
Role Management

Roles provide a set of permissions that grant access to Lifecycle and any configured integrations. To grant permissions, you assign a user to either a system-wide administrator role or an organizational role at one of the levels in the system hierarchy: root organization, organization, or application. The role and the level at which you assign it together determine what permissions the user receives.

You can assign roles to individual users or to groups of users. LDAP groups are also available if you configured Lifecycle to use an LDAP server with users mapped to specific groups.

Note

Lifecycle has a built-in group called Authenticated Users that contains any authenticated user.

Role Hierarchy

The scope of permissions granted to a role is governed by where that role is assigned in the system hierarchy. A role assigned to:

  • Root organization - Grants permissions to all organizations, applications, and repositories.

  • Organization - Grants permissions to that organization and all organizations and applications under it in the hierarchy.

  • Application - Grants permissions only to the individual application.

Repository Firewall solution users have an additional entity to which roles can be assigned:

  • Repositories - Grants permissions to repository reports.

Built-in Roles

Lifecycle has several built-in roles. If none of them fits, create custom roles to match your requirements.

Administrator Roles:

  • System Administrator - Manages system configuration and users, which includes LDAP and product license management as well as the ability to assign other users to the System Administrator role.

  • Policy Administrator - Provides full control over organizations, applications, policies, policy violations, and custom roles.

Organizational Roles:

  • Owner - Manages assigned organizations, applications, policies, and policy violations.

  • Developer - Views all information for their assigned organization or application.

  • Application Evaluator - The minimum access needed to scan an application through the CI integrations: evaluates applications and views policy violation summary results within the CI tool.

  • Component Evaluator - Evaluates individual components and views policy violation results for a specified application within the IDE integrations.

  • Legal Reviewer - Reviews legal obligations for component licenses.

To view roles in Lifecycle:

  1. Click the System Preferences icon on the Lifecycle toolbar.

  2. Click Roles on the System Preferences submenu. A list of built-in roles is displayed.

Warning

Only a user assigned to an administrator role can see the information below. If you are using the built-in Admin user account, it is assigned to all administrator roles. It is highly recommended that you change the Admin password.


Built-in Role Permissions

To view permissions assigned to built-in roles:

  1. Click the System Preferences icon on the Lifecycle toolbar.

  2. Click Roles on the System Preferences submenu. A list of roles is displayed.

  3. Click the arrow next to a specific role to view its details and permissions.

  4. The built-in roles have the permissions shown below.

Administrator Roles

Permission                                        | System Administrator | Policy Administrator
--------------------------------------------------+----------------------+---------------------
Administrator Permissions                         |                      |
  Edit System Configuration and Users             | Yes                  | No
  Edit Custom Roles                               | No                   | Yes
  View All Roles                                  | Yes                  | Yes
Lifecycle Permissions                             |                      |
  Edit Proprietary Components                     | No                   | Yes
  Claim Components                                | No                   | Yes
  Edit IQ Elements                                | No                   | Yes
  View IQ Elements                                | No                   | Yes
  Edit Access Control                             | No                   | Yes
  Evaluate Applications                           | No                   | Yes
  Evaluate Individual Components                  | No                   | Yes
  Add Applications                                | No                   | Yes
  Manage Automatic Application Creation           | No                   | Yes
  Manage Automatic Source Control Configuration   | No                   | Yes
Remediation Permissions                           |                      |
  Waive Policy Violations                         | No                   | Yes
  Change Licenses                                 | No                   | Yes
  Change Security Vulnerabilities                 | No                   | Yes
  Review Legal obligations for component licenses | No                   | Yes

Organizational Roles

Permission                                        | Owner | Developer | Application Evaluator | Component Evaluator | Legal Reviewer
--------------------------------------------------+-------+-----------+-----------------------+---------------------+---------------
Administrator Permissions                         |       |           |                       |                     |
  Edit System Configuration and Users             | No    | No        | No                    | No                  | No
  Edit Custom Roles                               | No    | No        | No                    | No                  | No
  View All Roles                                  | Yes   | No        | No                    | No                  | No
Lifecycle Permissions                             |       |           |                       |                     |
  Edit Proprietary Components                     | Yes   | No        | No                    | No                  | No
  Claim Components                                | No    | No        | No                    | No                  | No
  Edit IQ Elements                                | Yes   | No        | No                    | No                  | Yes
  View IQ Elements                                | Yes   | Yes       | No                    | No                  | Yes
  Edit Access Control                             | Yes   | No        | No                    | No                  | No
  Evaluate Applications                           | Yes   | No        | Yes                   | No                  | No
  Evaluate Individual Components                  | Yes   | Yes       | No                    | Yes                 | No
  Add Applications                                | Yes   | No        | No                    | No                  | No
  Manage Automatic Application Creation           | No    | No        | No                    | No                  | No
  Manage Automatic Source Control Configuration   | No    | No        | No                    | No                  | No
Remediation Permissions                           |       |           |                       |                     |
  Waive Policy Violations                         | Yes   | No        | No                    | No                  | No
  Change Licenses                                 | Yes   | No        | No                    | No                  | No
  Change Security Vulnerabilities                 | Yes   | No        | No                    | No                  | No
  Review Legal obligations for component licenses | Yes   | No        | No                    | No                  | Yes
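The Role Hierarchy section and the two permission tables above describe how a user's effective permissions on an application are the union of every role assigned to that user, or to a group containing them, at the application, at each organization above it, and system-wide. The following is an added example, not code from the Lifecycle documentation or the product: it transcribes the built-in permission matrix from the tables above and resolves effective permissions over a constructed hierarchy, labelling each grant Local or Inherited the way the Access section groups them. The organizations, applications, users, groups and role assignments are made up for illustration.

```python
"""Resolve effective Lifecycle permissions over the role hierarchy.

Added example. The permission matrix is transcribed from the built-in role
tables; the hierarchy, users, groups and assignments are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Administrator roles are system-wide (System Preferences > Administrators).
ADMIN_ROLE_PERMISSIONS = {
    "System Administrator": {"Edit System Configuration and Users", "View All Roles"},
    "Policy Administrator": {
        "Edit Custom Roles", "View All Roles", "Edit Proprietary Components",
        "Claim Components", "Edit IQ Elements", "View IQ Elements",
        "Edit Access Control", "Evaluate Applications",
        "Evaluate Individual Components", "Add Applications",
        "Manage Automatic Application Creation",
        "Manage Automatic Source Control Configuration",
        "Waive Policy Violations", "Change Licenses",
        "Change Security Vulnerabilities",
        "Review Legal obligations for component licenses",
    },
}

# Organizational roles are assigned at root organization, organization or
# application level and flow down the hierarchy.
ORG_ROLE_PERMISSIONS = {
    "Owner": {
        "View All Roles", "Edit Proprietary Components", "Edit IQ Elements",
        "View IQ Elements", "Edit Access Control", "Evaluate Applications",
        "Evaluate Individual Components", "Add Applications",
        "Waive Policy Violations", "Change Licenses",
        "Change Security Vulnerabilities",
        "Review Legal obligations for component licenses",
    },
    "Developer": {"View IQ Elements", "Evaluate Individual Components"},
    "Application Evaluator": {"Evaluate Applications"},
    "Component Evaluator": {"Evaluate Individual Components"},
    "Legal Reviewer": {"Edit IQ Elements", "View IQ Elements",
                       "Review Legal obligations for component licenses"},
}

# Constructed hierarchy: entity -> parent (None for the root organization).
PARENT = {
    "Root Organization": None,
    "Payments": "Root Organization",
    "checkout-service": "Payments",
    "Marketing": "Root Organization",
    "web-site": "Marketing",
}

# Constructed users and groups. Authenticated Users is Lifecycle's built-in
# group; every authenticated user is a member of it.
USERS = {"alice", "bob", "carol", "dave", "erin"}
GROUPS = {"payments-devs": {"alice", "bob"}}
AUTHENTICATED_USERS = "Authenticated Users"
SYSTEM = "system"  # scope used here for administrator roles

# Constructed assignments: (scope, role, member). A member is a user name,
# a group name, or the Authenticated Users group.
ASSIGNMENTS = [
    (SYSTEM, "Policy Administrator", "carol"),
    ("Root Organization", "Legal Reviewer", "dave"),
    ("Payments", "Developer", "payments-devs"),
    ("checkout-service", "Owner", "alice"),
    ("checkout-service", "Application Evaluator", AUTHENTICATED_USERS),
]


@dataclass(frozen=True)
class RoleGrant:
    role: str
    scope: str       # entity the role was assigned on, or "system"
    inherited: bool  # False = Local to the entity, True = from higher up


def is_member(user: str, member: str) -> bool:
    """True if `member` (a user, a group, or Authenticated Users) includes `user`."""
    if member == AUTHENTICATED_USERS:
        return user in USERS
    return member == user or user in GROUPS.get(member, set())


def lineage(entity: str) -> list[str]:
    """The entity followed by its ancestors up to the root organization."""
    chain = []
    while entity is not None:
        chain.append(entity)
        entity = PARENT[entity]
    return chain


def role_grants(user: str, entity: str) -> list[RoleGrant]:
    """Every role the user holds on `entity`, with where it was assigned."""
    ancestors = lineage(entity)
    grants = []
    for scope, role, member in ASSIGNMENTS:
        if not is_member(user, member):
            continue
        if scope == SYSTEM:
            grants.append(RoleGrant(role, SYSTEM, True))  # applies everywhere
        elif scope in ancestors:
            grants.append(RoleGrant(role, scope, scope != entity))
    return grants


def effective_permissions(user: str, entity: str) -> set[str]:
    """Union of the permissions of every role grant on `entity`."""
    perms: set[str] = set()
    for grant in role_grants(user, entity):
        perms |= ADMIN_ROLE_PERMISSIONS.get(grant.role, set())
        perms |= ORG_ROLE_PERMISSIONS.get(grant.role, set())
    return perms


def who_can(permission: str, entity: str) -> list[str]:
    """Users holding `permission` on `entity`: the question to answer before
    trusting a waiver or a vulnerability status change on that application."""
    return sorted(u for u in USERS if permission in effective_permissions(u, entity))


if __name__ == "__main__":
    for g in role_grants("bob", "checkout-service"):
        print(f"bob: {g.role} via {g.scope} ({'Inherited' if g.inherited else 'Local'})")
    print("can waive on checkout-service:", who_can("Waive Policy Violations", "checkout-service"))
    print("can edit system config:", who_can("Edit System Configuration and Users", "checkout-service"))
```

Two results are worth noticing when you run it: assigning Application Evaluator to Authenticated Users on one application gives every logged-in user Evaluate Applications there, and Policy Administrator, despite its broad Lifecycle permissions, never yields Edit System Configuration and Users, which only System Administrator carries.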

Permission Details

Edit Proprietary Components

Proprietary components are those unique to your organization; Lifecycle flags them as "Unknown" components. This permission allows you to configure these components as proprietary so that their match state changes to "Exact" during the next scan or re-evaluation.

Claim Components

This permission allows you to alter the match state of the component from the Application Composition Report.

Edit IQ Elements

Edit IQ Elements is a wide-reaching permission that enables most add/edit/delete operations that are not governed by a more specific permission for the following items:

  • organizations

  • applications, except adding them

  • application categories

  • policies

  • continuous monitoring

  • policy violation grandfathering

  • license threat groups

  • component labels

  • data retention policies

  • quarantined repository components

  • repositories

  • source control entries

View IQ Elements

View IQ Elements grants read-only access to most properties of a respective organization/application/repository in order to view the current configuration and policy evaluation state.

View IQ Elements is the minimum permission required for users to be able to browse organization/application/repository-related web pages, including application composition reports.

Edit Access Control

This permission allows you to manage access control for applications, organizations, and repositories only. To manage any other access control, use the Edit IQ Elements permission. All roles that have the Edit IQ Elements permission also have the Edit Access Control permission.

Evaluate Applications

This permission lets users evaluate or scan applications. Users need this permission on the target application (assigned there directly, or inherited from an organization above it) to evaluate it.

Evaluate Individual Components

This permission lets users evaluate individual components. It is intended for use with the IDE integrations such as IntelliJ or Eclipse. This permission is also required to evaluate components processed by Sonatype Repository Firewall at the repository level.

Add Applications

This permission allows users to create applications, or import them using the Automatic Source Control Configuration feature, within the scope of an organization.

Manage Automatic Source Control Configuration

This permission allows users to enable or disable automatic source control configuration using the Automatic Source Control Configuration system preference.

Waive Policy Violations

This permission allows users to:

  1. Release quarantined components by waiving policy violations

  2. Unblock components to go ahead with a build or release

  3. Lower violation counts to reduce noise

Change Licenses

This permission allows users to override the effective license at the component level and set its status to open (default), acknowledged, overridden, selected or confirmed.

Change Security Vulnerabilities

This permission allows users to change the status of a security vulnerability to open, acknowledged, applicable or confirmed, at the component level.

Managing Administrator Roles

To manage administrator roles, you must log in to Lifecycle as a user assigned to the System Administrator role. By default, the built-in Admin user account is assigned to the System Administrator role.

Viewing Administrator Roles

  1. Click the System Preferences icon on the Lifecycle toolbar.

  2. Click Administrators. A list of administrator roles and assigned members is displayed.


Assigning Users to Administrator Roles

  1. Click the System Preferences icon on the Lifecycle toolbar.

  2. Click Administrators. The Administrators view is displayed.

  3. Click the row for the role to which you want to add users. The view updates to show the role and its current members.

  4. Search for the user you want to add by entering a full name, or part of a name with an asterisk, in the search box; the results update as you type. The asterisk is a wildcard at the beginning or end of a string: isa*, *mov, and *asi* all match the name "Isaac Asimov." Matching names are displayed in the Available list.

  5. To add a user to the role, click the user's name in the dropdown of search results; the name moves to the Members Added list.

  6. To remove a user from the role, click the user's name in the Members Added list.

  7. To filter the Members Added list, type in the filter field; the list updates as you type.

  8. If LDAP is configured and the Group Search Enabled option is not set, you can add a group by name without searching for it: type the group name in the Associate Group field and click Add.

  9. Click Submit to save the role assignment(s).


Managing Organizational Roles

To manage organizational roles, you must log in to Lifecycle as a user assigned to the Policy Administrator role, Owner role, or a custom role that has the Edit Access Control permission. By default, the built-in Admin user account is assigned to the Policy Administrator role.

Viewing Organizational Role Assignments

To view organizational role assignments:

  1. Click the Organization & Policies icon on the Lifecycle toolbar.

  2. Select an entity (organization, application, or Repositories) in the sidebar.

  3. Click Access in the menu bar at the top of the page to scroll to the Access section. Assigned roles are grouped as follows:

    1. Local - Role assignments with a scope that’s specific to the selected organization or application.

    2. Inherited - Role assignments derived from an organization that’s higher in the system hierarchy than the currently selected organization or application.


Assigning Users to Organizational Roles

To assign a user to an organizational role:

  1. Click the Organization & Policies icon on the Lifecycle toolbar.

  2. Select an entity (organization, application, or Repositories) in the sidebar.

  3. Click Access in the menu bar at the top of the page to scroll to the Access section.

  4. Click the Add Role button. The Access editor is displayed.

  5. In the Role box, select a user role.

  6. In the Search Users box, search for a user by entering a full name, or part of a name with an asterisk, then click Search. The asterisk is a wildcard at the beginning or end of a string: isa*, *mov, and *asi* all match the name "Isaac Asimov." Matching names are displayed below in the Associated Users list.

  7. In the Associated Users list, select a user in the Available column on the left, then click the right arrow button to move the user to the Associated column on the right. If you accidentally add a wrong user, select the user in the Associated column, then click the left arrow to return the user to the Available column.

  8. Click Add.

Note

If you integrated an LDAP server with Lifecycle, the LDAP users and groups are also displayed in the search results. If you hover over a list item, the LDAP realm and email address are displayed when available.


Tip

If you want to continue adding role assignments for the selected organization, application or Repositories, click Add Role in the sidebar.

Editing Organizational Role Assignments

To edit an organizational role assignment:

  1. Click the Organization & Policies icon on the Lifecycle toolbar.

  2. In the sidebar, select the entity (organization, application or Repositories) in which the role is assigned.

  3. Click Access in the menu bar at the top of the page to scroll to the Access section.

  4. Click a listed role (or the chevron next to its name) to display the Access editor.

  5. In the Search Users box, search for a user by entering a full name, or part of a name with an asterisk, then click Search. The asterisk is a wildcard at the beginning or end of a string: isa*, *mov, and *asi* all match the name "Isaac Asimov." Matching names are displayed below in the Associated Users list.

  6. In the Associated Users list, you can add a user to a role by selecting the user in the Available column on the left and clicking the right arrow button to move the user to the Associated column. To remove a user from a role, select the user in the Associated column, then click the left arrow to return the user to the Available column.

  7. Click Update.

Note

If you integrated an LDAP server with Lifecycle, the LDAP users and groups are also displayed in the search results. If you hover over a list item, the LDAP realm and email address are displayed when available.


Tip

If you want to continue adding role assignments for the selected organization, application or Repositories, click Add Role in the sidebar.

Removing Organizational Role Assignments

To remove organizational role assignments:

  1. Click the Organization & Policies icon on the Lifecycle toolbar.

  2. In the sidebar, select the entity (organization, application or Repositories) in which the role is assigned.

  3. Click Access in the menu bar at the top of the page to scroll to the Access section.

  4. Click a listed role (or the chevron next to its name) to display the Access editor.

  5. Click the Remove Role button, then click Continue to remove the role or click Cancel to keep the role.

Note

This is the equivalent of removing or disassociating all users from a role.

Custom Roles

Warning

You must have permission to Edit Custom Roles if you want to create a custom role. The default Admin account and the built-in Policy Administrator role have this permission.

Custom roles allow you to fine-tune Lifecycle security permissions for different users. The following permissions are available for custom roles:

Administrator Roles:

  • View All Roles

  • Edit Proprietary Components

Organizational Roles:

  • Claim Components

  • Edit IQ Elements

  • View IQ Elements

  • Edit Access Control

  • Evaluate Applications

  • Evaluate Individual Components

  • Add Applications

  • Manage Automatic Application Creation

  • Manage Automatic Source Control Configuration

  • Waive Policy Violations

  • Change Licenses

  • Change Security Vulnerabilities

  • Review Legal obligations for component licenses

Tip

To achieve desired behavior in the user interface, you may need to assign View IQ Elements along with other permissions. For example, to allow a user to create applications in an organization but not edit the organization, you should add View IQ Elements and Add Applications to the role.

To create a custom role:

  1. Click the System Preferences icon on the Lifecycle toolbar, then click Roles.

  2. Click the Create Role button.

  3. Enter a name and description for the role.

  4. Click the Can/Cannot slider to enable or disable permissions as desired.

  5. Click the Save button.

Note

Whenever a user assigned to a custom role with Add Applications permission creates an application, that user is automatically assigned to the Owner role for that application.
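The tip and note above give the rules that decide whether a custom role behaves as intended: View IQ Elements is the minimum needed to browse organization and application pages, Edit IQ Elements is wide-reaching, Add Applications makes the creator Owner of every application created, and the remediation permissions change policy outcomes. The following is an added example, not code from the Lifecycle documentation or the product: a pre-flight check that turns those rules into findings a reviewer resolves before clicking Save. The role names and permission sets it is run on are constructed.

```python
"""Pre-flight review of a proposed custom role.

Added example; the rules encode the constraints the page states, and the
demo roles below are constructed.
"""
from __future__ import annotations

VIEW_IQ = "View IQ Elements"
EDIT_IQ = "Edit IQ Elements"
ADD_APPS = "Add Applications"
REMEDIATION = {
    "Waive Policy Violations",
    "Change Licenses",
    "Change Security Vulnerabilities",
}


def review_custom_role(name: str, permissions: set[str]) -> list[str]:
    """Return the findings to resolve before creating the role.
    An empty list means no least-privilege concern was detected."""
    perms = set(permissions)
    findings: list[str] = []
    if not perms:
        findings.append(f"{name}: grants nothing; assigning it has no effect")
        return findings
    if VIEW_IQ not in perms:
        # Without View IQ Elements the member cannot open the organization,
        # application or report pages, so UI-driven use of the other
        # permissions fails; integrations (CI, IDE) may still work.
        findings.append(
            f"{name}: lacks '{VIEW_IQ}', so members cannot browse "
            f"organization/application pages or reports; {sorted(perms)} "
            "will only be usable through integrations")
    if EDIT_IQ in perms:
        findings.append(
            f"{name}: '{EDIT_IQ}' enables most add/edit/delete operations on "
            "organizations, applications, policies and repositories; prefer a "
            "narrower permission if that is all that is needed")
    if ADD_APPS in perms:
        findings.append(
            f"{name}: '{ADD_APPS}' makes the creator Owner of every "
            "application they create, which grants full Owner permissions there")
    risky = sorted(perms & REMEDIATION)
    if risky:
        findings.append(
            f"{name}: {risky} override policy outcomes; assign the role at the "
            "narrowest level of the hierarchy that suffices")
    return findings


if __name__ == "__main__":
    # The combination the tip above recommends: create apps without editing the org.
    for finding in review_custom_role("App Creator", {VIEW_IQ, ADD_APPS}):
        print(finding)
    # A tempting one-permission role for a release gate.
    for finding in review_custom_role("Release Gate", {"Waive Policy Violations"}):
        print(finding)
```

Running it on the "App Creator" role from the tip reports only that the creator becomes Owner of each application they create; the "Release Gate" role gets two findings, because its member could not open the application pages to see what they are waiving, and because waiving changes policy outcomes.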

Assigning Groups to Roles without Searching

If your LDAP configuration uses dynamic groups and group search is disabled, the Access editor has an additional section called Associate Group. Use it to enter a group name manually and add it to a role.

To assign groups to roles without searching:

  1. Click the Organization & Policies icon on the Lifecycle toolbar.

  2. In the sidebar, select an entity (organization, application or Repositories).

  3. Click Access in the menu bar at the top of the page to scroll to the Access section.

  4. Open the Access editor by clicking Add Role or the chevron next to an existing role.

  5. In the Associate Group box, enter the group name. The text must be an exact match.

  6. Click Add. The group name is added to the Associated column without performing a search of users and groups.

Role Assignments

To view role assignments:

  1. Click the Organization & Policies icon on the Lifecycle toolbar.

  2. Select an organization or application in the sidebar. A page of customizable settings is displayed.

  3. Click Access in the menu bar at the top of the page to scroll to the Access section. Users are displayed by their assigned roles for the selected entity (i.e. organization or application). The information is grouped by where the role assignments were made: locally in the current entity or inherited from an entity higher in the system hierarchy.
