the currently configured Search Base, whether they were moved to another Organization Unit on the LDAP server, or the Search Base was changed.
To delete users that meet either condition, click the Prune LDAP Users button.
Select the domain from the drop-down list.
Click the OK button when prompted to confirm or Cancel if if not ready.
A green banner will indicate the number of deleted users if the OK button was clicked.
*Note, in the event there are no LDAP users to delete, a banner informing this result will display. As seen below:
Table of Contents
- 1 You will learn
- 1.1 Prerequisites
- 1.2 Create a New User
- 1.2.1 User Details
- 1.3 API Keys
- 1.4 Groups
- 1.4.1 User Groups
- 1.4.2 Pen Test Teams
- 1.5 User History
- 1.6 Team Roles
- 1.7 Application Roles
- 1.8 Notification Settings
- 1.9 Import LDAP Users
- 1.10 Prune LDAP Users
- 2 Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.