# Roles

> Auditforge can manage different user account roles to access different kinds of data with some level of granularity.<br>
> There are two built-in roles: user and admin. Additional custom roles can easily be added.

## List of permissions

Here is the list of available permissions to access data:

|      Audits       |       Vulnerabilities        |       Data       |           Custom Data           |       Settings       |   Classify   |
| :---------------: | :--------------------------: | :--------------: | :-----------------------------: | :------------------: | :----------: |
|   audits:create   |    vulnerabilities:create    |   users:create   |        languages:create         |    settings:read     | classify:all |
|    audits:read    |     vulnerabilities:read     |    users:read    |         languages:read          | settings:read-public |              |
|   audits:update   |    vulnerabilities:update    |   users:update   |        languages:update         |   settings:update    |              |
|   audits:delete   |    vulnerabilities:delete    |   users:delete   |        languages:delete         |                      |              |
|  audits:read-all  | vulnerability-updates:create |  clients:create  |       audit-types:create        |                      |              |
| audits:update-all |                              |   clients:read   |        audit-types:read         |                      |              |
| audits:delete-all |                              |  clients:update  |       audit-types:update        |                      |              |
|   audits:review   |                              |  clients:delete  |       audit-types:delete        |                      |              |
| audits:review-all |                              | companies:create |   vulnerability-types:create    |                      |              |
|                   |                              |  companies:read  |    vulnerability-types:read     |                      |              |
|                   |                              | companies:update |   vulnerability-types:update    |                      |              |
|                   |                              | companies:delete |   vulnerability-types:delete    |                      |              |
|                   |                              | templates:create | vulnerability-categories:create |                      |              |
|                   |                              |  templates:read  |  vulnerability-categories:read  |                      |              |
|                   |                              | templates:update | vulnerability-categories:update |                      |              |
|                   |                              | templates:delete | vulnerability-categories:delete |                      |              |
|                   |                              |    roles:read    |      custom-fields:create       |                      |              |
|                   |                              |                  |       custom-fields:read        |                      |              |
|                   |                              |                  |      custom-fields:update       |                      |              |
|                   |                              |                  |      custom-fields:delete       |                      |              |
|                   |                              |                  |         sections:create         |                      |              |
|                   |                              |                  |          sections:read          |                      |              |
|                   |                              |                  |         sections:update         |                      |              |
|                   |                              |                  |         sections:delete         |                      |              |

## Built-In Roles

### user

This role has the following permissions:

- audits:create, audits:read, audits:update, audits:delete
- vulnerabilities:read, vulnerability-updates:create
- users:read, roles:read
- clients:create, clients:read, clients:update, clients:delete
- companies:create, companies:read, companies:update, companies:delete
- templates:read
- languages:read, audit-types:read, vulnerability-types:read, vulnerability-categories:read, sections:read, custom-fields:read
- settings:read-public
- classify:all

### admin

This role has full access to all permissions.

## Create additional Roles

Custom roles can be defined in `backend/src/config/roles.json`.
The format is:

```
role_name: {
  allows: [], // Array of allowed permissions, or '*' for all permissions (admin)
  inherits: [] // Array of roles whose permissions are inherited
}
```

A default custom role is already defined as a `report` role for example:

```
"report": {
  "inherits": ["user"],
  "allows": [
    "audits:read-all"
  ]
}
```

This role inherits all `user` permissions, but since `user` can only access and modify its own Audits, the `audits:read-all` permission is added to `report` so it can access all Audits.  
To update and delete all Audits, the additional `audits:update-all` and `audits:delete-all` permissions would be required.

To be able to properly use the review feature of the application, a reviewer role should be added. This reviewer should have the `audits:review` or `audits:review-all` permissions to be able to review reports. A reviewer with only the `audits:review` permission can only review the reports on which they are assigned. The role could look like the following:

```
"reviewer": {
  "inherits": ["user"],
  "allows": [
    "audits:review"
  ]
}
```

A reviewer with the `audits:review-all` permission should also have the `audits:read-all` permission to be able to take full advantage of the first one. The role could look like the following:

```
"reviewer": {
  "inherits": ["user"],
  "allows": [
    "audits:review-all",
    "audits:read-all"
  ]
}
```

Keep in mind that these two roles inherit their permissions from the `user` role, which means that they can also create their own audits. A reviewer cannot review an audit of which they are the creator or a collaborator.