Legacy Mend UI - SAML - Access Control Setup Guide

Overview

After setting up SAML integration with Mend, SAML Groups and Roles need to be mapped to a Mend Group. These groups then need to be mapped to a Mend Role in order to properly handle Role Based Access Control. This document goes over the steps needed to assign groups to roles both manually and at scale.

For details on how to set up SAML Integration within Mend, see SAML 2.0 Integration.

Groups

Mend’s Role Based Access Controls can be assigned to individuals and groups. Mend recommends assigning roles to groups rather than individuals.

For non-Global SAML setups, once a user has signed in to Mend with their SSO, if the group is not present, it will be created and the user will automatically be assigned to the group. When initially created, groups have no roles assigned to them.

Roles

Mend Legacy SCA has two different scopes for roles: Organization and Product.

For more information on each role and its permissions, see Organization Assignment Roles and Product-Related Roles.

Manually Map Groups to Roles

Organization

To manually assign a group to an Organization Role, an Organization Admin needs to go to the Organization Administration panel, then select Assignments under the “System” category.

This will open the Assignments screen where groups and individuals can be assigned to a specific role.

On the Assignments Screen, expand the desired role then select Assign.

An Edit Groups window will open where the group can be selected and saved.

Product

Products are created automatically by the Mend Integration when a scan occurs. To manually create a product, see Creating a New Product.

To manually assign a group to a Product Role, a Product Admin needs to go to the Product Administration screen by selecting the gear icon on the Product Dashboard.

On the Product Administration Screen, expand the desired role then select Override.

An Edit Groups window will open where the group can be selected and saved.

Automatically Assign New Products to Organization Admin Group

By default, when a new product is created, all organization users can view the product that was created.

Mend Legacy SCA has a setting that will assign new products to the Organization Admin group. This keeps products created by a Mend Integration from being accessed by users until the proper group is assigned later, either manually or via API, allowing for greater access control.

This setting is enabled by an Organization Admin via the Integrate tab of the UI:

Expand the Advanced Settings, then check “New products will automatically be assigned to the admin group”.

Global Account - Map SAML Property to Mend Group

For Global Account SAML configurations, there is another layer of abstraction needed in order to assign users to the proper groups within each Mend Organization. A SAML property must be chosen to have its value mapped to Mend Groups.

This configuration can only be done by a Global Account Admin.

From anywhere in the Mend UI, click Global Admin.

On the Global Admin Console, select SAML Integration.

In the SAML Integration screen, click Advanced Settings to open Mapping Attribute Keys.

Set the Role field of Mapping Attribute Keys to the SAML attribute whose values will be used to map to Mend Groups.

In the Roles box, select Add Role to begin mapping the SAML attribute to Mend Groups.

Enter the desired value of the SAML attribute, then click Submit.

Select all desired groups for the Role, then select Ok.

When all mappings are completed, click Save at the bottom of the screen.

The next time a user logs into Mend Platform, they will be automatically added to the specified groups if their value in the specified SAML attribute matches the value in the Role section of the Role Mapping.

This mapping can be edited at any time by selecting Edit Groups.
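
The following is an added example, not Mend code: an offline check that reads a captured SAML assertion and predicts which Mend Groups the Role mapping described above would assign, so unmapped values are caught before users log in. The attribute name `memberOf`, the attribute values, the group names, and exact case-sensitive matching are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of an assertion as an IdP might send it.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>dev@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>appsec-team</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mirror of the Global Admin settings: the Role field of Mapping
# Attribute Keys, and each Role value with the Mend Groups selected for it.
ROLE_ATTRIBUTE = "memberOf"
ROLE_MAPPING = {
    "appsec-team": ["Security Reviewers", "Product Admins"],
    "developers": ["Developers"],
}

def attribute_values(assertion_xml, name):
    """Return every value the assertion carries for the named SAML attribute.
    Review aid only: it does not verify the assertion's signature."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return values

def resolve_groups(assertion_xml, role_attribute, mapping):
    """Predict group membership and list attribute values that map to nothing."""
    groups, unmapped = set(), []
    for value in attribute_values(assertion_xml, role_attribute):
        if value in mapping:  # assumption: exact, case-sensitive match
            groups.update(mapping[value])
        else:
            unmapped.append(value)
    return sorted(groups), unmapped

if __name__ == "__main__":
    print(resolve_groups(SAMPLE_ASSERTION, ROLE_ATTRIBUTE, ROLE_MAPPING))
```

An empty group list for a user who should have access usually means the Role field points at an attribute the IdP does not send, or the value differs from the one entered under Add Role.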


Automatically Mapping Mend Groups to Mend Roles

Currently, there is no process for automatically mapping groups to roles. For guidance on how to use Mend APIs to create a script to assist with the mapping, see Automating Group Assignments.

Roles in Mend Legacy SCA and Mend Platform

Review the role mapping between Mend Legacy SCA and Mend Platform to determine role equivalency between the two platforms.
