AppViz users, permissions, and roles

Relevant AppViz administrators

This section describes how to manage AppViz users, roles, and permissions.

Note:

AFA device permissions are used in On-Prem.

In SaaS, by default, users have access to all Network Objects/Service Objects in application flows. You can use object tags to manage object visibility per user. See Managing Object Permissions Using Tags. As well, you can use API Access Keys to control user access to view and edit application via API.

Roles and permissions

AppViz supports the ability to customize application permissions for individual users or roles. You can manage permissions from the perspective of the user/role, or from the perspective of the application. The table below describes the default permissions for each user type.

Role

Permissions

Unprivileged user (FireFlow requestor)
  • Create application
  • View and refresh vulnerability
  • Edit network object
  • Edit service object

Privileged user
  • All unprivileged permissions
  • View and refresh risks data
User User permissions are granted individually per user by admin. See Manage permissions for users.

Administrator

All permissions

Note: Users automatically have permissions for any applications they create.

Create new unprivileged users

This procedure describes how to create a new unprivileged user for a AppViz application. Users are created in FireFlow, and are visible in both FireFlow and AppViz.

Do the following:

  1. In AppViz, at the top-right, click your username and select Administration.

  2. In the Administration area, navigate to the GENERAL tab > Settings and Permissions > Manage application permissions, and click Manage.

    The Application Permissions page appears, displaying a list of applications on the left.

  3. On the right, click Add Users.

  4. At the bottom of the dialog that appears, click Create Users in FireFlow.

    Continue with creating your user as a requestor in FireFlow. For details, see Manage FireFlow users and roles.

Manage permissions for applications

You can give single users, or all users with a specific role, permission to view or edit an application that they do not have permission for by default. The procedure below describes how to manage user permissions for a specific application.

To manage permissions for an application:

  1. In AppViz, at the top-right, click your username and select Settings / Administration .

  2. In the Settings/Administration area, navigate to the GENERAL tab > Settings and Permissions > Manage application permissions, and click Manage.

    The Application Permissions page appears, displaying a list of applications on the left.

  3. Do one of the following:
    • Select an application from the list.
    • Perform a simple search for an application by doing the following:

      1. Type any part of the application name in the search box, and click .

        The matching applications appear below the search box.

      2. Select an application from the list.

        The Authorized Roles and Users area for the selected application appears on the right.

        Note: A role or user will appear disabled in the list for one of the following reasons: the user inherited permission to the application from a role, or the user or role has User has edit all applications permission.

  4. To give single users permission to view or edit the application, do the following:

    1. Click +Add Users.

      The Add Users window appears.

    2. Do one of the following:

      • Select users from the list.
      • Perform a simple search for a user by entering any part of the user's name or username in the search box, and click . The matching users appear below the search box.
      • To deselect users, click Clear.

    3. Click OK.

      Once added, the user(s) appear in a list below the application. By default they are only given permission to view the application.

    4. To give the user permission to edit an application, click the Can View drop-down list for the application and select Can Edit.

  5. To give all users with a specific role permission to view or edit the application, do the following:

    1. Click +Add Roles.

      The Add Roles window appears.

    2. Do one of the following:
      • Select roles from the list.
      • Perform a simple search for a role by typing any part of the role's name in the search box, and clicking . The matching roles appear below the search box. Select roles from the list.
      • To deselect roles, click Clear.

    3. Click OK.

      The role(s) appear in a list below the application. By default they are only given permission to view the application.

    4. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  6. To remove the permissions of a user or role for the application, click .
  7. To remove all user and role permissions for the application, click Remove all.
  8. Click Save Changes.

Manage permissions for users

You can manage permissions for users in two ways:

  • You can grant permissions to individual users. This gives users permission to view or edit an application that they do not have permission for by default.
  • You can assign users a role; consequently, the users with the role receive all the permissions of the role.

The procedure below describes how to manage application permissions for a specific user.

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Settings / Administration .

    The Settings/Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage user settings and permissions, click Manage.

    The User Settings and Permission page appears.

  4. Do one of the following:
    • Select a user from the list.
    • Perform a simple search for a user by doing the following:

      1. Type any part of the user's name or username in the search box, and click .

        The matching users appear below the search box.

      2. Select a user from the list.

        The information for the selected user appears on the right.

  5. In the Authorized Views and Actions area, edit the permissions given to the user as needed. For details, see Authorized views and actions fields.
  6. To give the user permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected application(s) appear in a list below the user. By default the user is given permission to view the application.

    3. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  7. To revoke the user's permissions to an application, click .
  8. To revoke the user's permissions for all applications, click Remove all applications.
  9. Click Save Changes.

In this field...

Do this...
General

 

View activity log

Select this check box to give the user permission to view the activity log tab of applications and network objects.

View change requests

Select this check box to give the user permission to view the change requests tab of applications, network objects, and service objects.

Refresh vulnerability

Select this check box to give the user permission to update the vulnerability assessment of network objects.

All users with permission to update the vulnerability assessment have permission to view vulnerability, as well.

View vulnerability

Select this check box to give the user permission to view the vulnerability tab of applications.

Refresh risks data

Select this check box to give user permission to refresh risks data.

View risks data

Select this check box to give user permission to view risks data.

Refresh connectivity

Select this check box to give the user permission to update the connectivity of applications.
Check connectivity when saving a flow Select this check box to give the user permission to set AppViz to automatically update the connectivity of applications after saving a flow. (The permission Refresh connectivity must be selected first to make the selection box for this option available).
Applications

 

Create new applications

Select this check box to give user permission to create new applications.

Edit all applications

Select this check box to give user permission to edit all applications.

All users with permission to edit all applications automatically have the View all applications permission and the Edit application information permission.

View all applications

Select this check box to give user permission to view all applications.

Apply drafts

Select this check box to give the user permission to apply drafts to applications.

Note: If a user has this permission, they will only be able to apply drafts to applications they have permission to edit.

Create shared flows

Select this check box to give user permission to create shared traffic flows.

Edit application information

Select this check box to give user permission to edit application custom fields, tags, and contacts.
Refresh vulnerability Select this check box to give user permission to refresh vulnerabilities.

Create application tags

Select this check box to give user permission to create user-defined application tags.
Import flows Select this check box to give user permission to import flows.
Network and Service Objects

 

Edit service objects

Select this check box to give user permission to edit service objects.

Edit network objects

Select this check box to give user permission to edit network objects.

Update object from device

Select this check box to give the user permission to synchronize a device object's definition in AppViz with the definition on the device.

You can manage user permissions by assigning roles to users. All users with a specific role receive all of the permissions assigned to the role. The procedure below describes how to assign and revoke roles.

Note: When fetching data from an LDAP server, you cannot manually assign/revoke roles. You must map roles using the LDAP Group DN. For details, see Map LDAP groups to roles .

To assign/revoke user roles:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Administration.

    The Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage user settings and permissions, click Manage.

    The User Permission page appears.

  4. Do one of the following:
    • Select a user from the list.
    • Perform a simple search for a user by doing the following:

      1. Type any part of the user's name or username in the search box, and click .

        The matching users appear below the search box.

      2. Select a user from the list.

        The information for the selected user appears on the right.

  5. Click the Roles tab.

    The Assigned Roles area appears.

  6. Edit the roles given to the user, by doing the following:

    1. In the Assigned Roles area, click +Add Roles.

      The Add Roles window appears.

    2. Do one of the following:
      • Select roles from the list.
      • Perform a simple search for a role by doing the following:

        1. Type any part of the role's name in the search box, and click .

          The matching roles appear below the search box.

        2. Select roles from the list.
    3. To deselect roles, click Clear.

    4. Click OK.

      The roles appear in the Assigned Roles list.

  7. To remove the revoke the role from the user, click .
  8. To revoke all of the user's roles, click Remove all users.
  9. Click Save Changes.

Manage API Access Key permissions

You can manage permissions to use APIs in two ways:

  • You can assign API access keys their own set of permissions to view or edit applications via API. In this way, you can control the permissions of the anyone using these API Access Keys. For information about API Access Keys, see Manage API Access Keys
  • You can assign individual roles their own set of permissions including to view or edit applications via API.

To assign/revoke API Access Key permissions:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Settings.

    The Settings page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage API access key permissions, click Manage.

    The API Access Key Permissions page appears.

  4. Do one of the following:
    • Select an API Access Key from the list.
    • Perform a simple search for a role by doing the following:

    • Type any part of the API Access Key's name in the search box, and click .

    The matching API Access Key appears below the search box.

  5. In the Authorized Views and Actions area, edit the permissions given to the API Access Key. For details, see Authorized views and actions fields.
  6. To give API Access Key permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the API Access Key is given permission to view the applications.

    3. To give the API Access Key permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  7. To revoke the API Access Key's permissions to an application, click .
  8. To revoke the user's permissions for all applications, click Remove all applications.
  9. Click Save Changes.

In this field...

Do this...
General

 

View activity log

Select this check box to give the user of the API Access Key permission to view the activity log tab of applications and network objects via API.

View change requests

Select this check box to give the the user of the API Access Key permission to view the change requests tab of applications, network objects, and service objects via API.

Refresh vulnerability

Select this check box to give the the user of the API Access Key permission to update the vulnerability assessment of network objects via API.

All users with permission to update the vulnerability assessment have permission to view vulnerability, as well .

View vulnerability

Select this check box to give the the user of the API Access Key permission to view the vulnerability tab of applications via API.

Refresh risks data

Select this check box to give the user of the API Access Key permission to refresh risks data via API.

View risks data

Select this check box to give user permission to view risks data via API.

Refresh connectivity

Select this check box to give the user permission to update the connectivity of applications via API.
Check connectivity when saving a flow Select this check box to give the the user of the API Access Key permission to set AppViz to automatically update the connectivity of applications after saving a flow via API. (The permission Refresh connectivity must be selected first to make the selection box for this option available).
Applications

 

Create new applications

Select this check box to give the user of the API Access Key permission n to create new applications via API.

Edit all applications

Select this check box to give user permission to edit all applications via API.

All users with permission to edit all applications automatically have the View all applications permission and the Edit application information permission.

View all applications

Select this check box to give the user of the API Access Key permission to view all applications via API.

Apply drafts

Select this check box to give the the user of the API Access Key permission to apply drafts to applications via API.

Note: If a the user of the API Access Key permission has this permission, they will only be able to apply drafts to applications they have permission to edit.

Create shared flows

Select this check box to give the user of the API Access Key permission to create shared traffic flows.

Edit application information

Select this check box to give the user of the API Access Key permission to edit application custom fields, tags, and contacts.

Create application tags

Select this check box to give the user of the API Access Key permission to create user-defined application tags via API.
Import flows Select this check box to give the user of the API Access Key permission to import flows via API.
Network and Service Objects

 

Edit service objects

Select this check box to give the user of the API Access Key permission to edit service objects via API.

Edit network objects

Select this check box to give the user of the API Access Key permission to edit network objects via API.

Update object from device

Select this check box to give the the user of the API Access Key permission to synchronize a device object's definition in AppViz with the definition on the device via API.

You can give roles permission to view or edit specific applications via API. Users assigned a role inherit all permissions granted to the role. The procedure below describes how to manage application permissions via API for roles.

To assign/revoke role permissions:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Settings .

    The Settings page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage API access key permissions, click Manage.

    The API Access Key Permissions page appears.

  4. Click the Roles tab.

  5. Do one of the following:
    • Select a role from the list.

    • Perform a simple search for a role by typing any part of the role's name in the search box, and click .

    The matching roles appear below the search box.

  6. In the Authorized Views and Actions area, edit the permissions given to the role. For details, see Authorized views and actions fields.
  7. To give the role permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the role is given permission to view the applications.

    3. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  8. To revoke the role's permissions to an application, click .
  9. To revoke the user's permissions for all applications, click Remove all applications.
  10. Click Save Changes.

Manage user roles

Do any of the following:

You can give roles permission to view or edit specific applications. Users assigned a role inherit all permissions granted to the role. The procedure below describes how to manage application permissions for roles.

To assign/revoke role permissions:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Settings / Administration .

    The Settings/Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permissions page appears.

  4. Do one of the following:
    • Select a role from the list.
    • Perform a simple search for a role by doing the following:

      1. Type any part of the role's name in the search box, and click .

        The matching roles appear below the search box.

      2. Select a role from the list.

        The information for the selected role appears on the right.

  5. In the Authorized Views and Actions area, edit the permissions given to the role. For details, see Authorized views and actions fields.
  6. To give the role permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the role is given permission to view the applications.

    3. To give the role permission to edit an application, click the Can View drop-down list for the application and select Can Edit.
  7. To revoke the role's permissions to an application, click .
  8. To revoke the user's permissions for all applications, click Remove all applications.
  9. Click Save Changes.

To add users to a role:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Administration.

    The Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permission page appears.

  4. Do one of the following:
    • Select a role from the list.
    • Perform a simple search for a role by doing the following:

      1. Type any part of the role's name in the search box, and click .

        The matching roles appear below the search box.

      2. Select a role from the list.

        The information for the selected role appears on the right.

  5. Click the Users tab.

    The Users tab appears.

  6. Edit the users assigned the role, by doing the following:

    1. In the Assigned Users area, click +Add Users.

      The Add Users wizard opens.

    2. Do one of the following:
      • Select users from the list.
      • Perform a simple search for a user by doing the following:

        1. Type any part of the user's name or username in the search box, and click .

          The matching users appear below the search box.

        2. Select users from the list.
    3. To deselect users, click Clear.

    4. Click OK.

      The user(s) appear in the Assigned Users area.

  7. To revoke the role from the user, click .
  8. To revoke all of the role's users, click Remove all users.
  9. Click Save Changes.

To create a new role:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Administration.

    The Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permission page appears.

  4. Click +New Role.

    New fields appear on the right.

  5. Complete the fields as needed. For details, see New role fields.
  6. Continue completing the fields. For details, see Authorized views and actions fields.
  7. To give the role permission to view or edit an application, do the following:

    1. In the Authorized Applications area, click +Add Applications.

      The Add Applications wizard appears.

    2. Select applications using the information in Use the Add Applications wizard.

      The selected applications appear in a list. By default, the role is given permission to view the applications.

    3. To give the role permission to edit the applications, do the following:
      1. For the desired application, click Can View.
      2. In the drop down menu, select Can Edit.
  8. To revoke the role's permissions to an application, click .
  9. To revoke the role's permissions for all applications, click Remove all users.
  10. Click Save Changes.

New role fields

In this field...

Do this...

Role Name

Type the name of the role.

Description

Type a description for the role. This field is optional.

Enabled

Default is Enabled. Clear check box to disable the role.

If you are importing user data from an LDAP server, you can map LDAP groups to AppViz roles. The user will be assigned the relevant role upon login.

Note: If your environment is configured to import user information from an LDAP server, changes to user settings must be made only on the LDAP server (changes made in the AlgoSec Suite may be overridden the next time the user logs in). For more details, see Configure user authentication.

To map LDAP groups to a role:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Administration.

    The Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permissions page appears.

  4. Do one of the following:
    • Select a role from the list.
    • Perform a simple search for a role by doing the following:

      1. Type any part of the role's name in the search box, and click .

        The matching roles appear below the search box.

      2. Select a role from the list.

        The Edit Role area for the selected role appears on the right.

  5. Click the Users tab.

    The Users tab appears.

  6. In the Group DN field, type the LDAP group DN you wish to map to the role.

    Note: This field is disabled for the Administrator role. Administrators have all roles.

  7. Click Save Changes.

To delete a role:

  1. In the toolbar, click your username.

    A drop-down list appears.

  2. In the drop-down list, select Administration.

    The Administration page appears in the workspace.

  3. In the Settings and Permissions area, next to Manage role settings and permissions, click Manage.

    The Role Settings and Permission page appears, with a list of all roles on the left.

  4. Hover over the desired role and click .

    A confirmation message appears.

  5. Click OK.