WAS Permissions Explained

Document created by Leif Kremkow (Qualys employee) on Sep 6, 2016. Last modified by Leif Kremkow on Sep 8, 2016 (Version 2).

Qualys Web Application Scanning is subject to Role-Based Access Control. Users are granted access to features and functions based on Roles, and each Role is a consolidation of fine-grained Permissions.

 

A set of Permissions is grouped together as a Role. A User is assigned one or more Roles. The union of the Permissions granted by those Roles is the complete set of rights the User has to access features and functions; a Permission granted by any one Role is in effect even if the User's other Roles do not include it.

 

This article reviews all the Permissions that can be found in the Administration module and discusses how they relate to the Web Application Scanning module.

 

WAS Asset

Screenshot: Web Applications - Web Applications

This section refers to the functions found in Web Application Scanning > Web Applications > Web Applications.

 

Purge Web Asset, Create Web Asset, Edit Web Asset, Delete Web Asset: See the "New Web Application" button and the "Actions" menu of an existing Web Application.

 

Screenshot: Web Application Authentication Record

View/download Selenium Script sensitive contents: Generally speaking, users who are able to edit Web Application records are also able to edit the associated Authentication Records, including the Selenium script used for authentication. A recorded script can embed sensitive values such as the credentials typed during recording, so this permission is kept separate: withholding it prevents users from viewing or downloading a script that was recorded as part of an Authentication Record, even if they may otherwise edit the record.

 

Screenshot: Web Application Edit Malware Monitoring

Manage Malware Monitoring: Allow users to enable or disable Qualys Malware Detection on a Web Application when it is scanned.

 

Access

These permissions do not refer to a specific feature or function; they determine whether a user is allowed to access the interface as a whole.

 

UI Access: Allow or deny a given user account access to the graphical user interface. At least one of a user's Roles must contain this permission for the user to log in to the Qualys web site and use the Web Application Scanning service.

 

API Access: Allow or deny a given user account access to the Application Programming Interface. Removing this permission can break custom integration projects that a third party built around a customer's Qualys service. Conversely, a dedicated integration account normally needs only API Access; granting it UI Access as well means a leaked integration password also opens an interactive session.
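The Role composition described in the introduction and the UI Access / API Access split above are easy to get wrong once a user holds several Roles. The following is an added example, not code from this article or from Qualys: a small Python model in which Roles are sets of the Permission names this article lists, a user's effective rights are the union of their Roles, and a least-privilege audit flags accounts that cannot log in at all, integration accounts that were also given UI Access, and holders of Permissions that let them change Roles or user assignments (and so grant themselves anything). Every Role definition and account in it is constructed for illustration; none is a Qualys shipped Role.

```python
# Added example (not from the Qualys article): model of how WAS Roles compose
# into a user's effective Permission set, plus a least-privilege audit.
# ROLES and USERS are constructed for this demonstration; the permission
# names are the ones the article lists.
from typing import Dict, FrozenSet, Iterable, List

# Constructed Roles: each is a set of fine-grained Permissions.
ROLES: Dict[str, FrozenSet[str]] = {
    "WAS Analyst": frozenset({
        "UI Access", "Access WAS module", "Launch WAS Scan", "Cancel WAS Scan",
        "Create Report", "Edit Report", "Distribute Report", "Update findings",
    }),
    "WAS Integration": frozenset({
        "API Access", "Access WAS module", "Launch WAS Scan", "Create Report",
    }),
    "Role Admin": frozenset({
        "UI Access", "Access Administrator module",
        "Access Role Management Section", "Edit User", "Edit User Role",
    }),
    "Script Reviewer": frozenset({
        "UI Access", "Access WAS module",
        "View/download Selenium Script sensitive contents",
    }),
}

# Holders of these can change who holds what, so they can grant themselves
# any other Permission: administrative in effect, whatever the Role is named.
ESCALATION = frozenset({"Edit User", "Create User Role", "Edit User Role"})

# Permissions that expose secrets or quietly remove evidence.
SENSITIVE = frozenset({
    "View/download Selenium Script sensitive contents",
    "Ignore findings", "Purge Web Asset", "Edit Global Exclusion",
})


def effective_permissions(user_roles: Iterable[str],
                          roles: Dict[str, FrozenSet[str]] = ROLES) -> FrozenSet[str]:
    """Union of the Permissions of every Role assigned to the user."""
    granted = set()
    for name in user_roles:
        granted |= roles[name]  # KeyError on an unknown Role name is deliberate
    return frozenset(granted)


def can(user_roles: Iterable[str], permission: str) -> bool:
    """True if at least one assigned Role carries the Permission."""
    return permission in effective_permissions(user_roles)


def audit_user(name: str, user_roles: List[str], service_account: bool) -> List[str]:
    """Least-privilege warnings for a single account (empty list if clean)."""
    perms = effective_permissions(user_roles)
    warnings: List[str] = []
    if not perms & {"UI Access", "API Access"}:
        warnings.append(f"{name}: no UI Access or API Access, account cannot log in")
    if service_account and "UI Access" in perms:
        warnings.append(f"{name}: integration account should not have UI Access")
    if not service_account and "UI Access" not in perms:
        warnings.append(f"{name}: human account without UI Access cannot use the web UI")
    for p in sorted(perms & ESCALATION):
        warnings.append(f"{name}: '{p}' lets the holder grant themselves any permission")
    for p in sorted(perms & SENSITIVE):
        warnings.append(f"{name}: holds sensitive permission '{p}'")
    return warnings


def audit(users: Dict[str, dict]) -> Dict[str, List[str]]:
    """Audit every account; only accounts with warnings appear in the result."""
    report: Dict[str, List[str]] = {}
    for name, acct in users.items():
        found = audit_user(name, acct["roles"], acct.get("service_account", False))
        if found:
            report[name] = found
    return report


# Constructed accounts for the demonstration.
USERS = {
    "alice": {"roles": ["WAS Analyst"]},
    "ci-bot": {"roles": ["WAS Integration"], "service_account": True},
    "bob": {"roles": ["WAS Analyst", "Role Admin"]},       # analyst who can edit Roles
    "carol": {"roles": ["Script Reviewer"]},               # can download login scripts
    "dave": {"roles": ["WAS Integration"]},                # human given an API-only Role
}

if __name__ == "__main__":
    for warnings in audit(USERS).values():
        for line in warnings:
            print(line)
```

Run as a script it prints one line per warning; alice and ci-bot are silent because an analyst with UI-only rights and an API-only integration account are exactly the shape the Access permissions are meant to produce.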

 

Tag

Screenshot: AssetView Assets Tags

Veteran users of Qualys Vulnerability Management will be familiar with Qualys' system for organizing assets called "Asset Tags". The newer services, including Web Application Scanning, use "Tags". These Tags are used in various parts of the Web Application Scanning user interface to select the Assets an action applies to, and to restrict which Assets a user can see. AssetView > Assets > Tags provides a centralized configuration interface for Tags.

 

Create User Tag, Edit User Tag, Delete User Tag: Determine whether users are permitted to act upon their own tags.

 

Screenshot: AssetView Assets Tags Edit Dynamic Tag

Modify Dynamic Tag Rules: Tags are either static or dynamic. A static Tag applies to a fixed set of Assets that changes only when someone edits it by hand. A dynamic Tag is assigned to and removed from Assets automatically according to user-defined rules, and this permission controls whether a user may modify those rules.

User

Screenshot: Administration - Users - User Management

The Administration module provides a centralized interface to configure users' accounts. These permissions specifically concern Roles: which Permissions they contain and which users they are assigned to.

 

Edit User: Act directly on a user account and change which Roles are assigned to it. The same interface also allows Roles to be manipulated. A user holding this permission can assign additional Roles to their own account, so it should be treated as an administrative permission.

 

Create User Role, Edit User Role, Delete User Role: Available either via the User Management tab or via the dedicated Role Management tab. Edit User Role is equally powerful: a user who can edit a Role they already hold can add any Permission to it.

 

Access Role Management Section: Whether the Role Management tab is accessible. Without it, only the User Management tab is shown.

Reporting

Screenshot: Web Application Scanning - Reports - Reports

There are various ways in which a report can be produced from scan results. Web Application Scanning > Reports > Reports provides an easy-to-use entry point to the functions needed to work with reports.

 

Screenshot: Web Application Report - Report - Edit report

Create Report, Edit Report, Delete Report: These permissions relate to the "New Report" button and to the "Actions" menu of Reports that already exist. Once a report is configured and generated, the parameters that produced it can still be edited.

 

Screenshot: Web Application Report - Report - Edit report distribution

Distribute Report: Once a report is produced, it can be saved in an encrypted format and distributed via e-mail to recipients who do not otherwise have Qualys login credentials. Because those recipients sit outside the access control described here, this permission decides who may send scan findings out of the platform.

Scanner Appliance

Screenshot: Web Application Scanning - Configuration - Appliances

Detailed Scanner Appliance configuration is found in the Vulnerability Management module. This includes such common parameters as the Appliance's friendly name, its polling interval, and the web-interface-based VLAN configuration. The Web Application Scanning view of Scanner Appliances only allows configuration of the Tags associated with an Appliance.

 

Edit Scanner Appliance: In the section Web Application Scanning > Configuration > Appliances see the Actions item.

WAS Scan

Screenshot: Web Application Scanning - Scans - Scan List

These permissions are specifically for running scans against declared Web Applications. They are not tied to one area of the user interface; they govern the general actions of launching, cancelling, or deleting scans wherever those actions are offered.

 

Launch WAS Scan, Cancel WAS Scan, Delete WAS Scan: In the section Web Application Scanning > Scans > Scan List, see Actions and New Scan buttons.

WAS Schedule

Screenshot: Web Application Scanning - Scans - Schedules

These permissions are specifically for scheduling scans against declared Web Applications. They are not tied to one area of the user interface; they govern the general action of scan scheduling.

 

Create WAS Schedule, Edit WAS Schedule, Delete WAS Schedule: In the section Web Application Scanning > Scans > Schedules, see Actions and New Schedule buttons.

WAS Configuration

Screenshot: Web Application Scanning - Web Applications - Web Applications - Edit

Web Application assets are made up of various properties, and access to each of these properties is subject to fine-grained access control.

 

Screenshot: Web Application Scanning - Configuration - Option Profiles

Create WAS Option Profile, Edit WAS Option Profile, Delete WAS Option Profile: Option Profiles are the parameter sets that govern how a scan is run. They can be reached either via a Web Application asset or via the menu Web Application Scanning > Configuration > Option Profiles.

 

Screenshot: Web Application Scanning - Configuration - Bruteforce Lists

Create WAS Password Bruteforcing List, Edit WAS Password Bruteforcing List, Delete WAS Password Bruteforcing List: Bruteforcing word lists can be reached either via a Web Application asset or via the menu Web Application Scanning > Configuration > Bruteforce List.

 

Screenshot: Web Application Scanning - Configuration - Search List

Create WAS Search List, Edit WAS Search List, Delete WAS Search List: Search Lists can be reached either via a Web Application asset or via the menu Web Application Scanning > Configuration > Search Lists.

 

Create Proxy, Update Proxy, Delete Proxy: Proxy support is a limited availability feature. If you are interested in becoming an early adopter, please contact your Technical Account Manager or our Support Team.

 

Screenshot: Web Application Scanning - Reports - Schedules

Create Report Schedule, Update Report Schedule, Delete Report Schedule: These permissions govern the scheduled tasks for the generation of reports.

 

Screenshot: Web Application Scanning - Configuration - DNS Override

Create DNS Override, Update DNS Override, Delete DNS Override: A DNS Override forces scanner appliances to resolve an FQDN to a specific IP address rather than relying on DNS. Because an override redirects where a scan's requests are sent, the ability to change it should be limited to the users who manage scan targets.

 

Screenshot: Web Application Scanning - Configuration - Global Settings

Edit Global Exclusion: Global exclusion lists are applied to all web applications in your subscription to prevent specific URLs from being tested.

 

Screenshot: Web Application Scanning - Configuration - Parameter Sets

Create Request Parameter Set, Update Request Parameter Set, Delete Request Parameter Set: A parameter set provides the scan engine with the request parameter settings that should be injected during web application scanning. A Qualys-generated default is used if none is provided, but users may define custom sets for their Web Application assets.

WAS Catalog

Screenshot: Web Application Scanning - Web Applications - Catalog

Catalog entries are web applications discovered by maps and/or scans of the Vulnerability Management service, if you subscribe to it. The Catalog (Web Application Scanning > Web Applications > Catalog) lists the catalog entries of an account and lets users act on them.

 

Edit Web Application Catalog, Edit Web Application Catalog Entry: Determine whether users are allowed to flag a Catalog entry as New, Rogue, Approved, or Ignore. Users may also add comments to Catalog entries.

 

Add to Subscription Web Application Catalog Entry: Determine whether users are permitted to create a Web Application Asset from a Catalog entry.

 

Access Web Application Catalog: Determines whether the Catalog is accessible to the user.

 

Questionnaire

Invite Questionnaire User, Update Questionnaire, Delete Questionnaire, Create Questionnaire

These functions relate to Qualys' Security Assessment Questionnaire and as such are not discussed in this article.

WAF Rule

Create Patch/Exception Rule, Update Patch/Exception Rule, Delete Patch/Exception Rule

These functions relate to Qualys' Web Application Firewall and as such are not discussed in this article.

Access SAQ

Access SAQ module

These functions relate to Qualys' Security Assessment Questionnaire and as such are not discussed in this article.

WAF Asset

Update WAF Asset, Create WAF Asset, Delete WAF Asset

These functions relate to Qualys' Web Application Firewall and as such are not discussed in this article.

WAF Policy

Create Policy, Update Policy, Delete Policy

These functions relate to Qualys' Web Application Firewall and as such are not discussed in this article.

WAF Event

Archive WAF Event, Update WAF Event

These functions relate to Qualys' Web Application Firewall and as such are not discussed in this article.

WAF Deployment

Manage WAFs

This function relates to Qualys' Web Application Firewall and as such is not discussed in this article.

WAS Remediation

Screenshot: Web Application Scanning - Web Applications - Detections

Update findings: Whether users are permitted to modify the vulnerabilities detected by Web Application scans.

 

Retest vulnerabilities and sensitive content: Determine whether users are permitted to re-run scans from reports.

 

Ignore findings: Determine whether users are permitted to suppress findings from reports. An ignored finding is hidden, not fixed, so this permission deserves the same scrutiny as the ones that edit findings.

 

Access WAF

Access WAF module

This function relates to Qualys' Web Application Firewall and as such is not discussed in this article.

 

 

Access WAS

Access WAS module: Determine whether the Web Application Scanning module is available.

Access MDS

Access MDS module

This function relates to Qualys' Malware Detection and as such is not discussed in this article.

Access Asset Management

Screenshot: AssetView - Dashboard

AssetView is an asset discovery and inventory service. It gives users the ability to see everything about the assets of their various services in one interface.

 

Access Asset Management module: Determine whether this user interface is available.

Access CM

Access Continuous Monitoring module, Access Cloud Agent module

These functions relate to Qualys' Continuous Monitoring and Cloud Agent and as such are not discussed in this article.

Access Administrator

Screenshot: Administration - Users - User Management

Access Administrator module: Determine whether users can see the Administration module.

Asset Management

Screenshot: AssetView - Connectors

AssetView is an asset discovery and inventory service. It gives users the ability to see everything about the assets of their various services in one interface.

 

Manage Asset Data Connectors: Grant or deny the configuration of connectors to Amazon EC2 instances that might need to be scanned. Once configured users may perform Vulnerability Management scans and/or Policy Compliance scans of Amazon EC2 virtual machines.

 

Create Asset, Delete Asset, Read Asset, Update Asset: Configure and update virtual machine information into Qualys' Host Asset resources.

 

MDS Asset

Create MDS Asset, Edit MDS Asset

These functions relate to Qualys' Malware Detection and as such are not discussed in this article.

MDS Scan

Launch MDS Scan, Cancel MDS Scan

These functions relate to Qualys' Malware Detection and as such are not discussed in this article.

MDS Schedule

Create MDS Schedule, Edit MDS Schedule, Delete MDS Schedule

These functions relate to Qualys' Malware Detection and as such are not discussed in this article.

Questionnaire Template

Create Questionnaire Template, Update Questionnaire Template, Delete Questionnaire Template, Publish Questionnaire Template

These functions relate to Qualys' Security Assessment Questionnaire and as such are not discussed in this article.

WAS Burp

Screenshot: Web Application Scanning - Burp

Qualys integrates with the Burp Suite toolkit, an attack proxy used primarily to conduct more advanced manual application penetration and validation testing. Users can store the findings discovered by the Burp Suite scanner alongside those discovered by Web Application Scanning and share this information with multiple users.

 

Access Burp Section: Set whether the Burp section is visible.

 

Import Burp Report, Update Burp Report, Download Burp Report, Delete Burp Report: Determine whether users are permitted to import, update, retrieve, or destroy Burp scan data.

 

Ignore Burp Finding, Purge Burp Findings: Determine whether users are permitted to ignore individual Burp findings or purge Burp findings altogether.

WAS Authentication Record

Screenshot: Web Application Scanning - Web Applications - Authentication

Some web applications require authenticated access to their functionality. Configure authentication records so that the scanner can perform a more in-depth assessment of the target web application.

 

Create Authentication Record, Update Authentication Record, Delete Authentication Record: Control whether users are permitted to create, modify, or destroy authentication records.

CA Activation Key

View Activation Key, Create Activation Key, Edit Activation Key, Enable Activation Key, Disable Activation Key, Delete Activation Key, Enable Module for Activation Key, Add Tags to Activation Key

These functions relate to Qualys' Cloud Agent and as such are not discussed in this article.

CA Configuration Profile

View Configuration Profile, Create Configuration Profile, Edit Configuration Profile

These functions relate to Qualys' Cloud Agent and as such are not discussed in this article.

CA Agent

Install Agent, Uninstall Agent, Activate Agent, Deactivate Agent

These functions relate to Qualys' Cloud Agent and as such are not discussed in this article.

Questionnaire Campaign

Create Questionnaire Campaign, Update Questionnaire Campaign, Delete Questionnaire Campaign, Launch Questionnaire Campaign, Cancel Questionnaire Campaign, Complete Questionnaire Campaign

These functions relate to Qualys' Security Assessment Questionnaire and as such are not discussed in this article.
