mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Netsparker team id fix - how to handle multi tenancy #59

Closed de-jcup closed 4 years ago

de-jcup commented 4 years ago

Situation

Netsparker has (currently) following permission model:

user1a (=Team1 = Team1 admin)
|_user1b
|_user1c

user2a (=Team2 = Team2 admin)
|_user2b
|_user2c

So when user1a scans something, user1b and user1c will have access to all of these results. But user2a, user2b, user2c will not have access.

At the moment we provide only one team, which means that when we give users access to the Netsparker UI, they will see all results.

Wanted

Every project user should only see its own project results.

Obstacles

One solution we thought of was to define a team for every SecHub project and give access only to the users inside this team.

Unfortunately, Netsparker users must all have unique email addresses, and we have a 1:1 mapping between team admin and users. This means that when we have a user who is in project1 and project2, we could not manage this situation - except by adding two different email addresses (i.e. accounts) for the same person! So a solution that just sets up Netsparker teams for each SecHub project will not work!

Solution

Netsparker provides a mechanism called "website groups". Inside these groups you can give explicit permissions. Once a website group is defined, those scans are no longer visible to all users but only to dedicated ones.

Example:

user1a (=Team1 = Team1 admin)
|_user1b
|_user1c
|_website-group1 (contains test1.example.com)
   |_assign user1b to this group
|_website-group2 (contains test2.example.com)
   |_assign user2b to this group

In the example above, user2b only has access to scans for test2.example.com.

So this solves our problem and we have no

Consequences
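A small model of the two permission layouts described above, added here as an example; it is not part of the issue, SecHub or Netsparker. Team names, scan ids and the team admin keeping full visibility are assumptions made for the illustration.

```python
# Added example (not SecHub or Netsparker code): model the two Netsparker
# permission layouts from the issue and compute which scans each user can see.
from dataclasses import dataclass, field

@dataclass
class Team:
    admin: str
    members: set[str]
    # website group name -> (websites in the group, users explicitly assigned)
    website_groups: dict[str, tuple[set[str], set[str]]] = field(default_factory=dict)

def visible_scans(team: Team, user: str, scans: dict[str, str]) -> set[str]:
    """Return the scan ids a user may see. `scans` maps scan id -> website.
    Websites not covered by any website group are visible to every team member;
    websites inside a group are visible only to users assigned to that group.
    Assumption: the team admin keeps full visibility."""
    if user != team.admin and user not in team.members:
        return set()
    result = set()
    for scan_id, website in scans.items():
        groups = [g for g, (sites, _) in team.website_groups.items() if website in sites]
        if user == team.admin or not groups:
            result.add(scan_id)
        elif any(user in team.website_groups[g][1] for g in groups):
            result.add(scan_id)
    return result

# Constructed sample: two SecHub projects, one Netsparker scan each.
SCANS = {"scan-1": "test1.example.com", "scan-2": "test2.example.com"}

def team_without_groups() -> Team:
    """Layout the issue starts from: one team, no website groups."""
    return Team(admin="user1a", members={"user1b", "user1c", "user2b"})

def team_with_groups() -> Team:
    """Workaround from the issue: one website group per SecHub project."""
    return Team(
        admin="user1a",
        members={"user1b", "user1c", "user2b"},
        website_groups={
            "website-group1": ({"test1.example.com"}, {"user1b"}),
            "website-group2": ({"test2.example.com"}, {"user2b"}),
        },
    )

if __name__ == "__main__":
    for label, team in (("one team", team_without_groups()), ("website groups", team_with_groups())):
        for u in sorted(team.members):
            print(label, u, sorted(visible_scans(team, u, SCANS)))
```

Running it shows every member seeing both scans in the single-team layout, and only the explicitly assigned users seeing their project's scan once website groups are in place.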

de-jcup commented 4 years ago

Closing the issue because of the described workaround.

de-jcup commented 4 years ago

Is related to #58.