Understand roles
Users on Fluid Attacks' platform have different roles with associated permissions relevant to work on the platform. Depending on your role, you are granted access to certain functions for your daily use of the platform.
You can see your role on Fluid Attacks' platform in the drop-down menu that appears when you click the user icon on the upper-right part of your screen.
The following are the different roles that are available on the platform, along with their descriptions.
Client roles
User Manager role
This is the role that gives the user the most privileges. This user can do everything that a client is allowed to do in the platform. This role is made for the leaders of the product and, besides the basic privileges, it allows the user to generate reports, define important treatments like accepting vulnerabilities permanently, requesting Zero Risk treatments, adding and editing users for the group and more.
User role
This is the default user role, given to developers or the members in charge of solving the vulnerabilities. This user can check all the information about the vulnerabilities needed for solving them and also request reattacks when they deem them solved.
Vulnerability Manager role
This role was designed for people with a position as technical leaders in their company. This role has access to the basic privileges on the platform and is also enabled to generate reports; get notifications; define, change and approve treatments; request reattacks, and add tags. The vulnerability manager does not have permissions to manage roots nor add, edit or remove users.
Client roles permissions
Here, you will find a detailed explanation of each functionality, organized into two levels: the group and organization levels.
Group-level permissions
-
Consulting agent token / expiration date: To verify your agent's token and know the date of expedition, go to
Scope -> DevSecOps agent -> Manage Token -> Reveal token. For more information, go to the following link. -
Update/Generate agent token: To generate or update the agent token, go to
Scope -> DevSecOps agent -> Manage Token -> Generate / Reset. For more information, click on the following link. -
Consulting agent execution: To see the agent reports executed in your pipelines or CI/CD, you can view them in the DevSecOps section of our platform.
-
Deactivate/Activate root: This function allows you to:
- Deactivate repositories for which you no longer want an assessment;
- Activate repositories you want to leave available to our analysts, and
- Move a root to another group, taking all the associated vulnerabilities with it.
-
Move roots: This option allows moving a root to another group. For more information about this feature, click here.
-
Add Git/IP roots: This function allows the addition of Git or IP roots to the scope of the managed group.
-
Add URL/ Environment roots: This function allows the addition of URL or Environments roots to the scope of the managed group.
-
Edit Git/IP/URL/ Environment roots: This function allows you to change URLs of roots that do not have reported vulnerabilities and edit root branches.
-
Update root state: This feature gives you the possibility to update the root state. To learn more about this section, click on the following link.
-
Sync to Git root: Request to clone that repository once again since changes have been generated and it is required to have it updated.
-
Add Exclusions: This feature allows you to choose files or folders in your repository that you do not want to include in the security assessments.
-
Delete Git Environment: Deleting an Environment is no longer part of the group analysis.
-
Add Secrets: Add usernames, passwords, email addresses, tokens, etc, that give us access to private repositories and environments.
-
Delete Secrets: Remove secrets that are no longer needed to gain root access.
-
Consulting Secrets: Visualize the secrets that this specific root has.
-
Consulting: You can communicate all the questions, requests, suggestions, and matters concerning your group or a specific vulnerability or event that require much more direct interaction.
-
Add tag Portfolio: This allows the addition of tags to the managed group, which is useful for categorizing different groups within an organization.
-
Remove tag Portfolio: This action deletes a group from a specific Portfolio. For more information click here.
-
Add/Download files: Upload or download any files you find helpful or necessary for performing penetration tests on the group.
-
Delete files: Eliminate files that are considered unnecessary in the analysis of the group.
-
Delete group: When you determine that a particular group isn't necessary anymore, you can proceed to delete. For more information on how to do this action you can enter here.
-
Update group information: To update the group information to do this action, go to
Scope -> information. -
Unsubscribe group: This action will unsubscribe you from the group no longer having access to this.
-
Update group policies: You can determine which policies you will manage at the group level.
-
Plan upgrade: If you want to upgrade your Essential plan to Advanced.
-
Add members (Group): Add members with access to the group to visualize information or manage vulnerabilities, scope, tags, etc.
-
Update member (Group): Update the information of a member, which can be Email - role or responsibility.
-
Consulting member (Group): Have access to which members are in the group.
-
Delete member (Group): Remove a member from a group.
-
Request Verification on events: This action refers to the verification of events that have already been resolved.
-
Export file in events: Download the data you have in the event section in a .csv file.
-
Approve treatments: This function is for when a treatment change is requested, as there is a need to validate and then accept or reject this request.
-
Zero risk request: According to your organization's analysis, this is a special treatment you can define as a vulnerability that poses no threat.
-
Update treatments: Update treatment of vulnerabilities.
-
Request reattacks: When a vulnerability is solved, there is the need to ask our hackers to verify that it was indeed solved. This function gives you the ability to make this kind of request.
-
Vulnerability assignment: Assign any vulnerability to a member of your team. For more information, you can access this link.
-
Add/Remove tags: Add or remove tags on vulnerabilities.
-
Add users: This function allows adding users to a group and configuring their privileges.
-
Generate a certificate: Generates a security testing certification.
-
Generate a report: This feature allows you to generate and download a complete report with detailed information about the vulnerabilities of a specific group.
-
Receive notifications: This is the ability to receive notifications that Fluid Attacks' platform can send related to your group.
-
Support channels: To have access to assistance channels.
-
Add/Edit/Remove Hooks: Add, edit or remove fields in the Hooks section. For more information, click here.
Organization-level permissions
-
Add credentials: Add credentials that help us to have access to the inputs provided by the users. For detailed information about this section, click here.
-
Delete credentials: Remove credentials for access to inputs.
-
Update credentials: Update any credentials to keep continuous and secure connectivity with inputs.
-
OAuth connection: Connection between the providers GitLab - GitHub - Bitbucket - Azure with the platform.
-
Add Outside repositories: Repositories that are not yet part of any group of the organization. You can add them in bulk or as a unit in your required group.
-
Add a Group: By creating a group, you can manage vulnerabilities by project. For more information, click here.
-
Add/Submit vulnerability for temporary acceptance in policies: Add and submit vulnerabilities that require an approval process before applying temporary acceptance treatment; for more information, click here.
-
Approve or reject vulnerability for temporary acceptance in policies: Approve or reject the vulnerabilities that were requested in the approval process prior to the application of the temporary acceptance treatment.
-
Add/Submit vulnerability for permanent acceptance in policies: Add and submit vulnerabilities to accept permanently, which would be ignored by the DevSecOps agent. For more information, click here.
-
-
Approve or reject vulnerability for permanent acceptance in policies: Approve or reject requests to accept vulnerabilities permanently. Approved vulnerabilities will be ignored by the DevSecOps agent, meaning it will not break the build because of them.
-
-
Update org policies: You can determine which policies you will manage at the organization level.
-
Add members (Org): Organization members can access the Organization's Analytics and Policies. It allows them to give access to new members or configure policies.
-
Update member (Org): Update the information of a member, which can be Email or role.
-
Consulting member (Org): Have access to which members are in the Organization.
-
Delete member (Org): Delete members of the Organization.
-
Vulnerability report Analytics: Download your organization's vulnerabilities (including all vulnerability statuses) in a .CSV file. For more information, click here.
-
Download org analytics: Download the data contained in the analytics section.
-
Add org: Creating an organization on our platform centralizes and organizes information in one place.
-
Compliance Report: Download a report of the compliance section.
Roles permissions summary table
In the following table we specify what functions are enabled for each role.
|
Feature
|
Level
|
User
|
Vulnerability Manager
|
User Manager
|
|
Add/Edit/Remove hooks
|
Group
|
⛔
|
⛔
|
✔
|
|
Consult Agent token
|
Group
|
✔
|
✔
|
✔
|
|
See Agent token expiration date
|
Group
|
✔
|
✔
|
✔
|
|
Update/Generate Agent token
|
Group
|
✔
|
✔
|
✔
|
|
Consult Agent execution
|
Group
|
✔
|
✔
|
✔
|
|
Deactivate/Activate root
|
Group
|
⛔
|
⛔
|
✔
|
|
Move roots
|
Group
|
⛔
|
⛔
|
✔
|
|
Add Git/IP roots
|
Group
|
✔
|
⛔
|
✔
|
|
Add URL roots
|
Group
|
✔
|
⛔
|
✔
|
|
Add Git environment
|
Group
|
✔
|
⛔
|
✔
|
|
Edit Git/IP roots
|
Group
|
✔
|
⛔
|
✔
|
|
Edit environment roots
|
Group
|
✔
|
⛔
|
✔
|
|
Edit URL roots
|
Group
|
✔
|
⛔
|
✔
|
|
Delete Git environment
|
Group
|
✔
|
⛔
|
✔
|
|
Update root state
|
Group
|
⛔
|
⛔
|
✔
|
|
Sync to Git root
|
Group
|
✔
|
⛔
|
✔
|
|
Add Exclusions
|
Group
|
⛔
|
⛔
|
✔
|
|
Add Secrets
|
Group
|
⛔
|
⛔
|
✔
|
|
Delete Secrets
|
Group
|
⛔
|
⛔
|
✔
|
|
Consult Secrets
|
Group
|
⛔
|
⛔
|
✔
|
|
Consulting
|
Group
|
✔
|
✔
|
✔
|
|
Add tag Portfolio
|
Group
|
✔
|
✔
|
✔
|
|
Remove tag Portfolio
|
Group
|
✔
|
✔
|
✔
|
|
Add files
|
Group
|
✔
|
✔
|
✔
|
|
Delete files
|
Group
|
✔
|
✔
|
✔
|
|
Download files
|
Group
|
✔
|
✔
|
✔
|
|
Delete group
|
Group
|
⛔
|
⛔
|
✔
|
|
Update group information
|
Group
|
⛔
|
⛔
|
✔
|
|
Unsubscribe group
|
Group
|
✔
|
✔
|
✔
|
|
Update group policies
|
Group
|
⛔
|
⛔
|
✔
|
|
Plan upgrade
|
Group
|
⛔
|
⛔
|
✔
|
|
Add members
|
Group
|
⛔
|
⛔
|
✔
|
|
Update member
|
Group
|
⛔
|
⛔
|
✔
|
|
Consult member
|
Group
|
⛔
|
✔
|
✔
|
|
Delete member
|
Group
|
⛔
|
⛔
|
✔
|
|
Request Verification on events
|
Group
|
✔
|
✔
|
✔
|
|
Export file in events
|
Group
|
✔
|
✔
|
✔
|
|
Approve treatments
|
Group
|
⛔
|
✔
|
✔
|
|
Zero risk request
|
Group
|
✔
|
✔
|
✔
|
|
Update treatments
|
Group
|
✔
|
✔
|
✔
|
|
Request reattack
|
Group
|
✔
|
✔
|
✔
|
|
Vulnerability assignment
|
Group
|
⛔
|
✔
|
✔
|
|
Add/Remove tags
|
Group
|
✔
|
✔
|
✔
|
|
Add users
|
Group
|
⛔
|
⛔
|
✔
|
|
Generate a certificate
|
Group
|
⛔
|
⛔
|
✔
|
|
Generate a report
|
Group
|
⛔
|
✔
|
✔
|
|
Receive notifications
|
Group
|
✔
|
✔
|
✔
|
|
Support channels
|
Group
|
✔
|
✔
|
✔
|
|
Add credentials
|
Org
|
⛔
|
⛔
|
✔
|
|
Delete credentials
|
Org
|
⛔
|
⛔
|
✔
|
|
Update credentials
|
Org
|
⛔
|
⛔
|
✔
|
|
OAuth connection
|
Org
|
⛔
|
⛔
|
✔
|
|
Add Outside repositories
|
Org
|
⛔
|
⛔
|
✔
|
|
Add group
|
Org
|
⛔
|
⛔
|
✔
|
|
Add vuln for temporary acceptance in policies
|
Org
|
✔
|
⛔
|
✔
|
|
Add vuln for permanent acceptance in policies
|
Org
|
✔
|
⛔
|
✔
|
|
Submit vuln for temporary acceptance in policies
|
Org
|
✔
|
⛔
|
✔
|
|
Submit vuln for permanent acceptance in policies
|
Org
|
✔
|
⛔
|
✔
|
|
Approve or reject vuln for temporary acceptance in policies
|
Org
|
⛔
|
⛔
|
✔
|
|
Approve or reject vuln for permanent acceptance in policies
|
Org
|
⛔
|
⛔
|
✔
|
|
Update org policies
|
Org
|
⛔
|
⛔
|
✔
|
|
Add members
|
Org
|
⛔
|
⛔
|
✔
|
|
Update member
|
Org
|
⛔
|
⛔
|
✔
|
|
Consult member
|
Org
|
⛔
|
⛔
|
✔
|
|
Delete member
|
Org
|
⛔
|
⛔
|
✔
|
|
Vulnerability report in Analytics
|
Org
|
⛔
|
⛔
|
✔
|
|
Download organization analytics
|
Org
|
✔
|
⛔
|
✔
|
|
Add organization
|
Org
|
✔
|
⛔
|
✔
|
|
Compliance report
|
Org
|
✔
|
✔
|
✔
|
Fluid Attacks staff roles
The following are the descriptions of Fluid Attacks staff roles on Fluid Attacks' platform.
Hacker
The hacker is a security analyst whose main objectives are identifying, exploiting and reporting vulnerabilities in organizations' systems.
Reattacker
The reattacker is in charge of verifying, through diverse techniques, the effectiveness of the solutions implemented by the organizations for vulnerability remediation.
Customer Manager
The customer manager mainly provides support and streamlines processes of the organizations. For example, on the platform, they can make changes in group information, request reattacks, generate reports and manage members, among many other things.
Resourcer
The resourcer helps keep updated the inputs provided by the organizations, such as environment credentials and mailmap authors, among others.
Reviewer
The reviewer is in charge of managing the vulnerabilities that are reported to the organizations. They evaluate drafts for approval or disapproval, request reattacks and verify and notify which vulnerabilities are zero risk.
Architect
The architect's main objective is to ensure the highest quality of ethical hacking and pentesting deliverables. Among their functions are deleting false positives or errors, including or deleting evidence, and providing help to the organizations over the support channels.
Closer
The closer role is responsible for verifying whether a reattack to a vulnerability has been requested and seeing if it is solved.
Admin
The admin is the one who has all the privileges on Fluid Attacks' platform, except for the possibility to change treatments.
Fluid Attacks staff roles summary table
The following table specifies what functions are enabled for each role:
|
Feature
|
Hacker
|
Reattacker
|
Resourcer
|
Reviewer
|
Architect
|
Customer Manager
|
Admin
|
|
Add drafts
|
✔ |
✔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Add events
|
✔
|
✔
|
✔
|
⛔
|
✔
|
✔
|
✔
|
|
Add roots
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
|
Approve drafts
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
⛔
|
✔
|
|
Change treatments
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
⛔
|
|
Confirm/Reject Zero risk
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
⛔
|
✔
|
|
Deactivate/Activate root
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
|
Delete groups
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
|
Edit roots
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Generate a report
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
✔
|
|
Manage evidence
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Request reattack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
|
Request Zero risk
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
|
Solve events
|
✔
|
✔
|
✔
|
⛔
|
✔
|
✔
|
✔
|
|
Verify reattack
|
✔
|
✔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
Free trial