Authorization uses role-based access control (RBAC): users are assigned to roles dynamically, while the mapping from a role to its set of permissions (CRUD operations x API objects) is static. The tables below are that static mapping; only the user-to-role assignments change at runtime.
Organization roles
Organizations have two roles: administrators and members.
- Administrators have complete administrative access to the organization.
- Member is the default role for everybody else. The role that members get in the organization's projects is configured by the organization administrator.
Member permissions
The organization administrator configures which role organization members have in all projects of the organization: none, observer, developer, or administrator. Every member has at least this role in every organization project. Individual users can still be given a more privileged role at the project level; the organization-wide setting is a floor, so a less privileged project-level role does not lower it.
| Organization action | Member | Administrator |
|---|---|---|
| List org members | | x |
| Add member to org | | x |
| Remove member from org | | x |
| Delete org | | x |
| Manage member permissions | | x |
| View member permissions | | x |
| View all org projects | x | x |
| Add project to org | x | x |
Project roles
Projects have the following roles:
- Observers have read-only access to a project.
- Developers have read-write access to a project.
- Administrators have full access to a project, including sensitive and destructive actions such as managing access rights, deleting findings, or deleting the project itself.
| Project action | Observer | Developer | Administrator |
|---|---|---|---|
| View findings | x | x | x |
| Download report | x | x | x |
| Start fuzzing | | x | x |
| Configure fuzzing | | x | x |
| Configure project | | x | x |
| Delete findings | | | x |
| Delete project | | | x |
| List members | | | x |
| Add members | | | x |
| Delete members | | | x |
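The following is an added example, not the platform's own code, showing how the model in the "Member permissions" section and the two tables above fits together: the role-to-permission tables are static, the user-to-role assignments are dynamic, and a user's effective project role is the organization-wide default (a floor) raised by any explicit project-level role. The class and method names, the action identifiers, and the sample users and project are assumptions chosen for illustration; the role orderings and permission thresholds are taken from the tables. Two points the page leaves open are marked as assumptions in the code: a user who is not in the organization gets no project access even if a stale project-level entry exists, and organization administrators receive the member floor as well.

```python
"""Effective-role resolution for the organization/project RBAC model.

Added example (not the platform's code). Names and action identifiers are
assumptions; role orderings and thresholds come from the permission tables.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class OrgRole(IntEnum):
    MEMBER = 1
    ADMINISTRATOR = 2


class ProjectRole(IntEnum):
    # "none" is a valid organization-wide default: members get no project
    # access unless they are granted a role on the project itself.
    NONE = 0
    OBSERVER = 1
    DEVELOPER = 2
    ADMINISTRATOR = 3


# Static role -> permission mapping, encoded as the minimum role that may
# perform each action. Both tables are monotone (every role can do everything
# a lower role can), so one threshold per action captures them exactly.
ORG_ACTIONS = {
    "list_org_members": OrgRole.ADMINISTRATOR,
    "add_member_to_org": OrgRole.ADMINISTRATOR,
    "remove_member_from_org": OrgRole.ADMINISTRATOR,
    "delete_org": OrgRole.ADMINISTRATOR,
    "manage_member_permissions": OrgRole.ADMINISTRATOR,
    "view_member_permissions": OrgRole.ADMINISTRATOR,
    "view_all_org_projects": OrgRole.MEMBER,
    "add_project_to_org": OrgRole.MEMBER,
}

PROJECT_ACTIONS = {
    "view_findings": ProjectRole.OBSERVER,
    "download_report": ProjectRole.OBSERVER,
    "start_fuzzing": ProjectRole.DEVELOPER,
    "configure_fuzzing": ProjectRole.DEVELOPER,
    "configure_project": ProjectRole.DEVELOPER,
    "delete_findings": ProjectRole.ADMINISTRATOR,
    "delete_project": ProjectRole.ADMINISTRATOR,
    "list_members": ProjectRole.ADMINISTRATOR,
    "add_members": ProjectRole.ADMINISTRATOR,
    "delete_members": ProjectRole.ADMINISTRATOR,
}


@dataclass
class Organization:
    name: str
    # Role every organization member gets in every project (set by an org admin).
    member_default_project_role: ProjectRole = ProjectRole.NONE
    # Dynamic user -> role assignments; these change, the tables above do not.
    org_roles: dict = field(default_factory=dict)      # user -> OrgRole
    project_roles: dict = field(default_factory=dict)  # project -> {user -> ProjectRole}

    def effective_project_role(self, user: str, project: str) -> ProjectRole:
        """The org-wide default is a floor; an explicit project role can only raise it."""
        if project not in self.project_roles:
            raise KeyError(f"unknown project {project!r}")
        if user not in self.org_roles:
            # Assumption: a user outside the organization gets nothing, even if a
            # stale project-level entry for them is still present.
            return ProjectRole.NONE
        # Assumption: org administrators receive the member floor as well; the
        # page states the floor only for members.
        explicit = self.project_roles[project].get(user, ProjectRole.NONE)
        return max(self.member_default_project_role, explicit)

    def can_org(self, user: str, action: str) -> bool:
        """Unknown actions raise KeyError rather than silently allowing (fail closed)."""
        role = self.org_roles.get(user)
        return role is not None and role >= ORG_ACTIONS[action]

    def can_project(self, user: str, project: str, action: str) -> bool:
        return self.effective_project_role(user, project) >= PROJECT_ACTIONS[action]

    def set_member_default_project_role(self, actor: str, role: ProjectRole) -> None:
        """Enforcement point: changing the floor is 'Manage member permissions'."""
        if not self.can_org(actor, "manage_member_permissions"):
            raise PermissionError(f"{actor} may not manage member permissions")
        self.member_default_project_role = role


def demo() -> Organization:
    """Constructed sample organization (not real data) used for the checks below."""
    org = Organization("example-org", ProjectRole.DEVELOPER)
    org.org_roles = {"alice": OrgRole.ADMINISTRATOR, "bob": OrgRole.MEMBER, "carol": OrgRole.MEMBER}
    org.project_roles = {
        "fuzz-target": {
            "bob": ProjectRole.OBSERVER,         # below the floor: no effect
            "carol": ProjectRole.ADMINISTRATOR,  # above the floor: raises her role
            "dave": ProjectRole.DEVELOPER,       # dave is not in the organization
        }
    }
    return org


if __name__ == "__main__":
    org = demo()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, org.effective_project_role(user, "fuzz-target").name)
```

With the default set to developer, bob's explicit observer role is irrelevant (he is a developer everywhere), carol's explicit administrator role raises her above the floor, and dave, who is not in the organization, gets nothing despite his project entry. Once an organization administrator lowers the default to none, bob drops to the observer role he holds on the project and alice, who has no project-level role, has no project access at all; attempting the same change as a plain member is rejected at the enforcement point.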