Container Security Users and Permissions

The Qualys Container Security application uses a Role Based Access Control (RBAC) model to control access to Container Security features. With RBAC, each user is assigned a pre-defined user role which determines which actions the user can take in the UI and API.

About User Roles

A Manager user (superuser with full permissions and scope) can access the Administration utility, has all roles assigned, can add and manage users, can create custom roles and assign roles to users. The first user in a new customer subscription is a Manager user.

We have the following pre-defined roles for Container Security. These roles are exclusive to the Container Security module. The roles defined in other modules have NO correlation with those defined in Container Security.

• CS Manager: A CS Manager has all Container Security permissions and can perform all actions in the Container Security UI and API. All Container Security users existing prior to the Container Security 1.17 release will be assigned the CS Manager role automatically, which means they can perform all actions.
• CS User: The CS User role only has permission to access the Container Security UI, and has no other permissions assigned.

The CS user role will not be available in new customer subscriptions created after Container Security 1.17.

How to View and Edit Roles and Permissions

CS Managers can view user roles and permissions from the Administration utility. If you need help at any time, please refer to the Qualys Administration Utility Help.

1. Choose Administration under Utilities from the application picker.
   
2. Go to the Users >  Role Management tab. This is where you’ll find roles and their related permissions. You can search for the module “container security” to view the Container Security roles.

   The Role Management tab is only visible if you have full permissions and scope, or a role with the “Access Role Management Section” permission enabled.

3. Select View from the Quick Actions menu for any role in the list to see the permissions associated with the role, or Edit to make changes to the permissions.

   When you change the permissions for a role, all users with the role will be affected by the changes.

   

4. Go to the Permissions tab to view permissions for the selected role. At the top, you’ll see Global UI and API access permissions. For Container Security module access and permissions, click the Change link under Role Permissions by Modules.

   

   Permissions are grouped by object like registry, image, container, host, and so on.

   

5. Expand any group of permissions to see the individual permissions within the group. Note the CS UI Access and CS API Access permissions. You’ll need to assign these permissions to give users the ability to log into the Container Security UI and API. Click Save after making any changes to the role permissions. 

   

How to Manage Assets of a CS User 

CS Manager can assign tags to the CS Users accounts which can prevent them from accessing the assets (images and containers) which are not in their scope.

1. Go to Configuration > General > Miscellaneous Settings > Enable User Scope Settings.
2. Slide the toggle bar to the right to enable the user scope settings.
   
3. Go to UTILITIES > Administration > User Management. 
4. Select the CS User to which you want to assign tags.
5. In the Quick Actions menu, select Add Tags to Scope.
   
6. Choose the tags which you want to assign to the user and click Save.
   

Once tags are assigned, the selected user will only see the images and containers which carries the same tags which are assigned to the user. 

How to Remove Permissions from an Existing User

All users existing prior to the Container Security 1.17 release will automatically get the 'CS Manager' role which gives them all Container Security permissions. If you want to limit the permissions for a particular user, then you’ll need to create a custom role and select only the permissions the user should be granted.

Edit the user account from the Users > User Management tab in the Administration utility. Remove the 'CS Manager' role from the user since this gives the user all permissions, and assign the new custom role to the user.

How to Add New Users

Any Manager can add new users and assign them roles and permissions. See How to Add Users for more information.

When a User Does Not Have Permissions

If a user is not granted a particular permission for an action or for certain images or containers, then the user will not be able to perform the related action from the UI or API, also the user will not see those images or containers.

When a user does not have the List permission for an object, then the user will not be able to view the related data list in the UI or fetch the list from the API. In the UI, the user see an UNAUTHORIZED ACCESS message when you do not have permission to view the list. In the example below, the user does not have the List Hosts permission. The same result will be seen when the user tries to access the images and containers which are not in the scope.

If the user has the List permission but does not have other permissions like Create, Update, and Delete, then the list will be visible to the user, but the button or menu option for the action will not be visible. For example, if the user does not have the Create Registry permission then the user will not see the New Registry button and will not be able to create registries from the API.