Roles provide a set of permissions that grant various levels of access and control over the IQ Server as well as the connected suite of tools. To grant permissions, you assign a user to either a system-wide administrator role or an organizational role at one of the levels in the system hierarchy: root organization, organization, or application. Which role and level you choose for a user determines what permissions that user receives.
You can assign roles to individual users or groups of users. IQ Server has a built-in group called Authenticated Users that contains any authenticated user. In addition, LDAP groups may be available, if you configured IQ Server to use an LDAP server with users mapped to specific groups.
IQ Server has several built-in roles, which are shown below. If one does not suit your needs, you can create a custom role.
To view roles in IQ Server:
Only a user assigned to an administrator role can see the information below. If you are using the built-in Admin user account, it is assigned to all administrator roles. It is highly recommended that you change the Admin password.
To view permissions assigned to built-in roles:
The built-in roles have the permissions shown below.
IQ Elements include organizations, applications, policies, component labels, license threat groups, application categories, policy violations and waivers.
The scope of permissions granted to a role is governed by where that role is assigned in the system hierarchy. A role assigned to:
Firewall solution users have an additional entity for which roles can be assigned:
To manage administrator roles, you must log into IQ Server as a user assigned to the System Administrator role. By default, the built-in Admin user account is assigned to the System Administrator role.
To manage organizational roles, you must log into IQ Server as a user assigned to the Policy Administrator role or Owner role. By default, the built-in Admin user account is assigned to the Policy Administrator role.
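The effect of assignment level on scope, as an added example that is not part of the Sonatype documentation: it assumes a role assigned at one level also applies to every level beneath it, and all organization, application, user and group names, plus the "Release Viewer" custom role, are constructed. It resolves the roles in effect on each application and flags Owner grants that reach an application through the built-in Authenticated Users group.

```python
# Constructed hierarchy: child -> parent. The root organization has no parent.
PARENT = {
    "org:Payments": "root",
    "org:Web": "root",
    "app:checkout": "org:Payments",
    "app:ledger": "org:Payments",
    "app:storefront": "org:Web",
}

# Constructed role assignments: (level, role, member).
ASSIGNMENTS = [
    ("root", "Owner", "user:admin"),
    ("org:Payments", "Owner", "group:payments-leads"),
    ("org:Web", "Owner", "group:Authenticated Users"),
    ("app:checkout", "Owner", "group:Authenticated Users"),
    ("app:storefront", "Release Viewer", "user:ci-bot"),  # hypothetical custom role
]


def ancestors(node):
    """Yield node, then each level above it, ending at the root organization."""
    while node is not None:
        yield node
        node = PARENT.get(node)


def effective_roles(node):
    """Map (role, member) -> nearest level where that assignment was made.

    Assumption: an assignment at a level applies to everything beneath it.
    """
    result = {}
    for level in ancestors(node):
        for assigned_at, role, member in ASSIGNMENTS:
            if assigned_at == level:
                result.setdefault((role, member), level)
    return result


def broad_grants(sensitive=("Owner",), everyone="group:Authenticated Users"):
    """List (application, role, source level) where a sensitive role
    reaches an application through the group containing every user."""
    findings = []
    for node in PARENT:
        if node.startswith("app:"):
            for (role, member), level in effective_roles(node).items():
                if role in sensitive and member == everyone:
                    findings.append((node, role, level))
    return sorted(findings)
```

The source level in each finding shows where the assignment has to be changed: a grant inherited from an organization cannot be removed at the application.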
To view organizational role assignments:
Click Access in the menu bar at the top of the page to scroll to the Access section. Assigned roles are grouped as follows:
To assign a user to an organizational role:
In the Search Users box, search for a user by entering a full name or part of a name with an asterisk, then click Search. You can use an asterisk as a wildcard at the beginning or end of a character string. For example, isa*, *mov, and *asi* will all match the name, "Isaac Asimov." Any matching names are displayed below in the Associated Users list.
If you integrated an LDAP server with IQ Server, the LDAP users and groups are also displayed in the search results. If you hover over a list item, the LDAP realm and email address are displayed when available.
If you want to continue adding role assignments for the selected organization, application or Repositories, click Add Role in the sidebar.
To edit an organizational role assignment:
In the Search Users box, search for a user by entering a full name or part of a name with an asterisk, then click Search. You can use an asterisk as a wildcard at the beginning or end of a character string. For example, isa*, *mov, and *asi* will all match the name, "Isaac Asimov." Any matching names are displayed below in the Associated Users list.
If you integrated an LDAP server with IQ Server, the LDAP users and groups are also displayed in the search results. If you hover over a list item, the LDAP realm and email address are displayed when available.
If you want to continue editing role assignments for the selected organization, application or Repositories, click a desired role in the sidebar.
To remove organizational role assignments:
This is the equivalent of removing or disassociating all users from a role.
You must have permission to Edit Custom Roles if you want to create a custom role. The default Admin account and the built-in Policy Administrator role have this permission.
Custom roles allow you to fine tune IQ security permissions for different users. The following permissions are available for custom roles:
To achieve desired behavior in the IQ user interface, you may need to assign View IQ Elements along with other permissions. For example, to allow a user to create applications in an organization but not edit the organization, you should add View IQ Elements and Add Applications to the role.
To create a custom role:
Whenever a user assigned to a custom role with Add Applications permission creates an application, that user is automatically assigned to the Owner role for that application.
If you have an LDAP configuration that prohibits searching for groups, then the Access editor will have an additional section called Associate Group. You can use this section to manually enter a group name and add it to a role.
To assign groups to roles without searching:
To view role assignments: