DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Email Notification to all Readers #10385

Open J1nchur1k1 opened 1 month ago

J1nchur1k1 commented 1 month ago

I have added 2 products, and both products have different owners (with Reader privilege), but when I am adding a new engagement, the mail notification is being sent to both owners irrespective of the product. Please let me know if there are any settings/changes so that the notification can be sent only to one specific owner.

kiblik commented 1 month ago

I will summarize some facts (which might be useful for others as well) about notifications:

  1. By default, the setting of notifications is in the user's hands. Right now, there is no option in the UI to set notification settings for another user (like an admin would manage user settings).
  2. An admin is able to define a notification template (on the global (no product) level) which will define the default global notification settings for newly created users (it does not apply to existing users).
  3. All notification settings are overridable via the API (so even if there is no UI element, you are able to customize settings via the API - as a "post-product-creation task" written in your own script and performed with admin permissions).
  4. Notifications are not connected to product fields like product_manager, technical_contact or team_manager but to membership (roles, groups, global roles, ...).
  5. A (non-admin) user will receive a notification if
    • the notification type is enabled in his global notification settings
    • or it is enabled on the product level (the form on the product page sets the individual settings of the user who is logged in to the page, not the settings for all users/members)
  6. Note that the last behavior is not overriding but a logical "or". So enabling on the global level and disabling on the local level will result in enabling.
  7. There is one specific type of notification which is not received based on membership but on specific assignments (e.g. lead of an engagement or user mentioned in a note) - to see all, check this
  8. Admin users will receive almost all notifications.

This list of facts is based on the implementation in version 2.35.2. It might change in the future based on feedback and the availability of nice people in the DefectDojo community.

J1nchur1k1 commented 1 month ago

> I will summarize some facts (which might be useful for others as well) about notifications:
>
>   1. By default, the setting of notifications is in the user's hands. Right now, there is no option in the UI to set notification settings for another user (like an admin would manage user settings).
>   2. An admin is able to define a notification template (on the global (no product) level) which will define the default global notification settings for newly created users (it does not apply to existing users).
>   3. All notification settings are overridable via the API (so even if there is no UI element, you are able to customize settings via the API - as a "post-product-creation task" written in your own script and performed with admin permissions).
>   4. Notifications are not connected to product fields like product_manager, technical_contact or team_manager but to membership (roles, groups, global roles, ...).
>   5. A (non-admin) user will receive a notification if
>     • the notification type is enabled in his global notification settings
>     • or it is enabled on the product level (the form on the product page sets the individual settings of the user who is logged in to the page, not the settings for all users/members)
>   6. Note that the last behavior is not overriding but a logical "or". So enabling on the global level and disabling on the local level will result in enabling.
>   7. There is one specific type of notification which is not received based on membership but on specific assignments (e.g. lead of an engagement or user mentioned in a note) - to see all, check this
>   8. Admin users will receive almost all notifications.
>
> This list of facts is based on the implementation in version 2.35.2. It might change in the future based on feedback and the availability of nice people in the DefectDojo community.

Thanks mate for the information. However, I don't know why the notification of one product/application is going to another user for whom that notification is irrelevant. I have only enabled it on a product basis, not from the notification tab. Please let me know if the notifications of all products will go to all users with "Reader" access. And is there any way that one product's notifications can be delivered to one user only?

kiblik commented 1 month ago

> Thanks mate for the information.

Happy to help

> However, I don't know why the notification of one product/application is going to another user for whom that notification is irrelevant.

In my opinion, applying the security principle of least privilege, a user should not have access to a product that is irrelevant to him. Especially in an application which might collect a list of possible vulnerabilities.

> I have only enabled it on a product basis, not from the notification tab.

If you haven't managed notifications via the API but only via the UI (the form in the product dashboard), these settings apply to you (not to other users).

> Please let me know if the notifications of all products will go to all users with "Reader" access.

All Readers (+admins) of the related product are "eligible" for notification. They will receive it if they

  • enabled the global notification on their own
  • it was enabled by template (before the users were created) and they haven't touched their notification settings
  • enabled the notification for the specific product (on the product dashboard) on their own

> And is there any way that one product's notifications can be delivered to one user only?

Everybody's notification on the global level will be disabled and the user will go to the product dashboard and enable it there for himself. Or the admin can do it for him via the API.

By "notification on a global level" I mean the user goes to the left menu, clicks on "configuration", then "notification" and sets notifications there. By "product dashboard" I mean: click on the product, not the page called "dashboard".
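The following script is an added example, not DefectDojo project code. It encodes the rules from kiblik's numbered list further up (points 5, 6 and 8: global OR product-level, product-level "off" never overrides global "on", admins get everything) and scripts the recipe given here for delivering one product's engagement notifications to one Reader only, which the thread says is possible only via the API (point 3). Everything about the API is an assumption to verify against your instance's `/api/v2/doc/`: the `/api/v2/notifications/` endpoint, Token authentication, the field name `engagement_added`, the channel value `"mail"`, list filtering by `?user=<id>` with `limit`, and a paginated `{"results": [...]}` response. The HTTP sender is injectable so the logic can be tried without a live server.

```python
# Added example (not DefectDojo project code). ASSUMED, verify on your
# instance: /api/v2/notifications/, "Authorization: Token <key>", the
# field engagement_added, channel values like "mail", ?user=<id>&limit=
# filtering and a paginated {"results": [...]} list response.
import json
import urllib.request
from typing import Callable, Optional

Sender = Callable[[str, str, Optional[dict]], dict]


def will_be_notified(is_admin: bool, global_setting, product_setting,
                     channel: str = "mail") -> bool:
    """Rules 5, 6 and 8 from the thread: enabled globally OR on the product
    level; a product-level 'off' never overrides a global 'on'; admins get it."""
    if is_admin:
        return True
    return channel in (global_setting or []) or channel in (product_setting or [])


class NotificationClient:
    """Thin wrapper around the (assumed) notifications endpoint. `sender`
    is injectable so the logic can be exercised without a live DefectDojo."""

    def __init__(self, base_url: str, api_key: str, sender: Optional[Sender] = None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self._send = sender or self._http_send

    def _http_send(self, method: str, path: str, payload: Optional[dict]) -> dict:
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Authorization": f"Token {self.api_key}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def upsert(self, user_id: int, product_id: Optional[int], **types) -> dict:
        """Create or update the settings row for (user, product). product=None
        is the user's global settings, the ones the UI shows under
        Configuration > Notifications; a product id is the product-dashboard form."""
        page = self._send("GET", f"/api/v2/notifications/?user={user_id}&limit=500", None)
        existing = next((n for n in page.get("results", [])
                         if n.get("product") == product_id), None)
        body = {"user": user_id, "product": product_id, **types}
        if existing is not None:
            return self._send("PATCH", f"/api/v2/notifications/{existing['id']}/", body)
        return self._send("POST", "/api/v2/notifications/", body)


def restrict_engagement_mail(client: NotificationClient, product_id: int,
                             owner_id: int, reader_ids, channel: str = "mail") -> list:
    """The recipe from the thread for 'one product's notifications to one
    user only': switch engagement_added off globally for every Reader of the
    product, then on at product level for the intended owner only. Because
    the rule is an OR, any remaining global 'on' would defeat a product-level 'off'."""
    done = []
    for uid in reader_ids:
        done.append(client.upsert(uid, None, engagement_added=[]))
    done.append(client.upsert(owner_id, product_id, engagement_added=[channel]))
    return done


if __name__ == "__main__":
    # Constructed ids; run with an admin API key against your own instance.
    dojo = NotificationClient("https://dojo.example", "REPLACE_WITH_ADMIN_KEY")
    print(restrict_engagement_mail(dojo, product_id=11, owner_id=3, reader_ids=[3, 4]))
```

Run it with an admin key, because the rows being written belong to other users (point 1 in the list: the UI only lets a user edit his own settings). The least-privilege remark above still applies: a Reader who should never see a product is better removed from its membership than merely silenced.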

J1nchur1k1 commented 1 month ago

> > Thanks mate for the information.
>
> Happy to help
>
> > However, I don't know why the notification of one product/application is going to another user for whom that notification is irrelevant.
>
> In my opinion, applying the security principle of least privilege, a user should not have access to a product that is irrelevant to him. Especially in an application which might collect a list of possible vulnerabilities.
>
> > I have only enabled it on a product basis, not from the notification tab.
>
> If you haven't managed notifications via the API but only via the UI (the form in the product dashboard), these settings apply to you (not to other users).
>
> > Please let me know if the notifications of all products will go to all users with "Reader" access.
>
> All Readers (+admins) of the related product are "eligible" for notification. They will receive it if they
>
>   • enabled the global notification on their own
>   • it was enabled by template (before the users were created) and they haven't touched their notification settings
>   • enabled the notification for the specific product (on the product dashboard) on their own
>
> > And is there any way that one product's notifications can be delivered to one user only?
>
> Everybody's notification on the global level will be disabled and the user will go to the product dashboard and enable it there for himself. Or the admin can do it for him via the API.
>
> By "notification on a global level" I mean the user goes to the left menu, clicks on "configuration", then "notification" and sets notifications there. By "product dashboard" I mean: click on the product, not the page called "dashboard".

Now I have disabled all notifications under system and just enabled notifications on a user basis. But even then the notifications are being sent to all Reader users for one product. Any help will be appreciated.

kiblik commented 1 month ago

> Now I have disabled all notifications under system and just enabled notifications on a user basis. But even then the notifications are being sent to all Reader users for one product. Any help will be appreciated.

Are these users admins? If so, that is the reason.

J1nchur1k1 commented 1 month ago
> • enabled the notification for the specific product (on the product dashboard) on their own

No, these users are Readers. Attached is the file with screenshots. If anything else is needed, do let me know. Notification Issue.docx

J1nchur1k1 commented 1 month ago

Any help will be appreciated. Moreover, could you let me know what the schedule timings are for notifications to be sent, like for the SLA-breach critical notification, because we haven't got any yet, even to admins.