Managing groups

  • Last updated: May 17, 2022

A group is a set of users with a predefined set of roles. Rather than managing every role for each user individually, you can set roles centrally at the group level and assign users to the relevant group accordingly.

Groups can also optionally be restricted to parts of the site tree. Users in the group inherit the permissions that are defined in the assigned roles, subject to any restrictions on sites. Each user can belong to multiple groups, and inherits the roles and permissions resulting from all of the groups to which they belong.

The Groups tab of the Team page shows details of the configured groups, including the group name, user count, and any restrictions on sites.

To delete a group, click the icon to the far right of the screen. Note that you cannot delete the built-in groups.

You can use the New group button to create a new group. By clicking on an existing group, you can view and edit the group name, its assigned roles, users, and any site restrictions that are defined for the group.

Restricting access to sites

Burp Suite Enterprise Edition supports role-based access control (RBAC) to help you restrict access to sensitive data and functionality to only those who need it. The roles assigned to a group allow for vertical segregation of privileges, so that different categories of user can perform different types of action; for example, being able to initiate scans versus being able to view scan results. The ability to place restrictions on sites allows for horizontal segregation of privileges, so that different categories of user can perform the same types of action on different data; for example, being able to initiate scans for some sites versus others.

The primary use case for restrictions on sites is to support teams where different groups of people require access to different parts of an organization's infrastructure. For example:

  • Different people have responsibility for operations, finance, and payroll applications.
  • Different people have access to development, staging, and production systems.
  • Different people handle applications in different geographical regions.

By default, groups have no restrictions on sites. This means that users in a group will have the defined roles in relation to all sites. In the group details, on the Site restrictions tab, you can configure a group to be restricted to certain sites. You can select parts of the site tree to which this group's roles apply. This can be folders or individual sites. Anything not explicitly allowed will be disallowed by default.

Within any folders that you select as allowed, you can deselect specific sites and subfolders that should be disallowed. This enables you to support various situations. For example, you might want to let a group view scan results for everything within the "Production" folder but disallow the "HR" folder beneath that, because its scan results might contain more sensitive information.
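The following is an added model of the access rules described above (default deny once a restriction is set, deselected subfolders beneath an allowed folder, and the union of roles across all of a user's groups); it is illustrative code written for this page, not Burp Suite Enterprise Edition's own implementation, and the group names, role names and site-tree paths are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """A group: a set of roles, optionally restricted to parts of the site tree."""
    name: str
    roles: set[str]
    allowed: set[str] = field(default_factory=set)     # selected folders/sites; empty = unrestricted
    disallowed: set[str] = field(default_factory=set)  # deselected folders/sites beneath allowed ones

def within(path: str, folder: str) -> bool:
    """True if `path` is `folder` itself or lies beneath it in the site tree."""
    return path == folder or path.startswith(folder + "/")

def group_permits(group: Group, site: str) -> bool:
    """Do this group's roles apply to `site`? Default deny once any restriction is set."""
    if not group.allowed:
        return True                        # no restrictions: roles apply to all sites
    if not any(within(site, a) for a in group.allowed):
        return False                       # not explicitly allowed -> disallowed
    return not any(within(site, d) for d in group.disallowed)  # deselected subtree

def effective_roles(user_groups: list[Group], site: str) -> set[str]:
    """Union of roles from every group the user belongs to that permits `site`."""
    roles: set[str] = set()
    for g in user_groups:
        if group_permits(g, site):
            roles |= g.roles
    return roles

# Constructed sample data (role names and paths are illustrative, not Burp's built-ins).
SCANNERS = Group("prod-scanners", {"initiate_scans"},
                 allowed={"Production"}, disallowed={"Production/HR"})
VIEWERS = Group("all-viewers", {"view_scan_results"})   # unrestricted group
ALICE = [SCANNERS, VIEWERS]                              # alice belongs to both groups

if __name__ == "__main__":
    for site in ("Production/Web/shop", "Production/HR/payroll", "Staging/Web/shop"):
        print(f"{site:24} -> {sorted(effective_roles(ALICE, site))}")
```

Running it shows that a user in both groups can initiate scans only on Production sites outside the HR folder, while the unrestricted viewer role applies everywhere.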