Users
Overview
The Users module provides administrative control over all users in the system. This module is only available to Administrators.
The Users module makes it easy to:
Create New Users
Manage User Access to Projects, Groups and Self-Service API
Perform User Updates including Name, Email, Username, Role, Password Change, Reset 2FA, Disable 2FA
Block Sign In or Activate Sign In for users
View Login History for a user
View Audit Logs for a user
Delete a user
User Roles
AttackForge is built on two primary access models:
Application Roles – determines what modules the user has access to, and functionality within those modules.
Project Roles – determines what privileges & functions a user has access to on a project; and the data they will have access to in AttackForge across all modules.
A non-Admin user will only see vulnerabilities & projects they have explicitly been invited to.
Other access controls apply to relevant sections such as Writeups, Assets, Custom Fields, Reporting, Portfolios and more.
There are currently five (5) application roles an Administrator can assign to a user:
Client (standard user)
Consultant (standard user)
Library Moderator (deprecated)
Project Coordinator
Administrator
Clients / Consultants can do the following:
Access Global Dashboard
Access Analytics module
can see analytics for data they have access to
Access Vulnerabilities module
can see all vulnerabilities they have access to
Access Projects module
can only see projects they have been invited to
can only see project requests they have made
Access Scheduling module
can only see their projects
Access Portfolios module
has view access only to portfolios/streams based on configuration
Access Assets module (if enabled)
has access to CRUD operations for their assets only
has view/edit access to assets based on library access controls
can see their vulnerabilities for all their assets
Access Writeups module
has view/edit access only to writeup libraries based on configuration
Access Self-Service API
by default has no access to API methods/endpoints
Access Attack Chains module
Access Help & Support
Library Moderators (deprecated) can do the following:
!IMPORTANT: We do not recommend using the Library Moderator role. Access to libraries can now be managed via library access controls.
Access Global Dashboard
Access Analytics module
can see analytics for data they have access to
Access Vulnerabilities module
can see all vulnerabilities they have access to
Access Projects module
can only see projects they have been invited to
can only see project requests they have made
Access Scheduling module
can only see their projects
Access Portfolios module
has view access only to portfolios/streams based on configuration
Access Assets module (if enabled)
has access to CRUD operations for their assets only
has view/edit access to assets based on library access controls
can see their vulnerabilities for all their assets
Access Writeups module
has view/edit access only to writeup libraries based on configuration
Access Self-Service API
by default has no access to API methods/endpoints
Access Attack Chains module
Access Help & Support
Project Coordinators can do the following:
Access Global Dashboard
Access Analytics module
can see analytics for data they have access to
Access Vulnerabilities module
can see all vulnerabilities they have access to
Access Projects module
can create new projects
can update projects
gets access to all new projects (optional)
can invite users to projects
can manage user access to projects
can access all pending & actioned project requests
can approve new project requests
can request more information on project requests
can reject new project requests
Access Scheduling module
can only see their projects
Access Portfolios module
has view access only to portfolios/streams based on configuration
Access Report Templates module
has full access to this module, including CRUD operations
Access Assets module (if enabled)
has access to CRUD operations for all assets
has view/edit access to assets based on library access controls
can see their vulnerabilities for all their assets
Access Writeups module
has view/edit access only to writeup libraries based on configuration
Access Test Suites module
has full access to this module, including CRUD operations
Access Self-Service API
by default has no access to API methods/endpoints
Access Attack Chains module
Access Help & Support
Administrators are Super Users and can access all functionality & workflows, including:
Access Global Dashboard
Access Analytics module
can see analytics for all data
Access Vulnerabilities module
can see all vulnerabilities
Access Projects module
can create new projects
can update projects
can archive & unarchive projects
can destroy projects
can invite users to projects
can manage user access to projects
can access all pending & actioned project requests
can approve new project requests
can request more information on project requests
can reject new project requests
can perform all workflows on a project
Access Scheduling module
can see all projects
Access Portfolios module
has full access to this module, including CRUD operations
Access Report Templates module
has full access to this module, including CRUD operations
Access Assets module (if enabled)
has access to CRUD operations for all assets
can see vulnerabilities for all assets
Access Writeups module
has full access to this module, including CRUD operations
Access Test Suites module
has full access to this module, including CRUD operations
Access Groups module
has full access to this module, including CRUD operations
can manage Group Membership for users
Access Users module
has full access to this module, including CRUD operations
can perform all administrative tasks, such as user management, access logs, etc.
Access Self-Service API
by default has no access to API methods/endpoints
can assign access to self or other users via Users module
Access Attack Chains module
Access Administration module
has full access. Can purchase add-ons, update tenant configuration and view licensing and support information.
Access Help & Support
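The two-tier model described above (application role decides which modules a user can reach; project membership decides which project data a non-Admin can see) is easy to get wrong in integrations that mirror AttackForge data elsewhere. The following is an added illustration, not AttackForge's own code: a minimal evaluator that applies the rules from the role lists above, with deny-by-default on unknown roles and an immediate loss of visibility when a user is removed from a project. Module names, usernames and project identifiers are constructed for the example.

```python
from dataclasses import dataclass, field

# Modules each application role can reach, condensed from the role lists above.
# Module names here are assumptions for this example, not AttackForge identifiers.
_STANDARD = {"global_dashboard", "analytics", "vulnerabilities", "projects",
             "scheduling", "portfolios", "assets", "writeups",
             "self_service_api", "attack_chains", "help"}
MODULE_ACCESS = {
    "Client": _STANDARD,
    "Consultant": _STANDARD,
    "Project Coordinator": _STANDARD | {"report_templates", "test_suites"},
    "Administrator": _STANDARD | {"report_templates", "test_suites",
                                  "groups", "users", "administration"},
}


@dataclass
class Project:
    project_id: str
    vulnerabilities: list[str]


@dataclass
class User:
    username: str
    app_role: str
    # project_id -> project role; populated only by an explicit invitation
    project_roles: dict[str, str] = field(default_factory=dict)


def is_admin(user: User) -> bool:
    return user.app_role == "Administrator"


def can_access_module(user: User, module: str) -> bool:
    """Application-role check. An unknown role maps to no modules (deny by default)."""
    return module in MODULE_ACCESS.get(user.app_role, frozenset())


def visible_project_ids(user: User, projects: list[Project]) -> list[str]:
    """Admins see every project; everyone else only projects they were invited to."""
    if is_admin(user):
        return [p.project_id for p in projects]
    return [p.project_id for p in projects if p.project_id in user.project_roles]


def visible_vulnerabilities(user: User, projects: list[Project]) -> list[str]:
    """Vulnerability visibility follows project visibility across all modules."""
    ids = set(visible_project_ids(user, projects))
    return [v for p in projects if p.project_id in ids for v in p.vulnerabilities]


def invite(user: User, project_id: str, role: str) -> None:
    user.project_roles[project_id] = role


def remove_from_project(user: User, project_id: str) -> None:
    """Removal takes effect immediately: the next visibility query excludes the project."""
    user.project_roles.pop(project_id, None)


# Constructed sample data for the demonstration.
PROJECTS = [
    Project("proj-alpha", ["ALPHA-1", "ALPHA-2"]),
    Project("proj-beta", ["BETA-1"]),
]


def demo() -> dict:
    admin = User("alice", "Administrator")
    consultant = User("bob", "Consultant")
    coordinator = User("carol", "Project Coordinator")
    invite(consultant, "proj-alpha", "Write")
    before = visible_vulnerabilities(consultant, PROJECTS)
    remove_from_project(consultant, "proj-alpha")
    after = visible_vulnerabilities(consultant, PROJECTS)
    return {
        "admin_sees": visible_vulnerabilities(admin, PROJECTS),
        "consultant_before": before,
        "consultant_after": after,
        "consultant_users_module": can_access_module(consultant, "users"),
        "coordinator_test_suites": can_access_module(coordinator, "test_suites"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that a Project Coordinator gains extra modules but no extra visibility: unless the optional "access to all new projects" setting applies, they still see only projects they are a member of, exactly like a Consultant.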
Registering A New User
Where enabled on your tenant, new users can self-register accounts from the login page. They will need to activate their account (via email activation link) before they can sign in.
The first time a user logs into AttackForge, the user will receive a QR code to scan with their mobile authenticator app to enable two-factor authentication (2FA) for their account. By default, 2FA is mandatory and enforced on all accounts. This can be disabled on a user-by-user basis by Administrators.
Creating A New User
Administrators can create new users in the system directly, without having to go through the registration workflow. This is useful when you need to create accounts quickly or when you don't have access to an email address for activation.
You can create a new user in the system by clicking on the New User button.
When creating a new user, you can assign any user role available in the system. Newly created accounts are already verified and activated, so they can log in immediately.
The user will receive an email to inform them that their account has been created, and instructions on how they can log in.
Update User Profile
You can update a user's profile.
Update User Account
You can update a user's account settings. This includes:
Change email address
Change username
Change password
Enable/Disable/Reset MFA
Set expiry date (user will be blocked after that date)
Resend welcome invitation email
Block/Unblock user from signing in
Delete user
Managing Access
You can change a user's role. For information on roles, see User Roles.
You can also manage a user's access to the following:
Groups
Projects
Delegations
Self-Service Events API
Self-Service RESTful API
Groups
Here you can update a user's permissions on any groups they are members of, or you can remove their access.
If you update a user's access to a group, the new privileges will apply immediately across all projects linked to the group.
You can also bulk add a user to groups.
Projects
Here you can update a user's permissions on any projects where they are an existing team member, or you can remove their access.
If you update a user's access to a project, the new privileges will apply immediately on the project.
If you remove a user's access to a project, the user is removed from the project immediately. They will no longer be able to see any of the project's vulnerabilities and data.
You can also bulk add a user to projects.
Delegations
Admins can delegate specific workflows and functions to individual users.
Delegations can be assigned to any user, and can help to:
Reduce the burden placed on admins and privileged users.
Empower trusted individuals with autonomy to perform more tasks in AttackForge.
Here you can update a user's delegations, or remove their delegations.
You can also bulk apply delegations to a user.
Certain delegations can also be assigned to entire application user roles via Administration module. For more details, visit Configuration Options.
Self-Service Events API
Here you can manage a user's access to the Self-Service Events API.
Here you can update a user's permissions on any events, or you can remove their access.
You can also bulk add events for a user.
!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly to a user by an Administrator from within this module. Access to the SSAPI is controlled & applied on an individual event basis.
Every user in the system can generate or rotate their API key by visiting the Self-Service API module.
Tip: If you would like to create a service account in the system with non-interactive access to the application interface, you can grant the user permissions via the SSAPI, then block the user so they cannot log in to the application. They will still be able to access the SSAPI.
Self-Service RESTful API
Here you can manage a user's access to the Self-Service RESTful API.
Here you can update a user's permissions on any endpoints, or you can remove their access.
You can also bulk add endpoints for a user.
!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly to a user by an Administrator from within this module. Access to the SSAPI is controlled & applied on an individual endpoint basis.
Every user in the system can generate or rotate their API key by visiting the Self-Service API module.
Tip: If you would like to create a service account in the system with non-interactive access to the application interface, you can grant the user permissions via the SSAPI, then block the user so they cannot log in to the application. They will still be able to access the SSAPI.
Reporting
Standard PDF / DOCX / HTML Reports can be customized by users within the application. This allows users to create content within the reports which is relevant to the reader, or purpose.
For example, if the report needs to go to an Executive - they may not have the time to read through hundreds of pages of technical analysis. You can create a report that is structured to provide only the information the Executive cares about.
Another example is when reports need to be provided to 3rd parties or auditors. Considering vulnerability reports contain sensitive data on how to exploit issues, this information may need to be redacted before it is sent to the party. You can create a report that will omit any screenshots, steps to reproduce findings, etc. which may be deemed too sensitive to share with external parties.
As an Administrator, you can override a user's report settings.
Notifications
Admins can update the project email notifications options on behalf of another user, to tailor project notifications for the user.
Logs
Admins can view audit logs for a user.
Preferences
Admins can update the login landing page for a user. The login landing page is the first page a user sees when they log into AttackForge.
The default login landing page is the Global Dashboard.