Users
Overview
The Users module provides administrative control over all users in the system. This module is only available to Administrators.
The Users module makes it easy to:
Create and Invite New Users
Manage User Access to Projects, Groups and Self-Service APIs
Perform User Updates including Name, Email, Username, Role, Password Change, Reset 2FA, Disable 2FA
Block Sign In or Activate Sign In for users
View Login History for a user
View Audit Logs for a user
Delete a user
User Roles
AttackForge is built on two primary access models:
Application Roles – determines what modules the user has access to, and functionality within those modules.
Project Roles – determines what privileges & functions a user has access to on a project; and the data they will have access to in AttackForge across all modules.
A non-Admin user will only see vulnerabilities & projects they have explicitly been invited to.
Other access controls apply to relevant sections such as Project Requests, Writeups, Assets, Custom Fields, Reporting, Portfolios, Self-Service APIs and more.
There are currently five (5) application roles an Administrator can assign to a user:
Client (standard user)
Consultant (standard user)
Library Moderator (deprecated)
Project Coordinator
Administrator
Clients / Consultants
Clients / Consultants can do the following:
Access Global Dashboard
Access Analytics module
can see analytics for data they have access to
Access Vulnerabilities module
can see all vulnerabilities they have access to
Access Projects module
can only see projects they have been invited to
can only see project requests they have made
Access Scheduling module
can only see their projects
Access Portfolios module
has view access only to portfolios/streams based on configuration
Access Assets module (if enabled)
has access to CRUD operations for their assets only
has view/edit access to assets based on library access controls
can see their vulnerabilities for all their assets
Access Writeups module
has view/edit access only to writeup libraries based on configuration
Access Self-Service API
by default has no access to API methods/endpoints
Access Attack Chains module
Access Help & Support
Library Moderators
Library Moderators (deprecated) can do the following:
!IMPORTANT: We do not recommend using the Library Moderator role. Access to libraries can now be managed via library access controls.
Access Global Dashboard
Access Analytics module
can see analytics for data they have access to
Access Vulnerabilities module
can see all vulnerabilities they have access to
Access Projects module
can only see projects they have been invited to
can only see project requests they have made
Access Scheduling module
can only see their projects
Access Portfolios module
has view access only to portfolios/streams based on configuration
Access Assets module (if enabled)
has access to CRUD operations for their assets only
has view/edit access to assets based on library access controls
can see their vulnerabilities for all their assets
Access Writeups module
has view/edit access only to writeup libraries based on configuration
Access Self-Service API
by default has no access to API methods/endpoints
Access Attack Chains module
Access Help & Support
Project Coordinators
Project Coordinators can do the following:
Access Global Dashboard
Access Analytics module
can see analytics for data they have access to
Access Vulnerabilities module
can see all vulnerabilities they have access to
Access Projects module
can create new projects
can update projects
gets access to all new projects (optional)
can invite users to projects
can manage user access to projects
can access all pending & actioned project requests
can approve new project requests
can request more information on project requests
can reject new project requests
Access Scheduling module
can only see their projects
can filter schedule by user and project role
Access Portfolios module
has view access only to portfolios/streams based on configuration
Access Report Templates module
has full access to this module, including CRUD operations
Access Assets module (if enabled)
has access to CRUD operations for all assets
has view/edit access to assets based on library access controls
can see their vulnerabilities for all their assets
Access Writeups module
has view/edit access only to writeup libraries based on configuration
Access Test Suites module
has full access to this module, including CRUD operations
Access Self-Service API
by default has no access to API methods/endpoints
Access Attack Chains module
Access Help & Support
Administrators
Administrators are Super Users and can access all functionality & workflows, including:
Access Global Dashboard
Access Analytics module
can see analytics for all data
Access Vulnerabilities module
can see all vulnerabilities
Access Projects module
can create new projects
can update projects
can archive & unarchive projects
can destroy projects
can invite users to projects
can manage user access to projects
can access all pending & actioned project requests
can approve new project requests
can request more information on project requests
can reject new project requests
can perform all workflows on a project
Access Scheduling module
can see all projects
Access Portfolios module
has full access to this module, including CRUD operations
Access Report Templates module
has full access to this module, including CRUD operations
Access Assets module (if enabled)
has access to CRUD operations for all assets
can see vulnerabilities for all assets
Access Writeups module
has full access to this module, including CRUD operations
Access Test Suites module
has full access to this module, including CRUD operations
Access Groups module
has full access to this module, including CRUD operations
can manage Group Membership for users
Access Users module
has full access to this module, including CRUD operations
can perform all administrative tasks, such as user management, access logs, etc.
Access Self-Service API
by default has no access to API methods/endpoints
can assign access to self or other users via Users module
Access Attack Chains module
Access Administration module
has full access. Can purchase add-ons, update tenant configuration and view licensing and support information.
Access Help & Support
Registering A New User
Where enabled on your tenant, new users can self-register accounts from the login page. They will need to activate their account (via email activation link) before they can sign in.
The first time a user logs into AttackForge, the user will receive a QR code to scan with their mobile authenticator app to enable two-factor authentication (2FA) for their account. By default, 2FA is mandatory and enforced on all accounts. This can be disabled on a user-by-user basis by Administrators.
Creating A New User
Administrators can create new users in the system directly, without having to go through registration workflow. This is useful when you need to create accounts fast or when you don't have access to an email address for activation.
You can create a new user in the system by clicking on the New User button.
When creating a new user, you can assign any user role available in the system. Newly created accounts are already verified and activated, so the user can log in immediately.
The user will receive a Welcome Email to inform them that their account has been created, with instructions on how they can log in.
Update User Profile
You can update a user's profile.
Update User Account
You can update a user's account settings. This includes:
Change email address
Change username
Change password
Enable/Disable/Reset MFA
Set expiry date (user will be blocked after that date)
Resend welcome invitation email
Block/Unblock user from signing in
Delete user
Managing Access
You can change a user's role. For information on roles, see User Roles.
You can also manage a user's access to the following:
Groups
Projects
Delegations
Self-Service Events API
Self-Service RESTful API
Groups
Here you can update a user's permissions on any groups they are a member of, or you can remove their access.
If you update a user's access to a group, the new privileges will apply immediately across all projects linked to the group.
You can also bulk add a user to groups.
Projects
Here you can update a user's permissions on any projects of which they are an existing team member, or you can remove their access.
If you update a user's access to a project, the new privileges will apply immediately on the project.
If you remove a user's access to a project, the user is removed from the project immediately. They will no longer be able to see any of the project's vulnerabilities and data.
You can also bulk add a user to projects.
Delegations
Admins can delegate specific workflows and functions to individual users.
Delegations can be assigned to any user, and can help to:
Reduce the burden placed on admins and privileged users.
Empower trusted individuals with autonomy to perform more tasks in AttackForge.
Here you can update a user's delegations, or remove their delegations.
You can also bulk apply delegations to a user.
Certain delegations can also be assigned to entire application user roles via Administration module.
Self-Service Events API
Here you can manage a user's access to the Self-Service Events API.
Here you can update a user's permissions on any events, or you can remove their access.
You can also bulk add events for a user.
!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly by an Administrator to a user from within this module. Access to the SSAPI is controlled and applied on an individual event basis.
Every user in the system can generate or rotate their API key by visiting Self-Service API module.
Tip: If you would like to create a service account in the system with non-interactive access to the application, you can grant the user permissions via the SSAPI, then block the user so they cannot log in to the application interface. They will still be able to access the SSAPI.
Self-Service RESTful API
Here you can manage a user's access to the Self-Service RESTful API.
Here you can update a user's permissions on any endpoints, or you can remove their access.
You can also bulk add endpoints for a user.
!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly by an Administrator to a user from within this module. Access to the SSAPI is controlled and applied on an individual endpoint basis.
Every user in the system can generate or rotate their API key by visiting Self-Service API module.
Tip: If you would like to create a service account in the system with non-interactive access to the application, you can grant the user permissions via the SSAPI, then block the user so they cannot log in to the application interface. They will still be able to access the SSAPI.
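The access model the two Self-Service API sections describe (deny by default, explicit per-endpoint grants, and a "Block Sign In" flag that stops interactive login but not SSAPI access, which is what makes the service-account tip work) can be modelled in a few lines. The following is an added example, not AttackForge's own code: the User structure, the function names, the endpoint names and the sample accounts are all assumptions made for the example, and the endpoint names are placeholders rather than real SSAPI routes.

```python
"""Added example (not AttackForge's own code) of the Self-Service API access
model: deny by default, explicit per-endpoint grants, and a 'block sign in'
flag that stops interactive login but not SSAPI access, so a blocked account
can act as a non-interactive service account.  User and endpoint names, the
key format and the sample accounts are assumptions made for this example."""

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class User:
    username: str
    api_key: str
    blocked: bool = False                                   # "Block Sign In" flag
    ssapi_endpoints: Set[str] = field(default_factory=set)  # explicit grants only


def authenticate_api_key(presented_key: str, users: Dict[str, User]) -> Optional[User]:
    """Map a presented key to a user; compare in constant time to avoid timing leaks."""
    for user in users.values():
        if hmac.compare_digest(user.api_key.encode(), presented_key.encode()):
            return user
    return None


def interactive_login_allowed(user: User) -> bool:
    """The block flag governs the web login only, not the SSAPI."""
    return not user.blocked


def call_ssapi(presented_key: str, endpoint: str, users: Dict[str, User]) -> Tuple[bool, str]:
    """Authorise one SSAPI request; returns (allowed, detail)."""
    user = authenticate_api_key(presented_key, users)
    if user is None:
        return False, "unknown API key"
    if endpoint not in user.ssapi_endpoints:
        # No implicit access: every endpoint must have been granted by an Administrator.
        return False, f"{user.username} has no grant for {endpoint}"
    return True, user.username


def rotate_api_key(user: User) -> str:
    """Rotating the key is what revokes existing API access; blocking sign-in does not."""
    user.api_key = secrets.token_hex(32)
    return user.api_key


def make_sample_users() -> Dict[str, User]:
    """Constructed sample accounts; endpoint names are placeholders, not real routes."""
    return {
        "svc-reporting": User("svc-reporting", "constructed-key-1", blocked=True,
                              ssapi_endpoints={"projects:list"}),
        "alice": User("alice", "constructed-key-2"),   # default: no SSAPI access
    }


if __name__ == "__main__":
    users = make_sample_users()
    print(call_ssapi("constructed-key-1", "projects:list", users))   # blocked, but granted
    print(call_ssapi("constructed-key-1", "vulns:list", users))      # no grant for this one
    print(call_ssapi("constructed-key-2", "projects:list", users))   # alice has no grants
    print(interactive_login_allowed(users["svc-reporting"]))         # False: sign-in blocked
```

The practical point for an administrator is the last function: blocking a user removes the interactive login path only, so retiring a service account means revoking its SSAPI grants (or rotating the key), not just blocking sign-in.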
Notifications
Admins can update the project email notifications options on behalf of another user, to tailor project notifications for the user.
Logs
Admins can view audit logs for a user.
Preferences
Admins can update the login landing page for a user. The login landing page is the first page a user sees when they log into AttackForge.
The default login landing page is the Global Dashboard.
Single Sign On (SSO)
SSO can be configured in AttackForge.
AttackForge supports SSO via OAuth2 OpenID Connect (OIDC).
AttackForge supports two (2) concurrent Identity Provider (IdP) integrations, meaning you can have two separate SSO login workflows.
SSO is only available on Enterprise plans and must be configured and enabled by AttackForge.
Auto Create User on Login
AttackForge supports Just-in-Time user creation via SSO, meaning you do not need to pre-register or create user accounts: they will be created automatically on the user's first login and assigned the configured Default Role for New Users.
You can however disable this feature if required, to prevent anyone with an account on your IdP being able to create an AttackForge user account.
Require MFA on Admin SSO Logins
If your IdP does not enforce MFA, you can enable this option to require Admin users in AttackForge to go through AttackForge's 2FA process.
Manage Roles via SSO Groups
You can opt into having AttackForge automatically manage your SSO application user roles.
This feature allows you to map your Identity Provider Groups or Active Directory Groups to AttackForge Application Roles, meaning the user will be granted the relevant role each time they log in.
If a user's groups do not match any of the specified groups, the user will be subject to the Default Role/Action For SSO Users.
The Default Role/Action For SSO Users supports the following:
Blocked - User will be denied log in to AttackForge.
Client - User will be assigned the Client role.
Consultant - User will be assigned the Consultant role.
Manage Group Membership via SSO Groups
You can link Identity Provider (IdP) or Active Directory (AD) Groups to AttackForge Groups.
This feature is available for Single-Sign-On (SSO) enabled tenants to help automate provisioning and removal of users to AttackForge Groups and their related projects, based on the users' IdP/AD groups.
This feature can help to ensure that users accessing AttackForge receive sufficient access to projects based on the enterprise's own access control groups, and lose access to projects they should not have access to, upon each login.
This option is Disabled by default. It is only enabled, on an AttackForge Group-by-Group basis, when an IdP/AD group is linked to the AttackForge Group.
How it works:
When creating a new group in AttackForge, or when editing an existing group - you can link one or more IdP/AD groups. This is an optional field.
Once a group is linked, all group membership will be controlled via SSO.
If the user signing into AttackForge via SSO has IdP/AD groups returned in their SSO profile, the following checks will apply:
For each AttackForge Group with linked IdP/AD groups, check whether any linked group matches any of the user's IdP/AD groups:
If match exists
If the user is not already a member of the group, add the user as a member to the group.
Assign the access level according to the mapping.
If no match exists
If the user is already a member of the group - remove their access to the group.
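The two SSO rules above, role assignment from mapped groups with a Default Role/Action For SSO Users, and per-login reconciliation of AttackForge Group membership, are easiest to reason about as one login routine. The following is an added example, not AttackForge's own implementation: the data structures, function names, role mapping and sample groups are assumptions made for the example. Where the page does not say which mapping wins when a user belongs to several mapped groups, the example takes the first match in mapping order and labels that as an assumption.

```python
"""Added example (not AttackForge's own code) of the SSO group rules:
mapping IdP/AD groups to an application role with a Default Role/Action For
SSO Users, and reconciling AttackForge Group membership from the groups in a
user's SSO profile.  Structures, names and sample data are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Assumed role mapping: IdP/AD group name -> AttackForge application role.
# Which mapping wins when a user is in several mapped groups is not stated
# on the page; this example takes the first match in mapping order.
ROLE_MAPPINGS: Dict[str, str] = {
    "af-consultants": "Consultant",
    "af-clients": "Client",
}

# Default Role/Action For SSO Users: "Blocked", "Client" or "Consultant".
DEFAULT_SSO_ACTION = "Blocked"


@dataclass
class AfGroup:
    name: str
    linked_idp_groups: Set[str]        # empty -> membership is managed manually
    access_level: str                  # assumed: access level from the link mapping
    members: Dict[str, str] = field(default_factory=dict)  # username -> access level


def resolve_role(idp_groups: Iterable[str], mappings: Dict[str, str] = ROLE_MAPPINGS,
                 default: str = DEFAULT_SSO_ACTION) -> str:
    """Return the application role for this login, or "Blocked" (login denied)."""
    groups = set(idp_groups)
    for idp_group, role in mappings.items():
        if idp_group in groups:
            return role
    return default  # no mapped group matched: apply the default role/action


def reconcile_group_membership(user: str, idp_groups: Iterable[str],
                               af_groups: List[AfGroup]) -> List[Tuple[str, str]]:
    """Apply the per-group checks from the page; return the membership changes made."""
    groups = set(idp_groups)
    changes: List[Tuple[str, str]] = []
    for g in af_groups:
        if not g.linked_idp_groups:
            continue  # unlinked group: SSO does not touch its membership
        if g.linked_idp_groups & groups:
            if user not in g.members:
                changes.append(("added", g.name))
            g.members[user] = g.access_level   # assign access level per the mapping
        elif user in g.members:
            del g.members[user]                # linked group, no match: remove access
            changes.append(("removed", g.name))
    return changes


def sso_login(user: str, idp_groups: Iterable[str],
              af_groups: List[AfGroup]) -> Tuple[str, List[Tuple[str, str]]]:
    """Simulate one SSO login: resolve the role, then reconcile group membership."""
    role = resolve_role(idp_groups)
    if role == "Blocked":
        return role, []   # assumed: a denied login performs no group reconciliation
    return role, reconcile_group_membership(user, idp_groups, af_groups)


def make_sample_groups() -> List[AfGroup]:
    """Constructed sample data: one SSO-linked group and one manually managed group."""
    return [
        AfGroup("Web Apps Team", {"ad-webapps"}, "Read-Only",
                {"alice": "Read-Only", "bob": "Read-Only"}),
        AfGroup("Manual Group", set(), "Read-Only", {"bob": "Read-Only"}),
    ]


if __name__ == "__main__":
    groups = make_sample_groups()
    # bob no longer has ad-webapps on the IdP side: removed from the linked group
    print(sso_login("bob", {"af-clients"}, groups))
    # carol matches the linked group for the first time: added with the mapped level
    print(sso_login("carol", {"af-consultants", "ad-webapps"}, groups))
    # dave matches no mapped group and the default action is Blocked: login denied
    print(sso_login("dave", {"unmapped"}, groups))
```

Note that the unlinked "Manual Group" is never touched, which matches the page's statement that the feature is enabled group by group only when an IdP/AD group is linked; removing a user from the IdP group therefore only affects the linked groups on their next login.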