
SAML Access Control Setup Guide

Overview

After setting up SAML integration with Mend, SAML groups and roles need to be mapped to a Mend Group, and each Mend Group then needs to be mapped to a Mend Role for Role Based Access Control to work as intended. This document covers the steps needed to assign groups to roles, both manually and at scale.

For details on how to set up SAML Integration within Mend, see SAML 2.0 Integration.

The following video gives a basic walkthrough of this setup with Okta.

https://youtu.be/197X0_jirh8

For Non-Global SAML setups, group mapping can be done via a SAML attribute.

Groups

Mend’s Role Based Access Controls can be assigned to individuals and groups. Mend recommends assigning roles to groups rather than individuals.

For Non-Global SAML setups, once a user has signed into Mend via SSO, any group named in the SAML attribute that does not yet exist in Mend is created and the user is automatically assigned to it. Newly created groups have no roles assigned, so membership in a new group grants nothing until a role is mapped to it.


Mend Platform

Mend Roles

Mend Platform has two different scopes for roles: Organization and Application.

Both Organization and Application scopes have the same set of roles:

  • Admin

  • Security Analyst

  • Scan Manager

  • Member

Manually Map Mend Groups to Mend Roles

An Organization Admin can assign a group to either an Organization or an Application role using the same workflow.

From anywhere on the Mend Platform, click the Gear icon, then select Administration.

On the Administration screen, click Groups, then click the desired group name to open the details for that group.

Click the Roles tab, then Add Role.

In the Add Group Role dialog, select the Scope level and the desired roles for the group, then click Add.

After a Role has been added to a group, it can be managed from the Roles tab.

Global Account - Map SAML Property to Mend Group

For Global Account SAML configurations, an additional layer of abstraction is needed to assign users to the proper groups within each Mend Organization: a SAML property must be chosen and its values mapped to Mend Groups.

This configuration can only be done by a Global Account Admin.

From anywhere on the Mend Platform, click the Gear icon, then select Account Management.


On the Account Management screen, select SAML Integration from the top ribbon.


Click the Edit button to modify the SAML integration.


Under Key Attributes, set the Role field to the name of the SAML attribute whose values will represent roles.


Under Role Mapping, click Add Role.


Set the Role to the expected value of the SAML attribute specified in the previous step, then add any number of Mend Groups from any of the Organizations in the Global Account.


When all mappings are complete, click Save at the top of the screen.


The next time a user logs into Mend Platform, they are automatically added to the specified groups if the value of the configured SAML attribute matches the Role value in the Role Mapping.

Mend Legacy SCA

Roles

Mend Legacy SCA has two different scopes for roles: Organization and Product.

For more information on each role and its permissions, see Organization Assignment Roles and Product-Related Roles.

Manually Map Groups to Roles

Organization

To manually assign a group to an Organization Role, an Organization Admin goes to the Organization Administration panel and selects Assignments under the “System” category.

This will open the Assignments screen where groups and individuals can be assigned to a specific role.

On the Assignments screen, expand the desired role, then select Assign.

An Edit Groups window opens where the group can be selected and saved.

Product

Products are created automatically by a Mend Integration when a scan occurs. To create a product manually, see Creating a New Product.

To manually assign a group to a Product Role, a Product Admin goes to the Product Administration screen by selecting the gear icon on the Product Dashboard.

On the Product Administration screen, expand the desired role, then select Override.

An Edit Groups window opens where the group can be selected and saved.

Automatically Assign New Products to Organization Admin Group

By default, when a new product is created, all organization users can view it.

Mend Legacy SCA has a setting that assigns new products to the Organization Admin group. Products created by a Mend Integration are then not accessible to other users until the proper group is assigned later, either manually or via the API, which gives tighter access control over newly scanned products.

This setting is enabled by an Organization Admin via the Integrate tab of the UI:

Expand Advanced Settings, then check “New products will automatically be assigned to the admin group”.

Global Account - Map SAML Property to Mend Group

For Global Account SAML configurations, an additional layer of abstraction is needed to assign users to the proper groups within each Mend Organization: a SAML property must be chosen and its values mapped to Mend Groups.

This configuration can only be done by a Global Account Admin.

From anywhere in the Mend UI, click Global Admin.


In the Global Admin Console, select SAML Integration.


On the SAML Integration screen, click Advanced Settings to open Mapping Attribute Keys.


Set the Role field of Mapping Attribute Keys to the SAML attribute whose values will be used to map to Mend Groups.


In the Roles box, select Add Role to begin mapping the SAML attribute to Mend Groups.


Enter the desired value of the SAML attribute, then click Submit.


Select all desired groups for the Role, then select OK.


When all mappings are complete, click Save at the bottom of the screen.


The next time a user logs in, they are automatically added to the specified groups if the value of the configured SAML attribute matches the Role value in the Role Mapping.

This mapping can be edited at any time by selecting Edit Groups.

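The following is an added example, not Mend's code, that makes concrete what the Global Account procedures above (for both Mend Platform and Mend Legacy SCA) and the Non-Global behaviour described under Groups actually do with the SAML assertion: it reads the configured attribute out of a constructed assertion and resolves group membership under each mode. The attribute name "mendRole", the group and organization names, and the sample assertion are all assumptions; exact, case-sensitive matching of attribute values against the Role column is also an assumption, since the page does not state how Mend compares them.

```python
# Added example (not Mend's code): how the configured SAML attribute drives
# Mend group membership in the two modes described on this page.
# Assumptions: attribute name "mendRole", the group/organization names, the
# constructed assertion below, and exact case-sensitive value matching.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement as an IdP such as Okta might send.
# "mendRole" is multi-valued and carries one value with no mapping configured.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-02-28T20:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mendRole">
      <saml:AttributeValue>AppSec-Admins</saml:AttributeValue>
      <saml:AttributeValue>Payments-Developers</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role Mapping as it would be entered in the Global Account UI (assumed names):
# SAML attribute value -> Mend groups, written here as "Organization/Group".
ROLE_MAPPING = {
    "AppSec-Admins": ["Org-Payments/Security Admins", "Org-Platform/Security Admins"],
    "Payments-Developers": ["Org-Payments/Developers"],
}


def attribute_values(assertion_xml: str, attribute_name: str) -> list[str]:
    """Return every non-empty value of the named attribute, in document order.

    Only the attribute configured as the Role key is read; any other
    attribute, including one that differs only in case, is ignored.
    """
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def resolve_global_groups(values: list[str], role_mapping: dict[str, list[str]]) -> list[str]:
    """Global Account mode: each value is matched exactly against the Role
    column of the Role Mapping. A value with no mapping ("Contractors" above)
    grants nothing, so an unexpected IdP value fails closed rather than open."""
    groups: list[str] = []
    for value in values:
        for group in role_mapping.get(value, []):
            if group not in groups:
                groups.append(group)
    return groups


def resolve_non_global_groups(values: list[str], existing: dict[str, list[str]]) -> dict[str, list[str]]:
    """Non-Global mode: each value names a Mend group directly. A group that
    does not exist yet is created with no roles, so the user is a member of it
    but gains no permissions until an admin maps a role to that group."""
    groups = {name: list(roles) for name, roles in existing.items()}
    for value in values:
        groups.setdefault(value, [])  # new group: membership only, no roles yet
    return groups


if __name__ == "__main__":
    values = attribute_values(SAMPLE_ASSERTION, "mendRole")
    print("attribute values:", values)
    print("global-account groups:", resolve_global_groups(values, ROLE_MAPPING))
    existing = {"AppSec-Admins": ["Organization Admin"]}
    print("non-global groups:", resolve_non_global_groups(values, existing))
```

Two points worth checking against your own configuration follow from this. In Global Account mode, only values that appear verbatim in the Role column produce group membership, so a typo in either the IdP claim or the mapping silently grants nothing rather than the wrong thing; review the Role Mapping whenever the IdP group naming changes. In Non-Global mode, every distinct attribute value the IdP sends becomes a Mend group, so a broadly scoped attribute (for example one that includes every directory group a user belongs to) will create many empty groups; that is harmless to permissions, since they start with no roles, but it makes the Groups screen harder to audit.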

Automatically Mapping Mend Groups to Mend Roles

Currently, there is no built-in process for automatically mapping groups to roles. For guidance on using the Mend APIs to script the mapping, see Automating Group Assignments.

Roles in Mend Legacy SCA and Mend Platform

Review the role mapping between Mend Legacy SCA and Mend Platform to determine role equivalency between the two platforms.
