Role-based Access Control (RBAC) for InsightAppSec
Admin Access Required
Managing which users can access what data is one element of a strong security program. Administrators often need to separate apps between teams so that users from a team can access apps approved for their team only. To enforce this type of application isolation, you can configure individual and user group access at the feature and app levels. By using groups and roles, you can scale your application security program without manually assigning individual users to individual apps, or giving too much access to too many users.
InsightAppSec and Platform admins can customize and manage user roles and access at the feature-level with Role-based access control (RBAC) in the Insight Platform. To get started with RBAC for InsightAppSec, we offer managed user roles so that you can assign feature-level to your users and user groups.
Access Levels
Users have diverse needs for the data and functionality of features. Though many users may need access to a feature, they may only need to view data or add comments.
To help you refine user roles, each feature has at least one of the following access levels:
- Administer. Full access to the feature, including add, edit, delete, and other privileges.
- View and Change. Access to view and make changes (add, edit, delete) to the data for that feature.
- View. Access to view, but not edit, data.
InsightAppSec User Roles
To better protect your data, create multiple user roles with specific permissions based on the different tasks users perform in their roles.
We provide the following user roles that you can copy or update to fit your needs:
- App Owner. Set up apps and configure settings within the app, but has lesser privileges to scan configurations and vulnerabilities.
- Scan Manager. Create scan configs and run scans, but not view and change apps or vulnerabilities.
- Remediator. Fix, manage, and replay attacks on vulnerabilities within apps they can access, but not manage apps or scans.
User Roles and Default Feature Access
The following table shows the default access permission at the feature-level for each user role.
| Feature | App Owner | Scan Manager | Remediator |
|---|---|---|---|
| Apps | View and Change | View | None |
| Dashboards | View and Change | View and Change | None |
| Scans | View | View and Change | None |
| Scan Configs | View | View and Change | None |
| Attack Templates | None | View and Change | None |
| Engines | View and Change | None | None |
| Engine Groups | View | None | None |
| Files | View and Change | View and Change | None |
| Schedules | View | View and Change | None |
| Tags | View and Change | None | None |
| Targets | View | View | None |
| Users | View | None | None |
| User Groups | View | None | None |
| App Blackouts | View and Change | View and Change | None |
| Global Blackouts | View | View | None |
| Vulnerabilities | View | View | View and Change |
| Vulnerability Severity | View | View | None |
| Vulnerability Comments | View and Change | None | View and Change |
| Vulnerability Export | View and Change | None | None |
| PDF Reports | View | View and Change | None |
| Executive Reports | View and Change | None | None |
Feature-Level Access Details
You can customize roles by setting additional permissions at the feature level for apps, scans, vulnerabilities, and administrative tasks.
Expand each high-level feature to view specific features and their descriptions.
Apps
By default, InsightAppSec admins have access to all app functionality, but not all app data. App-level data access can be assigned from the Insight Platform and InsightAppSec.
App Access
In order to access and interact with other features within apps, the user must have access to that app.
The following app features and data can be configured for user access.
| Feature | Access Name | Description |
|---|---|---|
| Applications | IAS APPS | Access to the Apps page. |
| App Files | IAS FILES | Add and manage files required to successfully scan an app. For example, apps that are hard to crawl can use Macro, Traffic, and Selenium or other supported files to help with scanning and crawling. |
| Tags | IAS TAGS | Create and manage tags from the tag management area, the all apps page, or individual apps. |
| Targets | IAS TARGETS | Create and manage allowlisted targets. |
| Users | IAS USERS | Depending on platform access, assign apps to individual users within InsightAppSec. |
| Groups | IAS USER GROUPS | Assign apps to user groups within InsightAppSec. In InsightAppSec, you can add a new or existing app to user groups that were created in the platform. |
| Reports | IAS REPORTS | Sets which users can create and manage reports. Use the following custom feature roles to set access for exporting reports by report type: - IAS PDF REPORTS - IAS VULNERABILITY EXPORT - IAS EXECUTIVE REPORT |
| Executive reports | IAS EXECUTIVE REPORT | View and create reports. You must also have view and change access to IAS PDF REPORT. |
| Vulnerability export | IAS VULNERABILITY EXPORT | Export vulnerabilities to Jira or ServiceNow. |
| PDF Reports | IAS PDF REPORT | Ability to generate scan reports. |
Scans
The following scan and scan config features and data can be configured for user access.
| Feature | Access Name | Description |
|---|---|---|
| Scans | IAS SCANS | Access the scan activity from all or individual apps. |
| Scan Configs | IAS SCAN CONFIGS | Create and manage scan configs for an individual app. The following additional feature permissions are required to manage scan configs: - Schedules - Targets - Attack templates |
| Attack Templates | IAS ATTACK TEMPLATES | Create and manage the Attack Templates of any app . |
| Engines | IAS ENGINES | Create and manage on-premise engines that aren't accessible from the internet. |
| Engine Groups | IAS ENGINE GROUPS | Create and manage engine groups. Group scan engines with similar network configurations together to use for scanning a web application. |
| Schedules | IAS SCHEDULES | Create and manage scan schedules. |
| Blackouts | IAS BLACKOUTS | Create and manage the scan blackouts for an app. |
| Organization-wide Blackouts | IAS BLACKOUTS ORG | Create and manage blackouts for an entire org. |
Vulnerabilities
The following vulnerability and reporting features and data can be configured for user access.
| Feature | Access Name | Description |
|---|---|---|
| Vulnerabilities | IAS VULNERABILITIES | Interact with vulnerabilities from the Vulnerabilities list, within an app, or within a scan. |
| Vulnerability Comments | IAS VULNERABILITY COMMENTS | Sets which users can interact with vulnerability comments from the vulnerability details screen. |
| Vulnerability Severity | IAS VULNERABILITIES SEVERITY | Change the severity assigned to a vulnerability. |
Administrative
| Feature | Access Name | Description |
|---|---|---|
| Dashboards | IAS DASHBOARDS | View and add dashboards and cards with organizational data. *The card data available is dependent on the apps that user has been assigned. |
| Integration connections | IAS INTEGRATION CONNECTIONS | Create and manage integration Server Connections. |
| Integration configuration | IAS INTEGRATION CONFIGURATIONS | Create and manage individual integration configurations. |
App-level access
Network administrators often need to segregate apps between teams so that users from a team can access apps approved for their team only. To enforce this type of application isolation, you can configure user access at the app level. Administrators can manage user access for all apps.
Configure access to a new app
To configure user access to a new app, navigate to the “Users” screen of the “Add App” wizard and select the users that should have access to the app. Users assigned to that app will now be able to see it in the “Apps” screen and will have the level of access available to their user role.
Configure access to an existing app
- To configure user access to an existing app, navigate to the “Apps” screen and click the name of the app you want to configure.
- On the app page, click the Manage App button on the upper right side of the screen.
- On the Manage App panel, in the “Manage Users” tab, select the users that should have access to this app, and click the Save button. Users assigned to that app will now be able to see it in the “Apps” screen and will have the level of access available to their user role.
User group-level access
You can grant or restrict user groups access to individual or all apps. If you restrict access to an app group, every app current or future apps created within the group is automatically restricted. Users are only given access to the apps you select within an app group. When you select some and not all of the apps within a group, users will not have access to any additional apps added to the group in the future.
Manage Role Conflicts
RBAC functionality makes user management more flexible, but the freedom to assign multiple roles to users and leverage user groups may result in permissions conflicts. Platform Admins can resolve permission conflicts by reviewing the cause of the conflict and adjusting permissions as needed by editing the individual user’s permissions, a user role, or the groups a user is assigned to. For more information, view Resolve Permission Conflicts in the Insight Platform documentation.
Do you have questions?
Check out our FAQ for InsightAppSec RBAC.