FAQ: RBAC for InsightAppSec

You have questions. We have answers. If your question isn't answered by the following questions, contact your Rapid7 CSM.

RBAC for InsightAppSec Rollout

What's new for InsightAppSec customers?

The following table describes what each role becomes after migration.

FeatureLegacy InsightAppSec rolesNew RBAC for InsightAppSec roles
Pre-built Roles3 access-level roles4 task-level roles
Granular access to dataManage individual access to appsCentrally manage access to apps
User GroupsNot supportedSupported
Custom rolesNot supportedGranular permissions
Centralized user managementNot supportedSupported using the Insight Platform
When will new RBAC be available in my InsightAppSec environment?

We are taking a phased approach and the new functionality will be available starting mid-October 2021. You will be notified via e-mails and in-product notifications prior to and during the change.

When will other products leverage RBAC?

As new RBAC capability becomes available to other Rapid7 products, customers will be notified. Contact your CSM for more information.

What happens to my existing roles and permissions?

Your existing roles will exist in the New RBAC along with updated naming for permissions as described in the table below.

InsightAppSec rolesRBAC permissions
View_And_ChangeView and Change
ManageView and Change
No AccessNone
Do I need to do anything after the new RBAC capability is rolled out to my environment?

No, your users will continue to have the same access they did previously. We recommend creating custom or assigning access roles with RBAC, then adding users to groups with those access role permissions.

Access roles

Are there any new pre-built roles?

Yes. We provide the following user roles that you can copy or update to fit your needs:

  • App Owner. Set up apps and configure settings within the app, but has lesser privileges to scan configurations and vulnerabilities.
  • Scan Manager. Create scan configs and run scans, but not view and change apps or vulnerabilities.
  • Remediator. Fix, manage, and replay attacks on vulnerabilities within apps they can access, but not manage apps or scans.
What is the default feature access for the pre-built roles?

The following table shows the default access permission at the feature-level for each user role.

FeatureApp OwnerScan ManagerRemediator
AppsView and ChangeViewNone
DashboardsView and ChangeView and ChangeNone
ScansViewView and ChangeNone
Scan ConfigsViewView and ChangeNone
Attack TemplatesNoneView and ChangeNone
EnginesView and ChangeNoneNone
Engine GroupsViewNoneNone
FilesView and ChangeView and ChangeNone
SchedulesViewView and ChangeNone
TagsView and ChangeNoneNone
User GroupsViewNoneNone
App BlackoutsView and ChangeView and ChangeNone
Global BlackoutsViewViewNone
VulnerabilitiesViewViewView and Change
Vulnerability SeverityViewViewNone
Vulnerability CommentsView and ChangeNoneView and Change
Jira ExportView and ChangeNoneNone
PDF ReportsViewView and ChangeNone
Executive ReportsView and ChangeNoneNone
If a user has two roles, which permissions do they get?

To best protect your data, RBAC follows the principle of least privilege. For more information, see Resolve permission conflicts.