Uleska has three types of user roles, depending on your needs. The three role names are Customer Administrator, Application Manager, and Executive.
The permissions of each role are shown in the following table.
Permission | Customer Administrator | Application Manager | Executive |
Add/Edit Applications | Yes (all projects) | Yes (team projects) | No |
Run Tests, View Results, Triage, Reports | Yes (all projects) | Yes (team projects) | No |
Edit Risk Configuration | Yes | No | No |
Set/Edit Advisories | Yes | No | No |
Set/Edit Tool Connections | Yes | No | No |
Set/Edit Ecosystem Authentications | Yes | No | No |
Bulk Import | Yes | No | No |
Set/Edit Toolkit Patterns | Yes | No | No |
Add Custom Tools | Yes | Yes | No |
View Analytics/Metrics | Yes | No | Yes |
Set/Edit Team Permissions | Yes | No | No |
Invite Teammates | Yes | No | No |
When you first sign up to Uleska you can use your social account (e.g. GitHub, Google, etc.) or your e-mail address. Doing so creates a new ‘Customer’ in Uleska and you can give it a corresponding name in the ‘Welcome to Uleska’ screen.
This new ‘Customer’ entity can now be used to automate security tools for your company teams and collaborate. The first user is automatically a Customer Administrator role user and has permission to do everything within the Customer entity.
Within your Customer entity, you can add application projects (see adding applications) to test and report on, invite colleagues to do the same (see below), and organize everything into teams (see managing teams).
You can invite as many users as needed to your Customer entity (there is no cost per user) to collaborate on your security automation. You can invite a user to join as any role type; however, be aware that you cannot modify the user's role once they are added (you can delete the user and re-add them if needed).
To invite a user to join:
At this point, the e-mail address invited will receive an e-mail from Uleska with a link to verify their e-mail and complete their sign-up. Clicking on that link will take them to the platform and ask them to set a password for their account.
Entering a valid password will then take them into Uleska. Note that currently, you cannot invite users based on their social logins (e.g. GitHub, Atlassian, etc.).
Note that the inviting of users can be automated via the Uleska API, for integration with your user management systems.
You can modify your own user details by clicking ‘Account’ on the left-hand menu. Currently, you can modify your e-mail address, but you cannot modify your name or role.
A user can change their password by:
Entering a valid password will cause their password to be updated on Uleska.
There are some rules around deleting users:
Once a user is deleted, they will be unable to access the Uleska UI, and their API tokens will no longer be active.
To delete a user:
For users that you can delete, you will be given a bin icon.
Select the bin icon beside the user you wish to delete. You will receive a pop-up confirming you wish to delete the user.
Deletion of users can be performed via the Uleska API for integration into other user management systems.
Each user can generate and use an API token for integration with other platforms. Each user has one API token at a time, which can be used to interact with the Uleska system using the API, or the command-line interface (CLI).
API Tokens generated by a user will have the same permissions as the role and team association of the user who generated the token. For example, this means API Tokens for Application Manager roles with access to the Belfast team will be able to perform Application Manager tasks (add applications, run Toolkit tests, view issues, etc.) on application projects in the ‘Belfast’ team, but will not be able to perform Customer Admin actions or interact with application projects in other teams.
To create your first API token:
When you generate this API Token, Uleska will display the new token. This must be copied and stored securely, as Uleska will not display this token again in the UI (it will be hashed internally).
You can use the copy icon at the right of the generated API token to record it. The next time you go to the ‘Account’ page the API token will not be displayed.
You can revoke the API Token at any time, which will delete the current API token forever and allow you to generate a new API token associated with this user.
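The token behaviour described above (one token per user, shown once and kept only as a hash, scoped to the owner's role and teams, inactive after revocation or user deletion) can be modelled as follows. This is an added illustration, not Uleska's code or API: the `TokenStore` class, the action names, the use of SHA-256, the requirement to revoke before regenerating, and the sample users and teams are all assumptions.

```python
import hashlib
import hmac
import secrets

# Subset of the permission table above, with hypothetical action names.
# "all" = every project, "team" = only the user's teams, "global" = not project-bound.
PERMISSIONS = {
    "Customer Administrator": {"add_application": "all", "run_tests": "all",
                               "edit_tool_connections": "global", "view_analytics": "global"},
    "Application Manager": {"add_application": "team", "run_tests": "team"},
    "Executive": {"view_analytics": "global"},
}

class TokenStore:
    """Hypothetical model: one show-once token per user, only its hash is kept."""
    def __init__(self):
        self.users = {}   # user name -> (role, set of team names)
        self.hashes = {}  # user name -> SHA-256 hex digest of the current token

    def add_user(self, name, role, teams=()):
        self.users[name] = (role, set(teams))

    def generate(self, name):
        if name in self.hashes:  # assumed: one token at a time, revoke to replace
            raise ValueError("revoke the current token first")
        token = secrets.token_urlsafe(32)
        self.hashes[name] = hashlib.sha256(token.encode()).hexdigest()
        return token  # returned once; the plaintext is never stored

    def revoke(self, name):
        self.hashes.pop(name, None)

    def delete_user(self, name):
        self.users.pop(name, None)
        self.revoke(name)  # a deleted user's token stops working

    def authorize(self, token, action, project_team=None):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for name, stored in self.hashes.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                role, teams = self.users[name]       # token inherits the owner's role and teams
                scope = PERMISSIONS[role].get(action)
                if scope == "team":
                    return project_team in teams
                return scope in ("all", "global")
        return False  # unknown, revoked, or deleted-user token
```

Because only the digest is stored, a leaked copy of the store does not yield usable tokens, which is also why a lost token can only be replaced, not recovered.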