3.3.2. Roles

Roles can be assigned to users. This simplifies controlling permissions. The Roles tab lists the existing roles in the system.


Default roles

After installation the following default roles are created with the following parameters:

| Role name | Display name | Default member username | Permissions on functionality | Permissions on API level |
|---|---|---|---|---|
| admin | Administrators | admin | Full on all functions | Able to fetch scan results submitted by anyone. Able to download processed files where the original file was submitted by anyone. |
| security_admin | Security administrators | | Full on Scan history, Update history, Security rules, Security zones, Analysis workflows, Scan nodes, Engines, Update settings, Scan settings functions | Able to fetch scan results submitted by anyone. Able to download processed files where the original file was submitted by anyone. |
| security_auditor | Security auditor | | Read-only on all except External settings functions | Able to fetch scan results submitted by anyone. Able to download processed files where the original file was submitted by anyone. |
| help_desk | Help desk | | Read-only on Scan history, Update history, Security rules, Security zones, Analysis workflows, Scan nodes, Engines, Scan settings functions | Able to fetch scan results submitted by anyone. Able to download processed files where the original file was submitted by anyone. |

Permissions on functionality

Each role has a set of rights associated with it. Each of these rights represents the level of access to the corresponding function of the Metadefender Core v4 Web Management Console.
A right can be set to one of three different states:

  • None: users of this role have no right to access the given function of Metadefender Core v4 Web Management Console. The menu belonging to the function is not displayed for the users of this role.

  • Read-only: users of this role can access the given function for observation purposes only. They cannot make any modification or change to the function.

  • Full: users of this role have full access to the given function, including viewing any data belonging to it and modifying its configuration.

Permissions on API level

Each role has a set of rights pertaining to the REST API access level, covering the following REST endpoints:

Processing result fetching:

Download processed file:

  • GET /file/converted/<data_id> (Download Sanitized Files)

  • GET /file/processed/<data_id> (Leveraged by Core management console)

A right can be set to one of three different states:

  • None:

    • Users of this role cannot access the given REST APIs (the API returns an "Access denied" error) or the related functionality in the Metadefender Core v4 Web Management Console

    • Note: When "NONE" is selected for "Processing result fetching", the "Processing history" menu item under Dashboard automatically switches to the "READ-ONLY" right, and the "FULL" right is disabled for selection ("FULL" can be selected again only when this option is switched to "ANYONE")


  • Self-only:

    • Users of this role can access the given REST APIs and the related functionality in the Metadefender Core v4 Web Management Console only where the scan requests were submitted by themselves

    • Users of this role cannot access the given REST APIs (the API returns an "Access denied" error) where the scan requests were submitted by anyone else

    • Note: When "SELF-ONLY" is selected for "Processing result fetching", the "Processing history" menu item under Dashboard automatically switches to the "READ-ONLY" right, and the "FULL" right is disabled for selection ("FULL" can be selected again only when this option is switched to "ANYONE")


  • Anyone: Users of this role have full access to the given REST APIs and relevant functionalities on Metadefender Core v4 Web Management Console where the scan requests were submitted by anyone
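
The three API-level states and the Processing history restriction from the notes can be modelled as a small decision function. This is an added example, not Metadefender Core code: the class, field and function names, the role "uploader" and the sample submissions are all hypothetical, and it assumes a Processing history right already set to None or Read-only is left unchanged.

```python
# Added illustration: a model of the API-level rights on this page.
# Not Metadefender Core code; all names here are hypothetical.
from dataclasses import dataclass
from enum import Enum

class ApiRight(Enum):
    NONE = "None"
    SELF_ONLY = "Self-only"
    ANYONE = "Anyone"

@dataclass
class Role:
    name: str
    fetch_result: ApiRight        # "Processing result fetching"
    download_processed: ApiRight  # "Download processed file"
    processing_history: str       # functionality right: None / Read-only / Full

def may_access(right, requester, submitter):
    """True if `requester` may reach an object submitted by `submitter`."""
    if right is ApiRight.ANYONE:
        return True
    if right is ApiRight.SELF_ONLY:
        return requester == submitter
    return False  # ApiRight.NONE -> "Access denied"

def normalize(role):
    """Apply the notes above: without ANYONE on result fetching, Full on
    Processing history is unavailable and becomes Read-only.
    Assumption: a right already set to None or Read-only is left unchanged."""
    if role.fetch_result is not ApiRight.ANYONE and role.processing_history == "Full":
        role.processing_history = "Read-only"
    return role

def decide(role, requester, submissions):
    """Map each data_id to (can fetch result, can download processed file)."""
    return {
        data_id: (may_access(role.fetch_result, requester, owner),
                  may_access(role.download_processed, requester, owner))
        for data_id, owner in submissions.items()
    }

# Constructed sample data: data_id -> submitting user.
SUBMISSIONS = {"id-1": "alice", "id-2": "bob"}
UPLOADER = normalize(Role("uploader", ApiRight.SELF_ONLY, ApiRight.NONE, "Full"))
```

With the constructed role above, alice can fetch the result of her own submission but not bob's, and cannot download any processed file.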

Functions

Besides listing existing roles, the Roles tab provides the following functions:

  • Add new role

  • Modify (and view) existing role

  • Delete existing role

The default role Administrators cannot be deleted or modified.

Modify role

A user's permissions do not change during an active session, even if one of the user's roles is modified in the meantime.

For example:

  1. A user is assigned to the role security_admin and has Full permissions on Config history

  2. She can see Config history changes

  3. During her session the Config history permissions are set to None for the security_admin role.

  4. The logged in user can still select the Config history menu and can see the configuration changes there.

The new permissions take effect only after a logout and a new login.
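
The four steps above, modelled as a login-time snapshot of role rights, with a helper that lists the sessions still holding outdated rights after a role change. This is an added example, not Metadefender Core code: the classes, the user name "alice" and the way sessions are stored are hypothetical.

```python
# Added illustration: models the login-time permission snapshot described above.
# Not Metadefender Core code; class and field names are hypothetical.
import copy

class RoleStore:
    def __init__(self):
        self.roles = {}  # role name -> {function name: right}

    def set_right(self, role, function, right):
        self.roles.setdefault(role, {})[function] = right

class Session:
    def __init__(self, user, role, store):
        self.user = user
        self.role = role
        # Rights are copied once at login and never refreshed.
        self.rights = copy.deepcopy(store.roles[role])

    def can_view(self, function):
        return self.rights.get(function, "None") in ("Read-only", "Full")

def stale_sessions(sessions, store):
    """Users whose session rights differ from the current role definition,
    i.e. who must log out and log in again before a change applies."""
    return [s.user for s in sessions if s.rights != store.roles[s.role]]

def demo():
    store = RoleStore()
    store.set_right("security_admin", "Config history", "Full")
    alice = Session("alice", "security_admin", store)            # step 1: login
    before = alice.can_view("Config history")                    # step 2
    store.set_right("security_admin", "Config history", "None")  # step 3
    during = alice.can_view("Config history")                    # step 4: still visible
    stale = stale_sessions([alice], store)
    relogin = Session("alice", "security_admin", store)          # logout and new login
    after = relogin.can_view("Config history")
    return before, during, stale, after
```

When a right is revoked for security reasons, the sessions reported as stale are the ones that keep the old access until their users log in again.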

Delete role

A role cannot be deleted as long as it is assigned to any user.

As a consequence, deleting a role cannot affect active sessions of users.