The team functionality lets you configure role-based access control (RBAC) for users of the application. It can be accessed via the burger menu. The teams page contains tabs for users, groups, and roles:
The users tab of the team page shows details of the configured users, including name, email, and whether they are an API user.
The filter bar lets you show or hide users based on particular features; for example, only showing users who are locked out, or who have never logged in.
Hovering the mouse over a user shows contextual options for that user, such as disabling or deleting the user.
You can use the "New user" button to create a new user. You will need to specify:
When a new user is created, they will receive an email inviting them to complete the registration process and obtain their password. If you have not yet configured email settings, you will be able to copy a registration link that you can provide to the user.
You can click into a user to view and edit the details of an existing user.
When creating a new user, you can specify whether the user will log in with a password or an API key. API users can be used for integration with other software, such as CI/CD platforms, using the REST API.
A group has a set of roles and users.
Groups can also optionally be restricted to parts of the sites tree. Users in the group will inherit the permissions that are defined in the assigned roles, subject to any restrictions on sites. Each user can belong to multiple groups, and will inherit the union of all the permissions resulting from the groups to which they belong.
Hovering the mouse over a group shows contextual options for that group, such as deleting it.
You can use the "New group" button to create a new group. You can click into a group to view or edit more details, including:
The roles assigned to a group allow for vertical segregation of privileges, so that different categories of user can perform different types of action; for example, being able to initiate scans versus being able to view scan results. The ability to place restrictions on sites allows for horizontal segregation of privileges, so that different categories of user can perform the same types of action on different data; for example, being able to initiate scans for some sites versus others.
The primary use case for restrictions on sites is to support teams where different groups of people require access to different parts of an organization's infrastructure. For example:
By default, groups have no restrictions on sites. This means that users in a group will have the defined roles in relation to all sites. You can configure a group to be restricted to certain sites in the "Site restrictions" tab within the group details view:
The ability to allow a sites tree folder and disallow some items beneath it allows you to support various situations. For example, you might want to let a group view scan results for everything within the "Production" folder but disallow the "HR" folder beneath that, because its scan results might contain more sensitive information.
A role is a set of permissions to perform specific types of action. Roles group together a number of individual permissions that are related or depend upon each other. It is generally useful to define roles that match the actual job functions of people within your team. This facilitates placing users into the right groups in a quick and reliable way.
The roles tab of the team page shows the configured roles.
There are various built-in roles that define common job functions. These cannot be modified. You can create your own custom roles as necessary.
Hovering the mouse over a role shows contextual options for that role, such as deleting it.
You can use the "New role" button to create a new role.
You can click into a role to view details. For custom roles, you can edit the role name and the assigned permissions.
There are dependencies between some permissions. In general, the permission to edit an entity depends on having permission to view the same entity. These dependencies are clearly indicated within the UI for editing permissions: a dependent permission can only be selected once the permission it depends on has been selected.
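The group, site-restriction and permission-dependency rules described above, modelled as an added example in illustrative Python (not the product's own code). The permission names, the representation of site restrictions as sites-tree paths, and the rule that the most specific matching folder decides are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed permission names (not the product's): editing depends on viewing.
DEPENDENCIES = {"edit_scans": {"view_scans"}, "edit_sites": {"view_sites"}}


def missing_dependencies(permissions: set[str]) -> set[str]:
    """Return the permissions a role still needs for its dependencies to hold."""
    missing = set()
    for perm in permissions:
        missing |= DEPENDENCIES.get(perm, set()) - permissions
    return missing


@dataclass
class Group:
    roles: list[set[str]]  # each role is its set of permission names
    # sites-tree path -> True (allowed) or False (disallowed); empty = unrestricted
    site_restrictions: dict[str, bool] = field(default_factory=dict)

    def covers(self, site_path: str) -> bool:
        """Does this group's restriction list grant access to site_path?
        The most specific (longest) matching folder decides, so a disallowed
        "HR" folder beneath an allowed "Production" folder wins for its contents."""
        if not self.site_restrictions:
            return True
        best = None
        for path, allowed in self.site_restrictions.items():
            folder = path.rstrip("/") + "/"
            if site_path == path or site_path.startswith(folder):
                if best is None or len(path) > len(best[0]):
                    best = (path, allowed)
        return best is not None and best[1]


def effective_permissions(groups: list[Group], site_path: str) -> set[str]:
    """Union of the roles of every group whose restrictions cover site_path."""
    perms: set[str] = set()
    for group in groups:
        if group.covers(site_path):
            for role in group.roles:
                perms |= role
    return perms


# Constructed sample: a viewer group limited to Production minus its HR folder,
# and a scan-operator group limited to Staging.
VIEWER = {"view_scans"}
SCAN_OPERATOR = {"view_scans", "start_scans"}
PROD_VIEWERS = Group([VIEWER], {"/Production": True, "/Production/HR": False})
STAGING_OPERATORS = Group([SCAN_OPERATOR], {"/Staging": True})
```

A user in both sample groups can view scan results under Production except HR, and can start and view scans under Staging, because the groups' permissions are unioned only where each group's site restrictions apply.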