Multiple Roles Per User - Rollout starting Sept 1, 2021
In addition to creating multiple user roles, administrators can assign up to five roles to a single user. This article will cover how intersecting roles work in various scenarios.
Examples for Understanding Overlapping Roles
System Admin Role + Custom Role = Admin
An Admin user has the greatest amount of permissions and has access to all assets, so adding a custom role does not limit permissions or access to certain assets. This user may be assigned an API key with Admin permission.
System Write Role + Custom Role
A System Write Role user has all of the permissions and access of an Admin, and therefore adding a custom role will not limit the permissions or access to certain assets. The difference between the Admin and Write System Roles is outlined in our Role Permissions article. This user may be assigned an API key with write permission.
System Write Role + System Read-Only Role
A user with two system roles will assume the greatest permissions among roles, will have access to all assets, and may be assigned an API key which reflects this.
System Read Only Role + Custom Role
A System Read Only user has read permissions over all assets. When adding a custom role with write permissions, you can specify the risk meters over which you want to allow the user write access when creating the custom role. For all assets that fall outside of those specific risk meters, the user will still only have read access. If the Custom Role provides write access over "All Assets", this combination will completely override the System Read Only Role in the UI only, and the user will have an API key with read-only access.
Custom Role + Custom Role
Important: Permissions are additive over only the assets that all roles have in common. Where multiple roles share access to the same Risk Meters/assets, the greatest permissions apply to all. Where they do not share access to Risk Meters/assets, only the specific custom role permissions apply. This user will not have an API key.
Here is a simple example looking only at the question of whether the user obtains write permissions over all the assets in each role they are assigned.
Conflicts When Editing Assets
If a user with multiple roles attempts to edit a group of assets, and they do not have the permission to do so, they will see the following message:
"You do not have permission to affect all of the selected assets. Please contact your Kenna Admin if you believe you should have additional permission."
Assigning Multiple Roles to a User
To assign multiple roles to a single user, administrators can navigate to Settings → Users → Edit user and select up to five roles from the drop-down list.
Now, in the User list under the Settings menu, anyone with multiple roles will show more than one role in the Role column.
Hovering on the role names will reveal all roles assigned.
Finally, if you click on the User's name to open up the User Details page, you will see all roles listed.
API Use with Multiple User Roles
Important: Only users with System Roles may be assigned an API key. A user can have only one API key. A user with a Custom role and a System role may be assigned an API key that reflects their System Role permission. If the user is assigned two System Roles, their API key will have the permissions of the highest System Role.
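The overlap rules from the role combination examples and the API key rules above, modelled as an added Python example (not Kenna's code): system roles cover every asset, custom roles cover only their risk meters (or "All Assets"), the greatest applicable level wins per asset, and only system roles determine the API key. The role names, risk meter names and the ALL_ASSETS marker are constructed for illustration.

```python
from dataclasses import dataclass

# Permission levels in increasing order; "none" means no access to the asset.
LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}
ALL_ASSETS = "ALL_ASSETS"  # constructed marker: a custom role granting "All Assets"

@dataclass(frozen=True)
class Role:
    name: str
    level: str                            # "read", "write" or "admin"
    system: bool                          # system roles cover every asset
    risk_meters: frozenset = frozenset()  # custom roles: risk meters granted

def ui_permission(roles, asset_risk_meters):
    """Effective UI permission over one asset (given the risk meters it is in).
    A role applies if it is a system role, grants ALL_ASSETS, or shares a risk
    meter with the asset; the greatest applicable level wins."""
    best = "none"
    for r in roles:
        applies = (r.system or ALL_ASSETS in r.risk_meters
                   or bool(r.risk_meters & asset_risk_meters))
        if applies and LEVEL[r.level] > LEVEL[best]:
            best = r.level
    return best

def api_key_permission(roles):
    """API key permission: custom roles never count, the highest system role
    wins, and a user with no system role gets no API key (None)."""
    system_levels = [r.level for r in roles if r.system]
    return max(system_levels, key=LEVEL.__getitem__) if system_levels else None

def can_edit_all(roles, selected_assets):
    """Bulk edit check: every selected asset must resolve to write or better,
    otherwise the UI refuses with the 'You do not have permission...' message."""
    return all(LEVEL[ui_permission(roles, rms)] >= LEVEL["write"]
               for rms in selected_assets)

# Constructed sample roles (names and risk meters are made up for illustration).
SYS_READ = Role("System Read Only", "read", system=True)
SYS_WRITE = Role("System Write", "write", system=True)
WEB_WRITE = Role("Web write", "write", system=False, risk_meters=frozenset({"web"}))
DB_READ = Role("DB read", "read", system=False, risk_meters=frozenset({"db"}))
ALL_WRITE = Role("All assets write", "write", system=False,
                 risk_meters=frozenset({ALL_ASSETS}))
```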
API Endpoint Change
Users API endpoints will change to reflect multiple role_ids and roles. If you are a heavy user of these endpoints, or use scripts that reference these endpoints, please note the changes. This will not be backwards compatible.
Show User endpoints' responses will be changed. When showing or listing users, the role_id parameter will be called role_ids and will list an array of role IDs, and the role parameter will be called roles and will list an array of roles. Even where only one role is used, it will be listed in the array.
Update User endpoints will be changed. Both previously accepted, and required, the role_id parameter in the request. With MRPU (Multiple Roles Per User), role_ids must be used rather than role_id, and it requires an array whether or not multiple roles are used.
Bulk Update Permissions will be changed to allow view_appsec_reporting_page to be updated.
- Even when only one role is being assigned, the plural options will show up with arrays once MRPU is released and the feature flag is enabled.
- All of the user's "roles" or "role_ids" should be provided in the arrays, including the existing ones and the new ones. Any existing "roles" or "role_ids" that are not included in the arrays will be unassigned from the user.