Users and Roles

CVEScan Web is a multi-user system that allows multiple users to access and manage the same data. This is particularly useful in environments where teams or individuals collaborate on vulnerability management tasks.

To enable this, CVEScan Web employs a role-based access control (RBAC) system, providing fine-grained control over user permissions. Users are assigned specific roles, each defining their access levels and permissions within the system.

Users

A user is an individual with access to the CVEScan Web system. Authentication and session management are handled by Keycloak. Users are global entities defined at the system level, and their roles determine their access to entities such as vaults and projects.

There is no limit to the number of roles a user can have, allowing for flexible role assignments based on the user's responsibilities and needs.

Roles

CVEScan Web provides four predefined roles, organized hierarchically. Each role inherits the permissions of the roles below it, offering progressively broader access. The hierarchy is as follows:

```mermaid
flowchart TD
    A[System Admin] --> B[Vault Admin]
    B --> C[Project Admin]
    C --> D[Project Viewer]
```

System Admin

The system admin role provides the highest level of access in CVEScan Web. System admins have complete authority over all entities, including vaults, projects, components, and scans, and can perform all actions (create, read, update, and delete) on any entity. Only system admins can create users, and deleting users and vaults is likewise reserved for system admins.

Limitation: Once any manual work has been performed on a vulnerability from a scan, such as creating a new annotation or updating an existing one, the scan can no longer be deleted. This rule ensures the integrity of the vulnerability management process and is independent of user permissions.

Vault Admin

The vault admin role provides comprehensive management capabilities for a specific vault and its associated entities. Vault admins can create, read, and update projects, components, and scans within the vault. However, they cannot delete users and vaults, as these actions are reserved for system admins. Vault admins can view the users who have access to the vault along with their assigned roles within it. They can also modify these roles, except for the system admin role.

Project Admin

The project admin role offers comprehensive management capabilities for a specific project and its associated entities. Project admins can create, read, and update components, import scans, and manage annotations within the project. However, they cannot delete users, vaults, projects, components, or scans.

Project Viewer

The project viewer role provides read-only access to a specific project. Project viewers can view the project's components, vulnerabilities, and annotations but cannot make any changes.
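The role hierarchy and the scan-integrity limitation described above, modelled as a permission check. This is an added illustration, not CVEScan Web's own code; the scoped grant model (system-wide, per vault, per project), the `REQUIRED` table and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Role(IntEnum):  # a higher value inherits everything below it
    PROJECT_VIEWER = 1
    PROJECT_ADMIN = 2
    VAULT_ADMIN = 3
    SYSTEM_ADMIN = 4

# Minimum role for each (action, entity) pair the documentation states explicitly.
REQUIRED = {
    ("read", "component"): Role.PROJECT_VIEWER,
    ("create", "component"): Role.PROJECT_ADMIN,
    ("import", "scan"): Role.PROJECT_ADMIN,
    ("update", "annotation"): Role.PROJECT_ADMIN,
    ("create", "project"): Role.VAULT_ADMIN,
    ("create", "user"): Role.SYSTEM_ADMIN,
    ("delete", "user"): Role.SYSTEM_ADMIN,
    ("delete", "vault"): Role.SYSTEM_ADMIN,
    ("delete", "scan"): Role.SYSTEM_ADMIN,  # only system admins are said to delete any entity
}

@dataclass
class Grant:
    """Role bound to a scope: ("system", ""), ("vault", vault_id) or ("project", project_id). Assumed model."""
    role: Role
    scope: str
    target: str = ""

@dataclass
class Project:
    project_id: str
    vault_id: str

def effective_role(grants, project):
    """Highest role the user holds that covers this project: system-wide, its vault, or itself."""
    applicable = [g.role for g in grants
                  if g.scope == "system"
                  or (g.scope == "vault" and g.target == project.vault_id)
                  or (g.scope == "project" and g.target == project.project_id)]
    return max(applicable, default=None)

def is_allowed(grants, project, action, entity, scan_annotated=False):
    """Role-hierarchy check, then the integrity rule: an annotated scan is never deletable."""
    if action == "delete" and entity == "scan" and scan_annotated:
        return False
    required = REQUIRED.get((action, entity))
    if required is None:
        return False  # deny anything the permission table does not mention
    role = effective_role(grants, project)
    return role is not None and role >= required
```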