Permissions in Acunetix
In Acunetix Premium+, permissions determine what actions users can take within the application and which features they can access. Permissions can also restrict users from accessing certain targets. This article explains the different permissions and their access levels.
Access level
Not every user needs the same level of functionality from a feature: some users must create and change data, while others only need to view it or add comments. In general, a user has either Full Access or Read access to a feature.
- Full Access means the user holds all four permissions on that feature: create, read, modify, and delete.
- Read means the user can only view data; creating, modifying, or deleting is not possible.
For example, a System Administrator can create and delete a custom scan profile, whereas a user with Read permission can only view that scan profile.
Permission-level access
System Administrators grant or restrict access to features in Acunetix by giving users only the permissions they need for their tasks and withholding the rest (least privilege): a user who only triages findings does not need access to system settings, user management, or scanner configuration.
The following table lists and explains the permissions and access levels.
Permission | Access Level | Explanation |
System | Full Access | The user has full access to settings, such as proxy settings, email settings, licenses, and network scanners. |
Excluded Hours | Full Access | The user can create, edit, and delete excluded hours profiles, and set the default excluded hours profile. |
Excluded Hours | Read | The user can view the excluded hours profiles. |
Users | Full Access | The user can create, edit, and delete users, and assign roles, targets, and target groups. |
Agents | Full Access | The user can display the list of agents (e.g. assign them to a target) and view the installation instructions, including the token used to deploy and enroll new agents. Because that token enrolls agents, treat it as a credential and grant this level only to users who actually deploy agents. |
Agents | Read | The user can display the list of agents (e.g. assign them to a target). |
Targets | Full Access | The user can create, modify, and delete targets. |
Targets | Read | The user can view the list of targets to which the user is assigned. |
Integrations | Full Access | The user can create, modify, or delete integrations with third-party tools, such as Jira and GitLab. |
Integrations | Read | The user can view the list of integrations. |
WAFs | Full Access | The user can configure, modify, and delete Web Application Firewalls (WAFs). |
WAFs | Read | The user can view the list of Web Application Firewalls (WAFs). |
Scan Profiles | Full Access | The user can create, modify, and delete scan profiles. |
Scan Profiles | Read | The user can view scan profiles. |
Target Groups | Full Access | The user can create, edit, and delete target groups. |
Target Groups | Read | The user can access and view the target groups list that the user is assigned to. The user can also list the content of target groups the user has access to. |
Reports | Full Access | The user can generate, view, and delete reports for any target to which the user is assigned. |
Discovery | Full Access | The user has full access to the Discovery section. |
Scans | Full Access | The user has full access to scan the targets/target groups that the user is assigned. Full access includes starting, pausing, stopping, and deleting scans. |
Scans | Read | The user can view the list of scans for the target/target groups to which the user is assigned. |
Vulnerabilities | Full Access | The user can push a vulnerability to an issue tracker and update the vulnerability status. |
Vulnerabilities | Read | The user can view vulnerabilities. |
API Discovery (Premium+ only) | Full Access | The user can add and manage API sources, and link discovered APIs to targets. |
Engines (On-Premises only) | Full Access | The user can authorize, delete, and manage engines. |
Engines (On-Premises only) | Read | The user can view the list of additional engines. |
Permissions and targets
Permissions fall into two groups: target-based and general.
The difference is scope. A target-based permission is evaluated against the target groups the user is assigned to, so the same role grants access to different targets depending on the assignment. A general permission applies regardless of the user's target-group assignments.
Group | Permissions |
Target-based | Permissions whose scope follows the user's target-group assignments. The example below involves Targets, Target Groups, Scans, Reports, and Vulnerabilities. |
General | Permissions that apply regardless of target-group assignment, such as System, Users, and Scan Profiles, which configure the application rather than an individual target. |
For example, suppose the System Administrator assigns a user to the target group "APAC" with the AppSec role. The user receives the role's general permissions plus its target-based permissions (such as Vulnerabilities, Reports, and Scans) for the APAC group. The following diagram shows all of the user's permissions:
Next, the System Administrator creates a custom role that covers only Vulnerabilities, scoped to the target group "MENA", and assigns it to the same user. Combined with the APAC assignment, the user now has the following permissions in total:
- In the APAC group, the user can view targets and target groups and manage vulnerabilities.
- In the MENA group, the user can manage vulnerabilities only. Because the custom role does not include the Targets permission, the user cannot access the MENA targets themselves.
This example shows how target-based permissions are scoped: a role grants access only to the target groups it is assigned for, and only for the permissions it contains.
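To make the scoping rule concrete, the following is a small Python model of the evaluation described above. It is an added example, not Acunetix code: the role names (AppSec, Vulnerability triage), the permission names, the split between target-based and general permissions, and the `allowed` and `visible_targets` helpers are assumptions chosen to reproduce the APAC/MENA scenario.

```python
"""Toy model of target-scoped vs general permissions.

Added example, not Acunetix code. The role names, permission names,
TARGET_BASED split and helper functions are assumptions made to
illustrate the APAC/MENA scenario in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

ACTIONS = {"create", "read", "modify", "delete"}
FULL = frozenset(ACTIONS)          # "Full Access" in the article
READ = frozenset({"read"})         # "Read" in the article

# Assumed split, taken from the article's own example: these permissions
# follow the user's target-group assignments; everything else is general.
TARGET_BASED = {"targets", "target_groups", "scans", "reports", "vulnerabilities"}


@dataclass(frozen=True)
class Role:
    name: str
    grants: Dict[str, FrozenSet[str]]  # permission -> allowed actions


@dataclass
class Assignment:
    role: Role
    target_groups: FrozenSet[str]      # groups this role assignment is scoped to


@dataclass
class User:
    name: str
    assignments: List[Assignment] = field(default_factory=list)


def allowed(user: User, permission: str, action: str,
            target_group: Optional[str] = None) -> bool:
    """True if any assignment grants `action` on `permission`.

    Target-based permissions count only when the assignment is scoped to
    `target_group`; general permissions apply regardless of group.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for a in user.assignments:
        if action not in a.role.grants.get(permission, frozenset()):
            continue
        if permission in TARGET_BASED and (
                target_group is None or target_group not in a.target_groups):
            continue  # right permission, wrong (or no) target group
        return True
    return False


def visible_targets(user: User, targets: Dict[str, str]) -> Set[str]:
    """Targets (name -> group) the user can see: needs Targets read in that group."""
    return {name for name, group in targets.items()
            if allowed(user, "targets", "read", group)}


# Constructed roles for the worked example (assumed, not Acunetix defaults).
APPSEC = Role("AppSec", {
    "targets": READ, "target_groups": READ,
    "scans": FULL, "reports": FULL, "vulnerabilities": FULL,
    "scan_profiles": READ,  # general permission: not affected by group scope
})
VULN_ONLY = Role("Vulnerability triage", {"vulnerabilities": FULL})


def build_example_user() -> User:
    """The user from the article: AppSec in APAC, vulnerabilities-only in MENA."""
    u = User("alice")
    u.assignments.append(Assignment(APPSEC, frozenset({"APAC"})))
    u.assignments.append(Assignment(VULN_ONLY, frozenset({"MENA"})))
    return u


def example() -> Dict[str, bool]:
    """Evaluate the checks the article walks through and return the outcomes."""
    u = build_example_user()
    targets = {"shop.example": "APAC", "portal.example": "MENA"}  # constructed
    return {
        "apac_targets_read": allowed(u, "targets", "read", "APAC"),
        "apac_vulns_modify": allowed(u, "vulnerabilities", "modify", "APAC"),
        "mena_vulns_modify": allowed(u, "vulnerabilities", "modify", "MENA"),
        "mena_targets_read": allowed(u, "targets", "read", "MENA"),
        "mena_scans_create": allowed(u, "scans", "create", "MENA"),
        "scan_profiles_read_anywhere": allowed(u, "scan_profiles", "read"),
        "sees_only_apac": visible_targets(u, targets) == {"shop.example"},
    }


if __name__ == "__main__":
    for check, outcome in example().items():
        print(f"{check}: {outcome}")
```

The two checks worth noticing are `mena_targets_read` and `mena_scans_create`, both False: the MENA assignment carries only Vulnerabilities, so nothing else in that group is reachable, while the general `scan_profiles` read is granted without any group at all. When auditing a real deployment, the same question to ask of every custom role is which target-based permissions it carries and which groups it is assigned for.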