About User Roles
There are five standard roles. Each role is associated with specific privileges. A given user will have a specific role with regard to specific assets that defines what they are able to do with those assets.
Site-related actions are available to Continuous Dynamic Portal users with access to (DAST) sites, application-related actions are available to Portal users with access to (SAST) applications. For a brief summary of assets, applications, and sites, see the introduction to Managing Your Assets.
All user role actions are available only to users who have a role for those assets that gives them those permissions.
Viewer
- View findings for an asset
- View scan history and schedules for an asset or group of assets
- Generate reports
- View a list of assets in a group
- View code bases associated with an asset
- Ask a question about a vulnerability
- Generate an API Key
Dev
Everything available to Viewer role, and also
- Retest vulnerabilities associated with a site asset
- Manage notes on vulnerabilities associated with a site asset
SecOps
Everything available to Dev role, and also
- Add/edit/delete schedules
- Add/edit/delete credentials
SecOps Admin
Everything available to SecOps role, and also
- Add, edit, validate, or delete a codebase associated with an application
Admin
A Sentinel Admin (assigned the Admin role) can do everything available to SecOps Admin role except add applications. (If an Admin user should in addition have the ability to add applications, please contact Black Duck to have that privilege enabled.)
A Sentinel Admin can also
- View the Activity Log tab
- View Action Items
- Add, edit, or delete a group
Additionally, Admins for multi-client customers may be assigned as the Client admin for one or more of the customer’s clients. This enables the admin to do everything available to the Admin role, add applications, and:
- Change client settings (e.g. the rating methodology or scan speed)
- Manage all users, assets, and groups under the client
- Add sites (provided that the Client Admin is also a Primary Customer Contact according to Black Duck’s records)
Glossary for User Roles
Asset: An asset is either a code base pertaining to an application or a running application/website that needs to be tested for vulnerabilities.
Asset Group: An asset group, as the name implies, is a group defined for one or more assets. An asset group defines a subset of assets for a single client and cannot span multiple clients. Multiple asset groups can be defined for each client. There is no concept of a user group in the Portal.
Client: A client defines the boundaries of a set of assets belonging to a single organization or an entity within an organization. Black Duck customers can have one client or multiple clients depending on their needs.
Multi-client Environment: Customers needing to separate and manage assets based on their business entities but having a single buying center to manage their contract with Black Duck would need a multi-client environment within the Portal.
User: A user, when created in the Portal, always has a primary client assigned to them, but no assets and role are assigned by default. A client admin or an admin needs to assign asset(s) or group of assets to the user along with the role to manage those assets. User privileges are defined based on the role assigned to the user. These privileges define the ways the user can act on the assets assigned to the role. Only users assigned the client admin role can see assets without being explicitly assigned to them. Only when assets or a group of assets are assigned along with a role to a user can the user see and act on those assets based on the privileges of the role.
Table 1: User role and privileges table
Role/Privileges | Viewer | Developer | SecOps | SecOps Admin | Admin | Client Admin** |
---|---|---|---|---|---|---|
View assets/groups | X | X | X | X | X | X |
View findings | X | X | X | X | X | X |
View scan history and schedule for assets/groups | X | X | X | X | X | X |
View list of assets in a group | X | X | X | X | X | X |
View code bases of an asset | X | X | X | X | X | X |
Ask a question | X | X | X | X | X | X |
Generate API key | X | X | X | X | X | X |
Retest vuln associated with site assets | | X | X | X | X | X |
Manage notes associated with assets | | X | X | X | X | X |
Add/edit/delete schedules and credentials | | | X | X | X | X |
Add/edit sites | | | | | X* | X* |
Add/edit applications | | | | X | X* | X |
Add/edit/validate/delete application codebases | | | | X | X | X |
Add users and assign roles | | | | | X | X |
Assign assets/groups | | | | | X | X |
Add/edit/delete group | | | | | X | X |
View Action Items sub tab | | | X | X | X | X |
Schedule/edit/cancel BLA | | | | | X | X |
Add/delete AHNs | | | | | X | X |
Download appliance | | | | | X | X |
Add appliance | | | | | | X |
Access to assets across multiple clients | | | | | | X |
View Activity Log sub tab | X | X | X | X | X | X |
Access Admin tab and sub tabs | | | | | X | X |
Risk management: vuln customization at instance level and by defining policy and applying to assets | | | | | X | X |
Appliance management | | | | | X | X |
Account overview | | | | | X | X |
\* Other users need the Can Add Site permission to add new sites. This can be granted by an Admin or Client Admin on the User Management tab, as described in Editing a User.
\** Client Admin is an implicit role such that whenever an admin is assigned one or more clients that admin becomes a client admin.
User Role Use Cases
Single client user having Admin and Developer roles
The Admin logs into the Portal, then goes to the Admin Tab, chooses User Management, and clicks Add User.
The Admin enters a Username/email, First and Last name, and Primary client. If the new user will be a client admin, the Admin selects Client Admin from the drop-down menu. Then the Admin clicks Save.
The User Details page appears, listing all entered information about the new user.
The Admin clicks Edit under the Assigned Roles heading to add roles or make any other changes.
The Edit Role Associations page appears. The Admin must select either Groups of Assets or Individual Assets for which the user will have administrator privileges. Clicking Save assigns the role to the user.
Then the Admin selects Developer from the drop-down role menu. Then the Admin must select either Groups of Assets or Individual Assets for which the user will have Developer privileges. Clicking Save assigns the role to the user. Each time the page is saved, the updated User Details page appears.
In order to assign both groups and individual assets, the Admin assigns one type first, clicks Save, and then assigns the second type and clicks Save again.
The Admin assigns assets to the new user by clicking Edit under Assigned Groups or Assigned Assets. The available groups or assets are displayed in the Available column on the left, and the Admin can assign them to this user by selecting them and moving them (using the right-arrow) to the Selected list. The Admin must click Save to assign those groups or those assets.
Single client user having Admin and SecOpsAdmin roles
The Admin logs into the Portal, then goes to the Admin Tab, chooses User Management, and clicks on Add User.
The Admin enters a Username/email, First and Last name, and Primary client. The Admin selects Admin from the drop-down role menu. Then the Admin must select either Groups of Assets or Individual Assets for which the user will have administrator privileges. Clicking Save assigns the role to the user. Each time the page is saved, the updated User Details page appears.
Then the Admin selects SecOpsAdmin from the drop-down role menu. Then the Admin must select either Groups of Assets or Individual Assets for which the user will have SecOpsAdmin privileges. Clicking Save assigns the role to the user.
In order to assign both groups and individual assets, the Admin assigns one type first, clicks Save, and then assigns the second type and clicks Save again.
The Admin assigns assets to the new user by clicking Edit under Assigned Groups or Assigned Assets. The available groups or assets are displayed in the Available column on the left, and the Admin can assign them to this user by selecting them and moving them (using the right-arrow) to the Selected list. The Admin must click Save to assign those groups or those assets.
Multi-client user having Admin role on primary client and Developer role on secondary client
The Admin logs into the Portal, then goes to the Admin Tab, chooses User Management, and clicks on Add User.
The Admin enters a Username/email, First and Last name, and Primary client. To select the User role, the Admin chooses Admin from the drop-down menu.
The Admin assigns assets to the new user by clicking Edit under Assigned Groups or Assigned Assets. The available groups or assets are displayed in the Available column on the left, and the Admin can assign them to this user by selecting them and moving them (using the right-arrow) to the Selected list. The Admin must click Save to assign those groups or those assets. Each time the page is saved, the updated User Details page appears.
The Admin selects the user and clicks Edit. The Admin adds the secondary client from the drop-down menu. To select the User role, the Admin chooses Developer from the drop-down menu.
The Admin assigns assets to the new user by clicking Edit under Assigned Groups or Assigned Assets. The available groups or assets are displayed in the Available column on the left, and the Admin can assign them to this user by selecting them and moving them (using the right-arrow) to the Selected list. The Admin must click Save to assign those groups or those assets.
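The access model described on this page (cumulative privileges per Table 1, role assignments scoped to a client and to either an asset group or an individual asset, the glossary rule that only a client admin sees assets without explicit assignment, and the last use case of a multi-client user with Admin on the primary client and Developer on the secondary client) is worked through below as an added Python example. This is illustrative code written for this page, not Portal code or a Portal API: the class names, privilege identifiers, client names, asset names and user names are all constructed here, and the privilege sets are transcribed from the role lists and Table 1 above.

```python
"""Toy model of asset-scoped roles, as described on this page.

Everything here (class names, privilege identifiers, sample clients, assets
and users) is constructed for the example; it is not Portal code.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Roles from lowest to highest; each role inherits everything below it.
ROLE_ORDER = ["Viewer", "Developer", "SecOps", "SecOps Admin", "Admin", "Client Admin"]

# Privileges each role adds on top of the previous one (from the role lists above).
ROLE_GRANTS = {
    "Viewer": {"view_findings", "view_scan_history", "generate_reports",
               "view_group_assets", "view_code_bases", "ask_question", "generate_api_key"},
    "Developer": {"retest_vulnerability", "manage_notes"},
    "SecOps": {"manage_schedules", "manage_credentials"},
    "SecOps Admin": {"manage_codebases"},
    "Admin": {"view_activity_log", "view_action_items", "manage_groups", "add_users"},
    # Admin cannot add applications unless Black Duck enables it; Client Admin can.
    "Client Admin": {"add_applications", "change_client_settings", "manage_all_users"},
}


def privileges_for(role: str) -> set[str]:
    """Effective privilege set: union of this role's grants and every lower role's."""
    privs: set[str] = set()
    for r in ROLE_ORDER[: ROLE_ORDER.index(role) + 1]:
        privs |= ROLE_GRANTS[r]
    return privs


@dataclass(frozen=True)
class Asset:
    name: str
    client: str          # every asset belongs to exactly one client


@dataclass
class Client:
    name: str
    assets: dict[str, Asset] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> asset names, same client only


@dataclass(frozen=True)
class Assignment:
    client: str
    role: str
    kind: str            # "group" or "asset"
    target: str          # group name or asset name within that client


@dataclass
class User:
    username: str
    primary_client: str
    assignments: list[Assignment] = field(default_factory=list)
    client_admin_of: set[str] = field(default_factory=set)   # implicit Client Admin role


def effective_role(user: User, asset: Asset, clients: dict[str, Client]) -> str | None:
    """Highest role the user holds on this asset, directly or via a group.

    Returns None when nothing is assigned: the user cannot even see the asset.
    A Client Admin implicitly holds the top role on every asset of that client.
    """
    if asset.client in user.client_admin_of:
        return "Client Admin"
    best: str | None = None
    for a in user.assignments:
        if a.client != asset.client:           # roles never cross a client boundary
            continue
        if a.kind == "asset":
            hit = a.target == asset.name
        else:
            hit = asset.name in clients[a.client].groups.get(a.target, set())
        if hit and (best is None or ROLE_ORDER.index(a.role) > ROLE_ORDER.index(best)):
            best = a.role
    return best


def can(user: User, privilege: str, asset: Asset, clients: dict[str, Client]) -> bool:
    """Authorization check: does the user's effective role on the asset grant the privilege?"""
    role = effective_role(user, asset, clients)
    return role is not None and privilege in privileges_for(role)


def visible_assets(user: User, clients: dict[str, Client]) -> list[str]:
    """Assets the user can see at all (assigned directly, via a group, or as Client Admin)."""
    return sorted(a.name for c in clients.values() for a in c.assets.values()
                  if effective_role(user, a, clients) is not None)


def build_sample() -> tuple[dict[str, Client], dict[str, User]]:
    """Constructed sample: two clients, one multi-client user, one client admin."""
    corp = Client("acme-corp")
    for n in ("shop-site", "blog-site", "payroll-app"):
        corp.assets[n] = Asset(n, "acme-corp")
    corp.groups["web-sites"] = {"shop-site", "blog-site"}
    labs = Client("acme-labs")
    labs.assets["labs-api"] = Asset("labs-api", "acme-labs")
    clients = {"acme-corp": corp, "acme-labs": labs}
    # The multi-client use case: Admin on a group in the primary client,
    # Developer on one asset in the secondary client.
    jdoe = User("jdoe@example.com", "acme-corp", [
        Assignment("acme-corp", "Admin", "group", "web-sites"),
        Assignment("acme-labs", "Developer", "asset", "labs-api"),
    ])
    cadmin = User("cadmin@example.com", "acme-corp", client_admin_of={"acme-corp"})
    return clients, {"jdoe": jdoe, "cadmin": cadmin}


if __name__ == "__main__":
    clients, users = build_sample()
    jdoe = users["jdoe"]
    for asset in [clients["acme-corp"].assets["payroll-app"], clients["acme-labs"].assets["labs-api"]]:
        print(asset.name, effective_role(jdoe, asset, clients),
              "manage_schedules:", can(jdoe, "manage_schedules", asset, clients))
    print("jdoe sees:", visible_assets(jdoe, clients))
    print("cadmin sees:", visible_assets(users["cadmin"], clients))
```

The two points worth checking when reviewing such a setup are visible in the sample: the user's Admin role on the primary client gives nothing on payroll-app, because that asset is not in the assigned group, and the Developer role on the secondary client does not carry over any Admin privileges, so a schedule change on labs-api is refused.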