Users

Overview

Users module provides administrative control over all users in the system. This module is only available to Administrators.

Users module makes it easy to:

  • Create New Users

  • Manage User Access to Projects, Groups and Self-Service API

  • Perform User Updates including Name, Email, Username, Role, Password Change, Reset 2FA, Disable 2FA

  • Block Sign In or Activate Sign In for users

  • View Login History for a user

  • View Audit Logs for a user

  • Delete a user

User Roles

AttackForge is built on two primary access models:

  • Application Roles – determines what modules the user has access to, and functionality within those modules.

  • Project Roles – determines what privileges & functions a user has access to on a project; and the data they will have access to in AttackForge across all modules.

A non-Admin user will only see vulnerabilities & projects they have explicitly been invited to.

Other access controls apply to relevant sections such as Writeups, Assets, Custom Fields, Reporting, Portfolios and more.

There are currently five (5) application roles an Administrator can assign to a user:

  • Client (standard user)

  • Consultant (standard user)

  • Library Moderator (deprecated)

  • Project Coordinator

  • Administrator

Clients / Consultants can do the following:

  • Access Global Dashboard

  • Access Analytics module

    • can see analytics for data they have access to

  • Access Vulnerabilities module

    • can see all vulnerabilities they have access to

  • Access Projects module

    • can only see projects they have been invited to

    • can only see project requests they have made

  • Access Scheduling module

    • can only see their projects

  • Access Portfolios module

    • has view access only to portfolios/streams based on configuration

  • Access Assets module (if enabled)

    • has access to CRUD operations for their assets only

    • has view/edit access to assets based on library access controls

    • can see their vulnerabilities for all their assets

  • Access Writeups module

    • has view/edit access only to writeup libraries based on configuration

  • Access Self-Service API

    • by default has no access to API methods/endpoints

  • Access Attack Chains module

  • Access Help & Support

Library Moderators (deprecated) can do the following:

!IMPORTANT: We do not recommend using the Library Moderator role. Access to libraries can now be managed via library access controls.

  • Access Global Dashboard

  • Access Analytics module

    • can see analytics for data they have access to

  • Access Vulnerabilities module

    • can see all vulnerabilities they have access to

  • Access Projects module

    • can only see projects they have been invited to

    • can only see project requests they have made

  • Access Scheduling module

    • can only see their projects

  • Access Portfolios module

    • has view access only to portfolios/streams based on configuration

  • Access Assets module (if enabled)

    • has access to CRUD operations for their assets only

    • has view/edit access to assets based on library access controls

    • can see their vulnerabilities for all their assets

  • Access Writeups module

    • has view/edit access only to writeup libraries based on configuration

  • Access Self-Service API

    • by default has no access to API methods/endpoints

  • Access Attack Chains module

  • Access Help & Support

Project Coordinators can do the following:

  • Access Global Dashboard

  • Access Analytics module

    • can see analytics for data they have access to

  • Access Vulnerabilities module

    • can see all vulnerabilities they have access to

  • Access Projects module

    • can create new projects

    • can update projects

    • gets access to all new projects (optional)

    • can invite users to projects

    • can manage user access to projects

    • can access all pending & actioned project requests

    • can approve new project requests

    • can request more information on project requests

    • can reject new project requests

  • Access Scheduling module

    • can only see their projects

  • Access Portfolios module

    • has view access only to portfolios/streams based on configuration

  • Access Report Templates module

    • has full access to this module, including CRUD operations

  • Access Assets module (if enabled)

    • has access to CRUD operations for all assets

    • has view/edit access to assets based on library access controls

    • can see their vulnerabilities for all their assets

  • Access Writeups module

    • has view/edit access only to writeup libraries based on configuration

  • Access Test Suites module

    • has full access to this module, including CRUD operations

  • Access Self-Service API

    • by default has no access to API methods/endpoints

  • Access Attack Chains module

  • Access Help & Support

Administrators are Super Users and can access all functionality & workflows, including:

  • Access Global Dashboard

  • Access Analytics module

    • can see analytics for all data

  • Access Vulnerabilities module

    • can see all vulnerabilities

  • Access Projects module

    • can create new projects

    • can update projects

    • can archive & unarchive projects

    • can destroy projects

    • can invite users to projects

    • can manage user access to projects

    • can access all pending & actioned project requests

    • can approve new project requests

    • can request more information on project requests

    • can reject new project requests

    • can perform all workflows on a project

  • Access Scheduling module

    • can see all projects

  • Access Portfolios module

    • has full access to this module, including CRUD operations

  • Access Report Templates module

    • has full access to this module, including CRUD operations

  • Access Assets module (if enabled)

    • has access to CRUD operations for all assets

    • can see vulnerabilities for all assets

  • Access Writeups module

    • has full access to this module, including CRUD operations

  • Access Test Suites module

    • has full access to this module, including CRUD operations

  • Access Groups module

    • has full access to this module, including CRUD operations

    • can manage Group Membership for users

  • Access Users module

    • has full access to this module, including CRUD operations

    • can perform all administrative tasks, such as user management, access logs, etc.

  • Access Self-Service API

    • by default has no access to API methods/endpoints

    • can assign access to self or other users via Users module

  • Access Attack Chains module

  • Access Administration module

    • has full access, including purchasing add-ons, updating tenant configuration and viewing licensing and support information.

  • Access Help & Support

Registering A New User

Where enabled on your tenant, new users can self-register accounts from the login page. They will need to activate their account (via email activation link) before they can sign in.

The first time a user logs into AttackForge, the user will receive a QR code to scan with their mobile authenticator app to enable two-factor authentication (2FA) for their account. By default, 2FA is mandatory and enforced on all accounts. This can be disabled on a user-by-user basis by Administrators.

Creating A New User

Administrators can create new users in the system directly, without having to go through the registration workflow. This is useful when you need to create accounts quickly or when you don't have access to an email address for activation.

You can create a new user in the system by clicking the New User button.

When creating a new user, you can assign any user role available in the system. Newly created accounts are already verified and activated, so they can log in immediately.

The user will receive an email to inform them that their account has been created, and instructions on how they can log in.

Update User Profile

You can update a user's profile.

Update User Account

You can update a user's account settings. This includes:

  • Change email address

  • Change username

  • Change password

  • Enable/Disable/Reset MFA

  • Set expiry date (user will be blocked after that date)

  • Resend welcome invitation email

  • Block/Unblock user from signing in

  • Delete user

Managing Access

You can change a user's role. For information on roles, see User Roles.

You can also manage a user's access to the following:

  • Groups

  • Projects

  • Delegations

  • Self-Service Events API

  • Self-Service RESTful API

Groups

Here you can update a user's permissions on any groups they are a member of, or you can remove their access.

If you update a user's access to a group, the new privileges will apply immediately across all projects linked to the group.

You can also bulk add a user to groups.

Projects

Here you can update a user's permissions on any projects where they are an existing team member, or you can remove their access.

If you update a user's access to a project, the new privileges will apply immediately on the project.

If you remove a user's access to a project, the user is removed from the project immediately. They will no longer be able to see any of the project's vulnerabilities and data.

You can also bulk add a user to projects.

Delegations

Admins can delegate specific workflows and functions to individual users.

Delegations can be assigned to any user, and can help to:

  • Reduce the burden placed on admins and privileged users.

  • Empower trusted individuals with autonomy to perform more tasks in AttackForge.

Here you can update a user's delegations, or remove their delegations.

You can also bulk apply delegations to a user.

Certain delegations can also be assigned to entire application user roles via Administration module. For more details, visit Configuration Options.

Self-Service Events API

Here you can manage a user's access to the Self-Service Events API.

Here you can update a user's permissions on any events, or you can remove their access.

You can also bulk add events for a user.

!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly by the Administrators to a user from within this module. Access to the SSAPI is controlled & applied on an individual event basis.

Every user in the system can generate or rotate their API key by visiting Self-Service API module.

Tip: If you would like to create a service account in the system with non-interactive access to the application interface, grant the user permissions via the SSAPI and then block the user so they cannot log in to the application. They will still be able to access the SSAPI.

Self-Service RESTful API

Here you can manage a user's access to the Self-Service RESTful API.

Here you can update a user's permissions on any endpoints, or you can remove their access.

You can also bulk add endpoints for a user.

!IMPORTANT: By default, all users have no access to the Self-Service API. Access is granted explicitly by the Administrators to a user from within this module. Access to the SSAPI is controlled & applied on an individual endpoint basis.

Every user in the system can generate or rotate their API key by visiting Self-Service API module.

Tip: If you would like to create a service account in the system with non-interactive access to the application interface, grant the user permissions via the SSAPI and then block the user so they cannot log in to the application. They will still be able to access the SSAPI.
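The following is an added illustrative model (not AttackForge's own code) of the access decisions described in this section and in Update User Account: interactive sign-in is refused for blocked, expired or unactivated accounts, while SSAPI access depends only on an API key plus an explicit per-endpoint grant, which is why the blocked service-account pattern above works. All field and helper names are assumptions, and the expiry rule is read as "blocked on any day after the expiry date".

```python
"""Illustrative model of AttackForge-style sign-in and SSAPI access decisions.
Added example: not AttackForge code. Field and function names are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set


@dataclass
class User:
    username: str
    role: str                          # Client, Consultant, Project Coordinator, Administrator
    activated: bool = True             # email activation completed (admin-created users start activated)
    blocked: bool = False              # "Block Sign In" set by an Administrator
    expiry: Optional[date] = None      # user is blocked after this date
    api_key: Optional[str] = None      # generated/rotated by the user in the Self-Service API module
    ssapi_endpoints: Set[str] = field(default_factory=set)   # explicit per-endpoint grants
    projects: Set[str] = field(default_factory=set)          # projects the user was invited to


def can_sign_in(user: User, today: date) -> bool:
    """Interactive login requires an activated, unblocked, unexpired account."""
    if not user.activated or user.blocked:
        return False
    if user.expiry is not None and today > user.expiry:
        return False
    return True


def ssapi_allowed(user: User, endpoint: str) -> bool:
    """SSAPI access is granted per endpoint and is independent of the sign-in block.
    Default is deny: no grants means no access, whatever the application role."""
    return user.api_key is not None and endpoint in user.ssapi_endpoints


def visible_projects(user: User, all_projects: Set[str]) -> Set[str]:
    """Administrators see every project; everyone else only those they were invited to."""
    if user.role == "Administrator":
        return set(all_projects)
    return user.projects & all_projects


def revoke_service_account(user: User) -> User:
    """Fully retiring a service account means removing its SSAPI grants and key,
    since blocking sign-in alone leaves SSAPI access intact."""
    user.blocked = True
    user.ssapi_endpoints = set()
    user.api_key = None
    return user
```

Running the model against a constructed blocked service account shows that the block alone does not revoke API access; only removing the endpoint grants or the key does.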

Reporting

Standard PDF / DOCX / HTML Reports can be customized by users within the application. This allows users to create content within the reports which is relevant to the reader, or purpose.

For example, if the report needs to go to an Executive - they may not have the time to read through hundreds of pages of technical analysis. You can create a report that is structured to provide only the information the Executive cares about.

Another example is when reports need to be provided to 3rd parties or auditors. Considering vulnerability reports contain sensitive data on how to exploit issues, this information may need to be redacted before it is sent to the party. You can create a report that will omit any screenshots, steps to reproduce findings, etc. which may be deemed too sensitive to share with external parties.

As an Administrator, you can override a user's report settings.

Notifications

Admins can update the project email notifications options on behalf of another user, to tailor project notifications for the user.

Logs

Admins can view audit logs for a user.

Preferences

Admins can update the login landing page for a user. The login landing page is the first page a user sees when they log into AttackForge.

The default login landing page is the Global Dashboard.

Check YouTube for more tutorials: https://youtube.com/@attackforge