Manage permissions and roles

Relevant AppViz administrators

This section describes how to manage AppViz roles, and permissions.

Note:

By default, users have access to all Network Objects/Service Objects in application flows. You can use object tags to manage object visibility per user. See Managing Object Permissions Using Tags.

As well, you can use API Access Keys to control user access to view and edit application via API.

Roles and permissions

AppViz access management supports two out-of-the-box System Roles:

System Role

Permissions
User

User permissions are defined in the Settings area of AppViz.

Administrator

All permissions

When a user with the "User" System Role is created, in the AppViz Settings > General tab, you can:

Note: Users automatically have permissions for any applications they create.

Manage role settings and permissions

This section explains how to manage roles in the AppViz Settings area (excluding System Roles).

Do any of the following:

You can give roles permission to view or edit specific applications. Users assigned a role inherit all permissions granted to the role. The procedure below describes how to manage application permissions for roles.

To assign/revoke role permissions:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permissions page appears.

  3. Do one of the following:
    • Select a role from the list.
    • Perform a simple search for a role by doing the following:

      1. Type any part of the role's name in the search box, and click .

        The matching roles appear below the search box.

      2. Select a role from the list.

        The information for the selected role appears on the right.

  4. In the Authorized Views and Actions area, edit the permissions given to the role. For details, see Authorized views and actions fields.
  5. To give the role permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the role is given permission to view the applications.

    3. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  6. To revoke the role's permissions to an application, click .
  7. To revoke the user's permissions for all applications, click Remove all applications.
  8. Click Save Changes.

To add users to a role:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permission page appears.

  3. Do one of the following:
    • Select a role from the list.
    • Perform a simple search for a role by doing the following:

      1. Type any part of the role's name in the search box, and click .

        The matching roles appear below the search box.

      2. Select a role from the list.

        The information for the selected role appears on the right.

  4. Click the Users tab.

    The Users tab appears.

  5. Edit the users assigned the role, by doing the following:

    1. In the Assigned Users area, click +Add Users.

      The Add Users wizard opens.

    2. Do one of the following:
      • Select users from the list.
      • Perform a simple search for a user by doing the following:

        1. Type any part of the user's name or username in the search box, and click .

          The matching users appear below the search box.

        2. Select users from the list.
    3. To deselect users, click Clear.

    4. Click OK.

      The user(s) appear in the Assigned Users area.

  6. To revoke the role from the user, click .
  7. To revoke all of the role's users, click Remove all users.
  8. Click Save Changes.

To create a new role:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permission page appears.

  3. Click +New Role.

    New fields appear on the right.

  4. Complete the fields as needed. For details, see New role fields.
  5. Continue completing the fields. For details, see Authorized views and actions fields.
  6. To give the role permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the role is given permission to view the applications.

    3. To give the role permission to edit the applications, do the following:
      1. For the desired application, click Can View.
      2. In the drop down menu, select Can Edit.
  7. To revoke the role's permissions to an application, click .
  8. To revoke the role's permissions for all applications, click Remove all users.
  9. Click Save Changes.

New role fields

In this field...

Do this...

Role Name

Type the name of the role.

Description

Type a description for the role. This field is optional.

Enabled

Default is Enabled. Clear check box to disable the role.

If you are importing user data from an LDAP server, you can map LDAP groups to AppViz roles. The user will be assigned the relevant role upon login.

Note: If your environment is configured to import user information from an LDAP server, changes to user settings must be made only on the LDAP server (changes made in the AlgoSec Suite may be overridden the next time the user logs in). For more details, see Configure user authentication.

To map LDAP groups to a role:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permissions page appears.

  3. Do one of the following:
    • Select a role from the list.
    • Perform a simple search for a role by doing the following:

      1. Type any part of the role's name in the search box, and click .

        The matching roles appear below the search box.

      2. Select a role from the list.

        The Edit Role area for the selected role appears on the right.

  4. Click the Users tab.

    The Users tab appears.

  5. In the Group DN field, type the LDAP group DN you wish to map to the role.

    Note: This field is disabled for the Administrator role. Administrators have all roles.

  6. Click Save Changes.

To delete a role:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permissions page appears.

  3. Hover over the desired role and click .

    A confirmation message appears.

  4. Click OK.

Manage user settings and permissions

You can manage permissions for users in two ways:

  • You can grant permissions to individual users. This gives users permission to view or edit an application that they do not have permission for by default.
  • You can assign users a role; consequently, the users with the role receive all the permissions of the role. See Manage role settings and permissions.

Note: If a user is assigned both individual permissions and a role, and there are conflicting permissions between the two, the higher permission level will take precedence.

Tip: All users receive default permissions. You can modify these default permissions by configuring the advanced AppViz property permissions.initial. See Configure advanced AppViz properties.

The procedure below describes how to manage permissions for a specific user.

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage user settings and permissions, click Manage.

    The User Settings and Permission page appears.

  3. Do one of the following:
    • Select a user from the list.
    • Perform a simple search for a user by doing the following:

      1. Type any part of the user's name or username in the search box, and click .

        The matching users appear below the search box.

      2. Select a user from the list.

        The information for the selected user appears on the right.

  4. In the Authorized Views and Actions area, edit the permissions given to the user as needed. For details, see Authorized views and actions fields.
  5. To give the user permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected application(s) appear in a list below the user. By default the user is given permission to view the application.

    3. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  6. To revoke the user's permissions to an application, click .
  7. To revoke the user's permissions for all applications, click Remove all applications.
  8. Click Save Changes.

In this field...

Do this...
General

 

View activity log

Select this check box to give the user permission to view the activity log tab of applications and network objects.

View change requests

Select this check box to give the user permission to view the change requests tab of applications, network objects, and service objects.

Refresh vulnerability

Select this check box to give the user permission to update the vulnerability assessment of network objects.

All users with permission to update the vulnerability assessment have permission to view vulnerability, as well.

View vulnerability

Select this check box to give the user permission to view the vulnerability tab of applications.

Refresh risks data

Select this check box to give user permission to refresh risks data.

View risks data

Select this check box to give user permission to view risks data.

Refresh connectivity

Select this check box to give the user permission to update the connectivity of applications.
Check connectivity when saving a flow Select this check box to give the user permission to set AppViz to automatically update the connectivity of applications after saving a flow. (The permission Refresh connectivity must be selected first to make the selection box for this option available).
Applications

 

Create new applications

Select this check box to give user permission to create new applications.

Edit all applications

Select this check box to give user permission to edit all applications.

All users with permission to edit all applications automatically have the View all applications permission and the Edit application information permission.

View all applications

Select this check box to give user permission to view all applications.

Apply drafts

Select this check box to give the user permission to apply drafts to applications.

Note: If a user has this permission, they will only be able to apply drafts to applications they have permission to edit.

Create shared flows

Select this check box to give user permission to create shared traffic flows.

Edit application information

Select this check box to give user permission to edit application custom fields, tags, and contacts.
Refresh vulnerability Select this check box to give user permission to refresh vulnerabilities.

Create application tags

Select this check box to give user permission to create user-defined application tags.
Import flows Select this check box to give user permission to import flows.
Network and Service Objects

 

Edit service objects

Select this check box to give user permission to edit service objects.

Edit network objects

Select this check box to give user permission to edit network objects.

Update object from device

Select this check box to give the user permission to synchronize a device object's definition in AppViz with the definition on the device.

You can manage user permissions by assigning roles to users. All users with a specific role receive all of the permissions assigned to the role. The procedure below describes how to assign and revoke roles.

Note: When fetching data from an LDAP server, you cannot manually assign/revoke roles. You must map roles using the LDAP Group DN. For details, see Map LDAP groups to roles .

To assign/revoke user roles:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage user settings and permissions, click Manage.

    The User Settings and Permission page appears.

  3. Do one of the following:
    • Select a user from the list.
    • Perform a simple search for a user by doing the following:

      1. Type any part of the user's name or username in the search box, and click .

        The matching users appear below the search box.

      2. Select a user from the list.

        The information for the selected user appears on the right.

  4. Click the Roles tab.

    The Assigned Roles area appears.

  5. Edit the roles given to the user, by doing the following:

    1. In the Assigned Roles area, click +Add Roles.

      The Add Roles window appears.

    2. Do one of the following:
      • Select roles from the list.
      • Perform a simple search for a role by doing the following:

        1. Type any part of the role's name in the search box, and click .

          The matching roles appear below the search box.

        2. Select roles from the list.
    3. To deselect roles, click Clear.

    4. Click OK.

      The roles appear in the Assigned Roles list.

  6. To remove the revoke the role from the user, click .
  7. To revoke all of the user's roles, click Remove all users.
  8. Click Save Changes.

Manage application permissions

You can give single users, or all users with a specific role, permission to view or edit an application that they do not have permission for by default. The procedure below describes how to manage user permissions for a specific application.

To manage permissions for an application:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage application permissions, click Manage.

    The Application Permissions page appears, displaying a list of applications on the left.

  3. Do one of the following:
    • Select an application from the list.
    • Perform a simple search for an application by doing the following:

      1. Type any part of the application name in the search box, and click .

        The matching applications appear below the search box.

      2. Select an application from the list.

        The Authorized Roles and Users area for the selected application appears on the right.

        Note: A role or user will appear disabled in the list for one of the following reasons: the user inherited permission to the application from a role, or the user or role has User has edit all applications permission.

  4. To give single users permission to view or edit the application, do the following:

    1. Click +Add Users.

      The Add Users window appears.

    2. Do one of the following:

      • Select users from the list.
      • Perform a simple search for a user by entering any part of the user's name or username in the search box, and click . The matching users appear below the search box.
      • To deselect users, click Clear.

    3. Click OK.

      Once added, the user(s) appear in a list below the application. By default they are only given permission to view the application.

    4. To give the user permission to edit an application, click the Can View drop-down list for the application and select Can Edit.

  5. To give all users with a specific role permission to view or edit the application, do the following:

    1. Click +Add Roles.

      The Add Roles window appears.

    2. Do one of the following:
      • Select roles from the list.
      • Perform a simple search for a role by typing any part of the role's name in the search box, and clicking . The matching roles appear below the search box. Select roles from the list.
      • To deselect roles, click Clear.

    3. Click OK.

      The role(s) appear in a list below the application. By default they are only given permission to view the application.

    4. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  6. To remove the permissions of a user or role for the application, click .
  7. To remove all user and role permissions for the application, click Remove all.
  8. Click Save Changes.

Manage API Access Key permissions

You can manage permissions to use APIs in two ways:

  • You can assign API access keys their own set of permissions to view or edit applications via API. In this way, you can control the permissions of the anyone using these API Access Keys. For information about API Access Keys, see Manage API access keys
  • You can assign individual roles their own set of permissions including to view or edit applications via API.

To assign/revoke API Access Key permissions:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage API access key permissions, click Manage.

    The API Access Key Permissions page appears.

  3. Do one of the following:
    • Select an API Access Key from the list.
    • Perform a simple search for a role by doing the following:

    • Type any part of the API Access Key's name in the search box, and click .

    The matching API Access Key appears below the search box.

  4. In the Authorized Views and Actions area, edit the permissions given to the API Access Key. For details, see Authorized views and actions fields.
  5. To give API Access Key permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the API Access Key is given permission to view the applications.

    3. To give the API Access Key permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  6. To revoke the API Access Key's permissions to an application, click .
  7. To revoke the user's permissions for all applications, click Remove all applications.
  8. Click Save Changes.

In this field...

Do this...
General

 

View activity log

Select this check box to give the user of the API Access Key permission to view the activity log tab of applications and network objects via API.

View change requests

Select this check box to give the the user of the API Access Key permission to view the change requests tab of applications, network objects, and service objects via API.

Refresh vulnerability

Select this check box to give the the user of the API Access Key permission to update the vulnerability assessment of network objects via API.

All users with permission to update the vulnerability assessment have permission to view vulnerability, as well .

View vulnerability

Select this check box to give the the user of the API Access Key permission to view the vulnerability tab of applications via API.

Refresh risks data

Select this check box to give the user of the API Access Key permission to refresh risks data via API.

View risks data

Select this check box to give user permission to view risks data via API.

Refresh connectivity

Select this check box to give the user permission to update the connectivity of applications via API.
Check connectivity when saving a flow Select this check box to give the the user of the API Access Key permission to set AppViz to automatically update the connectivity of applications after saving a flow via API. (The permission Refresh connectivity must be selected first to make the selection box for this option available).
Applications

 

Create new applications

Select this check box to give the user of the API Access Key permission n to create new applications via API.

Edit all applications

Select this check box to give user permission to edit all applications via API.

All users with permission to edit all applications automatically have the View all applications permission and the Edit application information permission.

View all applications

Select this check box to give the user of the API Access Key permission to view all applications via API.

Apply drafts

Select this check box to give the the user of the API Access Key permission to apply drafts to applications via API.

Note: If a the user of the API Access Key permission has this permission, they will only be able to apply drafts to applications they have permission to edit.

Create shared flows

Select this check box to give the user of the API Access Key permission to create shared traffic flows.

Edit application information

Select this check box to give the user of the API Access Key permission to edit application custom fields, tags, and contacts.

Create application tags

Select this check box to give the user of the API Access Key permission to create user-defined application tags via API.
Import flows Select this check box to give the user of the API Access Key permission to import flows via API.
Network and Service Objects

 

Edit service objects

Select this check box to give the user of the API Access Key permission to edit service objects via API.

Edit network objects

Select this check box to give the user of the API Access Key permission to edit network objects via API.

Update object from device

Select this check box to give the the user of the API Access Key permission to synchronize a device object's definition in AppViz with the definition on the device via API.

You can give roles permission to view or edit specific applications via API. Users assigned a role inherit all permissions granted to the role. The procedure below describes how to manage application permissions via API for roles.

To assign/revoke role permissions:

  1. Navigate to the Administration area.

    • Hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ADMINISTRATION.

    The Administration area appears in the workspace.

  2. In the Settings and Permissions area, next to Manage API access key permissions, click Manage.

    The API Access Key Permissions page appears.

  3. Click the Roles tab.

  4. Do one of the following:
    • Select a role from the list.

    • Perform a simple search for a role by typing any part of the role's name in the search box, and click .

    The matching roles appear below the search box.

  5. In the Authorized Views and Actions area, edit the permissions given to the role. For details, see Authorized views and actions fields.
  6. To give the role permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the role is given permission to view the applications.

    3. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  7. To revoke the role's permissions to an application, click .
  8. To revoke the user's permissions for all applications, click Remove all applications.
  9. Click Save Changes.