This page explains the different roles that are available on the platform, along with the permissions they grant.

Client roles

User Manager role

This role gives the most privileges, allowing the person to perform all actions available to a client on the platform. It is designed for product leaders, granting relevant capabilities like generating reports, defining treatments for vulnerabilities (e.g., accepting vulnerabilities permanently, approving vulnerability deletion requests by their company), setting policies, and managing members at the group and organization levels.

User role

This is the role most members are given. It is typically assigned to the developers responsible for remediating vulnerabilities. Members with this role can access vulnerability information required for remediation and request reattacks when they believe they have successfully fixed the code.

Vulnerability Manager role

Intended for technical leaders, this role provides access to features like generating reports, viewing group members, and assigning fix work.

Client roles permissions

Below are the descriptions of the permissions available to clients on Fluid Attacks' platform. These permissions are categorized into two levels: the group and organization levels.

Group-level permissions

• Generate/update agent token: Generate and update the token to use for DevSecOps agent, an application that inspects builds for noncompliance with organization policies and prevents deployment if it finds any. Available at Scope > DevSecOps agent > Manage token > Generate/Reset.

• View agent token and its expiration date: View the current DevSecOps agent token and when it expires. Available at Scope > DevSecOps agent > Manage token > Reveal token.

• View agent executions: Access to reports of executions of the DevSecOps agent in your CI/CD. Available at DevSecOps.

• Deactivate/activate root: Deactivate and activate assets to test. Available at Scope > Git Roots/IP Roots/URL Roots.

• Move root: Move an asset with all its associated data to another group. Available at Scope > Git Roots.

• Add Git/IP root: Add Git repositories and IP addresses to the scope of security testing. Available at Scope > Git Roots/IP Roots > Add new root.

• Add URL root/environment: Add of URLs or environments to the scope of security testing. Available at Scope.

• Edit Git/IP/URL root/environment: Modify URLs and branches. Available at Scope.

• Delete Git environment: Delete environments associated to source code repositories. Available at Scope.

• Sync to Git root: Clone the Git repository again after changes have been made, this way Fluid Attacks can test the up-to-date version. Available at Scope.

• Add exclusions: Exclude files or folders from security assessments. Available at Scope.

• Add secrets: Add secrets (usernames, passwords, email addresses, tokens, etc.) that give Fluid Attacks access to repositories and environments to test. Available at Scope.

• Delete secrets: Remove unnecessary secrets. Available at Scope.

• View secrets: View secrets associated with a specific root. Available at Scope.

• Consulting: In the Advanced plan, communicate questions, requests, and suggestions regarding a specific vulnerability or event. In the Essential plan, view comments about reattack outcomes. Available at Vulnerabilities/Events > Consulting.

• Create portfolio:  Add tags by which to sort groups within an organization. This is useful to get analytics involving specific groups. Available at Scope > Portfolio > Add.

• Remove portfolio: Delete a group from a specific portfolio. Available at Scope > Portfolio > Remove.

• Add/download file: Upload or download any files you find helpful or necessary for performing security tests on the group. Available at Scope > Files > Add.

• Delete file: Eliminate files that are considered unnecessary in the analysis of the group. Available at Scope > Files.

• Delete group: Delete an unnecessary group. Available at Scope > Delete this group.

• Update group information: Update group information. Available at Scope > Information.

• Unsubscribe from group: Leave group. Available at Scope > Unsubscribe.

• Update group policies: Manage policies at the group level. Available at Scope > Policies.

• Plan upgrade: Upgrade from the Essential to the Advanced plan. Available at Scope > Services.

• Add member: Invite members to access the group and have some or all vulnerability management functions. Available at Members > Invite a member.

• Update member: Update member permissions and information (role or responsibility). Available at Members > Edit.

• View members: View table of members in the group. Available at Members.

• Delete member: Remove members from group. Available at Members > Remove.

• Request verification on events: Request verification that events have been resolved. Available at Events > Request verification.

• Export file in Events: Download event data as a CSV file. Available at Events > Export.

• Approve treatment: Accept and reject requests to change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Treatment acceptance.

• Zero risk request: Request deletion of a vulnerability, as it poses no threat according to the organization. Available at Vulnerabilities > [Type] > Locations > Edit.

• Update treatment: Change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.

• Request reattacks: Request retests by Fluid Attacks' tool to verify the effectiveness of remediation efforts. In the Advanced plan, reattacks may involve both Fluid Attacks' tool and hacking team.

• Vulnerability assignment: Assign vulnerability remediation responsibilities to team member. Available at Vulnerabilities > [Type] > Locations > Edit.

• Add/remove tag: Add and remove tags for vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.

• Invite contributor: Send invitations to contributor developers to register to the platform. Available at Authors.

• Generate certificate: Generate a certificate of security testing with Fluid Attacks. Available at Vulnerabilities > Generate report > Certificate.

• Generate report: Generate vulnerability reports varying in detail for a specific group.

• Receive notifications: Get notifications related to your group. 

• Help options: Access help options. Available at Help.

• Add/edit/remove hook: Add, edit, and remove webhooks, which notify of events happening in groups. Available at Integrations > Webhooks > Edit/Connect.

Organization-level permissions

• Add credentials: Add credentials so Fluid Attacks has access to assets for testing. Available at Credentials > Add credential.

• Delete credentials: Remove credentials, resulting in Fluid Attacks losing access to them. Available at Credentials > Remove.

• Update credentials: Update credentials to maintain Fluid Attacks' access to assets. Available at Credentials > Edit.

• OAuth connection: Authorize Fluid Attacks to import source code repositories from GitLab, GitHub, Bitbucket, and Azure accounts via Open Authorization, which eliminates the need to provide the credentials for these accounts. Available at Credentials > Add credential.

• Add repositories in Outside: Add repositories identified through OAuth access that are not yet part of any group. Available at Outside > Add new roots.

• Add group: Create groups dedicated to managing the vulnerabilities of systems separately. Available at Groups > New group.

• Submit vulnerability for temporary acceptance in Policies: Submit requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
  

• Approve and reject vulnerability for temporary acceptance in Policies: Approve and reject requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.

• Submit vulnerability for permanent acceptance in Policies: Submit requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.

• Approve and reject vulnerability for permanent acceptance in policies: Approve and reject requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.
  

• Update organization policies: Manage policies at the organization level. Available at Policies.

• Add members: Add members with access to the organization's Analytics and Policies sections. Available at Members > Invite a member.

• Update member: Update roles of members. Available at Members > Edit.

• View member: View members in the organization. Available at Members.

• Delete member: Delete members at the organization level. Available at Members > Remove.

• Vulnerability report in Analytics: Download a CSV file of details of all the vulnerabilities reported to the organization. Available at Analytics > Vulnerabilities.

• Download org analytics: Download the charts and figures of the Analytics sections. Available at Analytics > Download Analytics and Portfolios > Analytics > Download Analytics.

• Add organization: Create another organization on the platform. Available in the organization menu.

• Compliance report: Download a report of compliance with several international standards. Available at Compliance > Standards > Generate report.

Roles permissions summary table

Hacker

Hackers are the security analysts who identify, exploit, and report vulnerabilities in organizations' systems.

Reattacker

Reattackers are members that verify the effectiveness of fixes implemented by organizations.

Customer Manager

Customer Managers provide support to organizations' tasks, such as adding assets, deleting groups, requesting the deletion of vulnerabilities, and managing members.

Resourcer

Resourcerts help maintain the assets provided by organizations, such as environment credentials and mailmap authors, up-to-date.

Reviewer

Reviewers mainly evaluate drafts for approval or disapproval and analyze vulnerability deletion requests.

Architect

Architects ensure that secure code review and penetration testing as a service deliverables are high-quality. Among their functions are deleting false positives or errors, including or deleting evidence, and providing help to the organizations over the help channels.

Closer

Closers are responsible for verifying whether a reattack to a vulnerability has been requested and setting the vulnerability status to Safe after a positive reattack outcome.

Admin

The Admin is the member who has the most privileges, lacking only the permission to change treatments.

Fluid Attacks staff roles summary table

The following table specifies the permissions that apply to each Fluid Attacks staff role on the platform.

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.