Background: Understand: SD Elements Permissions
SD Elements comes with a set of predefined roles at both the global and project scopes. In larger deployments, you will likely want to define custom roles unique to the environment.
Before creating custom roles, you should know which stakeholders in your organization plan on using SD Elements. From the project context, consult the SD Elements process integration documentation to determine which project roles you will need in the system. From the global context, survey the organization to determine who will want access to SD Elements and what kind of access they need.
Common roles include:
- Application or product security lead / analyst / engineer
- Other information security team members
- CIO / CTO/ other technology leadership
- Enterprise architects / other architects
- Project managers / scrum masters
- Application / product owners (i.e. business
- SDLC process specialists
- Compliance / risk / audit professionals
- Application Lifecycle Management (ALM) tool administrators
For each role you identify in the company, review the list of standard global roles to see if there is an existing fit. For example, is the "administrator" role well-suited for the intended uses of application security analysts? Questions to answer include:
- Which global roles in the organization need access to SD Elements?
- What permissions does each role need to have? Can you leverage the standard roles, or do you have to create custom ones?
- What kind of access do you want the default user to have when they log in? Out of the box, a user has no global permissions apart from editing their own personal settings and accessing the projects to which they have specifically been granted access. Does your organization require broader access?
- Who will be responsible for creating applications and projects in your organization?
- Are there any users who will be responsible for custom content but will not otherwise need administrative privileges?
- Will global configuration of ALM and security tool integration be handled by a dedicated individual who does not otherwise need access?
- Are there any global audit-type roles that need read-only access to all projects?