A user group determines what vulnerability data a user can access. This includes business units, projects, and applications. If you use LDAP or AD in your environment, you can map Resolve user groups to LDAP/AD groups.

A user role determines which features a user has access to and what the user can do with allowed features and data. For example, a role might allow read and update permissions for findings and instances in the Workbench module, but read-only access to Workbench projects.

Users can belong to more than one group and can have the same or different roles within each group.

The following image shows how a user is configured in the Resolve interface. Every user configuration contains a User Groups & Roles page, which specifies which user groups a user belongs to and which role(s) they have for each group. In the example, the Thomas Jones user is assigned to the Security Leads user group with the Security Lead - Track and Workbench Admin roles. The Security Leads user group allows access to entities in the NetSPI business unit and NetSPI project groups. The Workbench Admin role provides CRUD permissions to the Workbench module.

Access to multiple modules

Each role provides access to one — and only one — module. You might have users that need access to more than one module. These users must be assigned a corresponding role for each module.

High-level steps for local user creation with multiple groups and roles

In some cases you might have users that require different types of access to different business units. For example, you need to create a locally authenticated Track user with full access to projects within the IT business unit. This same user needs read-only access to Track projects in the engineering business unit. These high-level steps describe how to accomplish this task.

1. Create business units for IT and Engineering.
2. Create a user group named IT users and allow access to projects within the IT business unit.
3. Create a user group named Engineering users and allow access to projects within the engineering business unit.
4. Create a role name Track - Full Permission that allows full access to features in the Track module.
5. Create a role name Track - Read-only that allows read-only access to features in the Track module.
6. Create a user with these assignments:
   • The IT users group is enabled with the Track - Full Permission role.
   • The Engineering users group is enabled with the Track - Read-only role.

A user with the permissions described above would look like the following:

Configurations appearing in multiple areas

Some user, role, and group configurations appear in multiple areas in the Administration module. For example, you can assign a user to a group through the user configuration or the group configuration. Modifications made in one configuration area are automatically applied to other corresponding areas.