Create Organizations

Contrast uses a multi-tenant architecture: a single deployment of the product serves many customers, which may be related to one another or entirely unrelated. Each customer is a tenant, and in Contrast the organization is the tenant. An organization is a group of related users and applications that are associated with each other for a business purpose.

Organizations can be created by the System Administrator (SuperAdmin). All organizations created in Contrast require a unique name as well as an Organization Administrator (OrgAdmin) to oversee the organization. The OrgAdmin can be a new or existing Contrast user.

Add an Organization

To add an organization in the UI, go to the user menu > SuperAdmin > Organizations page. Click the button to Add Organization. In the Add Organization dialog, complete the following fields.

  • Enter the new Organization Name.
  • Use the toggle to enable Protect, if appropriate.
  • In the License Consumption section, use the radio buttons to manually or automatically apply allocated licenses.
  • Use the dropdown menus to choose a Time Zone, and Date and Time formats.
  • Complete the profile information for the OrgAdmin - including their email, name and password - as it should appear in the UI.
  • Check the box to Require Email Activation only if a mail server is configured for the Contrast application. With activation required, the OrgAdmin sets their own password from the activation email rather than using one typed into this dialog; without a mail server, the activation email can never be delivered and the account stays unusable.
  • Click the button to Create the organization.

You may continue to create as many organizations as you need for multi-tenant support.

License Consumption

Organizations are granted licenses by the SuperAdmin for Enterprise-on-Premises (EOP) installations and by the Contrast team for SaaS. A SuperAdmin can designate how an organization's licenses are applied: either users must manually apply allocated licenses, or allocated licenses are applied automatically as new assets (applications and servers) are onboarded.

Allocate licenses

If you're administering an EOP installation, you can allocate both Assess and Protect licenses to specific organizations. (This allows OrgAdmins and users with the proper role to license applications and servers within their organization.)

In the Organizations grid, find the organization and choose Allocate Licenses in the row action menu. Define the number of licenses as well as their expiration dates in the dialog that appears.

Enable Protect

Contrast Protect customers can enable organizations to use Protect after the organization is created and/or licensed. Go to the Organizations page, and use the toggle in the grid to enable or disable coverage. Once Protect is enabled, Contrast asks you to select which users within the organization will receive Protect permissions.

Organization Administration

To view the UI for a particular organization, go to the user menu and select the organization name. For more information, read about how to Manage Organizations.

Create Access Groups

Contrast provides role-based access control (RBAC) capabilities through groups. Administrators can create these groups to provide or restrict system, organization, and application access and privileges to users in Contrast.

Contrast has two types of access control groups: System and Organization. System groups, which are only available to Enterprise-on-Premises (EOP) customers, allow for delegated system administration. Organization groups allow for cross-organization access and application access rules.

System Administration Groups

A system group is a convenient way to manage administrative tasks across users and organizations. Users can belong to many groups; you can configure them with a single role and single organization, a single role with multiple organizations, or multiple roles with multiple organizations.

You can also grant a user access to an organization in which they were not created. When you add a user to a System Administration group that contains one or more organizations outside their default organization, the user then has access to the System Administration UI. The SuperAdmin option in the user menu becomes available to them for managing the organization(s), applications, users and groups associated with the defined organization(s).

Add a new group

To add a new group, go to the user menu > SuperAdmin > Groups page. Choose the button to Add Group and complete the following fields in the configuration dialog.

  • Add a unique string naming the system Group (e.g., "My Company").
  • Select System from the Type menu.
  • In the System Access fields, choose a pairing of one or more organizations and one of the following roles:

    • System: Administrative privileges in the System Administration UI.
    • Observer: View-only privileges in the System Administration UI.
    • No Access: Restricts access to an organization.
  • To add another role and organization(s) pairing, select the link to Add system access.

  • In the Members field, select one or more Contrast users to assign to the group.
  • Once the group information is complete, click the Add button.

The completed group will appear in the Groups grid.

Default Organization Groups

Use an organization group to assign authorized users access to organizations and applications. Contrast provides four default groups within each organization to help you get started. These groups provide access to all applications in the organization with the associated role. That role grants or restricts what the user can do with the application. The four roles are:

  • View: See an application's score, libraries and vulnerabilities, and add comments.
  • Edit: Manage an application's vulnerabilities and basic application functions.
  • Rules Admin: Capability of the Edit role as well as the ability to manage security rules for an application.
  • Admin: Full access to configure an application.

Custom Organization Groups

If you need more granular control, create organization groups in the System Administration interface (available only to EOP customers and System Administrators) for cross-organizational access control. As an Admin for the organization (OrgAdmin), you can also create a group in the Organization Settings page. Groups created in Organization Settings only impact the roles and permissions of the organization in which they are created.

Note: You can also choose to have applications onboarded to a group, which allows you to grant group access to individual applications during the onboarding process.

Add a new group

System Administration

To add a new group as a SuperAdmin, go to the user menu > SuperAdmin > Groups page. Choose the button to Add Group and complete the following fields.

  • Add a unique string for the Group Name (e.g., "My Test Group").
  • From the Type menu, select Organizational.

  • In the Organization menu, select one or more organizations. These organizations will be associated with one or more roles.

  • Choose an Organization Role from the dropdown menu. (The Edit role is appropriate for most Contrast users.)

  • In the Application Access fields, choose a pairing of one or more application(s) and one role.
    • Click Add Access link to define separate application and role assignment(s).
  • In the Members field, select one or more Contrast users to assign to the group.

Example: In the first line of the Application Access section, add access to App1 and App2 with the "Admin" role. Click the link to Add access to App3 and App4 with the role "Edit" on the next line. Therefore, the group provides the "Admin" role for App1 and App2, but the "Edit" role for App3 and App4, to the Contrast users that you designated in the Members field.

  • Once the group information is complete, click the Add button.

The completed group will appear in the Groups grid.

Organization Settings

To add a new group as an OrgAdmin, go to the user menu > Organization Settings > Groups tab. Select the button to Add Group and complete the following fields.

  • Add a unique string for the Group Name (e.g., "My Org").
  • In the Application Access fields, choose a pairing of one or more application(s) and a role. (See the Example above.)
    • Click Add Access link to define separate application and role assignment(s) in a separate line.
  • In the Members field, select one or more Contrast users to assign to the group.
  • Once the group information is complete, click the Add button.

The completed group will appear in the Groups grid.

Create Users

System and Organization Administrators can create users individually, in groups, or through Microsoft Active Directory (AD) or LDAP integrations. All users are required to have a default organization and a default role within that organization.

Note: Verify the Roles that you want to assign to users so that they have the appropriate level of functionality.

You may decide to designate an Application Access Group, which defines more administrative functionality or greater access restrictions for the users for specific applications.

System Settings

As an Enterprise-on-Premises (EOP) customer, you can delegate users to perform system administration functions across organizations - such as managing users, groups, applications, licenses, API keys and security policies - if you created multiple organizations in Contrast as part of a multi-tenant deployment. See Granting and Revoking SuperAdmin Permissions to get started.

To create users as a System Administrator, go to the User menu and choose SuperAdmin in the Use Contrast Security as section. Select the Users page in the top navigation.

Individual users

To add a single user, complete the following steps.

  • Click the button above the grid to Add User.
  • Enter the user's First Name, Last Name and Email Address in the provided fields.
  • Check the box if you want to Require email activation instead of requiring a password.
  • Choose which of the System Roles should apply to the user in the dropdown menu. The default is None.
  • Choose the Organization to which the user belongs.
  • Choose the default Organization Role in the dropdown menu as well as an Application Access Group in the multiselect field.
  • Choose the Date Format, Time Format and Time Zone in the dropdown menus.
  • The box to Use Organization Settings is checked by default. Uncheck it to override the organization's settings for this user: you can then disable UI access with the Access toggle, or check the box to make the user API only.
  • Use the toggle to enable Protect access for the user. The toggle is off by default.
  • Click the Add button to save the information and create the user.

Multiple users

To bulk add users, click the upload icon above the grid in the Users page to import a spreadsheet with the users' information. The spreadsheet must be CSV format, and include the following fields for each user. All field headings and values in the spreadsheet must be formatted as shown.

Required information

The following fields must be included in the spreadsheet. See the Templates section to download spreadsheets in CSV format.

  • First Name
  • Last Name
  • Email or Username
    See the Authentication section below for more requirements.
  • Organization UUID
  • Organization Role
    Values can be "View", "Edit", "Rules_admin" or "Admin".

Note: Find the Organization UUID in the Contrast UI by impersonating the appropriate organization, and then going to Organization Settings > Organization tab > General Information section.

Optional information

To include the following fields in the spreadsheet, add a new column and value(s) for each as written below.

  • Email Activation
    If the value is "None", the default "Required Password" applies.
  • System Administration
    The default value is "Off".
  • Groups
    Values can be "View", "Edit", "Rules Admin", "Admin" or custom group names. Format multiple group names as "GroupA&&GroupB&&GroupC".
  • Date Format
    The default value is the organization setting, such as "MM/dd/YYYY".
  • Time Format
    The default value is the organization setting, such as "hh:mm a".
  • Timezone
    The default value is the organization time zone.
  • Access
    The default value is "On".
  • API only
    The default value is "Off".
  • Protect
    The default value is "Off".

Authentication methods

For users who have HTTP Header, LDAP or AD authentication configured, you must use the field heading Username instead of Email in the spreadsheet. (If using the provided CSV template, you must replace the Email field heading with Username.) The username values entered in the spreadsheet and the authentication configuration must match exactly.

Templates

Download CSV templates directly from the Contrast UI by hovering over the upload icon and clicking the link in the tooltip.

Upload progress

Once the spreadsheet upload is in progress, you can leave the page and continue with other tasks in Contrast. If the upload is successful, you'll see a confirmation message in the UI that includes the number of users uploaded. If the upload failed, you'll see an error message that includes the source of the error in the spreadsheet.

Organization Settings

To create users as an Organization Administrator, go to the User menu > Organization Settings > Users tab.

Individual users

To add a single user, complete the following steps.

  • Click the button to Add User above the grid.
  • Enter the user's First Name, Last Name and Email Address in the provided fields.
  • Choose the user's Organization Role in the dropdown menu.
  • Select an Application Access Group to which to add the user in the dropdown menu, if desired.
  • Choose Date Format, Time Format and Time Zone settings in the dropdown menus.
  • If you want to disable the user's access to your organization in the Contrast UI, use the Access toggle. (The user has access by default.)
  • Check the box if you want the user to have API Only access.
    (The user will have access to Contrast's REST API, but won't have access to the Contrast UI.)
  • Use the toggle to enable Protect access for the user. The toggle is off by default.
  • Click the Add button to save the information and create the user.

Multiple users

To bulk add users, click the upload icon above the grid in the Users page to import a spreadsheet with the users' information. The spreadsheet must be CSV format, and include the following fields for each user. All field headings and values in the spreadsheet must be formatted as shown.

Required information

The following fields must be included in the spreadsheet. See the Templates section to download spreadsheets in CSV format.

  • First Name
  • Last Name
  • Email or Username
    See the Authentication section below for more requirements.
  • Organization Role
    Values can be "View", "Edit", "Rules_admin" or "Admin".

Optional information

To include the following fields in the spreadsheet, add a new column and value(s) for each as written below.

  • Groups
    Values can be "View", "Edit", "Rules Admin", "Admin" or custom group names. Format multiple group names as "GroupA&&GroupB&&GroupC".
  • Date Format
    The default value is the organization setting, such as "MM/dd/YYYY".
  • Time Format
    The default value is the organization setting, such as "hh:mm a".
  • Timezone
    The default value is the organization time zone.
  • API only
    The default value is "Off".
  • Access
    The default value is "On".
  • Protect
    The default value is "Off".

Authentication methods

For users who have HTTP Header, LDAP or AD authentication configured, you must use the field heading Username instead of Email in the spreadsheet. (If using the provided CSV template, you must replace the Email field heading with Username.) The username values entered in the spreadsheet and the authentication configuration must match exactly.
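Bulk uploads fail on the details the two spreadsheet specifications above are strict about: exact column headings, the exact role spellings ("Rules_admin" for the role but "Rules Admin" for the default group), the "&&" group separator, Username instead of Email for HTTP Header, LDAP or AD users, and the Organization UUID column that only the SuperAdmin upload takes. The following script is an added example, not part of Contrast's product or documentation, that checks a sheet against those rules before you upload it. It assumes that the On/Off columns accept only "On" and "Off" (the page states only the defaults), that the Organization UUID is a standard UUID string, and that a bare "@" check is enough sanity for the Email column; it also flags columns the page does not list, which is a local hygiene check rather than documented upload behaviour. The sample rows are constructed.

```python
import csv
import io
import uuid

# Column headings and values exactly as the upload spec lists them; the
# upload is case-sensitive, so "Rules_admin" (a role value) and
# "Rules Admin" (a default group name) are deliberately different strings.
REQUIRED_COMMON = ("First Name", "Last Name", "Organization Role")
ORG_ROLES = {"View", "Edit", "Rules_admin", "Admin"}
GROUP_SEP = "&&"
# Columns the organization-level (OrgAdmin) upload does not accept.
SYSTEM_ONLY = {"Email Activation", "System Administration", "Organization UUID"}
# Columns whose documented default is "On"/"Off"; assumption: those are the
# only accepted values (the page states only the defaults).
ON_OFF = {"System Administration", "Access", "API only", "Protect"}
OPTIONAL = ON_OFF | {"Email Activation", "Groups", "Date Format", "Time Format", "Timezone"}


def validate_user_csv(text, scope="system", external_auth=False):
    """Check a bulk-user sheet before upload.

    scope: "system" (SuperAdmin upload, needs Organization UUID) or "organization".
    external_auth: True when users sign in via HTTP Header, LDAP or AD, which
    requires a Username column in place of Email.
    Returns a list of problem strings; an empty list means the sheet is clean.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    headers = list(reader.fieldnames or [])

    identity = "Username" if external_auth else "Email"
    required = set(REQUIRED_COMMON) | {identity}
    if scope == "system":
        required.add("Organization UUID")
    allowed = required | OPTIONAL
    if scope != "system":
        allowed -= SYSTEM_ONLY

    for col in sorted(required - set(headers)):
        problems.append(f"header: required column {col!r} is missing")
    for col in sorted(set(headers) - allowed):
        if col in ("Email", "Username"):
            problems.append(f"header: {col!r} must be {identity!r} for this authentication method")
        else:
            problems.append(f"header: column {col!r} is not accepted by the {scope} upload")
    if problems:
        return problems  # row checks are meaningless with the wrong headers

    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        def bad(msg):
            problems.append(f"line {line_no}: {msg}")

        for col in sorted(required):
            if not (row.get(col) or "").strip():
                bad(f"required field {col!r} is empty")

        role = row.get("Organization Role") or ""
        if role and role not in ORG_ROLES:
            bad(f"Organization Role {role!r} is not one of {sorted(ORG_ROLES)}")

        ident = row.get(identity) or ""
        if ident != ident.strip():
            # A Username must match the directory value exactly; stray spaces break that.
            bad(f"{identity} {ident!r} has leading or trailing whitespace")
        if identity == "Email" and ident and "@" not in ident:
            bad(f"Email {ident!r} does not look like an address")  # assumption: minimal check

        org = row.get("Organization UUID") or ""
        if org:
            try:
                uuid.UUID(org)  # assumption: the page's "UUID" is a standard UUID string
            except ValueError:
                bad(f"Organization UUID {org!r} is not a UUID")

        groups = row.get("Groups") or ""
        if groups and any(not g.strip() for g in groups.split(GROUP_SEP)):
            bad(f"Groups {groups!r} has an empty name; use GroupA{GROUP_SEP}GroupB")

        for col in ON_OFF & set(headers):
            value = row.get(col) or ""
            if value and value not in ("On", "Off"):
                bad(f"{col} must be On or Off, not {value!r}")
    return problems


# Constructed sample sheets (not real users; the UUID is made up).
GOOD_SYSTEM_SHEET = """First Name,Last Name,Email,Organization UUID,Organization Role,Groups,Protect
Ada,Lovelace,ada@example.com,1b4e28ba-2fa1-11d2-883f-0016d3cca427,Edit,Rules Admin&&Payments Team,On
"""
BAD_SYSTEM_SHEET = """First Name,Last Name,Email,Organization UUID,Organization Role,Groups,Protect
Grace,Hopper,grace@example.com,not-a-uuid,Rules Admin,GroupA&&,yes
"""
# An OrgAdmin sheet for LDAP users that still carries the Email heading.
LDAP_ORG_SHEET = """First Name,Last Name,Email,Organization Role
Linus,Torvalds,ltorvalds,View
"""

if __name__ == "__main__":
    for name, sheet, kwargs in [
        ("good", GOOD_SYSTEM_SHEET, {}),
        ("bad", BAD_SYSTEM_SHEET, {}),
        ("ldap", LDAP_ORG_SHEET, {"scope": "organization", "external_auth": True}),
    ]:
        print(name, validate_user_csv(sheet, **kwargs) or "OK")
```

Run it on the three sheets: the first passes, the second reports the misspelled role, the bad UUID, the trailing empty group name and the non-On/Off Protect value on line 2, and the third is rejected at the header stage because an LDAP sheet needs a Username column. Renaming that column to Username makes the sheet valid for the organization upload but still invalid for the system upload, which wants the Organization UUID column as well.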

Templates

Download CSV-formatted templates directly from the Contrast UI by hovering over the upload icon and clicking the link in the tooltip.

Upload progress

Once the spreadsheet upload is in progress, you can leave the page and continue with other tasks in Contrast. If the upload is successful, Contrast shows you a confirmation message with the number of users uploaded. If the upload failed, Contrast shows you an error message with the source of the error on the spreadsheet.

User Status

Once added, each user's status is displayed on the main Users page so that you can see who's awaiting activation, active or inactive, or locked out of their account based on a security policy. For more information about user administration, read how to Manage Users.