Teams & Roles (RBAC)

On FOSSA, Role-Based Access Control (RBAC) is used to manage which features of the system a user has access to as well as which projects a user may access and what actions they're allowed to perform on those projects.

👍

Enterprise Feature

This feature is only available in a FOSSA Enterprise subscription. Contact [email protected] for more details.

There are two kinds of roles: organization roles and team roles. You assign a user an organization role to give the user to access to all projects in your organization or to give the user permission to manage organization-level settings, such as billing settings. For users in teams, on the other hand, you give each user a role in each of their teams. Teams are used to give users access to certain projects and release groups.

Organization Roles

On the Users Settings page, you can assign a user one of four roles. A user may have the None role at the organization level yet be on a team, giving the user access only to projects and not organization-level features or settings.

Role

Permissions

Admin

  • Full access to all projects in the organization
  • Can import new projects
  • Can view and edit policies
  • Can create, modify, and delete policies
  • Can add (invite) and remove users and projects from teams
  • Can manage roles
  • Can access and change billing information
  • Can correct licensing information and metadata for dependencies

Editor

  • Full access to all projects in the organization
  • Can import new projects
  • Can view and edit policies
  • Can change project settings
  • Can rebuild and rescan projects
  • Can correct licensing information and metadata for dependencies

Viewer

  • Can view all projects and issues
  • Can view policies
  • Can NOT upload new projects
  • Can NOT create Jira tickets
  • Can NOT modify packages or resolve issues

None

  • No access to any projects or other features at the organization level except for permissions granted by being in a team

Note: By default, new users are created with a role of "Admin", but this is configurable on the Organization settings page.

These four organization roles are built-in and may not be edited or deleted.

Team Roles

On the Team Settings page, you can create new teams and manage which Users and Projects belong to each team. Users with a role of "Team Viewer", "Team Editor", or "Team Admin" must be added to a Team in order to see any Projects on FOSSA.

Note: Team permissions grant access to team projects. They do not include access to organizational-wide features like policies.

Role

Permissions

Team Admin

  • Limited to viewing and changing projects that belong to their teams
  • Can import new projects
  • Can delete projects
  • Can change project settings and metadata
  • Can rebuild and rescan projects
  • Can edit only the dependencies that are themselves projects in a team where the user is permitted to edit projects
  • Can import new projects to add to their teams
  • Can view and manage users within their team
  • Can manage team options

Team Editor

  • Limited to viewing and changing projects that belong to their teams
  • Can import new projects
  • Can change project settings
  • Can rebuild and rescan projects
  • Can edit only the dependencies that are themselves projects in a team where the user is permitted to edit projects

Team Viewer

  • Read-only access to projects that belong to their teams

These three team roles are built-in and may not be edited or deleted.

Team Admins and Team Editors have full access to the metadata in the projects in their teams, but this does not extend to being permitted to edit dependencies because an edit to a dependency applies across the entire organization. So, in general, permission to edit a dependency requires an organization-level role such as Admin or Editor.

Custom Roles

FOSSA allows you to create custom roles at both the organization and the team level. Anytime you create a role, you choose the type of the role:

16941694

Once a role is created, its type cannot be changed. The kinds of permissions that can be included in the role depends on the role's type. Some organizational-level features, such as managing users, are possible only in organizational roles. Next, select all the permissions that users who have this role will have by way of the role:

17821782

Auto-Assign Roles with Single Sign On Providers

FOSSA can integrate with your SAML Identity Provider to automatically assign roles to Users and add them to Teams when integrated with Single Sign On.

User Role Auto-Assignment
Configure a 'role' attribute that contains the permission value of the associated user. The values that are accepted today are:

  • 'admin'
  • 'editor'
  • 'viewer'

Team Auto-Assignment
Configure to include a 'teams' attribute in the SAML response. FOSSA will update the user to include users are only assigned to those teams. If the teams are not available in FOSSA, they will get created as part of the assignment process.

Please contact [email protected] for more information.