Qualys Getting Web Application started guide

Getting started guide for vulnerability management for Web Applications.

QUALYSGUARD® WAS 2.3 GETTING STARTED GUIDE
July 20, 2012
Verity Confidential
Copyright 2011-2012 by Qualys, Inc. All Rights Reserved.
Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.

Qualys, Inc.
1600 Bridge Parkway
Redwood Shores, CA 94065
1 (650) 801 6100
Table of Contents

Welcome to WAS v2 ............ 4
  QualysGuard WAS v2 Features ............ 4
  About the New Platform: Benefits for Users ............ 5
Let’s Begin ............ 6
  Access WAS ............ 6
  Add New Web Application ............ 7
  Launch Discovery Scan ............ 8
  View Discovery Scan Results ............ 10
  Launch Vulnerability Scan ............ 13
  View Vulnerability Scan Results ............ 15
  Create Schedules ............ 17
Your Dashboard ............ 18
Reporting ............ 20
  Available Reports ............ 21
  Generating a Report ............ 21
  Sample Scan Report ............ 22
Using Tags ............ 24
  Tags You Start With ............ 24
  Create a New Tag ............ 25
  Assign a Tag to a Web Application ............ 26
  Assign a Tag to a Report ............ 27
  Assign a Tag to a User ............ 27
User Accounts ............ 28
  Overview ............ 28
  Assigned User Roles ............ 30
  Assigned Scopes ............ 30
  Edit User Roles and Scopes ............ 31
Contact Support ............ 32
Welcome to WAS v2

QualysGuard® Web Application Scanning (WAS) enables organizations to assess, track and remediate web application vulnerabilities. Delivered on demand, the service allows users to:
• Crawl web applications and scan them for vulnerabilities
• Identify web applications’ handling of sensitive or secret data
• Customization: authentication, black/white lists, robots.txt, sitemap.xml and more
• View reports with recommended security coding practice and configuration

QualysGuard WAS v2 provides several major enhancements to help customers catalog their web applications on a global scale and scan them for vulnerabilities that can lead to exploitation. The new release, delivered via the QualysGuard Cloud Platform and its new Java-based backend, comes with a new Web User Interface (UI) that raises the bar in terms of ease-of-use, flexible reporting and automation of scanning tasks.

Web Application Scanning Lifecycle
The web application scanning lifecycle assists users with managing security and compliance through web application creation, scanning, reporting and remediation.

QualysGuard WAS v2 Features
Major features in QualysGuard WAS v2 include:
• Cataloging and scanning of web applications in the enterprise (Intranet, Internet)
• Fully interactive UI with flexible workflows and reporting
• Supports scanning HTML web applications with JavaScript and embedded Flash
QualysGuard WAS Getting Started Guide

• Comprehensive detection of custom web application vulnerabilities including:
  – OWASP Top 10 Vulnerabilities: SQL injection, cross-site scripting (XSS), source disclosure, directory traversal
  – Checks web applications’ handling of sensitive or secret data
  – Reports on recommended secure coding practice and configuration
  – Differentiates exploitable fault-injection problems from simple information disclosure
• Customizable scanning options
  – Customized crawling using Black/White lists, Robots.txt and Sitemap.xml files
  – Supports common authentication schemes
  – Performs brute force attacks using pre-defined and custom password lists
  – Profiles custom web application behaviors
  – Configures scanning performance with customizable performance level

About the New Platform: Benefits for Users
New technologies implemented in the new Java-based backend offer many benefits for users:
• New UI with dynamic and interactive interfaces, wizards and new report templates to present scan data with a wide range of presentation options to match users’ needs.
• New customizable template-driven reporting engine outputs reports in a variety of formats (html, pdf, encrypted pdf, xls, doc and ppt) based on users’ criteria.
• Fast searching of several extensive Qualys data sets, including scan results, asset data, scan profiles, users and vulnerabilities.
• Hierarchical dynamic asset tagging and role-based user access.
• Dynamic distribution of scans on multiple scanners based on availability and load to optimize scanning of large networks, drastically reducing the overall scan time required to complete large scan jobs.
Let’s Begin

Welcome to WAS v2. As you are getting started we recommend you first review the WAS features and become familiar with the user interface.

Access WAS
You can access the WAS application from within your QualysGuard Suite account. Click the application picker at the top of the window and then select the WAS application.

Your WAS dashboard will be blank until you (or another user) adds a web application and scans are completed in your account. Security status will appear after scans are completed.
Add New Web Application
Use the wizard to add your first web application.

1. Application details
Enter the starting URL (required) and specify the crawling scope for scanning the web application. Assign tags to the web application so you can grant users access to it.

2. Scan settings
Define scan settings (optional):
a.) Default option profile. An option profile is a set of scan options. The service provides the profile “Initial WAS Options” to help you get started. If you select this profile as the default, it is applied to scans automatically.
b.) Default scanner appliance. Select cloud scanner for external scanning or a scanner appliance for internal scanning.
c.) Whether to observe robots.txt and sitemap.xml, and whether to use header injection.

3. Crawl Settings
Upload Selenium scripts to configure crawling (optional). Each script has recorded paths through the application that you want the scanning engine to crawl in addition to the standard crawling performed by the service. This enables the service to crawl complex workflows, such as selecting user input combinations that require certain knowledge and/or user interaction.

Turn help tips on in the title bar and get help for each setting while walking through the wizard. As you mouse over each field name, help tips appear in a yellow bubble.

4. Authentication
Supply authentication credentials if authenticated scanning will be used (optional). You can define both form and server authentication records. Form and Server authentication is supported.

5. Crawl exclusion lists
Add black & white lists as appropriate (optional).

6. Comments
Add comments to be saved with the web application (optional).
After you add a web application it appears in the Web Application Management section. From here you can edit the web application or launch a scan on it.

Warning about Scans and their Potential Impact: Web application scans submit forms with test data. If this is not desired you should add configurations for black lists, POST data black lists, and/or select the GET only method within the option profile. Keep in mind that when these configurations are used, testing of certain areas of the web application is not included and any vulnerabilities that exist in these areas may not be detected.

Launch Discovery Scan
We recommend that you start by running a discovery scan. A discovery scan finds information about your web application without performing vulnerability testing. This is a good way to understand where the scan will go and whether there are URIs you should blacklist for vulnerability scans.

Select Web Applications (on the top menu). Click the Web Applications tab and then select New scan > Discovery Scan.

What is the web application catalog?
The Catalog is the staging area for web applications you can choose to add to your subscription. Catalog entries are web applications that have been processed from completed maps and vulnerability scans in your account.

What are maps?
You can create maps using the VM application. A map provides full information on your domains (DNS records and topology) and identifies active hosts located in your Internet/Intranet perimeter, depending on the map request. As new maps are completed in your account, they will appear on the Web Applications > Maps tab (note there may be a short lag time). You can process maps to add newly discovered web applications to your catalog.
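The guide's advice is to review the links a discovery scan reports, decide which URIs to black-list, and let the crawl scope, white/black lists and robots.txt bound what a vulnerability scan will submit forms to. The following is an added example of such a crawl-scope review, not code from Qualys or the WAS engine; `CrawlPolicy`, its precedence rules (scope, then black list, then white list, then robots.txt), the `was-crawler` user-agent string and all sample links and robots.txt content are constructed assumptions.

```python
import re
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser


class CrawlPolicy:
    """Decide whether a discovered URL should be crawled (hypothetical policy,
    not Qualys WAS's own engine). Assumed semantics:
      1. Scope: same scheme and host as the starting URL, path under its directory.
      2. Black list: any matching regex excludes the URL (logout, delete actions, ...).
      3. White list: if non-empty, only URLs matching one entry are crawled.
      4. robots.txt: when observed, a Disallow for our user agent excludes the URL.
    """

    def __init__(self, start_url, black_list=(), white_list=(),
                 robots_txt=None, observe_robots=True, user_agent="was-crawler"):
        self.start = urlparse(start_url)
        path = self.start.path or "/"
        self.base_path = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
        self.black = [re.compile(p) for p in black_list]
        self.white = [re.compile(p) for p in white_list]
        self.user_agent = user_agent
        self.robots = None
        if observe_robots and robots_txt is not None:
            self.robots = RobotFileParser()
            self.robots.parse(robots_txt.splitlines())

    def decide(self, url):
        """Return (crawl, reason) so each exclusion can be reviewed before a vulnerability scan."""
        u = urlparse(url)
        if (u.scheme, u.netloc) != (self.start.scheme, self.start.netloc):
            return False, "out of scope: different host"
        if not (u.path or "/").startswith(self.base_path):
            return False, "out of scope: outside starting directory"
        for pat in self.black:
            if pat.search(url):
                return False, "black list: " + pat.pattern
        if self.white and not any(p.search(url) for p in self.white):
            return False, "not on white list"
        if self.robots is not None and not self.robots.can_fetch(self.user_agent, url):
            return False, "disallowed by robots.txt"
        return True, "crawl"


# Constructed sample inputs: a robots.txt and links a discovery scan might report.
ROBOTS_TXT = """User-agent: *
Disallow: /app/admin/
Disallow: /app/export
"""

DISCOVERED_LINKS = [
    "https://shop.example.com/app/catalog?id=7",
    "https://shop.example.com/app/account/logout",
    "https://shop.example.com/app/orders?id=12&action=delete",
    "https://shop.example.com/app/admin/users",
    "https://cdn.example.net/static/app.js",
    "https://shop.example.com/other/index.html",
]


def build_example_policy():
    # State-changing endpoints go on the black list so the scanner's form
    # submissions cannot log the test session out or delete data.
    return CrawlPolicy(
        "https://shop.example.com/app/",
        black_list=[r"/logout\b", r"[?&]action=delete\b"],
        robots_txt=ROBOTS_TXT,
    )


def triage(policy, links):
    """Map each discovered link to its (crawl, reason) decision."""
    return {link: policy.decide(link) for link in links}


def excluded(policy, links):
    """Links the vulnerability scan would skip, grouped by reason, for review."""
    groups = {}
    for link, (crawl, reason) in triage(policy, links).items():
        if not crawl:
            groups.setdefault(reason, []).append(link)
    return groups


if __name__ == "__main__":
    for link, (crawl, reason) in triage(build_example_policy(), DISCOVERED_LINKS).items():
        print(("CRAWL  " if crawl else "SKIP   ") + link + "  (" + reason + ")")
```

The `excluded` grouping is the list to compare against the scan's Links Crawled output: anything skipped for a reason you did not intend is a gap in coverage, exactly the trade-off the warning above describes.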
Use the launch scan wizard to specify the scan settings.

1. Target
A scan name is provided and you can enter a custom one. For Web Application, you must select a web application in your account. For Authentication Record, select a record defined for the selected web application (includes form and/or server credentials) if authentication is required for scanning. If the web application has defaults, these appear for Option Profile and Scanner Appliance. If there are no defaults, you must make selections.

What is an option profile?
An option profile is a set of scan configuration options. We recommend “Initial WAS Options” to get started. Editing options in the profile allows you to customize crawling and to use password bruteforcing.

What is a scanner appliance?
The service provides cloud scanners for external scanning on the network perimeter, and scanner appliances for scanning the internal network.

2. Review and Confirm
Review your settings. If you want to make changes, click Previous. When you’re ready to launch the scan, click Finish.
Monitor Status
Your scan appears in the scan list where you can view its status. The status “Running” indicates the scan is in progress. You can cancel a running scan at any time. To do this click to select the scan and then select Actions > Cancel.

View Discovery Scan Results
When the scan is completed, the scan status changes from Running to Finished. There are multiple ways to view discovery scan results.

WAS Scan View
Double click the finished discovery scan in the scan list to display the scan view.

Overview
Shows the scan findings and graphs depicting the total number of sensitive content and information gathered found by the scan. Information gathered identifies information gathered during the scan process, such as links crawled, the external links discovered, external form actions discovered, host information, and scan diagnostics. Click the View Report button to launch an interactive scan results report.
Scan details
Shows basic information including the date and time of the scan, type (in this case discovery), the web application name, the virtual host and the option profile.

Scan Settings
Shows the various scan options selected for the scan: crawling settings, detection scope, sensitive content search and password bruteforcing.
Scan Results Report
Select the finished discovery scan in the scan list to display a preview of the scan results below the list area. Click View Report in the preview to launch the interactive scan results report. You can view the report online, change its settings to update it and then save it to multiple formats.

The Results section shows the scan findings. Each QID represents a security check from the KnowledgeBase. The Severity column indicates the level of severity: minimal, medium and serious.

While viewing the report, be sure to check QID 150009 Links Crawled and QID 150021 Scan Diagnostics. Click a QID row to view details in the preview.

See User Accounts for more information.
Launch Vulnerability Scan
A vulnerability scan performs vulnerability checks and information gathered checks. Vulnerability checks may include: cross-site vulnerability checks (persistent, reflected, header, browser-specific) and SQL injection vulnerabilities (regular and blind). Sensitive content checks may include: Social Security number - US Format, credit card numbers and custom defined.

Select Scans on the top menu. Click the Scan List tab and then select New scan > Vulnerability Scan.

1. Target
The target for a vulnerability scan is the same as for a discovery scan. These configuration settings are required: Option Profile and Scanner Appliance. The settings will be pre-populated with defaults defined for the web application. If there are no defaults, you must make selections.

What is an option profile?
An option profile is a set of scan configuration options. We recommend “Initial WAS Options” to get started. Using this profile, all vulnerabilities in the KnowledgeBase will be tested during the scan. Editing options in the profile allows you to customize crawling, restrict scanning to specific vulnerabilities (using search lists), and to use password bruteforcing.

What is a scanner appliance?
The service provides cloud scanners for external scanning on the network perimeter, and scanner appliances for scanning the internal network.
2. Review and Confirm
Review your settings. If you want to make changes, click Previous. When you’re ready to launch the scan, click Finish.

Taking Actions
To take actions on multiple scans, select the scans then select from the Actions menu above the list area. To take actions on a specific scan, mouse over the name of the scan and click the expander icon to display the Quick Actions menu.
View Vulnerability Scan Results
There are multiple ways to view vulnerability scan results.

Scan Preview
Select the finished vulnerability scan in the scan list to display a preview of the scan results below the list area.

WAS Scan View
To view the results of a completed vulnerability scan, double click the scan.

Overview
This section displays a scan summary and graphs showing the results. The first graph shows the total number of vulnerabilities, sensitive content, and information gathered found. The second graph shows the number of vulnerabilities for each threat level. Click the View Report button to launch a scan report.
The vulnerability checks (QIDs) performed by the service for a web application scan are listed in the KnowledgeBase. The KnowledgeBase is constantly updated by the service as new security information becomes available. To view the KnowledgeBase, click KnowledgeBase on the top menu.

Vulnerability checks (in Red) include OWASP Top 10 Vulnerabilities: SQL injection, cross-site scripting (XSS), source disclosure and directory traversal.

Information gathered checks (in Blue) identify information gathered during the scan process. This includes information about the web application and about the scan process itself.

Red vulnerability severity levels 1-5: minimal, medium, serious, critical, urgent
Blue information gathered severity levels 1-3: minimal, medium, serious

Scan Results Report
Below is an example of the Results tab of the scan report for a vulnerability scan. All detected vulnerabilities are displayed. Click a vulnerability row to view the Details pane below the list area.
Create Schedules
The Schedules section is where you manage scheduled scans to run at a future time or on a recurring basis - daily, weekly, monthly or one time only. You can deactivate schedules. This provides you with a way to suspend scheduled scanning for periods such as maintenance or holiday season blackout periods. Also you can download schedules in iCalendar format and then import them to your favorite calendar application, like Microsoft Outlook, Google Calendar and Apple iCal.

Select Scans on the top menu and then click the Schedules tab.
Your Dashboard

To go to the dashboard, select Dashboard from the top menu. The dashboard helps you understand the overall security status of your web applications and provides an interactive way to take actions within your account. The dashboard shows current vulnerability counts based on the most recent scan results on all your web applications.

1 Current vulnerability counts based on the most recent scan results on all your web applications. See Vulnerability Counts.
2 Most Vulnerable Web Applications. Shows the most vulnerable web applications according to current scan data. Click “View all” to go to Web Application Management.
3 Catalog. Displays a chart showing the number of web applications in your network by status. Click “View all” to go to the catalog list.
4 Your Last Scans. Shows the most recently completed scans. Mouse over the Scan Date to view complete date and time information. Click “View all” to go to Scan Management.
5 Your Upcoming Scans. Shows your current scan schedules. Click a scheduled scan to open the schedule in the wizard. Click “View all” to go to the schedules list.
6 Latest Reports. Shows a list of your latest saved reports. Click to view and download reports. Click “View all” to go to Report Management where you can view the Report List and generate new reports.
Vulnerability Counts
All Vulnerabilities shows the total number of current vulnerabilities. High Severity shows the total current vulnerabilities assigned severity levels 4 and 5, Med Severity shows the total current vulnerabilities assigned severity level 3, and Low Severity shows the total current vulnerabilities assigned severity levels 1 and 2. Current vulnerability counts are refreshed as web application scans are completed.
Reporting

Several reports are available to report on web applications and scan results in your account. To manage web application reports, select Reports to go to Report Management. This is where you view your report history, generate new reports, and download reports.

1 Menu Bar. Launch new reports, save and download reports or delete selected reports.
2 List Area. View your report history. Click column headings to sort reports by name, format, type, status and generation date. Mouse over a report to take quick actions.
3 Preview Pane. Select one report and view it in the preview pane below the list. Use the actions menu in the preview pane to download or delete the selected report.
4 Search and filter your results. Search and apply filters to quickly find reports you’re looking for.
Available Reports
All WAS reports are interactive. Interactive reports are reports you can generate online. You can change the report parameters and settings and see results instantly. This enables you to view your data in various ways. You can save reports and download them in multiple formats.

Scan Report. The Scan Report identifies vulnerabilities and sensitive content detected by a scan. You select a particular scan task to report on.

Web Application Report. The Web Application Report identifies vulnerabilities and sensitive content detected by the most recent scan of a selected web application. This report allows you to keep changing the report settings to get different views of your web application scan data.

Scorecard Report. The Scorecard Report is provided by the service for reporting on web application scan data for different business groups and functions. You may run the scorecard report with its predefined report settings and/or user-defined scorecard reports with customized settings. A scorecard report identifies the vulnerabilities and sensitive contents detected for one or more target web applications. The scorecard report includes the most recent scan data for the target web applications.

Catalog Report. The Catalog Report provides a listing of catalog entries that match your report criteria. You can report on entries added during a specific time period and select a catalog entry status to include in the report: New, Rogue, Approved, Ignored or Subscription.

Generating a Report
Select Reports on the top menu to go to Report Management. Then select New report from the menu above the list area or click the + button.

Define your new report
Report type. Select a report type from the menu provided.
Information source. The information source depends on the report type. For example, for a scan report, you’ll select a scan from the scans list.
Click Create to launch the report. Your report will appear on its own tab within Report Management.
Sample Scan Report
Below is a sample scan report (figure panels: Summary; Vulnerabilities by Group / Level; Vulnerability by OWASP / WASC Threats).
Results
The Results tab of the scan report includes each vulnerability (QID) detected along with its description. Click a vulnerability row to view the impact, payload and result in the Details pane below the QID list.
Using Tags

Tags are keywords that you assign to objects in your subscription. Business units have unique tags and you can apply tags to users, web applications, option profiles, search lists and scanner appliances. You can link tags together in a hierarchy to organize objects. For example a business unit tag may have child tags assigned to groups of objects that belong to that business unit. Users assigned to that business unit will have access to those objects.

Tags You Start With
The service creates a tag for each asset group and business unit in your subscription. These tags are automatically assigned to users’ scopes (in user settings in the Roles and Scopes section) so that users continue to have the same access they had before.

One “Asset Group” tag is created for each asset group in the subscription. When you have the asset group tag in your scope that means you have access to all assets in the group, including IP addresses, domains and scanner appliances.

A “Business Unit” tag is created for each business unit in the subscription. For example, if you had a business unit called “EU Datacenter” you will have a tag called “EU Datacenter” on the new portal platform. All users in the business unit will have this tag assigned to them automatically.

An “Unassigned Business Unit” tag is created for every subscription and represents the “Unassigned” business unit. All users who were not in a business unit, including all Managers and Auditors, are assigned the “Unassigned Business Unit” tag automatically. Asset groups and objects created by users outside of a business unit are also given the “Unassigned Business Unit” tag.
Create a New Tag
You can create new tags for any number of purposes. For example, you may want to make a specific set of assets available to users in a particular business unit.

Select Configuration from the top menu, click the Tag Management tab and then select New Tag.

Tag details
Enter a name for the tag and, optionally, select a color. You can keep the tag at the root level or nest it by selecting a parent tag. The new tag in this example is for the NW Data Center, so we’re selecting the NW Operations tag under Business Units as the parent tag. All users in the NW Operations business unit will have access to the assets assigned the new NW Data Center tag.

Define a Tag Rule
You have the option to apply a tag rule. When you define a rule for a tag, the service automatically assigns the tag to the assets in your account that match the tag rule.

Tag Rule
Select a Rule Engine from the menu provided. Parameter fields appear specific to the selected rule engine. Define the parameters of your tag rule. You have the option to select assets to test the applicability of the rule. Select assets from the Add Asset menu to see if the tag rule applies. Selected assets appear below the Add Assets menu. Those the rule applies to display a green check mark. Those the rule does not apply to display a red X.
When finished, the tag appears in the Tag Management list. You can apply the tag to specific business objects and then grant appropriate users access to those objects by assigning the tag to their scopes.

Assign a Tag to a Web Application
When you assign a tag to a web application, all users with that tag in their scopes have access to that web application.

Edit the web application. Select Web Applications from the top menu and click the Web Applications tab. Mouse over a web application’s row and select Edit from the Quick Actions menu.

Application details
Under Tags click to expand the tags list. Select the tag you want to assign to the web application. In this example, we’ve selected an asset group tag. All users assigned the same tag in their scopes will have access to the web application.
Assign a Tag to a Report
Select Reports from the top menu to go to the reports list. Mouse over a report’s row and select Add Tags from the Quick Actions menu.

Search and add tag
Locate the tag you want to assign to the report. Tip: Start typing a tag name in the text field to display matching tags. Click to select a tag for the report. Tags you select appear to the right under Tags to be applied to record(s).

Assign a Tag to a User
Select Users from the top menu and click the User Management tab. Mouse over a user’s row and select Edit from the Quick Actions menu.

Roles and Scopes
Under Apply scope across all roles click to expand the tags list. Tags currently assigned to the user’s scope appear highlighted. Select the tag you want to add to the user’s scope. In this example, we’ve selected an asset group tag. The user will have access to all assets that are assigned to that asset group.
User Accounts

The WAS v2 application gives users much greater control over managing each user’s permissions and granting them access to various parts of the application. Each user account is defined by roles containing multiple permissions (what the user can do) and scopes (what the user can access). Users are defined in the VM application and user account updates are reflected in the WAS v2 application.

Overview
To manage user accounts, select Users to go to User Management. This section displays the user accounts you have permission to view. From this list, you can drill down into user details, view or edit a user’s roles and permissions (what the user can do), and define a user’s scope (what the user can access).

To review and edit a user’s account settings, select the user and then select Edit from the Actions menu.

These user account settings can be edited: Locale, Tags, and Roles and Scope.
Initially Managers and Unit Managers have permission to edit user account settings, unless this permission is removed using the WAS or Admin applications. Managers can edit all user accounts in the subscription. Unit Managers can edit the user accounts in their business units. WAS v2 user permissions granted within user roles determine whether users have permission to edit user account settings.

User Information

Identity
Displays the user’s Identity information. This information is automatically updated within WAS when it is changed within the VM application.

Locale
Select a time zone option for dates the user views in the UI: browser time zone or a selected time zone.

Address
Displays the user’s business address. When edited in the VM application this information is automatically updated within WAS.

Tags
Assign tags to the user account to give other users access to this account. Users with tags in common have access to one another.
Assigned User Roles
Each user is automatically assigned one or more user roles. User roles contain sets of permissions and they can be edited to grant users more or fewer privileges, at a very granular level. See the table below for the role assigned.

WAS v1 Role     WAS v2 Role
Manager         (no role assigned)
Unit Manager    UNIT MANAGER
Scanner         SCANNER
Reader          READER
Auditor         AUDITOR
Contact         CONTACT

Assigned Scopes
Scopes define the business objects users are able to access within the application. Each user is assigned an initial scope as described below.

Managers
Managers are not assigned a role or scope initially. They have full permissions and all scopes.

Unit Managers
Unit Managers are assigned a single business unit tag. The tag name corresponds to the business unit title as defined in the VM application. For example, if the user is in the business unit “NW Operations” then the user’s initial scope is assigned the tag “NW Operations”.

Auditors, Scanners, Readers and Contacts
Auditors, Scanners, Readers and Contacts are assigned a business unit tag or the tag “Unassigned Business Unit” (if the user was not part of a business unit) depending on the user’s business unit in the VM application. If a business unit tag, the tag name corresponds to the business unit title as defined in the VM application.
Edit User Roles and Scopes
Roles define the user’s permissions to act on the business objects in the subscription. Each role includes a specified set of permissions.

Scope determines which business objects the user can access in the subscription. Business objects that can be added to the scope include assets (web applications and scanner appliances), users, option profiles, search lists, password bruteforce lists and reports. Each user is assigned an initial scope to get started. Managers and users whose scopes include the “Edit User Role” permission can edit user roles and scopes.

Edit Role(s) and Scopes

Allow user full permissions and scope
Select to grant the user unlimited permissions to all business objects in the subscription.

New role
Click to define a new role and select the permissions it provides.

Assigned roles
Each assigned role grants the user specific permissions. You can add and remove assigned roles, create new roles and change a role’s permissions.

Edit Scope

Allow user view access to all objects
Select to allow the user view access to all assets in the subscription.

Apply scope across all roles
Assign tags to specify the business objects the user can
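The tag hierarchy described under Using Tags and the scope settings described here combine into one access rule: a user reaches an object when a tag on the object, or a parent of that tag, is in the user's scope, unless "full permissions and scope" or "view access to all objects" overrides it. The block below is an added model of that rule for reviewing who can reach what; it is not Qualys code, and the tag tree, the users, the objects and the `scan` action name are constructed assumptions based on the guide's NW Operations example.

```python
from dataclasses import dataclass

# Constructed tag hierarchy (hypothetical, modeled on the guide's example):
# child tag -> parent tag, None for a root-level tag.
TAG_PARENTS = {
    "Business Units": None,
    "NW Operations": "Business Units",
    "NW Data Center": "NW Operations",
    "EU Datacenter": "Business Units",
    "Unassigned Business Unit": None,
}


def lineage(tag, parents=TAG_PARENTS):
    """Return the tag followed by each ancestor up to the root."""
    chain, seen = [], set()
    while tag is not None:
        if tag in seen:  # malformed tree: refuse rather than loop forever
            raise ValueError("cycle in tag hierarchy at " + tag)
        seen.add(tag)
        chain.append(tag)
        tag = parents.get(tag)
    return chain


@dataclass
class User:
    name: str
    scope_tags: frozenset          # tags under "Apply scope across all roles"
    full_scope: bool = False       # "Allow user full permissions and scope"
    view_all: bool = False         # "Allow user view access to all objects"


def can_access(user, object_tags, action="view"):
    """An object is in scope when one of its tags, or an ancestor of that tag,
    is assigned to the user's scope; full_scope and view_all are the overrides."""
    if user.full_scope:
        return True
    if action == "view" and user.view_all:
        return True
    return any(anc in user.scope_tags for tag in object_tags for anc in lineage(tag))


def access_matrix(users, objects, action):
    """For a scope review: which users can perform `action` on each object."""
    return {obj: sorted(u.name for u in users.values() if can_access(u, tags, action))
            for obj, tags in objects.items()}


# Constructed sample subscription: initial scopes as the guide assigns them.
USERS = {
    "alice": User("alice", frozenset({"NW Operations"})),                 # Unit Manager, NW
    "bob": User("bob", frozenset({"EU Datacenter"})),                      # Reader, EU
    "carol": User("carol", frozenset(), full_scope=True),                  # Manager
    "dave": User("dave", frozenset({"Unassigned Business Unit"}), view_all=True),  # Scanner
}
OBJECTS = {
    "nw-intranet-app": frozenset({"NW Data Center"}),   # tagged with the nested child tag
    "eu-portal": frozenset({"EU Datacenter"}),
    "shared-report": frozenset({"Unassigned Business Unit"}),
}

if __name__ == "__main__":
    for action in ("view", "scan"):
        print(action, access_matrix(USERS, OBJECTS, action))
```

Running the matrix before and after a role or scope edit shows exactly which objects a change exposes, which is the check to make before granting a parent business unit tag.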
Warnings about Editing Roles
Please note the following when editing roles.
1) Some roles do not allow UI access and are assigned with other roles which do allow UI access. If you remove a user’s role that includes UI access without assigning another role that includes UI access to the user, this may cause the user to lose the ability to use the application except through the API.
2) If you delete a role from the subscription and that role is currently assigned to users, the role is automatically deleted from these users’ accounts and they may lose the ability to perform functions that were permitted in the role that was deleted.

Managing Assigned Permissions

Name and Permissions Assigned
Permissions available for a role are sorted in groups. Click group titles to view available permissions. Select permissions to add to or remove from the role. The changes you make will apply to all users assigned this role.

Quick setup
Click the “Quick setup” icon on the group title bar to toggle between All assigned and None assigned. Status for each group’s permissions is displayed: All assigned, None assigned, Custom (some assigned).

Permission Summary
As you add and remove permissions the permission summary dynamically displays the assigned permissions.

Contact Support

Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/.