Manage Roles in the Mend AppSec Platform
Overview
System Admins are responsible for managing user roles within the Mend Platform. This document provides a technical guide for System Admins to control and configure user roles effectively.
After assigning all relevant users to a particular group, you can assign a role to the group which will apply the required permissions to all its users.
Mend Platform Roles and Permissions
| Role | Permissions |
|---|---|
| Admin | Organization Admins have full access to all features and configurations within the organizational scope. This includes user and group management, labels, scan configurations, applications, and projects. They can: Application Admins can also create workflows, but only within their assigned application(s). These workflows are application-scoped and separate from the organization-wide workflows defined by Org Admins. |
| Security Analyst | Security Analysts are responsible for triaging all security findings. They can review scan and findings data and take the needed actions to either resolve issues or suppress them where justified. |
| Scan Manager | Scan Managers can execute security scans using the Mend CLI or through the Repository Integrations. They can configure and change the organization structure by adding new applications/projects and making the needed structure changes. |
| Member | Members have access to the Mend Platform for viewing purposes. They can review all available data in dashboards and drill down to visualize projects, scans, and security findings data. Members can’t access administration or configuration capabilities and can’t impact data with actions. |
| Legal Analyst | This role allows users and groups to manually override a license and copyright assignment that was applied automatically during analysis. |
| Auditor | This role grants read-only access for service users requiring data visibility without the ability to modify anything in the platform. |
Understanding Application-Scoped Roles and Default Group Access
By default, the built-in Admin and User groups grant their members access to all applications in the organization. However, this default behavior changes when application-scoped roles are introduced.
How Application-Scoped Roles Affect Default Access
When an application-scoped role is added to the Admin group, the default broad access for all other groups - including the default User group - is removed. From that point on, users in those groups no longer have access to any application unless access is explicitly granted.
What this means in practice:
Once any application-scoped role exists in the Admin group, users in the User group (and any other non-admin group) lose access to all applications.
To restore access, an application-scoped role must be explicitly added to each affected group for every application that group needs to access; an organization-scoped role alone does not restore it.
This behavior applies to the default User group and to any other custom non-admin group, so after adding the first application-scoped role to the Admin group, review every non-admin group's roles to confirm it still reaches the applications it needs.
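The rule above is easy to get wrong in a large organization, because one change to the Admin group silently removes access for every other group. The following is an added illustration, not Mend code and not the Mend API: it models the documented rule (Admin keeps full access; other groups have default access to all applications until the Admin group holds any application-scoped role; afterwards a non-admin group reaches only the applications for which it holds an explicit application-scoped role) and includes an audit helper that lists groups left without any application access. Group names other than the built-in Admin and User, the application names, and the role labels used in the walkthrough are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Built-in group names as referred to on the page. Any other name is a custom group.
ADMIN_GROUP = "Admin"
USER_GROUP = "User"


@dataclass(frozen=True)
class RoleAssignment:
    """One role granted to a group, either organization-wide or for one application."""
    role: str
    application: Optional[str] = None  # None means organization-scoped


@dataclass
class Organization:
    """Constructed model of an organization's groups and role assignments."""
    applications: Set[str]
    groups: Dict[str, List[RoleAssignment]] = field(
        default_factory=lambda: {ADMIN_GROUP: [], USER_GROUP: []}
    )

    def add_role(self, group: str, role: str, application: Optional[str] = None) -> None:
        """Assign a role to a group (the 'Add Role' step), validating the application name."""
        if application is not None and application not in self.applications:
            raise ValueError(f"unknown application: {application}")
        self.groups.setdefault(group, []).append(RoleAssignment(role, application))

    def admin_group_has_app_scoped_role(self) -> bool:
        """The trigger condition: any application-scoped role on the Admin group."""
        return any(a.application is not None for a in self.groups.get(ADMIN_GROUP, []))

    def accessible_applications(self, group: str) -> Set[str]:
        """Effective application access for a group under the documented rule.

        Modelling assumptions: the Admin group keeps access to every application;
        before the trigger every other group has default access to all applications;
        after the trigger a non-admin group reaches only the applications for which it
        holds an explicit application-scoped role (organization-scoped roles alone do
        not restore access).
        """
        if group == ADMIN_GROUP or not self.admin_group_has_app_scoped_role():
            return set(self.applications)
        return {a.application for a in self.groups.get(group, []) if a.application is not None}

    def groups_without_access(self) -> List[str]:
        """Audit helper: groups that currently cannot reach any application."""
        return sorted(g for g in self.groups if not self.accessible_applications(g))


def walkthrough() -> Dict[str, Set[str]]:
    """Replay the scenario from the text on a constructed organization and return the
    effective access observed at each stage."""
    org = Organization(applications={"payments-api", "web-portal"})  # constructed names
    org.add_role(USER_GROUP, "Member")                 # organization-scoped
    org.add_role("soc-analysts", "Security Analyst")   # custom group, organization-scoped
    stages: Dict[str, Set[str]] = {}
    stages["before"] = org.accessible_applications(USER_GROUP)
    # Adding an application-scoped role to the Admin group is the trigger.
    org.add_role(ADMIN_GROUP, "Admin", "payments-api")
    stages["after_trigger"] = org.accessible_applications(USER_GROUP)
    stages["custom_after_trigger"] = org.accessible_applications("soc-analysts")
    # Restoring access requires an explicit application-scoped role per application.
    org.add_role(USER_GROUP, "Member", "web-portal")
    stages["after_restore"] = org.accessible_applications(USER_GROUP)
    # The custom group was never re-granted anything, so the audit flags it.
    stages["locked_out"] = set(org.groups_without_access())
    return stages


if __name__ == "__main__":
    for stage, apps in walkthrough().items():
        print(f"{stage}: {sorted(apps)}")
```

Running the walkthrough shows the User group going from full access to none after the first application-scoped Admin role is added, regaining only `web-portal` once that single application-scoped role is granted, while the custom `soc-analysts` group, which holds only an organization-scoped role, stays locked out until it is treated the same way.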
Getting it done
Assign a Role to group(s)
1. Log into the Mend AI-Native AppSec Platform.
2. Click the settings gear in the top right corner of the page.
3. Click Administration.
4. Click Groups in the Administration menu on the left.
5. Click on the group name you would like to assign roles for.
6. Click the Roles tab and then the + Add Role button.
7. Select which roles to assign to the selected group. The roles can be assigned at the Organization level or for a specific Application. Click the Add button to confirm your selection.
Example: Assigning the Auditor Role at the Organization Level
Delete Group Role
1. Select the relevant group in the Groups table.
2. Click Roles.
3. Unselect the role you would like to delete from the specific group.
4. Click the “OK” button in the pop-up message window to delete the Group Role.