This guide explains the types of user available within AppCheck, Role-Based Access Control (RBAC), and how to create and configure them.
Creating a New User
To create and manage users, navigate to
- Users
- Enabled Users
Fill in the form with the full name and email address of the new agent. The email address you enter in this form will be their username for accessing the platform.
Types of Role
There are two roles you can assign to agents: Admin and User.
Admin
Admins have full access to all functionality of the scanning platform by default. They can create, modify and delete scans, view all scan results and change the status of vulnerabilities. They can also create new agents and manage them.
Admins can set temporary passwords for other admins and users, reset their 2FA or disable their accounts. To do so, they need to select the Edit option for the agent in question and tick the box for the relevant action:
User
Users have limited access to AppCheck functionality by default. Users can only access scans (and the vulnerabilities belonging to those scans) to which they are expressly given access. Users are given access to scans using User Groups.
User Groups
To create and edit user groups, navigate to
- Users
- Users Groups
The +New User Group button opens the New User Group configuration page. If you need to update an existing User Group, click the pencil icon.
A User Group specifies a number of users (1), a number of scans to which they should have access (2), and the level of access they should have (3):
Access to vulnerabilities is controlled by access to the scans in which they were found.
To see any scans and vulnerabilities, a User must belong to a User Group. Admins cannot be added to User Groups (since they already have full access and would gain nothing from membership).
The permissions selected in the User Group dictate what the selected users can do with the selected scans, with one exception: the Can view all scans permission gives users in the group read-only access to all scans, even those not selected in the group.
A User who is not a member of a User Group, or whose User Group does not have any scans selected and does not have Can view all scans permission, will not have visibility of any scans or vulnerabilities.
In the example above, Louise and Tina are given permission to Run, Pause, Abort and Edit the scans example.com API and example.com www. Because they have the Can view all scans permission, they can view burger.example.com SPA, but cannot perform any other actions on it.
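The access rules described above, as an added worked example that is not AppCheck's own code: a small policy evaluator modelling Admins, User Groups, selected scans, group permissions and the read-only Can view all scans exception. The names, scan titles and permissions are the ones from the example; the data model and the assumption that a selected scan is always viewable by its group are mine.

```python
# Added illustration of the User Group rules in this article (not AppCheck's code).
# Assumed model: users, groups with members/scans/permissions, and a flag for
# "Can view all scans". Viewing a selected scan is assumed to be implied.
from dataclasses import dataclass

VIEW = "View"


@dataclass
class User:
    name: str
    role: str  # "Admin" or "User"


@dataclass
class UserGroup:
    members: set
    scans: set            # scans explicitly selected for this group
    permissions: set      # e.g. {"Run", "Pause", "Abort", "Edit"}
    can_view_all_scans: bool = False


def is_allowed(user, action, scan, groups, all_scans):
    """True if `user` may perform `action` on `scan` under the article's rules."""
    if scan not in all_scans:
        return False
    if user.role == "Admin":
        return True                       # Admins have full access by default
    for g in groups:
        if user.name not in g.members:
            continue
        if scan in g.scans and action in (g.permissions | {VIEW}):
            return True                   # selected scan: group permissions apply
        if g.can_view_all_scans and action == VIEW:
            return True                   # exception: read-only on every scan
    return False                          # no matching group: no visibility


def visible_scans(user, groups, all_scans):
    """Scans the user can see at all (a User outside any group sees nothing)."""
    return {s for s in all_scans if is_allowed(user, VIEW, s, groups, all_scans)}


# Constructed sample data reproducing the article's example.
ALL_SCANS = {"example.com API", "example.com www", "burger.example.com SPA"}
GROUPS = [UserGroup(members={"Louise", "Tina"},
                    scans={"example.com API", "example.com www"},
                    permissions={"Run", "Pause", "Abort", "Edit"},
                    can_view_all_scans=True)]
LOUISE = User("Louise", "User")
NEW_USER = User("Sam", "User")     # constructed: belongs to no group
ADMIN = User("Alex", "Admin")      # constructed: Admin, not in any group
```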