Group Management

Vigiles offers a collaborative group structure that makes it easier to work within teams (internal and external) while letting you restrict each user's access to what they need. The group structure is as follows:

  • Organization: The highest level of a group; e.g. a whole company
    • Organizations can only contain groups. To create a folder, a group must be created first.
    • Group: The second-highest level of group. A group can contain both subgroups and folders; e.g. a division or department of a company
      • A primary group can have both folders and subgroups.
      • Subgroup: One of the final levels of grouping; e.g. a project or an organization team.
        • A subgroup can be further divided into more subgroups or into folders.
    • Folders: Another final level of grouping; e.g. a group's release folder.
      • Folders can only contain sub-folders and cannot contain a group or subgroup.

Organization

The Organization is at the top of the group structure and is the object from which most users get their permissions. Inside an organization you can have varied levels of groups, subgroups, folders and sub-folders; if you are an organization admin, you can grant or revoke permission to view, modify, or delete these substructures on the "Organization Members" page.

Group and Subgroup Dashboard

The Group/Subgroup Dashboard is the primary storage location for both SBOMs and folders. Subgroups are displayed on the left side of the Group Dashboard in the "Subgroups" section, with folders and SBOMs displayed in the main section on the right. From here you can create and upload a new SBOM using the "+" button in the Group Dashboard header, or open an existing one: click the name of the SBOM to view the SBOM Dashboard, or click the "Latest" button to view the SBOM's latest Vulnerability Report.

Folders and Subfolders

Folders act as a location to store similar SBOMs. This could be a group of SBOMs that, when viewed together, indicate a group or a revision. Folders are able to contain subfolders, but are not able to contain subgroups.

Folder Actions

You can manipulate and modify folders by navigating to the group that contains the folder and selecting the three vertical dots under the "Actions" column. Below is a list of the actions and their functions.

  1. Delete folder - Deletes the folder together with its entire contents.
  2. Move folder - Moves the folder from one group to another. You can choose to copy the folder, its SBOM Linking settings, and its alert settings rather than move the contents.
  3. Rename folder or folder Description - Renames the folder or changes the folder description.
  4. Download Dashboard Config - Downloads a file for use with various Timesys tools such as Meta-Timesys, Vigiles Buildroot, Vigiles OpenWrt or the Vigiles CLI. For more information please see the Meta-Timesys Documentation.
  5. Folder Settings - Lets you download the above dashboard config, or select/deselect SBOM Linking.
  6. Alert Settings - Takes you to the Folder Compliance Settings.

Private Workspaces

The private workspace is a default group that every user has automatically. It is a personal group that is not shared between users, and it is where SBOMs uploaded via our build system tools or the Vigiles CLI go by default. Functionality in this group is limited: you cannot add members, create subgroups, create folders or set compliance settings.

Member Management

Members and their roles can be edited from the Members page. To access this page, first, select the desired group/subgroup from the groups dashboard and then click the "Members" button on the side navigation bar.

Add/Remove members in an organization

Organization admins can add or remove members from organizations.

To add a member to an organization:

  • Switch to the desired organization by selecting it from the dropdown in the top navigation bar
  • Click Organization members from sidenav on Vigiles home (endpoint: /groups)
  • Select the user from the dropdown in the Add members subsection (endpoint: /groups//members)
  • Select the role that the new user should have for this group and click "Add user"
    • The roles that can be added are:
      • Organization Admin
      • Maintainer
      • Developer
      • Guest
    • View the permissions matrix for a breakdown of what each of these roles can do.

Added members can be viewed in the "Current Members" sub-section.

To remove a member from an organization, click on the remove icon in the action column of the table in the "Current Members" sub-section.

Add/Remove members in a group/subgroup

Users can add or remove members in a group only if they have "Maintainer" privileges for that group or "Organization Admin" privileges for the organization at large.

To add a member to a group:

  • Click "Members" on the sidenav of the group's home page (endpoint: /groups/)
  • Select the user from the dropdown in the Add members subsection (endpoint: /groups//members)
  • Select the role the user should have for this group and click "Add user"

Change member role

Members are assigned a role while adding users to the group, which can be changed later on the Members page.

To update the member's role:

  • Go to the Members page for the group
  • Select the role for the member user in the role column of the "Current Members" sub-section.
  • Changes will be saved automatically

Add or Remove Groups

Groups can be added/removed by a user with "Organization Admin" or "Maintainer" privileges

Add/remove group

A group can be added/removed by a user with "Maintainer" privileges for the group

To add a group:

  • On the Vigiles home page click the "Create Group" link on the left-side navigation bar

To remove a group:

  • On the Vigiles home page click the "X" icon on the actions column in the Groups table.

Add/remove subgroup

A subgroup can be added/removed by a user with "Maintainer" privileges for the subgroup

To add a subgroup:

  • On the groups dashboard click the "+" icon on the subgroups subsection

To remove a subgroup:

  • On the groups page, click "..." next to the subgroup to be removed in the Subgroups subsection
  • Select "Delete Subgroup" from the dropdown.

Add/remove a folder

To add a folder:

  • Select a subgroup if you would like to create the folder there
  • Click the "+" dropdown icon in the SBOM subsection
  • Select the New Folder option from the dropdown

To remove a folder:

  • On the Groups Dashboard, click "..." next to the folder to be removed.
  • Click "Delete Folder" from the dropdown.

Manage Group settings

Group settings can be managed by a user with "Admin", "Organization Admin" or "Maintainer" privileges.

Select Vulnerability identifiers

Vigiles allows users to customize how vulnerabilities are matched in CVE scans by selecting specific identifiers. One or more of the following identifiers can be selected:

  • CPE
  • PURL
  • CVE Product
  • Package Name

To select the vulnerability identifiers:

  • On the group page, click the Group Settings option in the sidenav bar
  • Select one or more identifiers from the "Select vulnerability identifiers" dropdown
  • Save the settings

Note: CPE, PURL and CVE Product are selected by default. If the selected identifiers are not found in the SBOM, the Package Name is used as the default identifier.

Strict Vulnerability match

Vigiles also allows users to enable strict vulnerability matching. When enabled, a vulnerability is only matched if the product vendor matches in addition to the selected vulnerability identifier.

To enable/disable strict matching:

  • On the group page, click the Group Settings option in the sidenav bar
  • Check the "Enable strict vulnerability matching" option
  • Save the settings

Note: This option is enabled by default.
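To make the effect of the two settings above concrete (which identifiers are consulted, the Package Name fallback when none of the selected identifiers are in the SBOM entry, and the extra vendor check that strict matching adds), here is a small model of that matching logic. It is an added illustration, not Vigiles code: the Component and Vuln records, the placeholder CVE ids, the treatment of a component with no vendor under strict matching, and the exact-version comparison are all constructed assumptions chosen to make the settings' effects visible.

```python
"""Model of identifier-based vulnerability matching with a Package Name
fallback and an optional strict (vendor) check. Added example; not Vigiles code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# The default selection named on the page: CPE, PURL and CVE Product.
DEFAULT_IDENTIFIERS = frozenset({"CPE", "PURL", "CVE Product"})


@dataclass
class Component:
    """One SBOM entry. Any identifier the SBOM did not carry is None."""
    package_name: str
    version: str
    vendor: Optional[str] = None
    cpe: Optional[str] = None
    purl: Optional[str] = None
    cve_product: Optional[str] = None  # product string as used in CVE records

    def identifiers(self) -> Dict[str, Optional[str]]:
        return {
            "CPE": self.cpe,
            "PURL": self.purl,
            "CVE Product": self.cve_product,
            "Package Name": self.package_name,
        }


@dataclass
class Vuln:
    """A vulnerability record with the fields each identifier kind matches on."""
    cve: str
    vendor: str
    product: str
    affected_versions: FrozenSet[str]
    cpes: FrozenSet[str] = frozenset()
    purls: FrozenSet[str] = frozenset()
    packages: FrozenSet[str] = frozenset()  # distro/package names


def usable_identifiers(component: Component, selected=DEFAULT_IDENTIFIERS) -> Dict[str, str]:
    """Identifiers that are both selected in group settings and present in the
    SBOM entry. If none are present, fall back to the Package Name."""
    present = {kind: value for kind, value in component.identifiers().items()
               if kind in selected and value}
    if not present:
        present = {"Package Name": component.package_name}
    return present


def identifier_matches(kind: str, value: str, vuln: Vuln) -> bool:
    if kind == "CPE":
        return value in vuln.cpes
    if kind == "PURL":
        return value in vuln.purls
    if kind == "CVE Product":
        return value.lower() == vuln.product.lower()
    if kind == "Package Name":
        return value.lower() in {p.lower() for p in vuln.packages}
    raise ValueError("unknown identifier kind: %s" % kind)


def match(component: Component, vulns, selected=DEFAULT_IDENTIFIERS, strict=True) -> List[str]:
    """Return the sorted CVE ids from `vulns` that apply to `component`.

    strict=True additionally requires the product vendor to match; a component
    whose vendor is unknown then matches nothing (an assumption of this model).
    Version comparison is exact string membership, a deliberate simplification."""
    usable = usable_identifiers(component, selected)
    hits = []
    for vuln in vulns:
        if component.version not in vuln.affected_versions:
            continue
        if strict and (component.vendor or "").lower() != vuln.vendor.lower():
            continue
        if any(identifier_matches(kind, value, vuln) for kind, value in usable.items()):
            hits.append(vuln.cve)
    return sorted(hits)


# Constructed sample data; the CVE ids are placeholders, not real advisories.
OPENSSL_CPE = "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", vendor="openssl", product="openssl",
         affected_versions=frozenset({"1.1.1k"}), cpes=frozenset({OPENSSL_CPE}),
         packages=frozenset({"openssl", "libssl1.1"})),
    # Same product name from a different vendor: only a non-strict CVE Product match.
    Vuln("CVE-0000-0002", vendor="otherco", product="openssl",
         affected_versions=frozenset({"1.1.1k"})),
]

if __name__ == "__main__":
    c = Component("openssl", "1.1.1k", vendor="openssl", cpe=OPENSSL_CPE, cve_product="openssl")
    print("strict:", match(c, SAMPLE_VULNS))          # only the vendor-matching record
    print("non-strict:", match(c, SAMPLE_VULNS, strict=False))
    bare = Component("libssl1.1", "1.1.1k", vendor="openssl")  # no CPE/PURL in SBOM
    print("fallback ids:", usable_identifiers(bare, {"CPE", "PURL"}))
    print("fallback match:", match(bare, SAMPLE_VULNS, selected={"CPE", "PURL"}))
```

The second record shows why strict matching is the default: a product name alone ("openssl") also hits a same-named product from another vendor, which strict matching filters out. The `bare` component shows the fallback: with only CPE and PURL selected and neither present in the SBOM entry, the package name is used and still finds the first record.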

Configure Okta SSO

Companies that use Okta as their identity management system can use its SSO functionality so that team members log in to Vigiles with their Okta identity. Users who sign in with SSO credentials will no longer be able to log in to Vigiles with their local credentials, but users without Okta can continue to access the site as before.

Configure Okta for Vigiles

Okta Application Setup

  • Okta Dashboard
    • Click "Applications" on the left-side menu and select "Applications" in the sub menu
    • Click "Create App Integration"
  • General Settings
    • Select SAML 2.0 for the sign-in method and click Next
    • You can name your Okta application anything you wish in the "App Field" input, then click Next
  • Configure SAML
    • Set your Single sign-on URL and Audience URI to be the following:
      • Single Sign-on URL: https://vigiles.lynx.com/users/saml/acs
      • Audience URI (SP Entity ID): lynx-a3c9f2d84e6a1b0cd2f3e98c
    • Set the Name ID format to be "Email Address"
    • Add the required Claims to the Attribute Statement settings (screenshot: SSO Attribute Statements), and click Next
  • Feedback
    • Finally, select the checkbox "This is an internal app that we have created"

Assigning Users

  • After you finish creating the application, navigate to the "Assignments" Tab
  • Click the "Assign" button and select "Assign to People"
  • From here you can assign anyone who is in your Okta directory to the Vigiles SSO Application.
    • You can create additional users by going to Directory >> People and clicking the "Add person" button, but these people must be registered in Vigiles first to log in via Okta.

Important Notes

  • Copy the Metadata URL from your application's Sign On tab, in the SAML 2.0 section. It is used to link Vigiles users with the Okta application.

Managing SSO Accounts

Using the SSO Manager, Organization Admins can add and delete SSO accounts for all members of any organization they administer. It is accessed by navigating to the "Organization Members" page on the Vigiles homepage and clicking the "Manage SSO Accounts" button located in the "Current Members" section on the right side.

SSO Manager

Metadata Form

At the top of the SSO Manager page is the Metadata URL form, where you enter your identity management system's metadata URL. The URL is checked for validity when submitted, and it is only required when adding SSO accounts to members of an organization.
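The Metadata URL copied from Okta (see "Important Notes" above) points at a SAML 2.0 IdP metadata document, and the form only accepts a valid one. The following check shows what "valid" means for a service provider: the document must describe an IdP (not an SP), expose an HTTPS-only HTTP-POST sign-on endpoint, carry a signing certificate so assertions can be verified, and, for this page's setup, advertise the emailAddress Name ID format. This is an added example, not Vigiles or Okta code; the two metadata documents embedded below are constructed (the certificate is a placeholder, the entity IDs and endpoints are made up, and the SP document mirrors the SP values the page lists), and the `check_metadata_url` helper is an assumed convenience for running the same check against a live URL.

```python
"""Sanity-check a SAML 2.0 IdP metadata document before submitting its URL.
Added example; not Vigiles or Okta code. Sample documents are constructed."""
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def summarize_idp_metadata(xml_text):
    """Return the fields an SP needs from IdP metadata, or raise ValueError.

    ElementTree does not resolve external entities, but for metadata fetched
    from an untrusted source a hardened parser (e.g. defusedxml) is preferable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    if not post_urls:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    if not all(u.startswith("https://") for u in post_urls):
        raise ValueError("sign-on endpoint is not HTTPS")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both uses
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")

    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": post_urls[0],
        "signing_certs": len(certs),
        "email_nameid": EMAIL_NAMEID in formats,  # page sets Name ID to Email Address
    }


def is_idp_metadata(xml_text):
    """True if the document passes every check above."""
    try:
        summarize_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def check_metadata_url(url, timeout=10):
    """Fetch a metadata URL over HTTPS and summarize it (assumed helper)."""
    if not url.startswith("https://"):
        raise ValueError("metadata URL must be HTTPS")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return summarize_idp_metadata(resp.read())


# Constructed IdP metadata: placeholder certificate, made-up entity ID and endpoints.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERTIFICATE-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip()

# Constructed SP metadata (mirrors the SP values the page lists); must be rejected.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="lynx-a3c9f2d84e6a1b0cd2f3e98c">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vigiles.lynx.com/users/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()

if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_IDP_METADATA))
    print("SP document accepted as IdP metadata:", is_idp_metadata(SAMPLE_SP_METADATA))
```

A common mistake when filling in the Metadata URL form is pasting the URL of the application's own SP metadata or of the Okta sign-on page rather than the IdP metadata; the SP sample shows that the check rejects the former because it has no IDPSSODescriptor.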

SSO Accounts Table

Here a user can view the SSO accounts currently assigned to members of their organization. The table can be sorted by Email and by the Team the SSO account is assigned to.

Adding SSO Accounts

Select the requested users, then click the "Add SSO account for Users" button. If a selected user already has an SSO account with that team and metadata URL, an error message is returned for that user, but this does not prevent the creation of SSO accounts for the other users. Selecting the checkbox in the header selects all of the users of that team.

Deleting SSO Accounts

To delete SSO accounts, select the users whose accounts you wish to delete and click the button for your preferred action. If a selected user does not have an SSO account, an error message is displayed, but this does not prevent the action from being applied to the valid users.

Role-Based Access Control

Vigiles provides four different types of members/users:

  1. Organization Admin
  2. Maintainer
  3. Developer
  4. Guest

Permissions

The following table describes the permissions granted by each role.

Action | Organization Admin | Maintainer | Developer | Guest

Organization Management
  • Create Groups
  • Move Groups
  • Rename Groups
  • Delete Groups
  • Change Group Settings

Group Management
  • Upload SBOMs
  • Download SBOMs
  • Generate CVE Reports
  • Use Notes
  • Use Filters
  • View Vigiles Pages
  • View Documentation
  • View Reports
  • Export Reports
  • Search Vulnerabilities
  • Compare SBOMs
  • Access Jira Integration
  • Modify or Add Compliance Settings
  • Search SBOMs
  • View SBOM History
  • Add or Remove Users to or from Groups
  • See Users in a Group
  • Access Vigiles API
  • Add or Remove Users from Organization