As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Manage Users

You will learn

How to create users and manage user role permissions, groups, application roles, and team roles. You will also learn how to create per-user API keys, set per-user notification settings, view user activity history, import LDAP users, and prune LDAP users.

Prerequisites

Audience: IT Professional or End User
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: N/A

 

This is the landing page for User Administration in ThreadFix. ThreadFix will display a searchable list of existing ThreadFix users. Clicking on a user’s name will display the User Details for that user. This view allows an administrator to create and edit users in a single-user or small team environment, applying necessary roles and permissions while creating the user. In larger environments, it is advisable to leverage the role-based access control system to assign permissions, by using multiple roles and team permissions.

Create a New User

To create a new user, click the Create User button in the left column. This will bring up a modal dialog. If you select Local for the User Type, you must provide a Username and Password (12-character minimum, alphanumeric and symbol characters allowed). For SAML or LDAP user types, you simply need to provide a Username and Display Name.

LDAP and SAML users do not have to be created in this way, as they will have accounts with the default permission set as described here. The only reason to create an LDAP or SAML user explicitly in this way is to provide that user account with a different permission set from the default permissions for that authentication mechanism. In that case, the Username field must exactly match the username of their LDAP or SAML user account.

User Details

You are now able to view the details for the user you just created. At the top of the list, under User Details, are the user name and display name information that you just entered. Beneath those fields, a dropdown sets the Global Role for this user. The default global role for a newly created user allows for no access to the system ("No Global Access"). Select a role for your new user from the Global Role dropdown, and click the Save Changes button.

 

Any role selected as the Global Role will provide the access specified in that role across the entire ThreadFix application.  The pre-defined roles available in ThreadFix are:

  • User: The User role is intended to be modified by the ThreadFix Administrator to tailor the role permissions to meet the needs of a given project. The default permissions for this role are quite limited.

  • Administrator: All system functionality is accessible. This is the default role in a single-user ThreadFix installation.

Both of these roles are modifiable by a ThreadFix user with appropriate permissions.

There are also two constants in the system. Although they appear in the Global Role dropdown, their permissions are not modifiable. They are:

  • No Global Access: All system functionality is restricted.

  • Read Access: System is available to display data, but modifications to the system (e.g., uploading a scan) are restricted.

API Keys

This section allows for the generation of a per-user API key. The API key provides authentication when a user is working with ThreadFix from the command line and in other instances where the ThreadFix API comes into play, such as scripting and any plug-ins that require API access. ThreadFix uses the user’s assigned roles to authorize actions for the key. To create an API key, click the Add New Key button.



A dialog will appear, allowing you to add notes to the key. These notes are comments that appear along with the key in the API Keys list. Click the Create Key button, and the system will generate a new key.

 

You can delete the key, or edit its notes, by clicking the Edit/Delete button.

Groups

This section will display any groups in which the user is a member. To add the currently displayed user to a group, click in the text entry field and begin to type a group name. The field will display a drop-down menu of the groups available to this user. Select a group name from the drop-down menu, and click Add Group.

ThreadFix will add the group name to the group list. To remove the user from a group, click the Remove button. The system will prompt you to confirm the action, and remove the group name from the list.

 

Pen Test Teams

The Pen Test Teams section will display any groups in which the user is a member.

To add the currently displayed user to a Pen Test Team, click in the text entry field and begin to type a Pen Test Team name. The field will display a drop-down list of the Pen Test Teams available to this user. Select a name from the drop-down list, and click Add Pen Test Team. ThreadFix will add the name to the Pen Test Team list.

To remove the user from a group, click the Remove button. The system will prompt you to confirm the action and then remove the name from the list.

History

The History section is a log of the user’s activity. The view presented here differs from the global history view in that this view is a record of this particular user’s activity. Only the teams, applications and scans that the user has permissions for will appear here.

Login History

The Login History section is a log of when the selected user has logged into ThreadFix, showing the user's name along with the date and time of each login. This view differs from the global history view in that it is specific to the user that you have selected.


 

The Login History records can be limited by number or set to unlimited in System Settings under Login Settings, Limit Login Records. More information about Login Settings can be found here.

Team Roles

Roles are a predefined set of permissions, applied to users at the System, Team, Group and Application levels. This role-based access control system provides tremendous flexibility and fine-grained control over the management of your applications. Adding a Team Role for a user makes the user a member of that team and defines the actions that the user is authorized to perform within that team’s context.


To add a Team Role to this user, click the Add Team Role button. This opens a modal dialog. Choose the team from the dropdown menu, and then select the team role you would like to assign to your user.


Click Save Map, and the new team role will be displayed under the section.

In this example, the user has the User role for DG Test Team’s applications, but has the Administrator role for applications that are under DG Test Team 2. By creating multiple, tiered roles for your users, groups and teams, you can customize ThreadFix to meet the needs of any remediation or secure development project.

Application Roles

Application Roles are the application-level permissions assigned to users working with a particular application. Assigning an Application Role to a user is like adding a Team Role. First, click the Add Application Role button.

This brings up a modal dialog. Select the team that contains the application in which you are giving this user a role. When you select the team, the list of applications updates to show only the applications that are associated with that team.

Click Save Map. This closes the modal and adds the Application Role to the user’s details.


Notification Settings

Notifications are real-time events reported by the system, letting users and administrators see what other users are doing. The available toggle options next to each action dictate whether that particular action generates a notification to the user.


The ThreadFix role-based access controls govern the display of Notifications, so only the teams, groups, and applications the user has permissions for will appear in the list.

The Notification Settings area of the user’s details provides a mechanism for limiting the display of notifications for that user. ThreadFix displays all notifications by default, but custom notifications can be set for each user. The events that trigger notifications are:

  • Application Notifications

    • Create, Edit, Delete, Set Tags, Upload Scan, Delete Scan

  • Vulnerability Notifications

    • Open Vulnerability From Scan Deletion, Create Vulnerability From Scan Upload, Create Vulnerability Manually, Close Vulnerability From Findings Merge, Close Vulnerability From Scan Deletion, Close Vulnerability From Scan Upload, Close Vulnerability Manually, Reopen Vulnerability From Scan Upload, Reopen Vulnerability Manually, Mark Vulnerability False Positive, Unmark Vulnerability False Positive, Create Vulnerability Comment, Other Vulnerability

  • Defect Notifications

    • Submit Defect, Update Defect Status, Close Defect, Appeared in Scan After Defect Closed

  • Policy Notifications

    • Policy Failing, Policy Passing

To turn off a notification, just click the Off button next to the name of the notification.

When you are finished with modifications of the user’s notifications, click the Save Notification Settings button to save your changes to the user’s account.

In order for users to view event notifications, they must have the 'Manage Audit History' permission at the global, team or app level (they will see event notifications specific to the scope of their permission).

Import LDAP Users

As of version 2.8.2, disabled LDAP accounts will not be imported into ThreadFix's user list.

The Import LDAP Users button allows you to import all LDAP users who are members of the Search Base that you have defined in the LDAP Settings. You can also, optionally, import all the groups they belong to.

After clicking the button, you will be presented with the Import LDAP Users modal. Choose the domain, if you have more than one, and whether or not you also want to import all of the LDAP groups that the users belong to, then click the blue Import LDAP Users button.

ThreadFix will import the LDAP users (and their groups, if selected), and the page will refresh to show the newly-added users.

Prune LDAP Users

As of version 2.8.2, disabled LDAP accounts will also be removed from ThreadFix's user list. In earlier versions, they will persist.

The Prune LDAP Users button allows you to delete ThreadFix users who meet any of the following conditions:

  1. Their account has been deleted from the LDAP server.

  2. Their account is no longer within the currently configured Search Base, whether they were moved to another OU on the LDAP server or you changed your Search Base.

  3. Their account is disabled (as of version 2.8.2).

 

After clicking the button:

  1. Select the domain from the drop-down menu.

  2. Click OK when prompted to confirm (or Cancel if you change your mind).

  3. A green banner will indicate the number of deleted users (if you clicked OK).
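
A dry run of the three prune conditions above, as an added example that is not ThreadFix code: it reports which ThreadFix users a prune would delete, and why, before anything is removed. The directory snapshot, user names, Search Base and the AD-style userAccountControl disabled bit are assumptions constructed for the illustration; prune_disabled=False models versions before 2.8.2.

```python
# Added example, not ThreadFix code. All names and entries are constructed.
ACCOUNTDISABLE = 0x2  # assumption: AD-style userAccountControl "disabled" bit


def split_dn(dn):
    """Split a DN into normalized RDNs; a backslash-escaped comma is data."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\") and not escaped
    rdns.append(cur)
    return ["=".join(p.strip() for p in r.split("=", 1)).lower()
            for r in rdns if r.strip()]


def in_search_base(dn, base):
    """True when the DN sits at or below the Search Base (component-wise)."""
    rdns, b = split_dn(dn), split_dn(base)
    return rdns[len(rdns) - len(b):] == b


def prune_candidates(users, directory, search_base, prune_disabled=True):
    """Map each ThreadFix LDAP user that a prune would delete to the reason."""
    out = {}
    for name in users:
        entry = directory.get(name.lower())
        if entry is None:
            out[name] = "deleted from LDAP server"
        elif not in_search_base(entry["dn"], search_base):
            out[name] = "outside Search Base"
        elif prune_disabled and entry["uac"] & ACCOUNTDISABLE:
            out[name] = "disabled"
    return out


SEARCH_BASE = "OU=AppSec,DC=example,DC=com"  # constructed
DIRECTORY = {  # constructed snapshot of the whole directory, keyed by username
    "alice": {"dn": "CN=Alice,OU=AppSec,DC=example,DC=com", "uac": 0x200},
    "bob": {"dn": "CN=Bob,OU=Sales,DC=example,DC=com", "uac": 0x200},
    "carol": {"dn": "CN=Carol,OU=AppSec,DC=example,DC=com", "uac": 0x202},
    # OU name contains an escaped comma; a plain string suffix test is fooled.
    "erin": {"dn": r"CN=Erin,OU=Temp\,OU=AppSec,DC=example,DC=com", "uac": 0x200},
}
USERS = ["alice", "bob", "carol", "dave", "erin"]  # ThreadFix LDAP users

if __name__ == "__main__":
    for user, reason in prune_candidates(USERS, DIRECTORY, SEARCH_BASE).items():
        print(f"{user}: {reason}")
```

Comparing this list with the count in the green banner after a real prune is a quick way to confirm that a Search Base change did not remove more accounts than intended.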
