Allocate, revoke and manage Assess and Protect licenses for individual organizations as a SuperAdmin. An Organization Admin may then apply and remove Protect licenses for servers in their organization.
A SuperAdmin may grant separate Assess and Protect licenses to an organization in the Organizations page. (Assess licenses apply to applications and Protect licenses apply to servers.) The Licenses column in the organizations grid lists the number of used and unused licenses that have been granted. If licenses are nearing expiration, a red warning icon appears in the grid row.
SuperAdmins can also view current license usage, update an EOP license, and manage impending expirations in the User menu > System Settings > Licensing tab.
To grant licenses to an organization, click the caret in the grid row and select Allocate Licenses from the row action dropdown menu. In the dialog that appears, SaaS users can enter the number of Assess and/or Protect licenses in the given fields to allocate to that organization. Click in the corresponding Expiration Date fields to make your selections on the calendars. EOP users can choose to allocate licenses from the total number available, which is shown in the dialog along with the predetermined expiration dates.
You can manage the licenses granted to an organization by choosing License Summary in the row action dropdown menu, or by clicking on the license counts in the grid. The License Summary dialog provides thermometer charts of the organization's Assess and Protect licenses as well as upcoming expiration dates. SaaS users can use the links to Allocate more licenses or Revoke unused licenses.
Automatically apply licenses to newly onboarded applications in the Licensing tab in System Settings. Use the toggle to Automatically apply licenses to new applications in the Assess section and the toggle to Automatically apply licenses to new servers in the Protect section. In the dialog that appears, select the button to cancel the action, apply licenses to new organizations only, or apply licenses to all current organizations.
Once the option is turned on for Protect, use the multiselect field to choose the environments in which automatic licensing applies; the default selection is "Production".
Note: The checkbox to Allow organization override gives Organization Admins the option to reconfigure your selections in their organization; it's selected by default.
You may also automatically apply licenses when adding an organization in the Organizations page using the radio button in the dialog that appears. (The default selection requires users to manually allocate licenses.) Enabling Protect using the toggle in the dialog also enables the check box to Automatically apply allocated licenses to servers.
An Organization Administrator can apply, remove and view details on their Protect licenses in the Servers page grid, their Assess licenses in the Applications page grid, or all licenses in the Organization Settings > Organization tab > Licensing panel.
To apply a Protect license to an individual server, click the UNLICENSED link beside the server name, or click the caret in the grid row and choose Apply Protect License from the row action dropdown menu. To apply Protect licenses to multiple servers, select the checkboxes in the appropriate grid rows, click the shield icon in the batch actions menu above the grid, and choose Apply Protect License from the menu. Click the Apply License button in the confirmation dialog.
Once a license is applied, the Protect toggle is enabled in the grid rows for the applicable servers.
If your organization has consumed all allocated licenses, or if the organization doesn't have enough licenses available for the number of servers selected, the option to apply a license is disabled. Hover over the disabled selection to Apply Protect Licenses for more information. To return a license to the pool of available licenses for the organization, you must remove it from a server.
If a SuperAdmin chose to apply automatic licensing to all organizations, you can use the toggles to disable and re-enable automatic Assess licensing for new applications as well as automatic Protect licensing for new servers. Once Protect is enabled, you can also use the multiselect field to choose the environments in which automatic licensing applies.
Note: If a SuperAdmin disabled organization override, the toggles are not available; however, you can still view details on current licenses.
To remove licenses from an individual server, click the caret in the grid row and choose Remove Protect License from the row action dropdown menu. To remove Protect licenses from multiple servers, select the checkboxes in the appropriate grid rows, click the badge icon in the batch action menu above the grid, and choose Remove Protect License from the menu. Click the Remove button in the confirmation dialog.
Note: All licenses that you remove immediately return to the pool of available licenses for the organization.
Although you can see the types of vulnerabilities that Contrast discovers without an Assess license, you won't be able to retrieve any details or have other important functionality outlined below.
To get started with Assess, enable the Assess functionality on the agents that have instrumented the application(s) you want to analyze. In the Servers page in the Contrast interface, find the server(s) you want to begin analyzing and turn the Assess toggle on.
Next, you need to license the application as well. To license an application, find the application you want to license on the Applications page. You can either click the TRIAL link next to the application name or select Apply License from the row menu. You'll be prompted to confirm this action.
When Assess is enabled, you must restart the application for the Contrast agent to properly instrument the application with Assess capabilities. Once that's complete, Contrast begins to receive vulnerability analytics and more. The application no longer has a TRIAL designation next to the name, which indicates that it has an Assess license assigned to it.
Note: Organization Administrators can skip the step to manually apply licenses for their users by enabling "Automatically apply licenses to new applications" from the Organization Settings page in the Licensing section.
To get started with Protect, the first thing you need to do is enable the Protect functionality on the agents that have instrumented the application you want to protect. This is done in the Contrast interface on the Servers page.
Find the server(s) you want to begin protecting and turn the Protect toggle on. Enabling protection requires a Protect license, so you'll be prompted to upgrade if it isn't already licensed. Alternatively, you can manually apply a license to a single server in the row menu or in bulk. To apply licenses to multiple servers, select the agents to upgrade, click the shield icon in the action bar and select Apply Protect License.
When Protect is enabled, you must restart the application for the Contrast agent to properly instrument the application with Protect capabilities. Once that's complete, Contrast begins monitoring and blocking attacks. The server now has a shield icon next to the name, indicating it has a Protect license assigned to it.
Note: Organization Administrators can skip the step to manually apply licenses for their users by going to the User Menu > Organization Settings > Servers tab, turning the Protect toggle "on". This default can be enabled for specific server environments.
For more information about providing Protect access to users, read the Create Users article.
Contrast provides role-based access control (RBAC) capabilities through groups. Administrators can create these groups to provide or restrict system, organization and application access and privileges to users within Contrast. Contrast has two types of access control groups: System and Organization. System groups, which are only available to on-premises customers, allow for delegated system administration. Organization groups allow for cross-organization access and application access/restriction.
A system group is a convenient way to manage administrative tasks across users and organizations. Users can belong to many groups. They don't have to be created within an organization in order to gain access to that organization.
When you add a user to a system administration group that contains one or more organizations outside their default organization, the user has access to the System Administration interface. A new SuperAdmin option is available in the user menu, which allows them to manage the organization(s), applications, users and groups associated with the defined organization(s).
Go to the Groups page in the System Administration interface. From there:
Use an organization group to assign authorized users access to organizations and applications. An Organization Admin can create, edit and delete groups from the Organization Settings page. System administrators (EOP only) can also create Cross-Organization Groups to allow users access to more than one organization.
Contrast provides four default groups within each organization. These groups provide access to all applications in the organization with the associated role. That role grants or restricts what the user can do with the application. Those roles are:
Organization administrators can create custom groups within an organization for the purpose of providing granular control and/or access at the application level. This supports the most common deployments of Contrast, in which an organization contains multiple applications with many users.
A user assigned to an organization can have various roles across applications within that organization; each role grants or restricts what the user can do with the given application. However, the users associated with the organization may only require awareness of one or a few of the many applications within the organization. Limiting access this way lets users focus directly on what matters to them rather than sorting through information that has no bearing on their work.
Note: To give a user rights to an individual application, you must create an access group for that application and add the user to that group. Likewise, if the user has no role assigned to an application, the user won't be able to access it.
To create or edit a group, go to the Groups tab in the Organization Settings page, and complete the following actions.
Click the Group name to go to the Edit Group configuration page, where you can view the details of the group and make any modifications. You may change the Group name, Application Access and members of the group. To allow applications to be added to a group during onboarding, choose Applications onboarded to group in the Application Access field.
Delete any group by clicking the trash can icon in the grid row or on Edit Group configuration page. Once this action is confirmed, the group is removed and any access provided by that group is revoked from any of the users assigned to the group.
Note: The default groups provided by Contrast, indicated with a lock icon, have fixed applications and roles, and can't be deleted. You can only add or remove users from these default groups.
In some cases, a user has a Guest designation, which is indicated beside their name on the Users page in Organization Settings. This means the user received an organization role from an Organization Group created in the System Administration interface.
An Organization Admin can add a guest user to their organization by clicking on the Guest link. They can then edit the user and assign them to any group. However, an Organization Admin can't manage guest users, as the system-created organization group designates the organization role and the application access for the user. Deleting a user that was once a Guest reverts that user back to a Guest role, if the user still has access to the organization from a system-created group.
If you place a user into multiple groups that assign different roles to the same application, a role collision occurs. The roles, from most to least restrictive, are: No Access, View, Edit, Rules Admin and Admin. For more information on each role, see the Manage Users article.
Contrast handles collisions by the rule of least privileges: the role that provides the most restrictive access applies.
Example: If you assign a user to the Admin group and then assign that same user to the Edit group, the user has the Edit role for all applications because Edit is more restrictive than Admin.
Contrast also handles role collision by determining the specificity of the role assignment. A role assigned to a specific application overrides a role assigned to all applications, even if the application-specific role is more permissive than the role given to all applications.
Example: If you assign a user to the View group, and then assign them to a custom access group that provides the Admin role for App1, the user has the Admin role for App1 and the View role for the remaining applications.
If a user is assigned to two custom groups that provide roles for the same application, the rule of least privilege applies.
Example: If you assign a user to a custom group that provides the Rules Admin role for App1, and then assign them to another group that provides the No Access role for App1, the user has No Access to App1 because both roles are specific and No Access is more restrictive than Rules Admin.
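The collision rules above, worked through in code. This is an added example, not Contrast's own implementation; the group names, the `ALL_APPS` marker and the assignment tuple format are constructed for illustration. It resolves each application's effective role by first preferring application-specific assignments over "all applications" assignments, then applying least privilege among assignments of equal specificity, and it also reports which group(s) supply the winning role.

```python
# Added example (not Contrast's code): effective application role under
# the two collision rules described on the page.
#   1. An application-specific assignment overrides an "all applications"
#      assignment, even if the specific role is more permissive.
#   2. Among assignments of equal specificity, the most restrictive wins.
# A user with no applicable assignment has no access to the application.

# Roles ordered from most to least restrictive, as listed on the page.
ROLE_ORDER = ["No Access", "View", "Edit", "Rules Admin", "Admin"]
ALL_APPS = "*"  # constructed marker for a group that covers every application


def most_restrictive(roles):
    """Return the most restrictive role from a non-empty collection."""
    return min(roles, key=ROLE_ORDER.index)


def effective_role(groups, app):
    """Resolve (role, providing_groups) for one application.

    groups: list of (group_name, scope, role); scope is ALL_APPS or an
            application name. providing_groups lists the groups that supply
            the winning role (what the Edit User page shows on hover).
    """
    candidates = [(g, r) for g, scope, r in groups if scope == app]
    if not candidates:  # no specific assignment: fall back to all-apps groups
        candidates = [(g, r) for g, scope, r in groups if scope == ALL_APPS]
    if not candidates:  # no role at all means no access
        return "No Access", []
    role = most_restrictive(r for _, r in candidates)
    return role, [g for g, r in candidates if r == role]


def effective_roles(groups, apps):
    """Map every application to its resolved (role, providing_groups)."""
    return {app: effective_role(groups, app) for app in apps}


if __name__ == "__main__":
    # Constructed assignments mirroring the page's three examples.
    user_a = [("Admin", ALL_APPS, "Admin"), ("Edit", ALL_APPS, "Edit")]
    user_b = [("View", ALL_APPS, "View"), ("App1 Admins", "App1", "Admin")]
    user_c = [("App1 Rules", "App1", "Rules Admin"),
              ("App1 Blocked", "App1", "No Access")]
    for label, groups in [("a", user_a), ("b", user_b), ("c", user_c)]:
        print(label, effective_roles(groups, ["App1", "App2"]))
```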
An administrator can see the level of access assigned to a user and which groups provide that access by going to the Edit User page. Hover over the access indicators for information about the group that provides the existing level of access. For more information, go to the Manage Users article.
Enterprise-on-Premises (EOP) customers with a multi-tenant deployment can give user accounts permission to perform activities across multiple organizations. The designated users can then toggle between many organizations in the user menu.
Cross-organization access allows users to access more than one organization. Within the organizations, you can create a policy regarding all, some or just one application. This gives you greater control in appropriately segmenting applications across various organizations when setting up your instance of Contrast.
User scenario: Each business unit is set up as a separate organization, each with their own applications. The application security team that supports all these business units must have access to all applications in all organizations. These application security users can be assigned to a cross-organizational access group, and they can switch between organizations freely using the organization toggle feature.
EOP users can create groups with cross-organization access control policies in the System Administration view in the UI. Either the SuperAdmin, delegated Admin, or even users assigned to a system group with system administrative privileges, can create, edit and delete organization groups.
Note: Administrators can also configure groups in the Organization Settings page of a given organization. However, this configuration method doesn't allow you to grant the option to traverse across applications.
Administrators (EOP customers only) can add users to the system via the SuperAdmin interface or within an organization. Adding a user to a system group provides them access to the System Administration interface or allows them to perform activities across organizations in cross-organization groups. More commonly, you add users within a single organization with a defined role that determines their application access and privileges.
To get started, go to the Users tab in the Organization Settings page. From there:
There are several roles that an administrator can assign to users within an organization. By default, the user doesn't possess any roles. If no role is assigned to a user for any or all applications, the user has no access to those applications. To learn more about each role, go to the System, Organization and Application Roles article.
Note: API-Only users can access Contrast's REST API, but can't log in to the user interface. Contrast doesn't recommend the creation of administrator API accounts.
Enterprise-on-Premises (EOP) customers can grant SuperAdmin permission to one or more user accounts.
SuperAdmins can grant permission by navigating to the user menu > SuperAdmin > User page. To find the recipient, search for the user by their email, name or organization, or find their name in the grid. Select the user name to go to the Edit User page, where you can update their permission level to SuperAdmin in the System Administration field.
Note: You can quickly identify SuperAdmin users by the key icon by their user name in the grid.
Users are most commonly granted SuperAdmin permission for auditing purposes. A SuperAdmin's primary responsibilities include:
Note: All SuperAdmin activities should come from individual accounts. Sharing an account with multiple users isn't a best practice, and can create issues down the road.
If your administration needs are less about managing the Contrast application, and more about managing end users and agent licenses, you might want to create a System Access Control Group. Users that have been granted the System Administrator role through a System Access Control Group can perform responsibilities including: