Role-based Access Control (RBAC) for InsightAppSec

Admin Access Required

Managing which users can access what data is one element of a strong security program. Administrators often need to separate apps between teams so that users from a team can access apps approved for their team only. To enforce this type of application isolation, you can configure individual and user group access at the feature and app levels. By using groups and roles, you can scale your application security program without manually assigning individual users to individual apps, or giving too much access to too many users.

InsightAppSec and Platform admins can customize and manage user roles and access at the feature level with Role-based access control (RBAC) in the Insight Platform. To get started with RBAC for InsightAppSec, we offer managed user roles so that you can assign feature-level access to your users and user groups.

Access Levels

Users have diverse needs for the data and functionality of features. Though many users may need access to a feature, they may only need to view data or add comments.

To help you refine user roles, each feature has at least one of the following access levels:

  • Administer. Full access to the feature, including add, edit, delete, and other privileges.
  • View and Change. Access to view and make changes (add, edit, delete) to the data for that feature.
  • View. Access to view, but not edit, data.

InsightAppSec User Roles

To better protect your data, create multiple user roles with specific permissions based on the different tasks users perform in their roles.

We provide the following user roles that you can copy or update to fit your needs:

  • App Owner. Sets up apps and configures settings within an app, but has fewer privileges for scan configs and vulnerabilities.
  • Scan Manager. Creates scan configs and runs scans, but cannot view and change apps or vulnerabilities.
  • Remediator. Fixes, manages, and replays attacks on vulnerabilities within apps they can access, but cannot manage apps or scans.

User Roles and Default Feature Access

The following table shows the default access permission at the feature level for each user role.

Feature | App Owner | Scan Manager | Remediator
--- | --- | --- | ---
Apps | View and Change | View | None
Dashboards | View and Change | View and Change | None
Scans | View | View and Change | None
Scan Configs | View | View and Change | None
Attack Templates | None | View and Change | None
Engines | View and Change | None | None
Engine Groups | View | None | None
Files | View and Change | View and Change | None
Schedules | View | View and Change | None
Tags | View and Change | None | None
Targets | View | View | None
Users | View | None | None
User Groups | View | None | None
App Blackouts | View and Change | View and Change | None
Global Blackouts | View | View | None
Vulnerabilities | View | View | View and Change
Vulnerability Severity | View | View | None
Vulnerability Comments | View and Change | None | View and Change
Jira Export | View and Change | None | None
PDF Reports | View | View and Change | None
Executive Reports | View and Change | None | None

Feature-Level Access Details

You can customize roles by setting additional permissions at the feature level for apps, scans, vulnerabilities, and administrative tasks.

Each high-level feature below lists its specific features and their descriptions.

Apps

By default, InsightAppSec admins have access to all app functionality, but not all app data. App-level data access can be assigned from the Insight Platform and InsightAppSec.

App Access

In order to access and interact with other features within apps, the user must have access to that app.

The following app features and data can be configured for user access.

Feature | Access Name | Description
--- | --- | ---
Applications | IAS APPS | Access to the All Apps page.
App Files | IAS FILES | Add and manage files required to successfully scan an app. For example, apps that are hard to crawl can use Macro, Traffic, Selenium, or other supported files to help with scanning and crawling.
Tags | IAS TAGS | Create and manage tags from the tag management area, the All Apps page, or individual apps.
Targets | IAS TARGETS | Create and manage allowlisted targets.
Users | IAS USERS | Depending on platform access, assign apps to individual users within InsightAppSec.
Groups | IAS USER GROUPS | Assign apps to user groups within InsightAppSec. In InsightAppSec, you can add a new or existing app to user groups that were created in the platform.
Reports | IAS REPORTS | Sets which users can create and manage reports. Use the following custom feature roles to set access for exporting reports by report type: IAS PDF REPORTS, IAS JIRA EXPORT, IAS EXECUTIVE REPORTS.
Executive reports | IAS EXECUTIVE REPORTS | View and create reports. You must also have View and Change access to IAS PDF REPORT.
Jira export | IAS JIRA EXPORT | Export vulnerabilities to Jira.
PDF Reports | IAS PDF REPORT | Ability to generate scan reports.

Scans

The following scan and scan config features and data can be configured for user access.

Feature | Access Name | Description
--- | --- | ---
Scans | IAS SCANS | Access the scan activity from all or individual apps.
Scan Configs | IAS SCAN CONFIGS | Create and manage scan configs for an individual app. The following additional feature permissions are required to manage scan configs: Schedules, Targets, Attack Templates.
Attack Templates | IAS ATTACK TEMPLATES | Create and manage the attack templates of any app.
Engines | IAS ENGINES | Create and manage on-premise engines that aren't accessible from the internet.
Engine Groups | IAS ENGINE GROUPS | Create and manage engine groups. Group scan engines with similar network configurations together to use for scanning a web application.
Schedules | IAS SCHEDULES | Create and manage scan schedules.
Blackouts | IAS BLACKOUTS | Create and manage the scan blackouts for an app.
Organization-wide Blackouts | IAS BLACKOUTS ORG | Create and manage blackouts for an entire org.

Vulnerabilities

The following vulnerability and reporting features and data can be configured for user access.

Feature | Access Name | Description
--- | --- | ---
Vulnerabilities | IAS VULNERABILITIES | Interact with vulnerabilities from the All Vulnerabilities list, within an app, or within a scan.
Vulnerability Comments | IAS VULNERABILITY COMMENTS | Sets which users can interact with vulnerability comments from the vulnerability details screen.
Vulnerability Severity | IAS VULNERABILITIES SEVERITY | Change the severity assigned to a vulnerability.

Administrative

Feature | Access Name | Description
--- | --- | ---
Dashboards | IAS DASHBOARDS | View and add dashboards and cards with organizational data. The card data available depends on the apps the user has been assigned.
Integration connections | IAS INTEGRATION CONNECTIONS | Create and manage integration server connections.
Integration configuration | IAS INTEGRATION CONFIGURATIONS | Create and manage individual integration configurations.

App-level access

Network administrators often need to segregate apps between teams so that users from a team can access apps approved for their team only. To enforce this type of application isolation, you can configure user access at the app level. Administrators can manage user access for all apps.

Configure access to a new app

To configure user access to a new app, navigate to the “Users” screen of the “Add App” wizard and select the users that should have access to the app. Users assigned to that app will now be able to see it in the “Apps” screen and will have the level of access available to their user role.

Configure access to an existing app
  1. To configure user access to an existing app, navigate to the “Apps” screen and click the name of the app you want to configure.
  2. On the app page, click the Manage App button on the upper right side of the screen.
  3. On the Manage App panel, in the “Manage Users” tab, select the users that should have access to this app, and click the Save button. Users assigned to that app will now be able to see it in the “Apps” screen and will have the level of access available to their user role.

User group-level access

You can grant or restrict user group access to individual apps or to all apps. If you restrict access to an app group, every current and future app created within that group is automatically restricted. Users are given access only to the apps you select within an app group. When you select some but not all of the apps within a group, users will not have access to any additional apps added to the group in the future.
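The app-scope rules above (a user sees an app only when assigned to it directly or through a user group, and an explicit subset selection does not extend to apps added to the group later), combined with the feature levels from the default role table, as an added Python audit model; this is not Rapid7's code or API. The "most permissive role level wins" merge rule is an assumption made to show the worst case, and role disagreements are flagged separately for admin review, as the Manage Role Conflicts section advises.

```python
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["None", "View", "View and Change", "Administer"]  # least to most privileged

# Subset of the page's default feature access for the managed roles.
ROLE_FEATURE_ACCESS = {
    "App Owner":    {"Apps": "View and Change", "Scans": "View", "Vulnerabilities": "View"},
    "Scan Manager": {"Apps": "View", "Scans": "View and Change", "Vulnerabilities": "View"},
    "Remediator":   {"Apps": "None", "Scans": "None", "Vulnerabilities": "View and Change"},
}

@dataclass
class AppGroup:
    apps: set                 # apps currently in the group (may grow later)

@dataclass
class GroupGrant:
    """A user group's grant on an app group: all apps (incl. future) or an explicit subset."""
    app_group: AppGroup
    selected_apps: Optional[set] = None   # None = every current and future app in the group

    def covers(self, app: str) -> bool:
        if app not in self.app_group.apps:
            return False
        return self.selected_apps is None or app in self.selected_apps

@dataclass
class User:
    roles: list
    apps: set = field(default_factory=set)             # direct app assignments
    group_grants: list = field(default_factory=list)   # via user-group membership

def can_access_app(user: User, app: str) -> bool:
    return app in user.apps or any(g.covers(app) for g in user.group_grants)

def feature_levels(user: User, feature: str) -> dict:
    """Level each assigned role grants for the feature ("None" if the role lacks it)."""
    return {r: ROLE_FEATURE_ACCESS[r].get(feature, "None") for r in user.roles}

def role_conflicts(user: User, feature: str) -> bool:
    """True when the user's roles disagree on a feature: flag it for admin review."""
    return len(set(feature_levels(user, feature).values())) > 1

def effective_access(user: User, app: str, feature: str) -> str:
    """Worst-case audit view: no app access means "None"; otherwise the most permissive
    role level wins (an assumption for auditing, not the platform's actual merge rule)."""
    if not can_access_app(user, app):
        return "None"
    return max(feature_levels(user, feature).values(), key=LEVELS.index)
```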

Manage Role Conflicts

RBAC functionality makes user management more flexible, but the freedom to assign multiple roles to users and leverage user groups may result in permissions conflicts. Platform Admins can resolve permission conflicts by reviewing the cause of the conflict and adjusting permissions as needed by editing the individual user’s permissions, a user role, or the groups a user is assigned to. For more information, view Resolve Permission Conflicts in the Insight Platform documentation.

Do you have questions?

Check out our FAQ for InsightAppSec RBAC.