Access considerations with automatic role assignments
Once you have completed the repository integration, you may notice that some users are unable to see applications created by the integration in the Mend Platform UI once they log in.
This behavior is the result of a Mend organization configuration. Specifically, Mend organizations can be configured to automatically assign newly created applications to the “admins” group. This setting can be found as follows:
STEPS:
Click on: “Gear Icon” -> “Legacy SCA Platform”
[new tab opens]
Click on: “Integrate” -> “Advanced Settings”
This configuration is a security setting that lets organization administrators ensure that newly created applications are not immediately visible to other user groups (besides “admins”) without some form of control. When the setting is enabled and the repository integration creates a new application in Mend, the application is automatically assigned a role that gives access exclusively to users in the “admins” group. You can see in the example below (navigating to “Administration” -> “Groups”) how the new application is automatically given a “member” role under the “admins” group.
Opening application access to other user groups
To give application access to users in other groups, you have three options:
1. Allow the “users” (or other) group access to the corresponding application
Click on “Administration” -> “Groups” -> “Users” (or other group) -> “Roles”
Click “+ Add Role” to add a new role to that group (see sample image below). Select the application from the dropdown and check “Member”. Click “Add”.
NOTE: You will need to repeat the steps above whenever you:
Onboard a new GH.com repository via the integration
Onboard a new Azure DevOps project via the integration
2. Allow any Mend groups access to the newly created application
Click on “Administration” -> “Groups” -> “Admins” -> “Roles”
Click on the specific application and uncheck the “Member” box. When prompted to confirm, hit “Ok”.
NOTE: You will need to repeat the steps above whenever you:
Onboard a new GH.com repository via the integration
Onboard a new Azure DevOps project via the integration
3. Allow any Mend groups access to any newly created applications
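You can achieve this by disabling the “New products will automatically be assigned to the admin group” security feature. You will need to do this for each Mend organization. Please consider the implications of this change: with the feature disabled, newly created applications are no longer restricted to the “admins” group when the integration creates them.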
Access the setting as shown above
Uncheck the box:
NOTE: This change only affects applications created after the setting is changed. For existing applications, consider options 1 or 2 above.