Web Application Scanning/TotalAppSec User Roles and Permissions
Web Application Scanning (WAS) or TotalAppSec (TAS) has three out-of-the-box (OOTB) roles for users:
- WAS Manager: The WAS Manager is the highest-privileged role in Web Application Scanning after Superuser. Users with this role can perform all administrative, configuration, scanning, scheduling, catalog, remediation, and management actions within WAS. They can create, edit, delete, and manage all assets, scans, schedules, authentication records, catalog entries, and option profiles. Managers also control DNS overrides, reporting schedules, and advanced configurations. Essentially, they have full control over every aspect of WAS operations.
- WAS Scanner: The WAS Scanner role is designed for users responsible for executing scanning operations without complete administrative authority. These users can launch, cancel, and delete scans, and they can create and modify scan schedules. They are also permitted to create, edit, and manage WAS option profiles, password brute-forcing lists, search lists, and most request parameter configurations. However, they cannot manage assets, cannot edit catalog entries, and lack access to certain advanced configurations such as DNS overrides and global settings.
- WAS User: The WAS User role has limited operational permissions, intended primarily for users who need to work with option profiles and basic configuration elements. They can create, edit, and delete option profiles, request parameter sets, and other configuration objects. However, they cannot launch or manage scans, cannot manage WAS assets, cannot edit DNS overrides, cannot create schedules, and cannot access or modify catalog entries. They represent a configuration-capable but scan-restricted user level.
TAS permissions appear as WAS in the roles and permissions management.
Users are granted access to WAS/TAS features and functions based on Roles, which are a consolidation of fine-grained Permissions. Managers have full rights and can configure roles and permissions using the Administration utility.
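The three roles above form a strict privilege ladder (User < Scanner < Manager), which makes it possible to check whether each account holds the lowest role that still covers what it actually does. The following is an added example, not part of this page or the product: the permission sets are an assumption modelled from the prose role descriptions above (the checkbox matrix is not used), and the user assignments and activity records are constructed sample data.

```python
# Least-privilege right-sizing for WAS/TAS role assignments (added example).
from typing import Dict, Optional, Set

# Assumption: these sets are modelled from this page's prose role descriptions,
# not taken from the product's own permission matrix.
USER_PERMS: Set[str] = {"create/edit/delete option profile",
                        "create/update/delete request parameter set"}
SCANNER_PERMS: Set[str] = USER_PERMS | {
    "launch/cancel/delete scan", "create/edit/delete schedule",
    "create/edit/delete password bruteforcing list", "create/edit/delete search list"}
MANAGER_PERMS: Set[str] = SCANNER_PERMS | {
    "create/edit/delete web asset", "edit catalog entry", "edit global settings",
    "create/update/delete authentication record", "create/update/delete DNS override",
    "purge vulnerabilities and sensitive content"}
# Least to most privileged; minimal_role() depends on this order.
ROLES = [("WAS User", USER_PERMS), ("WAS Scanner", SCANNER_PERMS),
         ("WAS Manager", MANAGER_PERMS)]
RANK = {name: i for i, (name, _) in enumerate(ROLES)}
# Manager-only permissions with subscription-wide effect.
HIGH_IMPACT: Set[str] = {"edit global settings", "create/update/delete DNS override",
                         "purge vulnerabilities and sensitive content"}


def can(role: str, permission: str) -> bool:
    """True if the named role includes the permission."""
    return any(n == role and permission in p for n, p in ROLES)


def minimal_role(used: Set[str]) -> Optional[str]:
    """Least-privileged role covering every permission used; None if none does."""
    return next((n for n, p in ROLES if used <= p), None)


def right_size(assignments: Dict[str, str],
               activity: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Flag users whose role exceeds what their recorded activity needs and
    list the unused high-impact permissions they still hold."""
    report = {}
    for user, role in assignments.items():
        used = activity.get(user, set())
        needed = minimal_role(used)
        report[user] = {"assigned": role, "needed": needed,
                        "over_privileged": needed is not None and RANK[role] > RANK[needed],
                        "unused_high_impact": sorted(p for p in HIGH_IMPACT
                                                     if can(role, p) and p not in used)}
    return report


# Constructed sample data: not real accounts or audit records.
SAMPLE_ASSIGNMENTS = {"alice": "WAS Manager", "bob": "WAS Scanner", "dave": "WAS Manager"}
SAMPLE_ACTIVITY = {"alice": {"launch/cancel/delete scan", "create/edit/delete option profile"},
                   "bob": {"launch/cancel/delete scan"},
                   "dave": {"edit global settings", "create/update/delete DNS override"}}
```

Running `right_size(SAMPLE_ASSIGNMENTS, SAMPLE_ACTIVITY)` reports alice as a Manager whose activity only needs the Scanner role, while dave's Manager role is justified by the global-settings and DNS-override changes he made.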
The WAS/TAS application groups its permissions into categories. The following are the permission categories for the WAS module, each with its related permission groups:
- WAS Scan Permissions
- WAS Schedule Permissions
- Scanner Appliance Permissions
- WAS Burp Permissions
- WAS Asset Permissions
- WAS Catalog Permissions
- WAS BugCrowd Permissions
- WAS Authentication Record Permissions
- WAS Remediation Permissions
- WAS Configuration Permissions
- Purge Remediation Permissions
The three right-hand columns are the default roles (WAS Manager, WAS Scanner, WAS User); cell markers are shown as they appear in the source.

| WAS Permission Category | Permission | WAS Manager | WAS Scanner | WAS User |
|---|---|---|---|---|
| WAS Scan Permissions | Launch, Cancel, and Delete WAS Scan | N | | |
| WAS Schedule Permissions | Create, Edit, and Delete WAS Schedules | N | | |
| Scanner Appliance Permissions | Edit Scanner Appliance | N | N | N |
| WAS Burp Permissions | Access Burp Permissions | N | N | N |
| | Import Burp Report | N | N | N |
| | Update Burp Report | N | N | N |
| | Download Burp Report | N | | |
| | Delete Burp Report | N | N | N |
| | Ignore Burp Finding | N | N | N |
| | Purge Burp Findings | N | N | N |
| WAS Asset Permissions | Purge, Create, Edit and Delete Web Asset | N | N | |
| | View/download Selenium Script sensitive contents | N | N | N |
| | Manage Malware Monitoring | N | N | N |
| | Edit Web Application URL | N | N | N |
| | Select and Lock/Unlock Scanner Appliance | N | N | N |
| WAS Catalog Permissions | Edit Web Application Catalog | N | N | |
| | Edit Web Application Catalog Entry | N | N | |
| | Add to Subscription Web Application Catalog Entry | N | N | |
| | Access to Subscription Web Application Catalog Entry | | | |
| | Delete Web Application Catalog Entry | N | N | |
| WAS BugCrowd Permissions | Access Bugcrowd Section | N | N | N |
| | Import, Update, Delete, Ignore and Download Bugcrowd Report | N | N | N |
| | Purge Bugcrowd Findings | N | N | N |
| WAS Authentication Record Permissions | View Password in Authentication Record | N | N | N |
| | Create Authentication Record | N | N | |
| | Update Authentication Record | N | N | |
| | Delete Authentication Record | N | N | |
| WAS Remediation Permissions | Update KnowledgeBase | N | N | N |
| | Retest vulnerabilities and sensitive content | N | N | N |
| | Ignore and Update Findings | N | N | N |
| WAS Configuration Permissions | Create, Edit, and Delete WAS Option Profile | | | |
| | Create, Edit, and Delete WAS Password Bruteforcing List | | | |
| | Create, Edit, and Delete WAS Search List | | | |
| | Edit Global Settings | N | N | N |
| | Create, Update, and Delete Request Parameter Set | | | |
| | Create, Update, and Delete DNS Override | N | N | N |
| | Create, Update, and Delete Proxy | N | N | N |
| | Create, Update, and Delete Report Schedule | N | N | |
| Purge Remediation Permissions | Purge vulnerabilities and sensitive content | N | N | N |
| WAS OWASP ZAP Permissions | Ignore, Read and Purge OWASP ZAP Findings | N | N | N |
| | Access OWASP ZAP Section | N | N | N |
| | Import, Update OWASP ZAP Report | N | N | N |
| | Download, Delete and Read ZAP Report | N | N | N |
| WAS Discovery Permissions (only if Discovery is enabled) | Add Discovered Web Application | | | |
| | Update Discovered Web Application | | | |