Roles

Different roles can be assigned to a given user.

Non-admin user without any project roles

This type of user can only view their profile page.

All users who first connect to CTFreak with an external authentication provider are in this situation. It is then up to them to ask an administrator to assign them the appropriate roles.

Administrator

An administrator has access to all the features of CTFreak. In particular, this role allows managing:

  • Settings
  • Users
  • Teams
  • Credentials
  • Nodes
  • Databases
  • Projects

Role per project

To be able to perform actions on CTFreak, a non-administrator user needs to be assigned roles on certain projects (directly or indirectly through teams to simplify user management, especially in larger organizations).

Projects on which a user has been assigned no role are not visible to that user (this also applies to everything related to these projects: tasks, executions, notifiers, …). This allows for strict compartmentalization of projects.

Manager

A user with the role of manager on a given project can manage:

  • its tasks (except those of the local command or Ansible playbook type)
  • its webhooks
  • its executions
  • its notifiers

As soon as a user has the role of manager on at least one project, that user can also consult the list of nodes and databases (which are needed to create certain types of tasks).

NB: This role allows your devops users to run scripts on your servers without having to reveal credentials to connect to them.

Advanced executor

A user with the role of advanced executor on a given project can only launch tasks associated with that project or view their executions (including logs).

Executor

A user with the role of executor on a given project can only launch tasks associated with that project or view their executions (excluding logs).

NB: This role is ideal for empowering business users to launch specific tasks without granting them access to other CTFreak features.

Viewer

A user with the role of viewer on a given project can only view the executions of tasks associated with that project (excluding logs).

NB: This role is ideal for restricting business users’ access to reports generated by SQL Report tasks.

Assigning Roles to Teams

Teams can be assigned roles on projects just like individual users. When a team is assigned a role on a project, all members of that team inherit that role.

To assign a role to a team on a project:

Go to Projects → {Requested project} → Access → Edit teams, add the team, and select the appropriate role (Manager, Advanced executor, Executor, or Viewer).

Team Membership and Role Inheritance

  • A user can be a member of multiple teams
  • If a user is assigned several roles on the same project (directly and via the teams of which they are a member), the user will have the highest level of access among all their roles.
  • Changes to team membership are reflected immediately in users’ access rights
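
As an added illustration (not CTFreak's own code), the inheritance rules above can be modeled for an access review that shows where team membership grants more than a user's direct role. The data layout, the function names and the ordering Viewer < Executor < Advanced executor < Manager are assumptions inferred from the role descriptions.

```python
# Added illustration: data layout and names are hypothetical, not CTFreak's API.
# Assumed ordering (lowest to highest), inferred from the role descriptions.
RANK = {"Viewer": 1, "Executor": 2, "Advanced executor": 3, "Manager": 4}

# Constructed sample data.
DIRECT = {("alice", "billing"): "Viewer", ("bob", "billing"): "Executor"}
TEAM_ROLES = {("ops", "billing"): "Manager",
              ("ops", "infra"): "Advanced executor",
              ("bi", "billing"): "Viewer"}
MEMBERSHIPS = {"ops": {"alice"}, "bi": {"alice", "bob"}}


def effective_roles(user, direct, team_roles, memberships):
    """Return {project: (role, sources)} for a non-administrator user.

    Projects with no direct or team assignment are absent from the result,
    matching the rule that such projects are not visible to the user.
    """
    grants = {}  # project -> list of (role, source)
    for (name, project), role in direct.items():
        if name == user:
            grants.setdefault(project, []).append((role, "direct"))
    for (team, project), role in team_roles.items():
        if user in memberships.get(team, set()):
            grants.setdefault(project, []).append((role, "team:" + team))
    result = {}
    for project, items in grants.items():
        # Highest level of access among all assigned roles wins.
        best = max(items, key=lambda grant: RANK[grant[0]])[0]
        result[project] = (best, sorted(s for r, s in items if r == best))
    return result


def team_escalations(user, direct, team_roles, memberships):
    """List projects where the effective role comes only from team membership,
    i.e. the user has no direct role there or a lower direct role."""
    findings = []
    roles = effective_roles(user, direct, team_roles, memberships)
    for project, (role, sources) in roles.items():
        if "direct" not in sources:
            findings.append((project, direct.get((user, project)), role, sources))
    return sorted(findings, key=lambda finding: finding[0])


if __name__ == "__main__":
    for person in ("alice", "bob", "carol"):
        print(person, effective_roles(person, DIRECT, TEAM_ROLES, MEMBERSHIPS))
        print("  via teams only:", team_escalations(person, DIRECT, TEAM_ROLES, MEMBERSHIPS))
```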