FAQ: RBAC for InsightAppSec
You have questions. We have answers. If your question isn't answered below, contact your Rapid7 CSM.
RBAC for InsightAppSec Rollout
What's new for InsightAppSec customers?
The following table compares the legacy InsightAppSec roles with the new RBAC for InsightAppSec roles.
Feature | Legacy InsightAppSec roles | New RBAC for InsightAppSec roles |
---|---|---|
Pre-built Roles | 3 access-level roles | 4 task-level roles |
Granular access to data | Manage individual access to apps | Centrally manage access to apps |
User Groups | Not supported | Supported |
Custom roles | Not supported | Granular permissions |
Centralized user management | Not supported | Supported using the Insight Platform |
When will new RBAC be available in my InsightAppSec environment?
We are taking a phased approach and the new functionality will be available starting mid-October 2021. You will be notified via e-mails and in-product notifications prior to and during the change.
When will other products leverage RBAC?
As new RBAC capability becomes available to other Rapid7 products, customers will be notified. Contact your CSM for more information.
What happens to my existing roles and permissions?
Your existing roles carry over to the new RBAC; only the permission names change, as described in the following table.
InsightAppSec roles | RBAC permissions |
---|---|
Administer | Admin |
Read_Only | View |
View_And_Change | View and Change |
Manage | View and Change |
No Access | None |
Do I need to do anything after the new RBAC capability is rolled out to my environment?
No, your users will continue to have the same access they had previously. We recommend creating custom access roles or assigning the pre-built ones with RBAC, then adding users to groups that carry those access roles.
Access roles
Are there any new pre-built roles?
Yes. We provide the following user roles that you can copy or update to fit your needs:
- App Owner. Sets up apps and configures settings within the app, but has reduced privileges for scan configurations and vulnerabilities.
- Scan Manager. Creates scan configs and runs scans, but cannot view or change apps or vulnerabilities.
- Remediator. Fixes, manages, and replays attacks on vulnerabilities within the apps they can access, but cannot manage apps or scans.
What is the default feature access for the pre-built roles?
The following table shows the default access permission at the feature level for each user role.
Feature | App Owner | Scan Manager | Remediator |
---|---|---|---|
Apps | View and Change | View | None |
Dashboards | View and Change | View and Change | None |
Scans | View | View and Change | None |
Scan Configs | View | View and Change | None |
Attack Templates | None | View and Change | None |
Engines | View and Change | None | None |
Engine Groups | View | None | None |
Files | View and Change | View and Change | None |
Schedules | View | View and Change | None |
Tags | View and Change | None | None |
Targets | View | View | None |
Users | View | None | None |
User Groups | View | None | None |
App Blackouts | View and Change | View and Change | None |
Global Blackouts | View | View | None |
Vulnerabilities | View | View | View and Change |
Vulnerability Severity | View | View | None |
Vulnerability Comments | View and Change | None | View and Change |
Jira Export | View and Change | None | None |
PDF Reports | View | View and Change | None |
Executive Reports | View and Change | None | None |
If a user has two roles, which permissions do they get?
To best protect your data, RBAC follows the principle of least privilege. For more information, see Resolve permission conflicts.
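As an added example (not Rapid7's code), the following Python encodes a subset of the pre-built role table above and merges the permissions of a user who holds several roles. It assumes that "least privilege" means the most restrictive level wins where roles disagree; the linked Resolve permission conflicts page is authoritative, and the `most_restrictive` flag shows what a most-permissive merge would grant instead for comparison.

```python
# Permission levels, least to most privileged, as named on this page.
LEVELS = ["None", "View", "View and Change", "Admin"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Subset of the default feature-access table: (App Owner, Scan Manager, Remediator).
ROLES = ("App Owner", "Scan Manager", "Remediator")
ROLE_MATRIX = {
    "Apps":                   ("View and Change", "View", "None"),
    "Scans":                  ("View", "View and Change", "None"),
    "Scan Configs":           ("View", "View and Change", "None"),
    "Attack Templates":       ("None", "View and Change", "None"),
    "Engines":                ("View and Change", "None", "None"),
    "Vulnerabilities":        ("View", "View", "View and Change"),
    "Vulnerability Comments": ("View and Change", "None", "View and Change"),
    "Jira Export":            ("View and Change", "None", "None"),
}


def level_for(role, feature):
    """Default permission a single pre-built role has on one feature."""
    return ROLE_MATRIX[feature][ROLES.index(role)]


def effective_permissions(assigned_roles, most_restrictive=True):
    """Per-feature permission for a user holding several roles at once.

    Assumption: 'least privilege' means the most restrictive level wins where
    the roles disagree. most_restrictive=False computes the most permissive
    merge instead, so the two rules can be compared side by side.
    """
    pick = min if most_restrictive else max
    return {
        feature: pick((level_for(r, feature) for r in assigned_roles), key=RANK.get)
        for feature in ROLE_MATRIX
    }


def conflicts(assigned_roles):
    """Features on which the assigned roles disagree, i.e. where the merge rule matters."""
    return sorted(f for f in ROLE_MATRIX
                  if len({level_for(r, f) for r in assigned_roles}) > 1)


def allows(assigned_roles, feature, required):
    """True if the merged permission meets the level an action requires."""
    return RANK[effective_permissions(assigned_roles)[feature]] >= RANK[required]
```

Running `conflicts` over a planned group membership before assigning it shows which features the merge rule will silently reduce, which is the check to make before reporting "no change in access" to users.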