
Authorization troubleshooting for access control (Preview; hosted customers only)

You can retrieve a user's role-based access control permissions by using the Contrast API. This information can help you diagnose authorization issues.

Note

Role-based access control is supported for hosted customers only and is in preview mode. If you want to be an early adopter, contact Contrast support.

Authorization for access control

Authorization for access control determines the actions a user can take on a specific resource. If a user receives a 403 (Forbidden) response, Contrast access control has determined that the user does not have sufficient permissions to perform the requested operation. Access control considers these elements during authorization:

  • User: The person performing a request.

  • Action: The operation you want to perform. For example, viewing, editing, or managing.

  • Resource: The resource that access control protects from unauthorized access. For example, applications, Scan projects, serverless functions, user access groups, resource groups, and roles.

Access control: troubleshooting steps

  1. Verify the user exists.

    1. In the Contrast web interface, under Organization settings, select Access control.

    2. In the Users tab, search for the user.

    3. If the user exists, go to the next step. Otherwise, add the user.

  2. Check the user permissions.

    1. In the User access groups tab, edit the group assigned to the user and note the roles that the group provides to its assigned users.

    2. In the Roles tab, edit the role assigned to the user and note the resource groups and actions assigned to this role.

    3. In the Resource group tab, edit the resource group assigned to the user and note the resources assigned to the group.

    4. If the user is assigned the correct roles and resources, go to the next step. Otherwise, update the user settings.

  3. Check effective user permissions.

    The Contrast web interface shows what the user permissions should be; however, the Contrast API returns the effective user permissions more directly, such as:

    • Resources (applications, Scan projects, and functions) that the user can access.

    • The actions assigned to the user.

    • The role, user access group, and resource group combination that provides the user permissions.

    The Access control queries topic provides examples of how to use the Contrast API to check user settings and permissions.

    If the user settings and permissions look correct, contact Contrast support for additional help. Otherwise, update the user settings and permissions.
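The following is an added example, not Contrast code and not the Contrast API: it models the chain described in steps 2 and 3 (user access group, role, resource group, resource) as plain data and resolves a user's effective permissions, reporting either the grant path or why a 403 would be returned. All users, groups, roles and resources are constructed for illustration.

```python
# Constructed model of the chain this page describes: a user access group assigns
# roles to its members; a role grants actions on the resources in its resource
# groups. Names, roles and resources below are made up; this is not the Contrast API.

def effective_permissions(directory, user):
    """Map (resource, action) -> list of (access group, role, resource group) grant paths."""
    grants = {}
    for group, members in directory["group_members"].items():
        if user not in members:
            continue
        for role_name in directory["group_roles"].get(group, ()):
            actions, resource_groups = directory["roles"][role_name]
            for rg in resource_groups:
                for resource in directory["resource_groups"].get(rg, ()):
                    for action in actions:
                        grants.setdefault((resource, action), []).append((group, role_name, rg))
    return grants

def authorize(directory, user, action, resource):
    """Return (allowed, detail): the grant path on success, or the reason for a 403."""
    if user not in directory["users"]:
        return False, "user does not exist (troubleshooting step 1)"
    grants = effective_permissions(directory, user)
    paths = grants.get((resource, action))
    if paths:
        return True, paths[0]
    if not any(res == resource for res, _ in grants):
        return False, f"no role assigned to {user} covers a resource group containing {resource}"
    return False, f"{user} can reach {resource} but no assigned role grants the {action} action"

# Constructed sample directory: what step 2 of the procedure would show, as data.
DIRECTORY = {
    "users": {"alice", "bob"},
    "group_members": {"AppSec": {"alice"}, "Scanners": {"bob"}},
    "group_roles": {"AppSec": {"app-editor"}, "Scanners": {"scan-viewer"}},
    # role -> (actions, resource groups)
    "roles": {"app-editor": ({"view", "edit"}, {"web-apps"}),
              "scan-viewer": ({"view"}, {"scan-projects"})},
    "resource_groups": {"web-apps": {"app:storefront"}, "scan-projects": {"scan:api"}},
}

if __name__ == "__main__":
    for user, action, resource in [("alice", "edit", "app:storefront"),
                                   ("alice", "manage", "app:storefront"),
                                   ("bob", "view", "app:storefront"),
                                   ("carol", "view", "scan:api")]:
        allowed, detail = authorize(DIRECTORY, user, action, resource)
        print(f"{user} {action} {resource}: {'allowed' if allowed else '403'} -> {detail}")
```

Comparing the grant paths this resolver prints with what the API reports for a real user shows which link in the chain (group membership, role assignment, or resource group contents) is missing.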