TrustSource has a broad set of features. Some are designed to allow the distribution of responsibility across several users so that a reliable, distributed command and control flow can be established. This helps especially larger organisations to ensure process conformity.
Smaller organisations may compensate the thinner personal layer by stacking roles on selected users. It is possible to grant all roles to one user. This finally would allow him, to approve his own requests. Whether this seems to be useful for your organisation, is your decision.
Roles overview
TrustSource provides a set of basic roles and some functional extension roles. The following table lists all roles. You may manage roles on user level in the User Management section. Enterprise Customers may associate roles to, e.g. when using an Active Directory, Security Groups and use our IDM to auto-sign in and claim the roles based on their internal group memberships. See this article for more details.
-
Standard user and default role, if no role is assigned. Has rights to work on Projects he is member of or projects without membership assignments. Developers can upload SBOMs, view and manage analysis results, search the knowledge base and run reports.
-
Manager is guiding developers and responsible for projects. He is allowed to initiate approval requests or create releases. His responsibility is to ensure completeness and correctness of information. Typically he will review the analysis results and derive actions, which he can push tickets into jira or Azure DevOps or as issues into Github / GitLab. Takes responsibility
-
Compliance Manager:
Takes responsibility of the legal compliance. Can see all legal reports, will be requested to approve compliance reports for modules or projects. Has the power to make legal decisions. Can change legal settings in projects (should always be done together with manager).
-
Portfolio Manager:
Has been created for senior technical managers , e.g. CTOs or CDOs. The main capability is the portfolio overview of all projects on vulnerability, legal and risk states. The 3 click to the library capability allows every portfolio manager to get a detailed understanding of the situation in every project and allows a drill down to the cuases and responsible staff with on 3 clicks.
-
Product Manager:
Product Manager is a role, which is only available to subscribers of the CRA edition. This role will allow to add the product management capabilities on top of the software projects. Thus, you may define a product tree and associate the products with releases of your software solutions. Per product you will receive the capabilities from the software assigned with it, can manage the technical documentation and certificates or declarations.
-
Company Security Manager:
The Company Security Manager has special rights to assess and manage vulnerability information. He may even modify associations between CVEs and components to reduce the number of false positives. In addition the Security manager has the capability to set vulnerability policies, create and manage CSAF documents as well further security related actions.
-
Company Component Manager:
The component manager has the rights to modify the entries in the component lake. Thus, he will be able to add repository URLs, change license settings like declaring effective licenses or even add components.
-
Account Admin:
The account admin rights allow to change settings of account wide relevance. This starts from administrational information like company and billing address, basic settings like standard "written offer" text or select or change the account type. But it will also include the management of application access and authorisation. Account Admins also manage general integrations and all API keys.
-
Enterprise Admin:
The enterprise Admins is available only in enterprise accounts and has the right to create new entities, manage several entities and the relations between.
The roles can be combined. Any user may hold all roles. This is not recommended, but a new user will - directly after TrustSource account creation - be in such a "power user" - role. We decided to provide all the rights to new account creators to ease the identification of TrustSource's capabilities. However, we recommend not to use this in production. A warning will appear in the top bar of the screen, if such a user is logged in. Also all Account admins will receive a warning message, given a user will be assigned such a role accumulation.
For more details on each role, click on the role name and you will get a more detailed overview for this particular role.
PLEASE NOTE: When you assign a scope to an API key, this will equal the access to functionality associated with each role. For example to use an API key to grant an approval based on calculations, AI or statistics, you must assign the API key the role Compliance Manager. See our API Docs for more details.
Comments
0 comments
Article is closed for comments.