| 1 | +--- |
| 2 | +title: "Permissions" |
| 3 | +date: 2021-02-02T20:46:28+01:00 |
| 4 | +weight: 4 |
| 5 | +draft: false |
| 6 | +--- |
| 7 | + |
| 8 | +{{% notice warning %}} |
| 9 | +The permissions described on this page only become active if you set the ``FEATURE_AUTHORIZATION_V2`` feature flag to ``True``. This feature is currently in beta, you should not use it in production environments. |
| 10 | +{{% /notice %}} |
| 11 | + |
| 12 | +Users have different functionality available to them, depending on their system-wide permissions and on the role they have as a member of a particular Product or Product Type. |
| 13 | + |
| 14 | +## System-wide permissions |
| 15 | + |
| 16 | +* Administrators (aka super users) have no limitations in the system. They can change all settings, manage users and have read and write access to all data. |
| 17 | +* Staff users can add Product Types and Products, and have access to data according to their role in a Product or Product Type. There is a parameter in the settings (AUTHORIZATION_STAFF_OVERRIDE) to give staff users full access to all Products and Product Types. |
| 18 | +* Guest users have limited functionality available. They cannot add Product Types or Products and have only read permission for Products or Product Types. |
| 19 | + |
| 20 | +## Product and Product Type permissions |
| 21 | + |
| 22 | +Users can be assigned as members to Products and Product Types, giving them one out of five predefined roles. The roles define what kind of access a user has to functions for interacting with data of that Product or Product Type: |
| 23 | + |
| 24 | +**Product / Product Type roles:** |
| 25 | + |
| 26 | +| | Reader | Writer | Maintainer | Owner | API Importer | |
| 27 | +|-----------------------------|:------:|:------:|:----------:|:-----:|:------------:| |
| 28 | +| Add Product Type <sup>1)</sup> | | | | | | |
| 29 | +| View Product Type | x | x | x | x | | |
| 30 | +| Remove yourself as a member | x | x | x | x | | |
| 31 | +| Manage Product Type members | | x | x | | |
| 32 | +| Add Product Type member as Owner | | | | x | | |
| 33 | +| Edit Product Type | | | x | x | | |
| 34 | +| Add Product | | | x | x | | |
| 35 | +| Delete Product Type | | | | x | | |
| 36 | +| | | | | | | |
| 37 | +| View Product | x | x | x | x | | |
| 38 | +| Remove yourself as a member | x | x | x | x | | |
| 39 | +| Manage Product members | | | x | x | | |
| 40 | +| Add Product member as Owner | | | | x | | |
| 41 | +| Edit Product | | | x | x | | |
| 42 | +| Delete Product | | | | x | | |
| 43 | +| | | | | | | |
| 44 | +| View Engagement | x | x | x | x | | |
| 45 | +| Add Engagement | | x | x | x | | |
| 46 | +| Edit Engagement | | x | x | x | | |
| 47 | +| Risk Acceptance | | x | x | x | | |
| 48 | +| Delete Engagement | | | x | x | | |
| 49 | +| | | | | | | |
| 50 | +| View Test | x | x | x | x | | |
| 51 | +| Add Test | | x | x | x | | |
| 52 | +| Edit Test | | x | x | x | | |
| 53 | +| Delete Test | | | x | x | | |
| 54 | +| | | | | | | |
| 55 | +| View Finding | x | x | x | x | | |
| 56 | +| Add Finding | | x | x | x | | |
| 57 | +| Edit Finding | | x | x | x | | |
| 58 | +| (Re-)Import Scan Result | | x | x | x | x | |
| 59 | +| Delete Finding | | | x | x | | |
| 60 | +| | | | | | | |
| 61 | +| View Finding Group | x | x | x | x | | |
| 62 | +| Add Finding Group | | x | x | x | | |
| 63 | +| Edit Finding Group | | x | x | x | | |
| 64 | +| Delete Finding Group | | x | x | x | | |
| 65 | +| | | | | | | |
| 66 | +| View Endpoint | x | x | x | x | | |
| 67 | +| Add Endpoint | | x | x | x | | |
| 68 | +| Edit Endpoint | | x | x | x | | |
| 69 | +| Delete Endpoint | | | x | x | | |
| 70 | +| | | | | | | |
| 71 | +| Edit Benchmark | | x | x | x | | |
| 72 | +| Delete Benchmark | | | x | x | | |
| 73 | +| | | | | | | |
| 74 | +| View Components | x | x | x | x | | |
| 75 | +| | | | | | | |
| 76 | +| View Note History | x | x | x | x | | |
| 77 | +| Add Note | | x | x | x | | |
| 78 | +| Edit Note | | x | x | x | | |
| 79 | +| Delete Note | | (x) <sup>2)</sub> | x | x | | |
| 80 | + |
| 81 | + |
| 82 | +<sup>1)</sup> Every staff user and administrator can add Product Types. Guest users are not allowed to add Product Types. |
| 83 | + |
| 84 | +<sup>2)</sup> Every user is allowed to delete his own notes. |
| 85 | + |
| 86 | +The role of a user within a Product Type is inherited by all Products of that Product Type, unless the user is explicitly defined as a member of a Product with a different role. If a user is a member of a Product, his role in the Product must be at least the same level or higher as his role for the respective Product Type. |
| 87 | + |
| 88 | +A Product Type needs to have at least one owner. The last owner cannot be removed. |
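Review bot: the `Manage Product Type members` row has one cell fewer than the table's six columns, so as written the Writer and Maintainer columns get the permission and Owner does not, which contradicts the matching `Manage Product members` row (Maintainer and Owner); it should probably read `| Manage Product Type members | | | x | x | |`. Also, the `Delete Note` row closes its footnote marker with `</sub>` instead of `</sup>`, which leaves an unclosed `<sup>` in that cell, and `Delete Finding Group` is the only Delete permission granted to Writer while every other Delete row starts at Maintainer, so please confirm that is intended rather than a copy-and-paste slip.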