User Roles
Purpose
This document describes how to create user roles.
Introduction
The User Roles tab is used to administer user roles. Every user can be given one or several user roles, which determine what actions that user can perform. Assigning multiple user roles to one user allows for further customization of the user's permissions.
Creating Roles
To create a user role:
- Click Main Menu > Settings > Manage User.
- In the Manage User Accounts window, select the User Roles tab and click + New.
- In the Maintaining User Role window, enter a Role Name.
- Select the various boxes to match the role being created.
- Click Save.
Maintaining User Role
Option | Description |
Role name | Every user role needs to have a given name to identify the role. |
Read Only | When this option is enabled, the user is not permitted to make any changes or create anything new. |
LDAP/AD Group (HIAB only) | The LDAP/AD Group field is available if LDAP/AD is enabled on the HIAB. This user role is mapped to the defined role in LDAP/AD when the user logs in. |
Target Management
Option | Description |
Administrate Targets/Target Groups | Allows the user to administrate targets and groups in the Manage Targets view. |
Scan Scheduling
Option | Description |
Administrate Scheduling | Determines if the user can define and set up new scan schedules. |
Force Target Group in Scheduling | Forces the user to use only the already defined groups in the scheduling section. No manual targets can be entered in the targets tab. |
Administrate Scanning Policies | Determines if the user can create, modify and remove scanning policies within the system. |
Stop scans | If the user can administrate scan scheduling, he/she will also be allowed to stop scans when this setting is enabled. |
Reporting Tools
The Reporting Tools field gives a user permission to view the reporting tools. If it is not enabled, the reporting tools are not shown to the user.
Option | Description |
Mark False Positives | Allow the user to mark a finding as a false positive. |
Risk Management | Allow the user to mark vulnerabilities as accepted risks and/or change the risk level for a finding. |
Verify scan | Allow the user to perform verification scans. No scans will be deducted from the license when using this feature. |
Receive Scan Results SMS Notifications | Enable the user to receive scan results as SMS. |
Remove Scan Result | Allow the user to remove reports. |
Receive Scan Results by Email | Enable the user to receive reports by email. |
Access Dashboard | Allow the user to see the Dashboard. |
Compliance Scanning
Note
Compliance Scanning is only visible if it is included in your license.
The Compliance Scan field gives a user permission to view the Compliance scanning module.
If it is not enabled, the module is not shown to the user.
Option | Description |
Create/Edit Policies | Allow the user to Create/Edit policies. |
Mark Exceptions | Allow the user to mark exceptions. |
Answer Question | Allow the user to answer questions. |
Approve Question | Allow the user to approve questions. |
Web Application Scanning
Note
Web Application Scanning is only visible if it is included in your license.
Option | Description |
---|---|
Administrate Scoping | Allow user to administrate Scoping. |
Access Reporting | Allow user to access reporting. |
Remove Scan Results | Allow user to remove Scan results. Access Reporting needs to be selected for this role. |
SWAT
Note
This section is only visible if you have a SWAT license.
Option | Description |
Add Comment | Allows the user role to comment on findings. |
Request Verification | Allows the user role to submit verification requests. |
Discussion | Allows the user role to discuss findings with the Outpost24 support. |
Risk Management | Allows the user role to change risk levels and mark findings as accepted risks. |
Scoping
Note
Outscan only
Option | Description |
---|---|
Submit scoping request | Allows the user role to submit Appsec scoping requests. |
PCI Management
Note
PCI Management is only visible if PCI Compliance scan is included in your license.
Option | Description |
Administrate Scoping | Allow the user to create, modify, or remove any scopes in this module. |
Administrate Scheduling | Allow the user to start and stop PCI scans. |
Access Reporting | Allow the user to view PCI reports. |
Dispute Findings | If the user has Access Reporting, this option allows the user to dispute findings from the report. |
Managed Reports
Note
This section is only visible if you have a Managed Reports license.
Option | Description |
Comment Reports | Allow users to add comments to reports. |
Vulnerability Management
Option | Description |
Comment Vulnerability Database | Allow the user to create and edit comments in the vulnerability database. |
User Management
Option | Description |
Administrate Accounts | Allow the user to administrate accounts. |
Administrate User Roles | Allow the user to administrate user roles. |
Ticket Management
Option | Description |
Manage Tickets | Allow the user to administrate tickets. |
Grant All Tickets | Gives access to all internal tickets (if Manage Tickets is selected). |
Audit Log Management
Option | Description |
Read Audit Logs | The user is able to read the auditing log. |
License
Option | Description |
View License | Allow the user to view the License tab in Main Menu > Settings > Account. |
HIAB Management (HIAB only)
Note
HIAB Management is only visible if it is included in your license.
Option | Description |
Administrate HIAB Server | Allow the user to restart the HIAB and set up HIAB settings such as backup and networking. |
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.