Before you can successfully remediate vulnerabilities with Application Vulnerability Response (AVR), you must assign users to user groups.

Roles define what you and your groups can see and do in Application Vulnerability Response, Performance Analytics for Vulnerability Response, and third-party integrations with Application Vulnerability Response.

User groups

Following are the default user groups supporting Application Vulnerability Response:
  • App-Sec Manager: Contains security managers. Starting from Application Vulnerability Response v15.0, it will also contain application owners who manage the penetration test assessment requests.
  • Security Champion: Contains liaisons between the development group and security managers.
  • Developer: Contains individual contributors.
  • V15.0: Ethical Hacker: Contains members of the ethical hacking team who perform penetration testing of applications.

The system admin [admin] role is required to assign users to the Application Vulnerability Response default user groups, using the User Administration module,

Note:

Assigning AVR users to the Application Vulnerability Response user groups for Application Vulnerability Response is not available in the Vulnerability Response Setup Assistant feature. Only Vulnerability Response roles are assigned there.

The following table lists the available Application Vulnerability Response user groups and the roles associated with them. Use this table to determine which users should be assigned which groups.

User GroupRoles in this group

Security Champion

Members of this group can:
  • Read and write application vulnerable items (AVIs) assigned to you.
  • Assign an AVI, that is assigned to you, to another individual or group.
  • V20.0: Create, update, delete and cancel (deactivate) exception rules.
  • sn_vul.app_read_assigned
  • sn_vul.app_write_assigned
  • sn_vul.app_update_assignment_group
  • sn_vul.app_update_assigned_to
  • sn_vul.app_manage_auto_exception_rule

App-Sec Manager

Members of this group can:
  • V20.0: Create, update, delete and cancel (deactivate) exception rules.
  • Read, write, delete, and all operations on application remediation task rules.
  • Read and write all AVIs.
  • Configure AVR by create and manage rules, calculators, and severity maps.
  • Configure integrations.
  • Delete AVIs.
  • Assign AVI to individuals or groups.
  • Manage applications.
  • Allows access to the Application module.
  • Schedule, configure, execute integration.
  • Read and execute integrations.
  • View AVR Performance Analytics dashboards and reports.
  • V15.0: Manage penetration test assessment requests.
  • sn_vul.app_manage_auto_exception_rule
  • sn_vul.app_manage_group_rules
  • sn_vul.app_read_all
  • sn_vul.app_write_all
  • sn_vul.app_update_assignment_group
  • sn_vul.app_update_assigned_to
  • sn_vul.app_configure_integrations
    Note: By default, this role contains granular roles for third-party integration configuration. To define or edit an App-Sec Manager user group by single or specific integrations, see Vulnerability Response personas and granular roles.
  • sn_vul.app_manage_assignment_rules
  • sn_vul.app_manage_remediation_target_rules
  • sn_vul.app_manage_risk_score_configurations
  • sn_vul.app_manage_applications
  • sn_vul.app_manage_app_vul_permissions
  • sn_vul.app_manage_normalized_severity
  • Version 13.0: sn_vul.app_manage_app_sc
  • Version 12.0 only: sn_vul.app_read_application_release

    [Removed in v12.1. Do not use]

  • sn_sec_int.admin
  • Version 13.0: pa_power_user
  • pa_viewer
    Note: Starting with Vulnerability Response v13.0, pa_viewer is included in pa_power_user and no longer needed by itself.
  • V15.0: sn_vul.app_manage_pen_test_request
  • V15.0: sn_vul.app_update_state
  • V15.0: cmdb_read

Developer

Members of this group can:
  • Read and write AVR records assigned to you.
  • Assign an AVI, that is assigned to you, to another individual or group.
  • sn_vul.app_read_assigned
  • sn_vul.app_write_assigned
  • sn_vul.app_update_assignment_group
  • sn_vul.app_update_assigned_to
  • sn_vul.app_pa_sc_view
V15.0: Ethical Hacker
Members of this group can:
  • Configure default assignment group and assignee for penetration test assessment requests.
  • Manage penetration test findings.
  • Manage penetration test assessment requests.
  • View application vulnerable items.
  • Update assignment for application vulnerable items.
  • V15.0: sn_vul.app_update_state
  • V15.0: sn_vul.app_manage_pen_test_request
  • V15.0: itil
  • V15.0: sn_vul.app_read_all
  • V15.0: sn_vul.app_manage_pen_test_request_config
  • V15.0: sn_vul.app_manage_manual_avits
  • V15.0: sn_vul.app_update_assigned_to
  • V15.0: sn_vul.app_update_assignment_group

Assign users to user groups in Application Vulnerability Response

Assign users to groups using the User Administration module in your instance.

Before you begin

Role required: admin

Procedure

To assign or remove a user from a group:
  1. Navigate to Administration > Groups.
  2. Locate and open the appropriate group, for example, App-Sec Manager.
    The group record is displayed.
  3. Select the Group Members tab.
    The current members of the group are displayed.
  4. Click Edit.
    The Edit members form is displayed.
  5. From Collection list, select users to add to or remove from the group.
  6. Once all users have been added to the Group Members List or removed, click Save.
    You are returned to the Group Members tab.
  7. Click Update to save your changes and return to the Groups list.