Skip to main content
Skip table of contents

User Level Access Control in Integrations and APIs

Overview

User-level access control in integrations and APIs is provided by user keys. The user key is a unique identifier that is mapped to a Mend user.

Mend supports the option of creating and using a unique identifier for each user who utilizes its services. The support for using user-level access control in integrations enhances auditing and optimizes accountability insights for the Mend administrator.

It allows to enforce segregation of administrative actions between different products and projects (i.e., a user who is not a product administrator cannot delete it). It also enables the administrator to view details on the activities of each user in relevant reports. Once the Mend administrator enforces the use of user-level access control in integrations, all requests must include a user key.

Applicability

  • All Mend agents support adding an attribute in the agent’s configuration file and/or a parameter in the command line.

  • All HTTP API methods support adding a user key argument to the API request.

Generating User Keys

User keys are generated by the user who will then be required to add it in all of his/her Mend requests. The steps for generating a user key are the following:

  1. Go to the Mend GUI and open the User Profile.

  2. Click on the Generate User Key.

  3. A unique user key is displayed in the User Keys table for the user to add in the various agents and APIs. The user key is mapped to the user profile name.

NOTE: All requests must include a user key. A request which doesn’t include a user key will fail.

Configuring Agents

The user key can be set in several ways, depending on the integration used.

When using the Unified Agent, the user key can be configured via the WS_USERKEY environment variable or by specifying the userKey parameter in the configuration file or by setting the -userKey command-line argument.

Example for configuring the userKey parameter in the configuration file:

Configuration in HTTP API

  • A userKey must be specified in every HTTP API request.

  • Only Mend users with Administrator or Auditor privileges (“Auditor” can only be assigned to service users) are allowed to use the APIs in case the Enforce user level access option has been enabled.

The argument is entered in the following fashion:

"userKey":"user_key",

The following is an example of a “getProjectVulnerabilityReport” API request that includes the userKey argument:

{

"requestType" : "getProjectVulnerabilityReport",

"userKey":"5c5c5b1dc14b44faa71d4bc443de",

"projectToken" : "438629e2da934b4ca68220c"

}

Reports

With the support of the User level access control in integrations, the Mend administrator has the option to view and analyze reports that provide data on the usage of Mend requests per user. Reports display the users’ profile names, which are linked to their respective user keys.

Plugin Request History Report

This report provides data on plugin requests per user.

Plugin Policy Violation History Report

This report provides Plugin Policy Violation History per user.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.