Manage Users 3.X

You will learn

How to create users, manage user role permissions, groups, application roles, and team roles. Additionally, how to create per-user API keys, set per-user notification settings, view user activity history, import LDAP users and prune LDAP users.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: N/A

This is the landing page for user administration in ThreadFix. ThreadFix will display a searchable list of existing users. Clicking on a user’s name will display the User Details for that user. This view allows an administrator to create and edit users in a single-user or small-team environment, applying necessary roles and permissions while creating the user.

In larger environments, it is advisable to leverage the role-based access control system to assign permissions by using multiple roles and team permissions.

To configure per-team and per-application permissions for an LDAP or SAML user prior to their first login, create a ThreadFix user corresponding with their LDAP or SAML username and add them to the desired group(s) and/or role(s).

Create a New User

  1. To create a new user, click on Global from the Navigation sidebar, then click on Administration to access the Identity Management page.

  2. From within the Manage Users tab on the Identity Management page, click the Create button.

     

  3. If Local is selected for the User Type, provide a Username, Display Name, and Password. For SAML or LDAP user types, simply provide a Username and Display Name. When the relevant information has been entered, click the Create User button.

     

LDAP and SAML users do not have to be created in this way, because on first login they receive the default permission set for that authentication mechanism, as described in the System Settings guide. The only reason to create an LDAP or SAML user explicitly is to give that account a permission set that differs from the default for its authentication mechanism. In that case, the Username field must contain exactly the username of their LDAP or SAML account; if it does not match, the pre-created ThreadFix user is never associated with the account that logs in, and that account falls back to the default permissions.

User Details

The details for the created user are now viewable. At the top of the list, under User Details, are the user name and display name information that was entered. Beneath those fields, a drop-down list option sets the Global Role for this user. The default global role for a newly created user allows for no access to the system ("No Global Access").

Select a role for the new user from the Global Role drop-down list, and click the Save Changes button.


Any role selected as the Global Role will provide the access specified in that role across the entire ThreadFix application. The pre-defined roles available in ThreadFix are:

  • User: The User role is intended to be modified by the ThreadFix Administrator to tailor the role permissions to meet the needs of a given project. The default permissions for this role are quite limited.

  • Administrator: All system functionality is accessible. This is the default role in a single-user ThreadFix installation.

Both of these roles are modifiable by a ThreadFix user with appropriate permissions. There are also two constants in the system. Although they appear in the Global Role drop-down list, their permissions are not modifiable. They are:

  • No Global Access: All system functionality is restricted.

  • Read Access: System is available to display data, but modifications to the system (e.g., uploading a scan) are restricted.

 

Roles are pre-defined permission sets, used to authorize user actions in the ThreadFix system. ThreadFix comes with two built-in roles, User and Administrator.

  • The User role, by default, is granted no specific permissions. However, any user or group that is granted this (or any other) role at the global, team or application level has at least read access from that level downward: at minimum they can view vulnerability details from the assigned level downward, plus whatever other permissions are enabled for the role.

  • The default Administrator role has permissions for all actions in the system. Note: For default LDAP/SAML role information, see the System Settings page.

There are also two constants in the system, which, although not technically roles, appear in the Global Role drop-down lists on both the User Details and Group Details pages. These are No Global Access and Read Access. These constants can be applied to a user to block them from actions in the system or provide read-only access to the system.

In a single-user or small-team environment, users can start working within ThreadFix right away, because the default account created at installation already holds the Administrator role. It is important to replace that installation account with a named user account that has been given the Administrator role, so that the shared default credential is not left in day-to-day use.

In a larger enterprise environment, an administrator can leverage Roles and Groups to create a fine-grained permissions model for their vulnerability management effort.

API Keys

This section allows for the generation of a per-user API key. The API key provides authentication when a user is working with ThreadFix from the command line and in other instances where the ThreadFix API comes into play, such as any plug-ins that require API access. ThreadFix uses the user's assigned roles to authorize actions for the key, so the key carries every permission the user has. Treat it like that user's password: keep it in a secrets store rather than in scripts or plug-in configuration files, and delete keys that are no longer used.

  1. To create an API key, click the Add New Key button.

  2. A modal will appear, allowing the addition of notes to the key. These notes are comments that appear along with the key in the API Keys list. Click the Create Key button and the system will generate a new key.


    Clicking the Edit/Delete button allows for deleting the key, or editing its notes.

Groups

User Groups

The Groups section will display any groups in which the user is a member.

  1. To add the currently displayed user to a group, click in the text entry field and begin to type a group name. The field will display a drop-down list of the groups available to this user. Select a group name from the drop-down list, and click Add Group. ThreadFix will add the group name to the group list.

     

  2. If desired, to remove the user from a group click the Remove button. The system will prompt to confirm the action and remove the name from the list.

Pen Test Teams

The Pen Test Teams section will display any Pen Test Teams in which the user is a member.

  1. To add the currently displayed user to a Pen Test Team, click in the text entry field and begin to type a Pen Test Team name. The field will display a drop-down list of the Pen Test Teams available to this user. Select a name from the drop-down list, and click Add Pen Test Team. ThreadFix will add the name to the Pen Test Team list.

     

  2. If desired, to remove the user from a Pen Test Team click the Remove button. The system will prompt to confirm the action and remove the name from the list.

User History

The History section is a log of the user's activity. Unlike the global history view, it is a record of this particular user's actions only. Only the teams, applications and scans that the user has permissions for will appear here.

Team Roles

Roles are a predefined set of permissions, applied to users and groups at the global, team and application levels. This role-based access control system provides fine-grained control over who can do what within each application. Adding a Team Role for a user makes the user a member of that team and defines the actions that the user is authorized to perform within that team's context, including on the applications the team contains.

  1. To add a Team Role to this user, click the Add Team Role button. This opens a modal dialog.

     

  2. Choose the desired team from the drop-down menu, and then select the team role to assign to the user. Click the Save Map button, and the new team role will be displayed in the Team Roles section.

In the following example the user holds the User role for the Document Example Team's applications in addition to the Administrator role. By creating multiple, tiered roles for users, groups, and teams, ThreadFix's permissions can be tailored to the needs of any remediation or secure development project.

Application Roles

Application Roles are the application-level permissions assigned to users working with a particular application. Assigning an Application Role to a user is similar to adding a Team Role.

  1. First, click the Add Application Role button. This brings up a modal dialog.

     

  2. Select the team that contains the application in which the user will be given a role. When the team is selected, the list of applications updates to show only the applications associated with that team. Select the application, then select the role to assign to the user for that application.

     

  3. Click the Save Map button. This closes the modal and adds the Application Role to the user’s details.
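The tiered model described in the Roles, Team Roles and Application Roles sections, as an added illustrative model in Python. This is not ThreadFix code: ThreadFix's actual permission names and its internal resolution logic are not shown on this page, so the permission strings (upload_scan, manage_users, manage_teams) and the rule that an application role only applies within the team that contains the application are assumptions for the example. What it reproduces from the page is that any real role grants at least view access from its scope downward, that global permissions reach every team and application, and that No Global Access and Read Access are fixed constants rather than editable roles.

```python
"""Illustrative model of ThreadFix-style tiered roles.

Added example, not ThreadFix code. Assumptions: a role is a named set of
permission strings (the names below are placeholders), a user holds at most
one role per scope, and "No Global Access" / "Read Access" are the two fixed
constants described on this page.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Drop-down constants: selectable as a Global Role but not editable roles.
NO_GLOBAL_ACCESS = "No Global Access"
READ_ACCESS = "Read Access"

# Implicit permission: every real role grants at least view access from the
# scope it is assigned at, downward.
VIEW = "view"

# Editable roles. Permission names are assumed placeholders, not ThreadFix's.
ROLES: dict[str, frozenset[str]] = {
    "User": frozenset(),  # default User role: no specific permissions
    "Administrator": frozenset({"upload_scan", "manage_users", "manage_teams"}),
}


@dataclass
class User:
    name: str
    global_role: str = NO_GLOBAL_ACCESS  # default for a newly created user
    team_roles: dict[str, str] = field(default_factory=dict)  # team -> role
    # application -> (owning team, role); an application role lives inside one team
    app_roles: dict[str, tuple[str, str]] = field(default_factory=dict)


def permissions_of(role: str) -> frozenset[str]:
    """Expand a role name or drop-down constant into the permissions it grants."""
    if role == NO_GLOBAL_ACCESS:
        return frozenset()
    if role == READ_ACCESS:
        return frozenset({VIEW})
    if role not in ROLES:
        raise KeyError(f"unknown role {role!r}")
    return ROLES[role] | {VIEW}


def effective_permissions(user: User, team: str, app: str | None = None) -> frozenset[str]:
    """Union of what reaches (team, app) from global, team and application scope.

    Global permissions flow down to every team and application; a team role
    flows down to that team's applications; an application role applies only
    to the one application, and only if it belongs to the named team.
    """
    perms = permissions_of(user.global_role)
    if team in user.team_roles:
        perms |= permissions_of(user.team_roles[team])
    if app is not None and app in user.app_roles:
        owning_team, role = user.app_roles[app]
        if owning_team == team:
            perms |= permissions_of(role)
    return perms


def can(user: User, perm: str, team: str, app: str | None = None) -> bool:
    """Authorization check: is perm among the user's effective permissions there?"""
    return perm in effective_permissions(user, team, app)


if __name__ == "__main__":
    # Constructed scenario: no global access, User on one team, Administrator
    # on one of that team's applications.
    alice = User(
        "alice",
        team_roles={"Document Example Team": "User"},
        app_roles={"Payments": ("Document Example Team", "Administrator")},
    )
    print(sorted(effective_permissions(alice, "Document Example Team")))  # ['view']
    print(sorted(effective_permissions(alice, "Document Example Team", "Payments")))
    # ['manage_teams', 'manage_users', 'upload_scan', 'view']
    print(sorted(effective_permissions(alice, "Other Team")))  # []
```

The union across scopes is what makes the tiering work: a team role can only add to what the global role already grants, never take it away, so a user who needs the Administrator role on one application should be left at No Global Access (the default) and given the role at application scope only.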

Notification Settings

Notifications are real-time events reported by the system, letting users and administrators see what other users are doing. The toggle next to each action dictates whether that particular action generates a notification to the user. The ThreadFix role-based access controls govern the display of Notifications, so only the teams, groups, and applications the user has permissions for will appear in the list.

 

Notifications appear in a drop-down list accessed from the main navigation:

The Notification Settings area of the user’s details provides a mechanism for limiting the display of notifications for that user. ThreadFix displays all notifications by default, but custom notifications can be set for each user. The events that trigger notifications by category are:

Event Notification Triggers

Application Notifications:

  • Create

  • Edit

  • Delete

  • Set Tags

  • Upload Scan

  • Delete Scan

Vulnerability Notifications

  • Open Vulnerability From Scan Deletion

  • Create Vulnerability From Scan Upload

  • Create Vulnerability Manually

  • Close Vulnerability From Findings Merge

  • Close Vulnerability From Scan Deletion

  • Close Vulnerability From Scan Upload

  • Close Vulnerability Manually

  • Reopen Vulnerability From Scan Upload

  • Reopen Vulnerability Manually

  • Mark Vulnerability False Positive

  • Unmark Vulnerability False Positive

  • Create Vulnerability Comment

  • Other Vulnerability

Defect Notifications

  • Submit Defect

  • Update Defect Status

  • Close Defect

  • Appeared in Scan After Defect Closed

Policy Notifications

  • Policy Failing

  • Policy Passing

 

  1. To turn off a notification, click the Off button next to the name of the notification.

     

  2. When finished with modifications of the user’s notification options, click the Save Notification Settings button to save changes to the user’s account.

  3. ThreadFix displays a success message at the top of the interface.

In order for users to view event notifications, they must have the 'Manage Audit History' permission at the global, team or app level. They will see event notifications specific to the scope of their permission.

Import LDAP Users

The Import LDAP Users button imports all LDAP users located within the Search Base defined in the LDAP Settings and, optionally, all of the groups they belong to.

  1. To import all LDAP users, click the Import LDAP Users button. After clicking the button, the Import LDAP Users modal will appear.

     

  2. Choose the domain, if there is more than one, and whether or not to import all of the LDAP groups the users belong to. Then click the Import LDAP Users button.

     

     

  3. ThreadFix will import the LDAP users, their groups if selected, and the page will refresh to show the newly-added users.

Prune LDAP Users

The Prune LDAP Users button allows deleting ThreadFix users who meet either of the following conditions:

  • Their account has been deleted from the LDAP server.

  • Their account is no longer within the currently configured Search Base, either because the account was moved to another Organizational Unit on the LDAP server or because the Search Base itself was changed.

Because the second condition is evaluated against whatever Search Base is currently set in LDAP Settings, confirm that value before pruning: a narrowed or mistyped Search Base will delete ThreadFix users whose LDAP accounts still exist.

  1. To delete users that meet either condition, click the Prune LDAP Users button.

  2. Select the domain from the drop-down list.

  3. Click the OK button when prompted to confirm, or Cancel if not ready.

  4. A green banner will indicate the number of deleted users if the OK button was clicked.

    Note: if there are no LDAP users to delete, a banner stating that result is displayed instead.
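The two prune conditions above, as an added Python model that is not ThreadFix code. It simulates the subtree search ThreadFix performs under its Search Base against a constructed directory snapshot and lists the ThreadFix users that the search no longer returns, which covers both a deleted account and an account moved outside the Search Base. The directory entries, login names and Search Base values are constructed sample data, and the assumption that ThreadFix matches on the login name against a subtree search is the example's, not the page's. The DN comparison is done RDN by RDN rather than by string suffix, so an OU whose name merely ends with the Search Base's OU name is not treated as being inside it.

```python
"""Model of the Prune LDAP Users conditions.

Added example, not ThreadFix code. Assumes ThreadFix matches its LDAP users by
login name against a subtree search under the configured Search Base. The
directory below is constructed sample data.
"""
from __future__ import annotations

# Constructed directory snapshot: (login name, distinguished name).
DIRECTORY = [
    ("alice", "cn=alice,ou=users,dc=example,dc=com"),
    ("bob", "cn=bob,ou=contractors,dc=example,dc=com"),  # moved out of ou=users
    ("dave", "cn=dave,ou=xusers,dc=example,dc=com"),  # string-suffix lookalike
]

# ThreadFix users created earlier by Import LDAP Users; carol has since been
# deleted from the directory entirely.
THREADFIX_LDAP_USERS = ["alice", "bob", "carol", "dave"]


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalised (attribute, value) RDNs, left to right.

    Simplified: no escaped commas or multi-valued RDNs. Attribute types are
    case-insensitive (RFC 4512); values are folded too, matching the usual
    directory matching rules for cn/ou/dc.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def within_search_base(dn: str, search_base: str) -> bool:
    """True if dn equals the Search Base or sits beneath it.

    Compares whole RDNs from the right. A plain endswith() test would accept
    'ou=xusers,dc=example,dc=com' as a child of 'ou=users,dc=example,dc=com'.
    """
    dn_rdns, base_rdns = parse_dn(dn), parse_dn(search_base)
    if len(dn_rdns) < len(base_rdns):
        return False
    return dn_rdns[len(dn_rdns) - len(base_rdns):] == base_rdns


def search_under_base(directory, search_base: str) -> set[str]:
    """Logins that a subtree search scoped to search_base would return."""
    return {login for login, dn in directory if within_search_base(dn, search_base)}


def users_to_prune(threadfix_users, directory, search_base: str) -> list[str]:
    """ThreadFix users whose LDAP account is gone or outside the Search Base.

    The search result alone cannot tell the two conditions apart: both kinds
    of account simply fail to appear, so both are pruned.
    """
    found = search_under_base(directory, search_base)
    return sorted(u for u in threadfix_users if u not in found)


if __name__ == "__main__":
    print(users_to_prune(THREADFIX_LDAP_USERS, DIRECTORY, "ou=users,dc=example,dc=com"))
    # ['bob', 'carol', 'dave']
    # Retargeting the Search Base prunes users whose accounts still exist:
    print(users_to_prune(THREADFIX_LDAP_USERS, DIRECTORY, "ou=contractors,dc=example,dc=com"))
    # ['alice', 'carol', 'dave']
```

The second call is the case to check for before clicking Prune LDAP Users: nothing about alice changed in the directory, yet a Search Base pointed at a different OU removes her ThreadFix account along with her roles and API keys.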

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.