User Roles and Permissions
Depending on your role, you may have access to an organization, specific pentests, or both.
Roles and Key Permissions | Roles |
---|---|
User Roles | Pentest level: Pentest Team Member. Organization level: Organization Owner, Organization Member. Pentest + organization level: an Organization Owner or Organization Member who is also a Pentest Team Member. |
Pentester Roles | Cobalt pentesters: Pentester, Lead, Coordinator. Customer pentesters: In-House Pentester. |
Administrative Role | Cobalt Staff |
Pentest Team Member
A Pentest Team Member is a customer (organization) representative during a specific pentest. In the UI, you see this role as “Team Member.”
- A Pentest Team Member does not have to be an Organization Owner or an Organization Member.
- When an Organization Owner invites a user to an organization, the user also becomes a Pentest Team Member on all pentests of the organization.
- An Organization Owner can remove a Pentest Team Member from all pentests they collaborate on.
- Any Pentest Team Member can add users to a specific pentest or remove them.
A Pentest Team Member has access to a specific pentest with the following permissions:
- View and edit pentest details.
- Manage findings for a pentest.
- Collaborate on a pentest in the Cobalt app and in Slack.
- Manage users for a pentest.
- View pentest activity updates and pentester updates.
- Manage integrations for a pentest: Jira and GitHub.
A Pentest Team Member has no access to any information related to the organization, unless they’re also an Organization Owner or Member.
Organization Roles
When a customer starts their journey with Cobalt, we add an Organization Owner who then invites other users. Here is an overview of organization roles and permissions.
Permission | Organization Member | Organization Owner |
---|---|---|
Create assets and pentests, edit assets | ✓ | ✓ |
Change the group an asset is associated with | — | ✓ |
View all findings reported within an organization on the Findings page, within group permissions | ✓ | ✓ |
View organization users and pentest collaborators on the People page | ✓ | ✓ |
Manage integrations for an organization | ✓ | ✓ |
Edit the organization profile | ✓ | ✓ |
View the credits ledger | ✓ | ✓ |
View the Insights page | ✓ | ✓ |
Manage users for an organization | — | ✓ |
Create and manage groups | — | ✓ |
Manage security settings for an organization: two-factor authentication and SAML | — | ✓ |
Enable co-branded reports (for Cobalt partners) | — | ✓ |
Organization Owner
An Organization Owner is the administrator for a customer organization within the Cobalt app. In the UI, you see this role as “Owner.”
An Organization Owner has the following permissions:
- Create assets and pentests, edit assets.
- Manage users for an organization on the People page:
- Invite and remove users.
- Switch user roles.
- View users’ email addresses.
- Remove Pentest Team Members from all pentests they collaborate on.
- Create, edit, and manage groups.
- Manage security settings for an organization: two-factor authentication and SAML.
- Enable co-branded reports (for Cobalt partners).
- Manage integrations for an organization.
- Edit the organization profile.
- View the credits ledger.
- View the Insights page.
An Organization Owner may also be a Pentest Team Member.
Organization Member
An Organization Member is a customer representative who manages pentests and assets for their organization on the Cobalt platform but has fewer permissions than an Organization Owner. In the UI, you see this role as “Member.”
An Organization Member has the following permissions:
- Create assets and pentests, edit assets, within group permissions.
- View users and pentest collaborators on the People page.
- Manage integrations for an organization.
- Edit the organization profile.
- View the credits ledger.
- View the Insights page.
An Organization Member may also be a Pentest Team Member.
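The Pentest Team Member rules above and the organization permission table combine into one access model: organization-wide permissions come only from an organization role, pentest-scoped permissions come only from Team Membership on that pentest, and an Owner's invite propagates Team Membership to every pentest. The following is an added example, not Cobalt's code; the `Organization` class, its method names and the permission strings are assumptions chosen to mirror the rules on this page, and the scenario in `demo()` is constructed.

```python
# Added example (not Cobalt's code): a toy model of the role composition rules
# described on this page. Class, method and permission names are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class OrgRole(Enum):
    OWNER = "Organization Owner"
    MEMBER = "Organization Member"


# Organization-level permissions, taken from the table on this page.
MEMBER_PERMISSIONS = frozenset({
    "create_assets_and_pentests", "view_findings", "view_people",
    "manage_org_integrations", "edit_org_profile", "view_credits_ledger",
    "view_insights",
})
OWNER_PERMISSIONS = MEMBER_PERMISSIONS | {
    "change_asset_group", "manage_org_users", "manage_groups",
    "manage_security_settings", "enable_cobranded_reports",
}
ORG_PERMISSIONS = {OrgRole.MEMBER: MEMBER_PERMISSIONS, OrgRole.OWNER: OWNER_PERMISSIONS}

# Pentest-level permissions every Pentest Team Member holds on that pentest.
PENTEST_PERMISSIONS = frozenset({
    "view_edit_pentest", "manage_findings", "collaborate",
    "manage_pentest_users", "view_activity", "manage_pentest_integrations",
})


@dataclass
class Organization:
    users: dict = field(default_factory=dict)      # user -> OrgRole
    pentests: dict = field(default_factory=dict)   # pentest id -> set of Team Members

    def _require_owner(self, actor):
        if self.users.get(actor) is not OrgRole.OWNER:
            raise PermissionError(f"{actor} is not an Organization Owner")

    def invite_user(self, actor, user, role):
        # Owner-only. An invited user also becomes a Pentest Team Member on
        # every pentest of the organization.
        self._require_owner(actor)
        self.users[user] = role
        for members in self.pentests.values():
            members.add(user)

    def add_to_pentest(self, actor, pentest, user):
        # Any Team Member of a pentest can add users to it; the added user
        # need not hold any organization role.
        members = self.pentests.get(pentest)
        if members is None or actor not in members:
            raise PermissionError(f"{actor} is not a Team Member of {pentest}")
        members.add(user)

    def remove_from_all_pentests(self, actor, user):
        # Owner-only: strip a Team Member from every pentest they collaborate on.
        self._require_owner(actor)
        for members in self.pentests.values():
            members.discard(user)

    def can(self, user, permission, pentest=None):
        """Authorization check. Pentest-scoped permissions require Team
        Membership on that pentest; organization permissions require an
        organization role. A Team Member alone sees nothing organization-wide."""
        if pentest is not None:
            return user in self.pentests.get(pentest, set()) and permission in PENTEST_PERMISSIONS
        role = self.users.get(user)
        return role is not None and permission in ORG_PERMISSIONS[role]


def demo():
    """Constructed scenario: owner alice, pentest p1, alice invites bob as a
    Member (bob becomes a Team Member of p1), bob adds carol to p1 only."""
    org = Organization(users={"alice": OrgRole.OWNER}, pentests={"p1": {"alice"}})
    org.invite_user("alice", "bob", OrgRole.MEMBER)
    org.add_to_pentest("bob", "p1", "carol")
    return org
```

The point worth checking in a least-privilege review is visible in `demo()`: carol can manage findings and users on p1 without any organization role, so anyone holding Team Membership can extend pentest access to further users, while only an Owner can take that access away across all pentests.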
Cobalt Pentesters
When you run pentests using the Cobalt Pentest as a Service (PtaaS) platform, Cobalt pentesters participate in the process. This group includes the following roles:
Pentester
A Pentester is a Cobalt pentester who completes pentests for Cobalt customers.
The responsibilities of a Pentester include:
- Thoroughly test an asset for vulnerabilities based on the pentest scope and requirements.
- Submit vulnerabilities (findings) and provide remediation tips.
- Retest findings that the customer has remediated within a pentest.
- Collaborate with the customer throughout a pentest.
Some Cobalt pentesters may be a Lead in one test, a Pentester in a second test, and possibly no role and no involvement in your other pentests.
Lead
A pentest Lead is a Cobalt pentester who leads other Cobalt pentesters in their efforts to complete a Comprehensive pentest. A pentest Lead also drafts a pentest report.
For Agile pentests, the corresponding role is Coordinator.
Coordinator
A pentest Coordinator is a Cobalt pentester who leads other Cobalt pentesters in their efforts to complete an Agile pentest.
For Comprehensive pentests, the corresponding role is Lead.
In-House Pentester
An In-House Pentester is a pentester invited by a customer (organization) to perform In-House pentests on the Cobalt Pentest Management Platform (PMP). An In-House Pentester role has the same privileges as a Pentest Team Member, with additional access to pentester functionality.
A customer can invite pentesters from their organization, a third-party company, or both to complete In-House pentests on the Cobalt Pentest Management Platform (PMP).
Learn how to complete an In-House pentest.
Cobalt Staff
Select Cobalt Staff members have administrative access to your organization and pentests. If needed, they can help you:
- Manage users in your organization
- Manage work on your pentests