
User Management

Organisations are the entity or workspace that hosts and confines all the Scanning Activity, Monitoring Rules, Assets, Policies, Tickets, Subscriptions, etc.

Organisation management is part of the community platform and offers the following capabilities:

  • Multi-user access to the same organisation with role-based access control
  • Multi-organisation access and the ability to create new organisations
  • Adding and inviting users, and managing invitations

Roles

Ostorlab defines two simple roles to manage access to the platform:

  • ADMIN : Can manage organisation access (adding users, revoking access, changing roles) in addition to all the permissions granted to USER.
  • USER : Can create scans, access results, create monitoring rules and use all the other features of the platform.

Roles can be modified from the Access section (Side menu -> Settings -> Access).


Add Users

To grant a user access to an organisation, add the user by email address. If the user already has an account, they are added automatically. If the user does not have a valid account, an invitation is sent; it must be approved by an ADMIN in the Invitation section:


Manage Users and Permissions

User access can be managed from the users' list expansion panel:


Switch Organisation

Users can easily switch active organisation from the upper menu:


Two-factor Authentication

Ostorlab supports two-factor authentication based on the time-based one-time password algorithm (TOTP). To enable two-factor authentication, open the Account Security menu from the Settings menu, click the slider next to Enable 2FA and follow the guided steps.


2FA can be required of all users as a condition of joining an organisation. To do so, enable the Require Two-Factor Authentication flag in the Organisation settings menu.


Single Sign-On

Ostorlab supports single sign-on via SAML 2.0. An organisation's ADMIN can enable the feature with the following steps.

From the SAML integrations menu, select the configuration tab and fill in the following values:

Screenshot: SAML configuration

  1. IdP Identifier : URI - identifier of the IdP entity; e.g., https://your_domain.com/saml/metadata/
  2. SAML 2.0 Endpoint : URL - target of the IdP where the Authentication Request message will be sent; e.g., https://your_domain.com/saml2/http-post/sso/
  3. X.509 Certificate : public X.509 certificate of the IdP.

In your identity provider's SAML configuration, make sure to use the following settings for the Ostorlab service provider:

```json
{
  "entityId": "https://api.ostorlab.co/saml/metadata/",
  "assertionConsumerService": {
    "url": "https://report.ostorlab.co/login/saml/acs/",
    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  },
  "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
}
```
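A common source of broken SSO is a typo in the three IdP values above (a relative identifier, an `http://` endpoint, a certificate pasted without its PEM header). The following added Python example (not Ostorlab's code) performs the sanity checks a practitioner would run on those values before saving them, using only the standard library. The service-provider settings are the ones quoted above; the example IdP URLs under `idp.example.com` and the tiny ASN.1 blob used as a stand-in certificate are constructed for this example and are not a real certificate.

```python
import base64
import ssl
from urllib.parse import urlparse

# Ostorlab service-provider settings as given on the page (fixed on the Ostorlab side).
OSTORLAB_SP_SETTINGS = {
    "entityId": "https://api.ostorlab.co/saml/metadata/",
    "assertionConsumerService": {
        "url": "https://report.ostorlab.co/login/saml/acs/",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed stand-in for an IdP certificate: a minimal DER SEQUENCE, not a real X.509 cert.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----"
)


def _is_absolute_uri(value: str) -> bool:
    parts = urlparse(value)
    return bool(parts.scheme and parts.netloc)


def check_idp_settings(idp_entity_id: str, sso_url: str, certificate_pem: str) -> list:
    """Return a list of problems with the three IdP values; empty means they look sane."""
    problems = []

    # 1. IdP Identifier: must be an absolute URI (it is matched verbatim against the Issuer).
    if not _is_absolute_uri(idp_entity_id):
        problems.append("IdP identifier must be an absolute URI")

    # 2. SAML 2.0 Endpoint: the browser is redirected here, so insist on https.
    endpoint = urlparse(sso_url)
    if not (endpoint.scheme == "https" and endpoint.netloc):
        problems.append("SAML 2.0 endpoint must be an absolute https URL")

    # 3. X.509 Certificate: must be PEM-framed and decode to a DER SEQUENCE (tag 0x30).
    try:
        der = ssl.PEM_cert_to_DER_cert(certificate_pem.strip())
    except ValueError as exc:
        problems.append(f"X.509 certificate is not valid PEM: {exc}")
    else:
        if not der or der[0] != 0x30:
            problems.append("X.509 certificate does not decode to an ASN.1 SEQUENCE")
    return problems


def check_sp_settings(settings: dict) -> list:
    """Cross-check the service-provider block against the SAML 2.0 binding/NameID identifiers."""
    known_bindings = {
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    }
    known_nameid_formats = {
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    }
    problems = []
    acs = settings.get("assertionConsumerService", {})
    if not (urlparse(acs.get("url", "")).scheme == "https"):
        problems.append("assertionConsumerService.url must be https")
    if acs.get("binding") not in known_bindings:
        problems.append("assertionConsumerService.binding is not a SAML 2.0 binding URN")
    if settings.get("NameIDFormat") not in known_nameid_formats:
        problems.append("NameIDFormat is not a known SAML NameID format URN")
    return problems


if __name__ == "__main__":
    print(check_idp_settings("https://idp.example.com/saml/metadata/",
                             "https://idp.example.com/saml2/http-post/sso/", SAMPLE_PEM))
    print(check_sp_settings(OSTORLAB_SP_SETTINGS))
```

The certificate check only validates framing; a production validator would additionally parse the certificate and reject expired ones, which needs a library such as `cryptography` rather than the standard library.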

New logins without an existing account automatically provision a new account with the proper access to the SSO organisation.

For existing accounts, users must whitelist the identity provider to enable logging in using SSO. To do so:

  1. Go to the Account Security menu;
  2. In the Single Sign-On sub-menu, select the organisation from the list of supported identity providers.

Screenshot: whitelist organisation