Fortify SSC authentication through LDAP not recognizing appropriate permissions
Our system has a Fortify SSC authentication scheme which is directly tied to our LDAP group authentication scheme. In the roles in Fortify, we have setup some user-defined roles. These user-defined roles map to specific LDAP groups. The system-defined roles also map to some groups.
The error which repeatedly occurs is that when the people with the user-defined roles try to view the scan errors (the error number on the artifact which is encircled in red and pulls up a list of error locations when you click on it) on an application FPR, it says that the user does not have the "Generate Reports" and/or "View Application Scans" permissions enabled. However, I have double- and triple-checked the LDAP group associated with this role and the role permissions themselves. The role permissions include "Generate Reports" and "View Application Scans". Therefore, the user who is in this LDAP group should have these permissions and therefore be able to see the scan errors.
Furthermore, I have noticed that this is not a problem with the "system-defined" roles.
My questions are as follows:
1. Are there any permissions that could override these specific permissions?
2. Is there a setting that is specific to user-defined roles that I may be missing?
The resolution I am looking for is to simply ensure those roles that have the permissions to view scan errors are allowed to do so.
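To reason about a group-to-role-to-permission setup like the one described in the question, a small resolver that lists which role grants each required permission (and flags the ones nobody grants) is a quick way to rule out a mapping gap before opening a ticket. The following is an added example, not Fortify SSC code: the role names, group DNs, the `universal_access` flag and the assumption that permissions are additive across roles are all constructed for illustration and may differ from how SSC actually evaluates access.

```python
"""Effective-permission resolver for an LDAP-group -> role -> permission model.

Added example, not Fortify SSC code. It models the mapping described in the
question so that a missing or mis-mapped permission can be spotted quickly.
All names below are constructed; the additive-permission rule and the
universal_access flag are assumptions of this model, not verified SSC behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    universal_access: bool = False   # assumed: role may see every application version
    system_defined: bool = False


# Constructed sample configuration (not a real SSC export).
ROLES = {
    "Security Lead": Role(
        "Security Lead",
        frozenset({"Generate Reports", "View Application Versions", "View Issues"}),
    ),
    "Developer": Role("Developer", frozenset({"View Issues"}), system_defined=True),
}

# LDAP group DN -> role names. Keys are stored lower-cased because DNs are
# matched case-insensitively; a case mismatch is a common reason a mapping
# silently fails to apply.
GROUP_TO_ROLES = {
    "cn=appsec-leads,ou=groups,dc=example,dc=com": ["Security Lead"],
    "cn=developers,ou=groups,dc=example,dc=com": ["Developer"],
}

# Permissions the question says are needed to open the scan-error list.
REQUIRED_FOR_SCAN_ERRORS = frozenset({"Generate Reports", "View Application Versions"})


def roles_for_groups(groups, group_to_roles=GROUP_TO_ROLES, roles=ROLES):
    """Return the Role objects a user inherits from their LDAP group DNs."""
    names = []
    for dn in groups:
        for role_name in group_to_roles.get(dn.lower(), []):
            if role_name not in names:
                names.append(role_name)
    return [roles[n] for n in names]


def effective_permissions(groups, group_to_roles=GROUP_TO_ROLES, roles=ROLES):
    """Assumed additive model: the union of every inherited role's permissions."""
    inherited = roles_for_groups(groups, group_to_roles, roles)
    return frozenset().union(*(r.permissions for r in inherited))


def diagnose(groups, required=REQUIRED_FOR_SCAN_ERRORS,
             group_to_roles=GROUP_TO_ROLES, roles=ROLES):
    """Report, per required permission, which roles grant it and which are missing."""
    inherited = roles_for_groups(groups, group_to_roles, roles)
    granted_by = {}
    for perm in sorted(required):
        granted_by[perm] = [r.name for r in inherited if perm in r.permissions]
    return {
        "roles": [r.name for r in inherited],
        "granted_by": granted_by,
        "missing": [p for p, grantors in granted_by.items() if not grantors],
        "universal_access": any(r.universal_access for r in inherited),
    }


if __name__ == "__main__":
    # Constructed users: one in the mapped lead group, one only in developers
    # (note the mixed-case DN, which still resolves because keys are lower-cased).
    for user_groups in (["cn=appsec-leads,ou=groups,dc=example,dc=com"],
                        ["CN=Developers,OU=groups,DC=example,DC=com"]):
        print(user_groups, "->", diagnose(user_groups))
```

Run it against an export of your own role definitions and the user's actual group DNs; an empty `missing` list with the expected roles present means the mapping itself is sound and the denial has to be explained by something else, which is where the log review suggested in the replies comes in.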
Which version of SSC are you using? I tried creating user-defined roles in 17.2 with "View Application Versions" and "Generate Report" and I was able to view issues as well as generate a report logged in as the user who is only part of that role.
I don't see a "View Application Scan" permission as you stated in SSC.
Thanks for responding. You're correct. It is "View Application Versions". The Fortify version I am having this problem on is Fortify 17.10. The "Access denied" message remains even if I add those permissions to a role.
I would suggest opening a support ticket as it requires more investigation (looking at logs) on why you are getting access denied. Are those users part of any other role that could be overriding the permissions?
It would also be helpful to get a list of all the permissions associated with the role you created, and also whether universal access is checked or not. We can attempt to recreate the role here; if not, I would follow Kruthi's advice and get a ticket open with the logs. I also very much doubt this has anything to do with LDAP.