Understand roles
This page explains the different roles that are available on the platform, along with the permissions they grant.
Client roles
Organization Manager role
Members assigned the Organization Manager role are automatically granted the Group Manager role within all groups belonging to the organization.Group Manager role
Designed for technical leaders within their group, this role allows them to perform all actions available in the group on the platform. It is designed for product leaders, granting relevant capabilities like generating reports, defining treatments for vulnerabilities (e.g., accepting vulnerabilities permanently , approving vulnerability deletion requests by their company), and managing group members .
User role
This is the role most members are given. It is typically assigned to the developers responsible for remediating vulnerabilities. Members with this role can access vulnerability information required for remediation and request reattacks when they believe they have successfully fixed the code.
Vulnerability Manager role
Intended for technical leaders, this role provides access to features like generating reports, viewing group members, and assigning fix work.
Client roles permissions
Below are the descriptions of the permissions available to clients on Fluid Attacks' platform. These permissions are categorized into two levels: the group and organization levels.
Group-level permissions
-
Generate/update agent token: Generate and update the token to use for DevSecOps agent, an application that inspects builds for noncompliance with organization policies and prevents deployment if it finds any. Available at Scope > DevSecOps agent > Manage token > Generate/Reset.
-
View agent token and its expiration date: View the current DevSecOps agent token and when it expires. Available at Scope > DevSecOps agent > Manage token > Reveal token.
-
View agent executions: Access to reports of executions of the DevSecOps agent in your CI/CD. Available at DevSecOps.
-
Request verification on events: Request verification that events have been resolved. Available at Events > Request verification.
-
Export file in Events: Download event data as a CSV file. Available at Events > Export.
-
Add/download file: Upload or download any files you find helpful or necessary for performing security tests on the group. Available at Scope > Files > Add.
-
Delete file: Eliminate files that are considered unnecessary in the analysis of the group. Available at Scope > Files.
-
Delete group: Delete an unnecessary group. Available at Scope > Delete this group.
-
Update group information: Update group information. Available at Scope > Information.
-
Plan upgrade: Upgrade from the Essential to the Advanced plan. Available at Scope > Services.
-
Unsubscribe from group: Leave group. Available at Scope > Unsubscribe.
-
Use Help options: Access help options. Available at Help.
-
Add member: Invite members to access the group and have some or all vulnerability management functions. Available at Members > Invite a member.
-
Delete member: Remove members from group. Available at Members > Remove.
-
Update member: Update member permissions and information (role or responsibility). Available at Members > Edit.
-
View members: View table of members in the group. Available at Members.
-
Invite contributor: Send invitations to contributor developers to register to the platform. Available at Authors.
-
Receive notifications: Get notifications related to your group.
-
Add/edit/remove hook: Add, edit, and remove webhooks, which notify of events happening in groups. Available at Integrations > Webhooks > Edit/Connect.
-
Create portfolio: Add tags by which to sort groups within an organization. This is useful to get analytics involving specific groups. Available at Scope > Portfolio > Add.
-
Remove portfolio: Delete a group from a specific portfolio. Available at Scope > Portfolio > Remove.
-
Generate certificate: Generate a certificate of security testing with Fluid Attacks. Available at Vulnerabilities > Generate report > Certificate.
-
Generate report: Generate vulnerability reports varying in detail for a specific group.
-
Activate/deactivate root: Deactivate and activate assets to test. Available at Scope > Git Roots/IP Roots/URL Roots.
-
Move root: Move an asset with all its associated data to another group. Available at Scope > Git Roots.
-
Sync to Git root: Clone the Git repository again after changes have been made, this way Fluid Attacks can test the up-to-date version. Available at Scope.
-
Add Git/IP root: Add Git repositories and IP addresses to the scope of security testing. Available at Scope > Git Roots/IP Roots > Add new root.
-
Edit Git/IP/URL root: Modify URLs and branches. Available at Scope.
-
Add URL root/environment: Add of URLs or environments to the scope of security testing. Available at Scope.
-
Edit IP/URL root: Update root details. Available at Scope.
-
Add exclusions: Exclude files or folders from security assessments. Available at Scope.
-
Add secrets: Add secrets (usernames, passwords, email addresses, tokens, etc.) that give Fluid Attacks access to repositories and environments to test. Available at Scope.
-
View secrets: View secrets associated with a specific root. Available at Scope.
-
Delete secrets: Remove unnecessary secrets. Available at Scope.
-
Edit/delete Git environment: Edit or delete environments associated to source code repositories. Available at Scope.
-
Vulnerability assignment: Assign vulnerability remediation responsibilities to team member. Available at Vulnerabilities > [Type] > Locations > Edit.
-
Request Zero risk: Request deletion of a vulnerability, as it poses no threat according to the organization. Available at Vulnerabilities > [Type] > Locations > Edit.
-
Request reattacks: Request retests by Fluid Attacks' tool to verify the effectiveness of remediation efforts. In the Advanced plan, reattacks may involve both Fluid Attacks' tool and hacking team.
-
Approve treatment: Accept and reject requests to change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Treatment acceptance.
-
Update treatment: Change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.
-
Add/remove tag: Add and remove tags for vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.
-
Consulting: In the Advanced plan, communicate questions, requests, and suggestions regarding a specific vulnerability or event. In the Essential plan, view comments about reattack outcomes. Available at Vulnerabilities/Events > Consulting.
Agent
Events
Files
Group
Members
Notifications
Portfolio
Reports
Roots
Vulnerabilities
Organization-level permissions
-
Download org analytics: Download the charts and figures of the Analytics sections. Available at Analytics > Download Analytics and Portfolios > Analytics > Download Analytics.
-
Vulnerability report in Analytics: Download a CSV file of details of all the vulnerabilities reported to the organization. Available at Analytics > Vulnerabilities.
-
Compliance report: Download a report of compliance with several international standards. Available at Compliance > Standards > Generate report.
-
Add credentials: Add credentials so Fluid Attacks has access to assets for testing. Available at Credentials > Add credential.
-
Delete credentials: Remove credentials, resulting in Fluid Attacks losing access to them. Available at Credentials > Remove.
-
Update credentials: Update credentials to maintain Fluid Attacks' access to assets. Available at Credentials > Edit.
-
OAuth connection: Authorize Fluid Attacks to import source code repositories from GitLab, GitHub, Bitbucket, and Azure accounts via Open Authorization, which eliminates the need to provide the credentials for these accounts. Available at Credentials > Add credential.
-
Add members: Add members with access to the organization's Analytics and Policies sections. Available at Members > Invite a member.
-
View member: View members in the organization. Available at Members.
-
Update member: Update roles of members. Available at Members > Edit.
-
Delete member: Delete members at the organization level. Available at Members > Remove.
-
Update organization/group policies: Manage policies at the organization and group levels. Available at Policies.
-
Submit vulnerability for temporary acceptance in Policies: Submit requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
-
Submit vulnerability for permanent acceptance in Policies: Submit requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.
-
Approve and reject vulnerability for temporary acceptance in Policies: Approve and reject requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
-
Approve and reject vulnerability for permanent acceptance in policies: Approve and reject requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.
-
Add repositories in Outside: Add repositories identified through OAuth access that are not yet part of any group. Available at Outside > Add new roots.
-
Add group: Create groups dedicated to managing the vulnerabilities of systems separately. Available at Groups > New group.
-
Add organization: Create another organization on the platform. Available in the organization menu.
Analytics
Compliance
Credentials
Members
Policies
Project
Roles permissions summary table
The following tables specify the permissions that apply to each role on the platform.
Within groups
At the organization level
Fluid Attacks staff roles
There are roles on the platform available only for Fluid Attacks staff to ensure they access only the information and functions pertinent to their assignments.
Hacker
Hackers are the security analysts who identify, exploit, and report vulnerabilities in organizations' systems.
Reattacker
Reattackers are members that verify the effectiveness of fixes implemented by organizations.
Customer Manager
Customer Managers provide support to organizations' tasks, such as adding assets, deleting groups, requesting the deletion of vulnerabilities, and managing members.
Resourcer
Resourcers help maintain the assets provided by organizations, such as environment credentials and mailmap authors, up-to-date.
Reviewer
Reviewers mainly evaluate drafts for approval or disapproval and analyze vulnerability deletion requests.
Architect
Architects ensure that secure code review and penetration testing as a service deliverables are high-quality. Among their functions are deleting false positives or errors, including or deleting evidence, and providing help to the organizations over the help channels.
Closer
Closers are responsible for verifying whether a reattack to a vulnerability has been requested and setting the vulnerability status to Safe after a positive reattack outcome.
Admin
The Admin is the member who has the most privileges, lacking only the permission to change treatments.
Fluid Attacks staff roles summary table
The following table specifies the permissions that apply to each Fluid Attacks staff role on the platform.
|
Feature
|
Hacker
|
Reattacker
|
Resourcer
|
Reviewer
|
Architect
|
Customer Manager
|
Admin
|
|
Add draft
|
✔ |
✔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Add event
|
✔
|
✔
|
✔
|
⛔
|
✔
|
✔
|
✔
|
|
Add root
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
|
Approve draft
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
⛔
|
✔
|
|
Change treatment
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
⛔
|
|
Confirm/reject Zero risk
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
⛔
|
✔
|
|
Deactivate/activate root
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
|
Delete group
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
|
Edit root
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Generate a report
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
✔
|
|
Manage evidence
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Remove vulnerability
|
✔
|
⛔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Request reattack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
|
Request Zero risk
|
⛔
|
⛔
|
⛔
|
⛔
|
⛔
|
✔
|
✔
|
|
Solve event
|
✔
|
✔
|
✔
|
⛔
|
✔
|
✔
|
✔
|
|
Verify reattack
|
✔
|
✔
|
⛔
|
⛔
|
✔
|
⛔
|
✔
|
|
Manage mailmap
|
⛔
|
⛔
|
✔
|
⛔
|
⛔
|
✔
|
✔
|
