AttackForge
Search
K

Users

Overview

Users module provides administrative control over all users in the system. This module is only available to Administrators.
Users module makes it easy to:
  • Create New Users
  • Manage User Access to Projects, Groups and Self-Service API
  • Perform User Updates including Name, Email, Username, Role, Password Change, Reset 2FA, Disable 2FA
  • Block Sign In or Activate Sign In for users
  • View Login History for a user
  • View Audit Logs for a user
  • Delete a user

User Roles

AttackForge is built on two primacy access models:
  • Application Roles – determines what modules the user has access to, and functionality within those modules.
  • Project Roles – determines what privileges & functions a user has access to on a project; and the data they will have access to in AttackForge across all modules.
A non-Admin user will only see vulnerabilities & projects they have explicitly been invited to.
Other access controls apply to relevant sections such as Writeups, Assets, Custom Fields, Reporting, Portfolios and more.
There are currently five (5) application roles an Administrator can assign to a user:
  • Client (standard user)
  • Consultant (standard user)
  • Library Moderator (deprecated)
  • Project Coordinator
  • Administrator
Clients / Consultants can do the following:
  • Access Global Dashboard
  • Access Analytics module
    • can see analytics for data they have access to
  • Access Vulnerabilities module
    • can see all vulnerabilities they have access to
  • Access Projects module
    • can only see any projects they have been invited to
    • can only see project requests they have made
  • Access Scheduling module
    • can only see their projects
  • Access Portfolios module
    • has view access only to portfolios/streams based on configuration
  • Access Assets module (if enabled)
    • has access to CRUD operations for their assets only
  • Access Writeups module
    • has view/edit access only to writeup libraries based on configuration
  • Access Self-Service API
    • by default has no access to API methods/endpoints
  • Access Attack Chains module
  • Access Help & Support
Library Moderators (deprecated) can do the following:
!IMPORTANT: We do not recommend using Library Moderator role. Access to libraries can now be managed via library access controls.
  • Access Global Dashboard
  • Access Analytics module
    • can see analytics for data they have access to
  • Access Vulnerabilities module
    • can see all vulnerabilities they have access to
  • Access Projects module
    • can only see any projects they have been invited to
    • can only see project requests they have made
  • Access Scheduling module
    • can only see their projects
  • Access Portfolios module
    • has view access only to portfolios/streams based on configuration
  • Access Assets module (if enabled)
    • has access to CRUD operations for their assets only
  • Access Writeups module
    • has view/edit access only to writeup libraries based on configuration
  • Access Self-Service API
    • by default has no access to API methods/endpoints
  • Access Attack Chains module
  • Access Help & Support
Project Coordinators can do the following:
  • Access Global Dashboard
  • Access Analytics module
    • can see analytics for data they have access to
  • Access Vulnerabilities module
    • can see all vulnerabilities they have access to
  • Access Projects module
    • can create new projects
    • can update projects
    • gets access to all new projects (optional)
    • can invite users to projects
    • can manage user access to projects
    • can access all pending & actioned project requests
    • can approve new project requests
    • can request more information on project requests
    • can reject new project requests
  • Access Scheduling module
    • can only see their projects
  • Access Portfolios module
    • has view access only to portfolios/streams based on configuration
  • Access Report Templates module
    • has full access to this module, including CRUD operations
  • Access Assets module (if enabled)
    • has access to CRUD operations for all assets
  • Access Writeups module
    • has view/edit access only to writeup libraries based on configuration
  • Access Test Suites module
    • has full access to this module, including CRUD operations
  • Access Self-Service API
    • by default has no access to API methods/endpoints
  • Access Attack Chains module
  • Access Help & Support
Administrators are Super Users and can access all functionality & workflows, including:
  • Access Global Dashboard
  • Access Analytics module
    • can see analytics for all data
  • Access Vulnerabilities module
    • can see all vulnerabilities
  • Access Projects module
    • can create new projects
    • can update projects
    • can archive & unarchive projects
    • can destroy projects
    • can invite users to projects
    • can manage user access to projects
    • can access all pending & actioned project requests
    • can approve new project requests
    • can request more information on project requests
    • can reject new project requests
    • can perform all workflows on a project
  • Access Scheduling module
    • can see all projects
  • Access Portfolios module
    • has full access to this module, including CRUD operations
  • Access Report Templates module
    • has full access to this module, including CRUD operations
  • Access Assets module (if enabled)
    • has access to CRUD operations for all assets
    • can see vulnerabilities for all assets
  • Access Writeups module
    • has full access to this module, including CRUD operations
  • Access Test Suites module
    • has full access to this module, including CRUD operations
  • Access Groups module
    • has full access to this module, including CRUD operations
    • can manage Group Membership for users
  • Access Users module
    • has full access to this module, including CRUD operations
    • can perform all administrative tasks, such as user management, access logs, etc.
  • Access Self-Service API
    • by default has no access to API methods/endpoints
    • can assign access to self or other users via Users module
  • Access Attack Chains module
  • Access Administration module
    • has full access. Can purchase add-ons, update tenant configuration and view licensing and support information.
  • Access Help & Support

Registering A New User

Where enabled on your tenant, new users can self-register accounts from the login page. They will need to activate their account (via email activation link) before they can sign in.
The first time a user logs into AttackForge, the user will receive a QR code to scan with their mobile authenticator app to enable two-factor authentication (2FA) for their account. By default, 2FA is mandatory and enforced on all accounts. This can be disabled on a user-by-user basis by Administrators.

Creating A New User

Administrators can create new users in the system directly, without having to go through registration workflow. This is useful when you need to create accounts fast or when you don't have access to an email address for activation.
You can create a new user in the system by clicking on New User button.
When creating a new user, you can assign any user role available in the system. Newly created account are already verified and activated so they can log in immediately.
The user will receive an email to inform them that their account has been created, and instructions on how they can log in.

Update User Profile

You can update a user's profile.

Update User Account

You can update a users account settings. This includes:
  • Change email address
  • Change username
  • Change password
  • Enable/Disable/Reset MFA
  • Set expiry date (user will be blocked after that date)
  • Resend welcome invitation email
  • Block/Unblock user from signing in
  • Delete user

Managing Access

You can change a users' role. For information on roles, see User Roles.
You can also manage a users' access to the following:
  • Groups
  • Projects
  • Delegations
  • Self-Service Events API
  • Self-Service RESTful API

Groups

Here you can update a users' permissions on any groups they are members of, or you can remove their access.
If you update a users' access to a group, the new privileges will apply immediately across all projects linked to the group.
You can also bulk add a user to groups.

Projects

Here you can update a users' permissions on any projects they are an existing team member, or you can remove their access.
If you update a users' access to a project, the new privileges will apply immediately on the project.
If you remove a users' access to a project, this will remove the user from the project immediately. They will no longer be able to see any of the projects' vulnerabilities and data.
You can also bulk add a user to projects.

Delegations

Admins can delegate specific workflows and functions to individual users.
Delegations can be assigned to any user, and can help to:
  • Reduce the burden placed on admins and privileged users.
  • Empower trusted individuals with autonomy to perform more tasks in AttackForge.
Here you can update a users' delegations, or remove their delegations.
You can also bulk apply delegations to a user.
Certain delegations can also be assigned to entire application user roles via Administration module. For more details, visit Configuration Options.

Self-Service Events API

Here you can manage a users' access to the Self-Service Events API.
Here you can update a users' permissions on any events or you can remove their access.
You can also bulk add events for a user.
!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly by the Administrators to a user from within this module. Access to the SSAPI is controlled & applied on an individual event basis.
Every user in the system can generate or rotate their API key by visiting Self-Service API module.
Tip: If you would like to create a service account in the system with non-interactive access to the application interface - you can grant the user permissions via the SSAPI, then block the user so they cannot login to the application. They will still be able to access the SSAPI.

Self-Service RESTful API

Here you can manage a users' access to the Self-Service RESTful API.
Here you can update a users' permissions on any endpoints or you can remove their access.
You can also bulk add endpoints for a user.
!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly by the Administrators to a user from within this module. Access to the SSAPI is controlled & applied on an individual endpoint basis.
Every user in the system can generate or rotate their API key by visiting Self-Service API module.
Tip: If you would like to create a service account in the system with non-interactive access to the application interface - you can grant the user permissions via the SSAPI, then block the user so they cannot login to the application. They will still be able to access the SSAPI.

Reporting

Standard PDF / DOCX / HTML Reports can be customized by users within the application. This allows users to create content within the reports which is relevant to the reader, or purpose.
For example, if the report needs to go to an Executive - they may not have the time to read through hundreds of pages of technical analysis. You can create a report that is structured to provide only the information the Executive cares about.
Another example is when reports need to be provided to 3rd parties or auditors. Considering vulnerability reports contain sensitive data on how to exploit issues, this information may need to be redacted before it is sent to the party. You can create a report that will omit any screenshots, steps to reproduce findings, etc. which may be deemed too sensitive to share with external parties.
As an Administrator, you can override a users' report settings.

Notifications

Admins can update the project email notifications options on behalf of another user, to tailor project notifications for the user.

Logs

Admins can view audit logs for a user.

Preferences

Admins can update the login landing page for a user. The login landing page is the first page a user sees when they log into AttackForge.
The default login landing page is the Global Dashboard.