Understand roles | Fluid Attacks Help

Understand roles

Members on the Fluid Attacks platform have distinct roles with associated permissions. You can view your role within the organization or group you are navigating in the user menu, which is in the upper right corner of your screen.

This page explains the different roles that are available on the platform, along with the permissions they grant.

Client roles

Organization Manager role

Note on role inheritanceMembers assigned the Organization Manager role are automatically granted the Group Manager role within all groups belonging to the organization.
Designed for technical leaders within their organization, this role provides access to basic privileges on the platform and enables them to handle credentials, billing, members, mailmaps, and policies settings.

Group Manager role

Designed for technical leaders within their group, this role allows them to perform all actions available in the group on the platform. It is designed for product leaders, granting relevant capabilities like generating reportsdefining treatments for vulnerabilities (e.g., accepting vulnerabilities permanently , approving vulnerability deletion requests  by their company),  and managing group members .

User role

This is the role most members are given. It is typically assigned to the developers responsible for remediating vulnerabilities. Members with this role can access vulnerability information required for remediation and request reattacks when they believe they have successfully fixed the code.

Vulnerability Manager role

Intended for technical leaders, this role provides access to features like generating reports, viewing group members, and assigning fix work.

Client roles permissions

Below are the descriptions of the permissions available to clients on Fluid Attacks' platform. These permissions are categorized into two levels: the group and organization levels.

Group-level permissions

    Agent

  • Generate/update agent token: Generate and update the token to use for DevSecOps agent, an application that inspects builds for noncompliance with organization policies and prevents deployment if it finds any. Available at Scope > DevSecOps agent > Manage token > Generate/Reset.

  • View agent token and its expiration date: View the current DevSecOps agent token and when it expires. Available at Scope > DevSecOps agent > Manage token > Reveal token.

  • View agent executions: Access to reports of executions of the DevSecOps agent in your CI/CD. Available at DevSecOps.

  • Events

  • Request verification on events: Request verification that events have been resolved. Available at Events > Request verification.

  • Export file in Events: Download event data as a CSV file. Available at Events > Export.

  • Files

  • Add/download file: Upload or download any files you find helpful or necessary for performing security tests on the group. Available at Scope > Files > Add.

  • Delete file: Eliminate files that are considered unnecessary in the analysis of the group. Available at Scope > Files.

  • Group

  • Delete group: Delete an unnecessary group. Available at Scope > Delete this group.

  • Update group information: Update group informationAvailable at Scope > Information.

  • Plan upgrade: Upgrade from the Essential to the Advanced plan. Available at Scope > Services.

  • Unsubscribe from group: Leave groupAvailable at Scope > Unsubscribe.

  • Use Help options: Access help optionsAvailable at Help.

  • Members

  • Add member: Invite members to access the group and have some or all vulnerability management functions. Available at Members > Invite a member.

  • Delete member: Remove members from group. Available at Members > Remove.

  • Update member: Update member permissions and information (role or responsibility). Available at Members > Edit.

  • View members: View table of members in the group. Available at Members.

  • Invite contributor: Send invitations to contributor developers to register to the platform. Available at Authors.

  • Notifications

  • Receive notifications: Get notifications related to your group. 

  • Add/edit/remove hook: Add, edit, and remove webhooks, which notify of events happening in groups. Available at Integrations > Webhooks > Edit/Connect.

  • Portfolio

  • Create portfolio:  Add tags by which to sort groups within an organization. This is useful to get analytics involving specific groups. Available at Scope > Portfolio > Add.

  • Remove portfolio: Delete a group from a specific portfolio. Available at Scope > Portfolio > Remove.

  • Reports

  • Generate certificate: Generate a certificate of security testing with Fluid Attacks. Available at Vulnerabilities > Generate report > Certificate.

  • Generate report: Generate vulnerability reports varying in detail for a specific group.

  • Roots

  • Activate/deactivate root: Deactivate and activate assets to test. Available at Scope > Git Roots/IP Roots/URL Roots.

  • Move root: Move an asset with all its associated data to another group. Available at Scope > Git Roots.

  • Sync to Git root: Clone the Git repository again after changes have been made, this way Fluid Attacks can test the up-to-date version. Available at Scope.

  • Add Git/IP root: Add Git repositories and IP addresses to the scope of security testing. Available at Scope > Git Roots/IP Roots > Add new root.

  • Edit Git/IP/URL root: Modify URLs and branches. Available at Scope.

  • Add URL root/environment: Add of URLs or environments to the scope of security testing. Available at Scope.

  • Edit IP/URL root: Update root details. Available at Scope.

  • Add exclusions: Exclude files or folders from security assessments. Available at Scope.

  • Add secrets: Add secrets (usernames, passwords, email addresses, tokens, etc.) that give Fluid Attacks access to repositories and environments to test. Available at Scope.

  • View secrets: View secrets associated with a specific root. Available at Scope.

  • Delete secrets: Remove unnecessary secrets. Available at Scope.

  • Edit/delete Git environment: Edit or delete environments associated to source code repositories. Available at Scope.

  • Vulnerabilities

  • Vulnerability assignment: Assign vulnerability remediation responsibilities to team member. Available at Vulnerabilities > [Type] > Locations > Edit.

  • Request Zero risk: Request deletion of a vulnerability, as it poses no threat according to the organization. Available at Vulnerabilities > [Type] > Locations > Edit.

  • Request reattacks: Request retests by Fluid Attacks' tool to verify the effectiveness of remediation efforts. In the Advanced plan, reattacks may involve both Fluid Attacks' tool and hacking team.

  • Approve treatment: Accept and reject requests to change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Treatment acceptance.

  • Update treatment: Change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.

  • Add/remove tag: Add and remove tags for vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.

  • Consulting: In the Advanced plan, communicate questions, requests, and suggestions regarding a specific vulnerability or event. In the Essential plan, view comments about reattack outcomes. Available at Vulnerabilities/Events > Consulting.

Organization-level permissions

    Analytics

  • Download org analytics: Download the charts and figures of the Analytics sections. Available at Analytics > Download Analytics and Portfolios > Analytics > Download Analytics.

  • Vulnerability report in Analytics: Download a CSV file of details of all the vulnerabilities reported to the organizationAvailable at Analytics > Vulnerabilities.

  • Compliance

  • Compliance report: Download a report of compliance with several international standards. Available at Compliance > Standards > Generate report.

  • Credentials

  • Add credentials: Add credentials so Fluid Attacks has access to assets for testing. Available at Credentials > Add credential.

  • Delete credentials: Remove credentials, resulting in Fluid Attacks losing access to them. Available at Credentials > Remove.

  • Update credentials: Update credentials to maintain Fluid Attacks' access to assets. Available at Credentials > Edit.

  • OAuth connection: Authorize Fluid Attacks to import source code repositories from GitLab, GitHub, Bitbucket, and Azure accounts via Open Authorization, which eliminates the need to provide the credentials for these accounts. Available at Credentials > Add credential.

  • Members

  • Add members: Add members with access to the organization's Analytics and Policies sections. Available at Members > Invite a member.

  • View member: View members in the organization. Available at Members.

  • Update member: Update roles of members. Available at Members > Edit.

  • Delete member: Delete members at the organization level. Available at Members > Remove.

  • Policies

  • Update organization/group policies: Manage policies at the organization and group levels. Available at Policies.

  • Submit vulnerability for temporary acceptance in Policies: Submit requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.

  • Submit vulnerability for permanent acceptance in Policies: Submit requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.

  • Approve and reject vulnerability for temporary acceptance in Policies: Approve and reject requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.

  • Approve and reject vulnerability for permanent acceptance in policies: Approve and reject requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.

  • Project

  • Add repositories in Outside: Add repositories identified through OAuth access that are not yet part of any group. Available at Outside > Add new roots.

  • Add group: Create groups dedicated to managing the vulnerabilities of systems separately. Available at Groups > New group.

  • Add organization: Create another organization on the platform. Available in the organization menu.

Roles permissions summary table

The following tables specify the permissions that apply to each role on the platform.

Within groups

Feature group Feature User Vulnerability Manager Group Manager
Agent Generate/update agent token
Agent View agent token
Agent View agent token expiration date
Agent View agent executions
Events Request verification on events
Events Export file in Events
Files Add file
Files Download file
Files Delete file
Group Delete group
Group Update group information
Group Plan upgrade
Group Unsubscribe from group
Group Use Help options (talk to a hacker, chat, email)
Members Add/update/delete members
Members View members
Members Invite contributors
Notifications Receive notifications
Notifications Add/edit/remove hook
Portfolio Create portfolio
Portfolio Remove portfolio
Reports Generate certificate
Reports Generate report
Roots Activate/deactivate root
Roots Move root
Roots Sync to Git root
Roots Add Git root
Roots Edit Git root
Roots Add/edit IP root
Roots Add/edit URL root
Roots Add exclusions
Roots Add/view/delete root secrets
Roots Add/view/edit/delete Git environment
Vulnerabilities Vulnerability assignment
Vulnerabilities Request Zero risk
Vulnerabilities Request reattack
Vulnerabilities Approve treatment
Vulnerabilities Update treatment
Vulnerabilities Add/remove tag
Vulnerabilities Consulting section

At the organization level

Feature group Feature User Organization Manager
Analytics Download org analytics
Analytics Vulnerability report in Analytics
Compliance Compliance report
Credentials View credentials
Credentials Add/update/delete credentials
Credentials OAuth connection
Members Add/view/update/delete members
Policies Update org/group policies
Policies Submit vuln for temporary acceptance in Policies
Policies Submit vuln for permanent acceptance in Policies
Policies Approve and reject vuln for temporary acceptance in Policies
Policies Approve and reject vuln for permanent acceptance in Policies
Project Add repositories in Outside
Project Add group
Project Add organization

Fluid Attacks staff roles

There are roles on the platform available only for Fluid Attacks staff to ensure they access only the information and functions pertinent to their assignments.

Hacker

Hackers are the security analysts who identify, exploit, and report vulnerabilities in organizations' systems.

Reattacker

Reattackers are members that verify the effectiveness of fixes implemented by organizations.

Customer Manager

Customer Managers provide support to organizations' tasks, such as adding assets, deleting groups, requesting the deletion of vulnerabilities, and managing members.

Resourcer

Resourcers help maintain the assets provided by organizations, such as environment credentials and mailmap authors, up-to-date.

Reviewer

Reviewers mainly evaluate drafts for approval or disapproval and analyze vulnerability deletion requests.

Architect

Architects ensure that secure code review and penetration testing as a service deliverables are high-quality. Among their functions are deleting false positives or errors, including or deleting evidence, and providing help to the organizations over the help channels.

Closer

Closers are responsible for verifying whether a reattack to a vulnerability has been requested and setting the vulnerability status to Safe after a positive reattack outcome.

Admin

The Admin is the member who has the most privileges, lacking only the permission to change treatments.

Fluid Attacks staff roles summary table

The following table specifies the permissions that apply to each Fluid Attacks staff role on the platform.

Feature
Hacker
Reattacker
Resourcer
Reviewer
Architect
Customer Manager
Admin
Add draft
Add event
Add root
Approve draft
Change treatment
Confirm/reject Zero risk
Deactivate/activate root
Delete group
Edit root
Generate a report
Manage evidence
Remove vulnerability
Request reattack
Request Zero risk
Solve event
Verify reattack
Manage mailmap
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.