Role-Based Access Control in Web App Scanning
Objective
In this article, we provide an overview of the Role-Based Access Control (RBAC) capabilities in F5® Distributed Cloud Web App Scanning. These capabilities let you control, at a granular level, which objects hosted in your Web App Scanning tenant (e.g., apps, penetration test reports, found vulnerabilities) each of your team members can access, and with what privileges.
Prerequisites
To access the Web App Scanning service via the Distributed Cloud Console, you must have one of the roles prefixed with f5xc-web-app-scanning- in the system namespace. Please refer to our User Management documentation for further guidance on how to invite and assign roles to users in your Distributed Cloud tenant.
Having one of the roles prefixed with f5xc-web-app-scanning- in the system namespace makes the Web App Scanning tile available in the Distributed Cloud Console overview. This allows a user to navigate to the Web App Scanning service and utilize its capabilities.
The first time a user visits the Web App Scanning service, a user object will be created for them in Distributed Cloud Web App Scanning. Since a user with the same email address (e.g., jsmith@example.com) may be a member of multiple Distributed Cloud tenants, a unique username will be created for them in Distributed Cloud Web App Scanning. This username will be generated automatically according to the following pattern:
<local-part>+<tenant-id>@<domain>
You can find the value of <tenant-id> by navigating to https://<tenant-name>.console.ves.volterra.io/web/workspaces/administration/tenant-settings/tenant-overview. Replace <tenant-name> with the name of your tenant. This URL will return a page where you can see an overview of the details related to your Distributed Cloud tenant, including your tenant ID.
For example, if the user jsmith@example.com is a member of a tenant named hoopes with the tenant ID hoopes-uxgstlwo, their username in Distributed Cloud Web App Scanning would be:
jsmith+hoopes-uxgstlwo@example.com
Understanding how usernames are generated is important to effectively use the RBAC capabilities of Distributed Cloud Web App Scanning.
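The username pattern above is mechanical, so it is worth having it in code when you audit a member listing (for example, to map Web App Scanning usernames back to the Distributed Cloud identities and tenants they came from). The following is an added example written for this article, not F5's code: it applies the documented pattern, inverts it by splitting on the last `+` of the local part (an assumption that holds as long as the tenant ID is appended verbatim and never contains `+` or `@`), and groups a constructed member listing by tenant ID. The second tenant ID in the sample is made up for illustration.

```python
from __future__ import annotations
from collections import defaultdict


def was_username(email: str, tenant_id: str) -> str:
    """Apply the documented pattern <local-part>+<tenant-id>@<domain>."""
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    if "+" in tenant_id or "@" in tenant_id:
        # Assumption: tenant IDs never contain these characters; if they did,
        # the pattern would be ambiguous to parse.
        raise ValueError(f"tenant ID must not contain '+' or '@': {tenant_id!r}")
    local, domain = email.rsplit("@", 1)
    return f"{local}+{tenant_id}@{domain}"


def parse_was_username(username: str) -> tuple[str, str]:
    """Invert was_username: return (email, tenant_id).

    Splits on the LAST '+' of the local part, so a sub-addressed email such as
    jdoe+alerts@example.com round-trips correctly. This assumes the service
    appends the tenant ID verbatim, as the pattern states.
    """
    if "@" not in username:
        raise ValueError(f"not a username: {username!r}")
    local, domain = username.rsplit("@", 1)
    if "+" not in local:
        raise ValueError(f"no tenant suffix in {username!r}")
    base, tenant_id = local.rsplit("+", 1)
    return f"{base}@{domain}", tenant_id


def members_by_tenant(usernames: list[str]) -> dict[str, list[str]]:
    """Audit helper: group a member listing by tenant ID, recovering emails."""
    out: dict[str, list[str]] = defaultdict(list)
    for name in usernames:
        email, tenant = parse_was_username(name)
        out[tenant].append(email)
    return dict(out)


# Constructed sample listing for illustration; not real member data.
SAMPLE_MEMBERS = [
    "jsmith+hoopes-uxgstlwo@example.com",   # tenant from the example above
    "jsmith+acme-kq3p9xzt@example.com",     # same person, a second (made-up) tenant
    "jdoe+alerts+hoopes-uxgstlwo@example.com",  # sub-addressed local part
]

if __name__ == "__main__":
    for tenant, emails in members_by_tenant(SAMPLE_MEMBERS).items():
        print(tenant, emails)
```

The same person appearing under two tenant IDs is expected: it is exactly the collision the `+<tenant-id>` suffix exists to avoid, and a listing keyed by recovered email rather than by username is the right view for reviewing who holds which global role.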
You can obtain an overview of the users in your tenant who have accessed the Web App Scanning service by navigating to the service overview of the Distributed Cloud Console, clicking on the Web App Scanning tile, selecting Visit Service, and navigating to https://app.heyhack.com/members. Note that you must hold the global Admin role in your Web App Scanning tenant to access this overview.
Global Roles in Web App Scanning
All users in the Web App Scanning service have a global role. This global role is not tied to the role prefixed with f5xc-web-app-scanning- in the system namespace of your Distributed Cloud tenant. Instead, it must be assigned inside the Web App Scanning service by navigating to https://app.heyhack.com/members. Only users with the global Admin role can assign or change roles of other users.
There are three different global roles that provide the following privileges in the Web App Scanning service:
- Admin
- Users with the Admin role have full access to all capabilities in the Web App Scanning service, including reviewing and interacting with all apps, penetration test reports, and found vulnerabilities (whether or not those apps are associated with groups), associating them with groups, creating and managing groups, and inviting and assigning roles to users.
- User
- Users with the User role can create new objects in Web App Scanning (e.g., new apps in the Scan service or new domains in the Recon service). They can also associate apps with groups, provided the app does not already have a group association. They cannot access apps associated with a group of which they are not a member, and they cannot delete unassociated apps. Additionally, they cannot create new groups or manage groups/users in the Web App Scanning tenant.
- Monitor
- Monitors have no tenant-level privileges: they cannot create new objects, change settings, or manage groups/users. They can only access apps that have not been assigned to a group and apps associated with groups of which they are members.
By default, all new users in a Web App Scanning tenant are assigned the global Admin role, which is the most privileged one. If you do not want a new user to receive it, the order of operations matters: first assign them a different role in Web App Scanning (on https://app.heyhack.com/members), and only then give them one of the roles prefixed with f5xc-web-app-scanning- in the system namespace of your Distributed Cloud tenant. Otherwise, their first visit to the service creates their user object with the Admin role.
Group-Level Roles
You can create groups in Web App Scanning and associate them with apps in the Scan service. This lets you group different users and granularly control which apps they have access to and with what privileges. There is a one-to-many relationship between groups and apps in the Scan service, meaning that a group can have access to many apps while an app can only be associated with one group.
Members of a group can access apps that have been associated with that group. Inside the group, a member can have one of three roles:
- Admin
- Users with the Admin role in a group have full access to and control over the apps associated with that group. They can start penetration tests of those apps, change all of their settings (including their group association), and delete them. They can also add users to or remove users from the groups they administer, and change the roles of other members.
- User
- Users with the User role in a group can interact with the apps associated with that group. They can start penetration tests of those apps and change all of their settings except their group association. They cannot delete them, and they can neither add or remove users in that group nor manage other members.
- Monitor
- Users with the Monitor role in a group can review the apps associated with that group, i.e., see the results of penetration tests run on those apps. They cannot change the apps' settings or delete them, and they can neither add users to that group nor manage other members.
Associating an App with a Group
You can associate an app with a group when you create the app or later by changing its settings. Unless you hold the global Admin role, you can only associate an app with a group of which you are a member with the group-level Admin or group-level User role.
If an app is not associated with a group, it will be visible to all members of your tenant. Users that have either the global Admin role or the global User role will be able to associate it with a group.
- Users with the global Admin role will be able to associate it with any group in the tenant. They can subsequently change the group association if they wish to do so.
- Users with the global User role will be able to associate it with a group in which they hold the group-level Admin or group-level User role. If they hold a group-level Admin membership, they can change the association again later. If they hold a group-level User membership, they cannot subsequently change the association.
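The global roles, the group-level roles and the association rules above combine into a small but easy-to-misread access model, so it helps to see it as code. The following is an added example written for this article, not F5's implementation: it encodes the documented decision rules as pure functions over a constructed tenant (user, group and app names are made up, and usernames follow the `<local-part>+<tenant-id>@<domain>` pattern from the Prerequisites section). Where the page is silent, namely whether a global User may start a test on an app that has no group, the model denies by default and says so in a comment; treat that as an assumption, not documented behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

GLOBAL_ROLES = ("Admin", "User", "Monitor")   # tenant-wide role, one per user
GROUP_ROLES = ("Admin", "User", "Monitor")    # role inside one group


@dataclass
class Tenant:
    """Membership state of one Web App Scanning tenant (shape is this example's own)."""
    global_roles: dict[str, str]                                   # username -> global role
    groups: dict[str, dict[str, str]] = field(default_factory=dict)  # group -> {username: role}

    def global_role(self, user: str) -> str:
        role = self.global_roles[user]
        if role not in GLOBAL_ROLES:
            raise ValueError(f"unknown global role {role!r}")
        return role

    def group_role(self, user: str, group: str) -> Optional[str]:
        """Group-level role, or None when the user is not a member of the group."""
        return self.groups.get(group, {}).get(user)


@dataclass
class App:
    name: str
    group: Optional[str] = None   # None: not associated with any group


def can_view(t: Tenant, user: str, app: App) -> bool:
    if t.global_role(user) == "Admin":
        return True
    if app.group is None:        # unassociated apps are visible to every tenant member
        return True
    return t.group_role(user, app.group) is not None


def can_start_test(t: Tenant, user: str, app: App) -> bool:
    if t.global_role(user) == "Admin":
        return True
    if app.group is None:
        # Not specified by the page for global Users; deny by default (assumption).
        return False
    return t.group_role(user, app.group) in ("Admin", "User")


def can_delete(t: Tenant, user: str, app: App) -> bool:
    if t.global_role(user) == "Admin":
        return True
    if app.group is None:        # global Users cannot delete unassociated apps
        return False
    return t.group_role(user, app.group) == "Admin"   # only group Admins may delete


def can_set_group(t: Tenant, user: str, app: App, target: str) -> bool:
    """May `user` associate `app` with group `target`, or move it there?"""
    if target not in t.groups:
        return False
    g = t.global_role(user)
    if g == "Admin":
        return True              # any group, and the association may be changed later
    if g == "Monitor":
        return False             # no tenant-level privileges
    # Global User: the target must be a group they hold Admin or User in ...
    if t.group_role(user, target) not in ("Admin", "User"):
        return False
    if app.group is None:
        return True
    # ... and changing an existing association requires group Admin on the current group.
    return t.group_role(user, app.group) == "Admin"


def can_manage_members(t: Tenant, user: str, group: str) -> bool:
    return t.global_role(user) == "Admin" or t.group_role(user, group) == "Admin"


# Constructed sample tenant (names and groups are made up for illustration).
TENANT_ID = "hoopes-uxgstlwo"
def _u(local: str) -> str:
    return f"{local}+{TENANT_ID}@example.com"

ALICE, BOB, CAROL, DAVE = (_u(n) for n in ("alice", "bob", "carol", "dave"))
SAMPLE = Tenant(
    global_roles={ALICE: "Admin", BOB: "User", CAROL: "User", DAVE: "Monitor"},
    groups={
        "payments": {BOB: "User", CAROL: "Admin"},
        "hr": {CAROL: "User", DAVE: "Monitor"},
    },
)
PAYMENTS_APP = App("pay.example.com", group="payments")
HR_APP = App("hr.example.com", group="hr")
NEW_APP = App("new.example.com")   # created but not yet associated with a group

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE):
        for app in (PAYMENTS_APP, HR_APP, NEW_APP):
            print(user, app.name, can_view(SAMPLE, user, app),
                  can_start_test(SAMPLE, user, app), can_delete(SAMPLE, user, app))
```

Two consequences of the documented rules stand out when you run this: an app that nobody has associated with a group is readable by every member of the tenant, including Monitors, so associating sensitive apps promptly is itself an access-control step; and a global User who is only a group-level User can move an unassociated app into their group exactly once, after which only a group Admin or a global Admin can move it again.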
Email notifications that relate to an app that has been associated with a group will only be sent to members of that group (if they have defined their individual notification settings to receive emails).
Example of the Use of RBAC
You can review an example of how to apply the RBAC capabilities of Distributed Cloud Web App Scanning by checking out our RBAC Example article.