Managing users and API tokens


Uleska User Roles

Uleska has three user roles, so that each user can be given only the access they need. The three roles are:

  • Customer Administrator
    • This is the overall administrator user with permission to perform all tasks. The Customer Administrator can add/remove users, manage configuration, manage teams, manage applications in any team, run security tests and manage results, add security tools, configure toolkits, and view metrics and insights.
  • Application Manager
    • This role is for the day-to-day user who wants to run security tests and manage results. This role cannot edit the wider configuration but can add applications, run security tests/toolkits, triage results, and generate reports. Often a user in this role will be assigned to a specific team so they can only view and run security tests against application projects in their team. Access Tokens for this role are then safe to use in CI/CD, as they cannot affect the testing of projects outside the user's team.
  • Executive
    • This role allows users to view the higher-level statistics and metrics across all teams, but they cannot run any tests, view or triage results, or modify any configuration.

The permissions of each role are shown in the following table.

  Permission                                | Customer Administrator | Application Manager | Executive
  ------------------------------------------|------------------------|---------------------|----------
  Add/Edit Applications                     | Yes (all projects)     | Yes (team projects) | No
  Run Tests, View Results, Triage, Reports  | Yes (all projects)     | Yes (team projects) | No
  Edit Risk Configuration                   | Yes                    | No                  | No
  Set/Edit Advisories                       | Yes                    | No                  | No
  Set/Edit Tool Connections                 | Yes                    | No                  | No
  Set/Edit Ecosystem Authentications        | Yes                    | No                  | No
  Bulk Import                               | Yes                    | No                  | No
  Set/Edit Toolkit Patterns                 | Yes                    | No                  | No
  Add Custom Tools                          | Yes                    | Yes                 | No
  View Analytics/Metrics                    | Yes                    | No                  | Yes
  Set/Edit Team Permissions                 | Yes                    | No                  | No
  Invite Teammates                          | Yes                    | No                  | No


Initial Sign-up

When you first sign up to Uleska you can use your social account (e.g. GitHub, Google, etc.) or your e-mail address. Doing so creates a new ‘Customer’ in Uleska, and you can give it a corresponding name in the ‘Welcome to Uleska’ screen.

[Screenshot: welcometouleska]

This new ‘Customer’ entity can now be used to automate security tools for your company teams and collaborate. The first user is automatically a Customer Administrator role user and has permission to do everything within the Customer entity.

Within your Customer entity, you can add application projects (see adding applications) to test and report on, invite colleagues to do the same (see below), and organize everything into teams (see managing teams).


Inviting Teammates

You can invite as many users as needed to your Customer entity (there is no cost per user) to collaborate on your security automation. You can invite a user to join as any role type; however, be aware that you cannot modify the user's role once they are added (you can delete the user and re-add them with a different role if needed).

To invite a user to join:

  • Go to ‘Permissions’ in the left-hand menu
  • Click the ‘Invite User’ button
  • You will be presented with the following form to invite the user:

[Screenshot: inviteauser]

  • Enter the following:
    • User’s name
    • E-mail to receive the sign-up link and for login
    • Role
    • Team to associate them with (if you have teams configured, this can be changed later)
  • Click the ‘Send Invite’ button to create the user and send an invite e-mail to the e-mail address entered.

At this point, the e-mail address invited will receive an e-mail from Uleska with a link to verify their e-mail and complete their sign-up. Clicking on that link will take them to the platform and ask them to set a password for their account.

[Screenshot: setpassword]

Entering a valid password will then take them into Uleska. Note that currently you cannot invite users based on their social logins (e.g. GitHub, Atlassian, etc.).

Note that inviting users can be automated via the Uleska API, for integration with your user management systems.


Modifying a User

You can modify your own user details by clicking ‘Account’ in the left-hand menu. Currently, you can modify your e-mail address, but not your name or role.

[Screenshot: modifyuser]

Changing Password

A user can change their password by:

  • Going to the ‘Account’ option in the left-hand menu
  • Scrolling to the ‘Change Password’ section

Entering a valid new password updates their password on Uleska.


Deleting a User

There are some rules around deleting users:

  • You cannot delete your own user account.
  • Customer Administrator users cannot delete other Customer Administrator users (contact Uleska support if you wish to delete users with this role).
  • Application Manager and Executive user accounts can be deleted by the Customer Administrator role.
  • A user who is deleted can be re-added at a later time.

Once a user is deleted, they will be unable to access the Uleska UI, and their API tokens will no longer be active.

To delete a user:

  • Go to ‘Permissions’ in the left-hand menu
  • View the ‘Users’ table

A bin icon is shown beside each user that you are permitted to delete.

[Screenshot: userstodelete]

Select the bin icon beside the user you wish to delete. You will receive a pop-up confirming you wish to delete the user.

[Screenshot: deleteuser]

Deletion of users can be performed via the Uleska API for integration into other user management systems.


Managing API Tokens

Each user can generate and use an API token for integration with other platforms. Each user has one API token at a time, which can be used to interact with the Uleska system using the API, or the command-line interface (CLI).

API Tokens generated by a user have the same permissions as the role and team association of the user who generated the token. For example, an API Token belonging to an Application Manager with access to the ‘Belfast’ team will be able to perform Application Manager tasks (add applications, run Toolkit tests, view issues, etc.) on application projects in the ‘Belfast’ team, but cannot perform Customer Administrator actions or interact with application projects in other teams.

To create your first API token:

  • Go to ‘Account’ in the left-hand menu
  • Scroll down to the ‘Api Token’ section

[Screenshot: generateapitoken]

  • Initially, you will not have an API token. To generate one, click the ‘Generate API Token’ button.

When you generate this API Token, Uleska will display the new token once. It must be copied and stored securely, as Uleska will not display this token again in the UI (it is hashed internally, so it cannot be recovered later).

[Screenshot: generatedapitoken]

You can use the copy icon at the right of the generated API token to record it. The next time you go to the ‘Account’ page the API token will not be displayed.

[Screenshot: viewapitoken]

You can revoke the API Token at any time. Revoking deletes the current API token permanently (any integration still using it will stop working) and allows you to generate a new API token associated with this user.