Example of Role-Based Access Control in Web App Scanning
Objective
In this article, we will provide an example of how the Role-Based Access Control (RBAC) capabilities in F5® Distributed Cloud Web App Scanning can be utilized. This example will serve as inspiration for using the RBAC capabilities to manage your apps, domains, and users in Distributed Cloud Web App Scanning.
Assumptions
In our example, we have set up the following apps, users, and groups. These objects lay the foundation for our example.
Web Applications
| Web Application | Associated Group |
|---|---|
| Customer Portal | Customer Portal Team |
| Support Site | None |
| Extranet | Reviewers |
| AI Universe | Innovation Team |
| Gaming Portal | Innovation Team |
Users
| User | Global Role | Group Memberships |
|---|---|---|
| admin@example.com | Admin | None |
| user@example.com | User | Innovation Team (Admin), Customer Portal Team (User), Reviewers (Monitor) |
| monitor@example.com | Monitor | Reviewers (Monitor) |
| developer@example.com | Monitor | Innovation Team (User), Customer Portal Team (Monitor), Reviewers (User) |
| supporter@example.com | Monitor | Customer Portal Team (User) |
Groups
| Group | Members |
|---|---|
| Innovation Team | user@example.com (Admin), developer@example.com (User) |
| Customer Portal Team | user@example.com (User), supporter@example.com (User) |
| Reviewers | user@example.com (Monitor), monitor@example.com (Monitor), developer@example.com (User) |
Access Rights
Based on the tables above, you can review the access rights of each individual user in the sections below.
admin@example.com
- Global Role: Admin
- Access Rights: As an Admin, admin@example.com has full access to all web applications, regardless of group membership. This user can manage any user, group, or app across the Distributed Cloud Web App Scanning platform. No group-specific access is required since Admins have overarching control.
user@example.com
- Global Role: User
- Group Memberships:
  - Innovation Team (Admin)
  - Customer Portal Team (User)
  - Reviewers (Monitor)
- Access Rights:
  - As a User, user@example.com can create new apps in the Scan service and domains in the Recon service.
  - AI Universe and Gaming Portal: As an Admin of the Innovation Team, user@example.com has full control over these applications as well as the members (and their roles) in the Innovation Team group.
  - Customer Portal: This user has User-level access, meaning they can interact with the app and change its configuration. However, they cannot change the group association of the app or delete it. They also cannot manage the Customer Portal Team group.
  - Extranet: As a Monitor for the Reviewers group, they have read-only access and can review completed penetration tests but cannot make changes to the app or manage the Extranet group.
monitor@example.com
- Global Role: Monitor
- Group Memberships:
  - Reviewers (Monitor)
- Access Rights:
  - As a Monitor, monitor@example.com can only review apps and completed penetration tests for apps associated with groups of which they are a member.
  - Extranet: This user has read-only access to the Extranet application. They can review completed penetration tests but cannot modify settings.
developer@example.com
- Global Role: Monitor
- Group Memberships:
  - Innovation Team (User)
  - Customer Portal Team (Monitor)
  - Reviewers (User)
- Access Rights:
  - As a Monitor, developer@example.com can only review apps and completed penetration tests for apps associated with groups of which they are a member.
  - AI Universe and Gaming Portal: As a User in the Innovation Team, developer@example.com has User-level access to these apps, meaning they can interact with the apps and change their configurations. However, they cannot change the group association of the apps or delete them.
  - Customer Portal: As a Monitor, they can review completed penetration tests of the Customer Portal application but cannot modify its settings.
  - Extranet: As a User in the Reviewers group, they can interact with the Extranet app and change its configuration. However, they cannot change the group association of the app or delete it.
supporter@example.com
- Global Role: Monitor
- Group Memberships:
  - Customer Portal Team (User)
- Access Rights:
  - As a Monitor, supporter@example.com can only review apps and completed penetration tests for apps associated with groups of which they are a member.
  - Customer Portal: This user has User-level access, meaning they can interact with the app and change its configuration. However, they cannot change the group association of the app or delete it. They also cannot manage the Customer Portal Team group.
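To make the rules above checkable, here is an added Python model of this RBAC scheme (illustrative code written for this article, not the product's API or code). It encodes the three tables and resolves a user's effective access to an app: a global Admin always gets full access, otherwise the user's role in the app's associated group decides. The access-level names and the rule that an app with no associated group (Support Site) is reachable only by global Admins are assumptions of this example.

```python
from dataclasses import dataclass, field
# Effective access levels, least to most privileged (names are this example's, not the product's)
NONE, READ_ONLY, CONFIGURE, FULL = "none", "read-only", "configure", "full"
GROUP_ROLE_ACCESS = {"Admin": FULL, "User": CONFIGURE, "Monitor": READ_ONLY}
# Web application -> associated group, from the article's table (None = no group)
APP_GROUP = {
    "Customer Portal": "Customer Portal Team",
    "Support Site": None,
    "Extranet": "Reviewers",
    "AI Universe": "Innovation Team",
    "Gaming Portal": "Innovation Team",
}

@dataclass
class User:
    email: str
    global_role: str                              # "Admin", "User" or "Monitor"
    groups: dict = field(default_factory=dict)    # group name -> role held in that group

# Users, global roles and group memberships, from the article's tables
USERS = {
    "admin@example.com": User("admin@example.com", "Admin"),
    "user@example.com": User("user@example.com", "User", {
        "Innovation Team": "Admin", "Customer Portal Team": "User", "Reviewers": "Monitor"}),
    "monitor@example.com": User("monitor@example.com", "Monitor", {"Reviewers": "Monitor"}),
    "developer@example.com": User("developer@example.com", "Monitor", {
        "Innovation Team": "User", "Customer Portal Team": "Monitor", "Reviewers": "User"}),
    "supporter@example.com": User("supporter@example.com", "Monitor", {"Customer Portal Team": "User"}),
}

def app_access(user: User, app: str) -> str:
    """Effective access of user to app: a global Admin wins, otherwise the group role decides."""
    if user.global_role == "Admin":
        return FULL          # full access to every app, no group membership required
    group = APP_GROUP[app]
    if group is None:
        return NONE          # assumption: an ungrouped app is reachable only by global Admins
    return GROUP_ROLE_ACCESS.get(user.groups.get(group), NONE)   # not a member -> no access

def can_manage_group(user: User, group: str) -> bool:
    """Members and their roles are managed by global Admins or by the group's own Admins."""
    return user.global_role == "Admin" or user.groups.get(group) == "Admin"

def can_create_apps(user: User) -> bool:
    """Creating apps (Scan) and domains (Recon) needs the global User or Admin role."""
    return user.global_role in ("Admin", "User")

def access_matrix() -> dict:
    """user -> {app: level}; a quick way to audit the whole setup for unexpected access."""
    return {e: {app: app_access(u, app) for app in APP_GROUP} for e, u in USERS.items()}
```

Running `access_matrix()` reproduces every access right listed in the sections above, which is a useful check to repeat whenever a group membership or an app's group association changes.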
Conclusion
As you can see from this example, the RBAC capabilities of Distributed Cloud Web App Scanning can be used to provide granular access to the resources you have set up in the platform. For any questions on the use of these features, please reach out to the Distributed Cloud Web App Scanning support team.