As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Manage Roles

You will learn

How to create and edit user roles, assigning roles to users or groups, and what each user Role Permission enables.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

Roles are pre-defined permission sets, used to authorize user actions in the ThreadFix system. ThreadFix comes with two built-in roles, User and Administrator.

  • The User role, by default, is granted no specific permissions. However, any user/group that is granted this (or any other) role at the global/team/application level will have at least read access from that level downward. I.e., at minimum, they'll be able to view vulnerability details from the allocated level downward, plus whatever other permissions you enable for the role.

  • The default Administrator role has permissions for all actions in the system. (Note: For default LDAP/SAML role information, see here)

There are also two constants in the system, which, although not technically roles, appear in the Global Role dropdowns on both the User Details and Group Details pages. These are No Global Access and Read Access. These constants can be applied to a user to block them from actions in the system or provide read-only access to the system.

In a single-user or small-team environment, users can start working within ThreadFix right away. This is because the default account for a new installation has the Administrator role already. This is why it is important to replace the installation account with your own, with the Administrator role.

In a larger enterprise environment, an administrator can leverage Roles and Groups to create a fine-grained permissions model for their vulnerability management effort.

  • Users/groups without any global, team, or application role at all can only authenticate to the system.

  • Permissions in ThreadFix are additive, so the highest-level permission granted to a user applies to all functions a user might access in ThreadFix. This grants the ThreadFix administrator a remarkable degree of flexibility in the authorization of users for specific tasks. This should be kept in mind when defining roles and groups.
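The level-based, additive model described in the two bullets above, as an added illustration (this is not ThreadFix code; the Grants structure, the function names and the "View Vulnerabilities" name used for the implicit read access are assumptions for this example, while the role and constant names come from this page):

```python
# Illustrative model of ThreadFix role resolution as described on this page.
# Not ThreadFix code: data structures, function names and the READ label are
# assumptions; the role/constant names ("Administrator", "User", "No Global
# Access", "Read Access", the "QA" example) are the page's.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

READ = "View Vulnerabilities"   # implicit read access carried by any role grant

# Roles are named permission sets: the two built-ins plus the page's "QA" example.
ROLES: Dict[str, Set[str]] = {
    "Administrator": {"*"},      # all actions in the system
    "User": set(),               # no specific permissions by default
    "QA": {"Comment on Vulnerabilities", "Update Vulnerability Verified Status"},
}

@dataclass
class Grants:
    """Role grants for one user or group at the three levels."""
    global_role: Optional[str] = None                      # role, "Read Access", "No Global Access" or None
    team_roles: Dict[str, str] = field(default_factory=dict)                # team -> role
    app_roles: Dict[Tuple[str, str], str] = field(default_factory=dict)     # (team, app) -> role

def _perms(role: Optional[str]) -> Set[str]:
    """Permissions a single grant confers at its level (including implicit read)."""
    if role is None or role == "No Global Access":
        return set()
    if role == "Read Access":
        return {READ}
    return ROLES[role] | {READ}

def effective_permissions(g: Grants, team: str, app: str) -> Set[str]:
    """Additive union of the global grant, the team grant and the application
    grant that cover this (team, app); each grant applies from its level downward."""
    result = _perms(g.global_role)
    result |= _perms(g.team_roles.get(team))
    result |= _perms(g.app_roles.get((team, app)))
    return result

def allowed(g: Grants, team: str, app: str, permission: str) -> bool:
    perms = effective_permissions(g, team, app)
    return "*" in perms or permission in perms

def can_only_authenticate(g: Grants) -> bool:
    """No global, team or application grant: the account can log in and nothing else."""
    return not _perms(g.global_role) and not g.team_roles and not g.app_roles
```

The check worth running when designing roles is the negative one: a team-level grant must not leak read access into other teams, and a "No Global Access" constant must not remove what a team grant adds.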

Create New Roles

  1. To edit or create roles, click Global from the Navigation sidebar, then click Identity Management and select the Manage Roles tab. The only roles shown in a new installation will be Administrator and User. To create a new role, click the Create button.

  2. A modal dialog appears with a place to name your new role. In the example, we have given the role the name "QA". Now, click on each permission you wish to grant or remove. For limited roles, you can use the Select None button as a starting point, and then grant the desired permissions. Likewise, for a role with broad permissions, you can use the Select All button, and then toggle off the permissions you do not wish to grant to that role. For a Quality Assurance role, you might want to disallow user and group management, global system management and other permissions that your QA user won’t need.


  3. To finish, click the Create Role button. Your role will appear in the Role List and a success message displayed.

Editing Roles

To edit a role, first select the role from the Role List. This will expose the Role Details. The permissions list appears as it did in the creation dialog.

Toggle the permissions that you wish to grant to or remove from the role and click the Save Changes button. ThreadFix stores the edited role and displays a success message.

Assigning Roles to Users or Groups

The Manage Roles tab also allows you to assign roles to users and/or groups. Type the name of the user/group in the respective field, select the desired user/group, and click the Add User or Add Group button, as applicable. When finished, remember to click the Save Changes button.

Role Permission Details

Below is a summary of what each of the role permissions enables in ThreadFix, as grouped within the UI:

Teams and Applications

Create Teams

Allows user to create or delete teams.

Edit Teams

Allows user to edit teams.

Delete Teams

Allows user to delete teams.

Create Applications

Allows user to add applications to teams.

Edit Applications

Allows user to edit details and add documents to existing applications.

Allows user to change the following properties of the application:

  • URL

  • Unique ID

  • Assigned Team

  • Criticality

  • Application Type

  • Tag

  • Designated WAF

  • Designated Defect Tracker

  • Vulnerability Merging

Delete Applications

Allows user to delete applications.

Manage Files for Applications

Allows user to add files to applications.

Manage Application Versions

Allows user to create, edit, or delete ThreadFix application versions.

Submit Service Requests

Allows a user to create a service request with Denim Group to perform an application scan and audit for an application.

Scans

Manage Scan Agents

Allows user to create and modify configurations for scan agents such as Security AppScan Standard, Burp Suite, and OWASP Zed Attack Proxy. Also allows user to initiate or schedule scans and to modify scans they have already scheduled. This permission must also be granted globally for any user whose API key will be used to configure the scanagent.jar.

Upload Scans

Allows user to upload scans from scan agents into ThreadFix for vulnerability tracking and reporting.

Delete Scans

Allows user to delete scans in ThreadFix.

Manage Remote Provider Scans

Allows user to orchestrate Remote Provider scans.

Manage FPR Filter Templates

Allows user to set and delete a global FPR filter template.

Manage Scan Metadata Keys

Allows user to set keys allowed for Scan Metadata.

Manage Scan Metadata

Allows user to set Metadata on Scans.

Manage Pen Test Findings

Allows user to create, edit, and delete Pen Test Findings for any Pen Test Team they belong to.

Manage Pen Tests

Allows user to start or finalize and submit Pen Tests for any Pen Test Teams they belong to.

Delete Pen Tests

Allows user to delete or cancel Pen Tests for any Pen Test Teams they belong to.

Vulnerabilities

Comment on Vulnerabilities

Allows user to submit comments on vulnerabilities.

Attach Documents To Vulnerabilities

Allows user to upload and attach documents to vulnerabilities.

Modify Vulnerabilities

Allows user to close vulnerabilities.

Manage Vulnerability Types

Allows user to create or edit filters for sorting vulnerabilities.

Update Vulnerability Exploitable Status

Allows user to mark or unmark vulnerabilities as exploitable.

Update Vulnerability False Positive Status

Allows user to mark or unmark vulnerabilities as false positives.

Update Vulnerability Contested Status

Allows user to mark or unmark vulnerabilities as contested.

Update Vulnerability Verified Status

Allows user to mark or unmark vulnerabilities as verified.

Tag Vulnerabilities

Allows user to add or remove tags from vulnerabilities.

Defect Trackers

Manage Defect Trackers

Allows user to create new defect tracker configurations or edit existing configurations. This permission is not required to submit vulnerabilities to an application's designated defect tracker. User must have "Manage Applications" permission to designate a defect tracker for an application.

Submit Defects

Allows user to submit bugs to the defect tracker assigned to an application. User must have "Edit Applications" permission to assign a defect tracker to an application.

Manage GRC Tools

Allows user to create and edit GRC (Governance, Risk, and Compliance) Tools.

Reporting

Manage Tags

Allows user to create or edit tags for categorizing applications. User must have "Manage Applications" permission to assign tags to an application.

Generate Reports

Allows user to view graphs and reports summarizing vulnerability information and to export those reports as PDF, PNG, or CSV files.

Generate Report Files

Allows user to export reports.

Manage Email Reports

Allows user to manage and schedule email reports.

Manage Policies

Allows user to create or delete policies and attach them to applications, as well as configure notifications and email alerts that are triggered when a policy’s status changes.

Requires a user to have Global Read Access at a minimum to manage policies on the following pages:

  • Application Details Page

  • Policies Page

  • Tag Details Page

  • Team Details Page

Update Statistics

Allows user to update application, team, and global statistics.

Manage CI/CD

Allows user to access the CI/CD Policies page to manage pass criteria and automated defect reporting.

  • If a user has the Manage Policies permission and Manage CI/CD permission, they will be able to see the Filter Policies, Pass Criteria, Defect Reporters, and Time to Remediate Policies tabs

  • If a user has the Manage Policies permission but NOT Manage CI/CD permission, they will only be able to see the Time to Remediate Policies tab

  • If the user only has Manage CI/CD permission but not Manage Policies permission then they have no access to manage policies at all

  • To see the Pass Criteria and Defect Reporters tabs, the user needs both the Manage CI/CD permission and the Manage Policies permission; in that case they see all four tabs.

Administration

Manage Users

Allows user to edit display name, password, role, and permissions for all users. Also allows user to create new user profiles.

Manage API Keys

Allows user to create and manage API keys for interfacing with ThreadFix.

Create API Keys *

Allows user to create their own API keys for interfacing with ThreadFix.

  • New in 2.8.3; in earlier versions all users can create their own key.

Manage Roles

Allows user to designate permissions for new roles and to modify the permissions for existing roles.

Manage System Settings

Allows user to modify System Settings for ThreadFix. This includes altering LDAP settings, proxy settings, session timeout, dashboard settings, and customizing displayed reports for the application detail page and the team detail page.

Configure Remote Providers

Allows user to create, modify, and delete Remote Provider configurations for importing scans from SaaS platforms such as QualysGuard WAS, Veracode, and WhiteHat Sentinel. (In order to access the Remote Providers page, this permission must be granted at the global level.)

Manage Remote Providers

Allows user to perform the balance of functions for existing Remote Provider integrations, e.g., mapping and/or synchronizing applications, importing scans, etc. (In order to access the Remote Providers page, this permission must be granted at the global level.)

Manage Groups

Allows user to create or delete groups of users, and set roles for those groups.

View Error Logs

Allows user to view error logs generated by ThreadFix in the Settings menu. (In order to access the Error Messages page, this permission must be granted at the global level.)

Manage Audit History

Allows user to access the History page to view events for applications the user has permission to access.

Manage Scan Result Filters

Allows user to change severity or suppress scanner vulnerability types.

Manage Custom CWE Text

Allows user to create custom text entries mapped to CWE definitions.

Manage Metadata Keys

Allows user to create, edit, and disable keys allowed for Scan and Application Metadata.

Manage Pen Test Teams

Allows user to create, edit, and delete Pen Test Teams as well as attach Users and Groups to Pen Test Teams.

WAFs

Manage WAFs

Allows user to create and edit WAFs (Web Application Firewalls). User must have "Manage Applications" permission to assign tags to an application.

Generate WAF Rules

Allows user to create and manage WAFs (Web Application Firewalls). User must have "Manage Applications" permission to designate a WAF for an application.

Queue

Manage Queue

Allows user to cancel queued tasks.

View Queued Items

Allows user to view queued items.

View Processing Queued Items

Allows user to view currently-processing items in the queue.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.