Legacy Mend UI - SAML - Access Control Setup Guide
Overview
After setting up SAML integration with Mend, SAML Groups and Roles need to be mapped to a Mend Group. These groups needs to then be mapped to a Mend Role in order to properly handle Role Based Access Control. This document will go over the steps needed to assign groups to roles both manually and at scale.
For details on how to set up SAML Integration within Mend, see SAML 2.0 Integration
Groups
Mend’s Role Based Access Controls can be assigned to individuals and groups. Mend recommends assigning roles to groups rather than individuals.
For Non-Global SAML set ups, once a user has signed into Mend with their SSO, if the group is not present, it will be created and the user will automatically be assigned to the group. When initially created, groups have no roles assigned to them.
Roles
Mend Legacy SCA has two different scopes for roles: Organization and Product.
For more information on each role and what permissions, see Organization Assignment Roles and Product-Related Roles
Manually Map Groups to Roles
Organization
To manually assign a group to an Organization Role, an Organization Admin needs to go to the Organization Administration panel then select Assignments under the “System” Category.
This will open the Assignments screen where groups and individuals can be assigned to a specific role.
On the Assignments Screen, expand the desired role then select Assign.
An Edit Groups window will open where the group can be selected and saved
Product
Products are created automatically by the Mend Integration when a scan occurs. To manually create a product see Creating a New Product.
To manually assign a group to a Product Role, a Product Admin needs to go to the Product Administration screen by select the gear icon on the Product Dashboard.
On the Product Administration Screen, expand the desired role then select Override.
An Edit Groups window will open where the group can be selected and saved
Automatically Assign New Products to Organization Admin Group
By default, when a new product is created, all organization users can view the product that was created.
Mend Legacy SCA has a setting that will assign new products to the Organization Admin group. This allows for products created by a Mend Integration to not be accessed by users until the proper group is assigned later either manually or via API allowing for greater access control.
This setting is enabled by an Organization Admin via the Integrate tab of the UI:
Expand the Advanced Settings then check “New products will automatically be assigned to the admin group”
Global Account - Map SAML Property to Mend Group
For Global Account SAML configurations, there is another layer of abstraction needed in order to assign users to the proper groups within each Mend Organization. A SAML property must be chosen to have it’s value mapped to Mend Groups.
This configuration can only be done by a Global Account Admin
From anywhere on the Mend UI, Click Global Admin.
On the Global Admin Console, Select SAML Integration
In the SAML Integration Screen, Click Advanced Settings to open Mapping Attribute Keys
Set the Role field of Mapping Attribute Keys to be the SAML Attribute whose values will used to map to Mend Groups.
In the Roles box, Select Add Role to begin mapping the SAML attribute to Mend Groups
Enter the desired value of the SAML attribute , then click Submit
Select all desired groups for the Role then select Ok
When all mappings are completed, Click Save at the bottom of the screen.
The next time a user logs into Mend Platform, they will be automatically added to the specified groups if their value in the specified SAML attribute matches the value in the Role section of the Role Mapping.
This mapping can be edited at any time by selecting Edit Groups
Automatically Mapping Mend Groups to Mend Roles
Currently, there is no process for automatically mapping groups to roles. For guidance on how to use Mend APIs to create a script to assist with the mapping, see Automating Group Assignments.
Roles in Mend Legacy SCA and Mend Platform
Review the role mapping between Mend Legacy SCA and Mend Platform to determine role equivalency between the two platforms