A customer asked me if there exist a possiblity to modify / configure the Fortify SSC Server to establish a simpler 4-eyes principle process so it can be used by small team which all have the same role .i.e. Developer. Goal is that a person which uploads the FPR file can not modify the Analysis Tag of that application but may can change the Analysis Tag on other applications. This would allow that the review has to be done by another developer which did not made the scan.
I know that you can use restricted Tags but this requires that people will need a separate role like security lead. The customer doesn't want to add the review privileges to a single person / role, so it should just make sure that it can not be done by the same person who did the scan (=uploaded the FPR). Exists therefore a possiblity to configrue such a 4-eyes process?