Understanding roles

Black Duck provides global and project roles, which help you control access and capabilities without impeding productivity. Roles define the tasks users can perform and the information users can view. Project-level roles give you the flexibility to assign users individual roles per project; those roles only apply to the projects a user is assigned to.

  • You can assign roles to either individual user accounts or to groups.

  • If you assign a role to a group, the entire group membership inherits the role and its permissions.

  • If you do not assign a role, users have read-only access to Black Duck and read-only access to the BOM and projects to which that user is assigned.

For more information on the tasks that can be performed for each role, refer to the Black Duck user role matrix.

Global roles

The following global roles are available:

  • Component Manager

    The Component Manager is responsible for creating, editing, and/or deleting custom components and reviewing Black Duck KnowledgeBase components.

    This role is often assigned to a centralized group responsible for the management of custom components. In smaller organizations, this role can be given to subject matter experts (SMEs) or development managers.

  • Copyright Editor

    The Copyright Editor is responsible for creating or editing copyright statements for components.

    This role is often assigned to someone within the Legal department.

  • Custom Fields Administrator

    The Custom Fields Administrator is responsible for managing custom fields in projects.

  • Global Code Scanner

    The Global Code Scanner has access to all scans in Black Duck and can run, map, or delete scans for any existing project within the system.

    This role is often assigned to a user account used for continuous integration (CI) builds and sometimes, in smaller organizations, given to a release/build engineer who manages all builds for a company.

  • Global Notification Viewer

    This role has read-only access to all projects and receives all system notifications regardless of user preferences.

  • Global Project Group Administrator

    The Global Project Group Administrator has access to all project groups and can:

    • view/create/modify/delete project groups, including adding users to any project group.

  • Global Project Administrator

    The Global Project Administrator has access to all Black Duck projects and can:

    • Create/modify/delete projects and project versions.

    • Add users with a defined role to projects as well as removing users from projects.

    • Manage tags.

    • Map or unmap scans to projects.

    • Run/delete project vulnerability and project version reports.

    • View BOMs.

    • Add/edit/view comments.

  • Global Project Manager

    The Global Project Manager is similar to the Global Project Administrator in that they have access to all Black Duck projects. However, they also have the ability to manage BOMs. Global Project Managers can:

    • Create/modify/delete projects and project versions.

    • Add/remove users from projects but cannot define their roles. Users added to projects by a Global Project Manager will have read-only access to the projects and will not be able to edit or modify the BOM.

    • Manage tags.

    • Map or unmap scans to projects.

    • Run/delete project vulnerability reports, project version reports (must be assigned to a project to view data).

    • View/create/modify/delete BOMs.

    • Add/edit/view comments.

  • Global Project Viewer

    The Global Project Viewer can view all projects. Users with this role can view all BOMs but cannot edit the BOM; they can only add or edit comments.

    When you assign a user this role, they automatically have read-only access to all projects – you do not have to assign the users to the projects.

    This role is often assigned to executives and users in the Legal department.

  • Global Release Creator

    The Global Release Creator can create releases or versions of projects.

    This role is often assigned to a user account used for continuous integration (CI) builds and sometimes, in smaller organizations, given to a release/build engineer who manages all builds for a company.

  • Global Security Manager

    The Global Security Manager can create, edit, or delete global remediation statuses for vulnerabilities associated with components.

    In smaller organizations this role is often assigned to the development manager while in larger enterprises this is commonly assigned to someone in the security group reporting to the CISO.

  • Integration Manager

    This role grants the ability to manage all integrations.

  • License Manager

    The License Manager is responsible for approving and/or rejecting licenses and managing the licenses that can be used in applications. Users with this role can create, edit, and delete custom licenses, custom license terms, and custom license families. They can also manage Black Duck KnowledgeBase licenses and license terms.

    This role is often assigned to someone within the Legal department.

  • Lite Global Project Manager

    This role grants administration privileges to a Lightweight BOM.

  • Policy Manager

    The Policy Manager can create, edit, or delete global policy rules.

    The Policy Manager role should be assigned to users who are responsible for defining and managing all your OSS company policies. Often, these users are from the Legal/Compliance department or the IT/Security department. This user can also be the CTO overseeing all technology/development or the CISO who is responsible for all security practices.

  • Project Creator

    The Project Creator can create projects and can edit project settings.

    The Project Creator role is often assigned to the Global Code Scanner or the Project Code scanner if that user needs to create new projects. The Global Code Scanner should almost always have the Project Creator role as well unless your organization has a centrally managed system for setting up new applications company wide.

  • System Administrator

    The System Administrator role can configure system settings.

    The System Administrator role is geared primarily to the user that installs, sets up, and configures the Black Duck application. Most of the time, this will be an IT person responsible for registering the product, configuring LDAP and SSO, and so on.

  • User Administrator

    The User Administrator manages users and groups, including resetting passwords. They can also manage access tokens.

    This role should be assigned to users who manage people and teams working in your organization, such as development managers or supervisors.

Project roles

The following project roles are available:

  • BOM Annotator

    The BOM Annotator can add or edit comments in a BOM for a specific project, but cannot edit the BOM. Users with this role can also update BOM component custom fields.

  • BOM Manager

    The BOM Manager can modify the BOM for projects in which they are members or have project-group privileges, including modifying component identifications, ignoring components, updating the review status, adding comments, and running project version reports.

    This role is often assigned to a lead developer or developer manager for a project.

  • Project Code Scanner

    The Project Code Scanner only has access to specific project scans in Black Duck and can map or delete scans for that project within the system. Unlike the Global Code Scanner, the Project Code Scanner only has code scanning capability for a set of projects – users are restricted from all other projects. The Project Code Scanner can create project versions of projects they have access to but cannot create projects.

    This role is often used in larger enterprises where multiple groups are responsible for builds/releases. This role could be assigned to a release engineer for a specific business unit or for a CI account for that business unit.

  • Project Manager

    Similar to the Global Project Manager, the Project Manager has complete access to a specific Black Duck project. Project Managers can create/modify/delete versions for projects in which they are members or have project-group privileges but cannot create projects. Project Managers can run reports, modify BOM entries, and assign users to the project but cannot define their roles. Users added to projects by a Project Manager will have read-only access to the projects and will not be able to edit or modify the BOM.

    By default Project Managers can manage policy violations and remediate security vulnerabilities. However, the system administrator can disable these capabilities.

    In smaller organizations this role is often assigned to the development manager or team lead and in larger enterprises this role could be assigned to the Director of engineering.

  • Project Group Administrator

    The Project Group Administrator can view/create/modify/delete sub-project groups, including adding users to the project group in which they are a member.

  • Project Administrator

    Similar to the Project Manager, the Project Administrator has access to a specific Black Duck project group. Project Administrators can create/modify/delete versions for projects in which they are members or have project-group privileges but cannot create projects. This also includes managing tags on project versions.

  • Project Viewer

    The Project Viewer role provides read-only access to individual projects. This is the lowest level of access and is often assigned to users who need to view information and access reports but should not be allowed to change anything. Project Viewers can add comments to a BOM.

    This role is assigned to users by default if no other role is assigned to the user: a user without any project roles selected will be a Project Viewer. This role is not shown as a selectable option.

  • Policy Violation Reviewer

    The Policy Violation Reviewer can override policies in projects in which they are members or have project-group privileges.

    In smaller organizations this role is often assigned to a development manager, Director or VP of engineering, or even a program manager. In larger enterprises this role is often assigned to users who manage the OSS policies across the entire system. These users verify that what was needed to obtain approval for an override was completed as well as vet the validity of the override for each instance.

  • Security Manager

    The Security Manager can modify remediation for vulnerabilities associated with components.

    In smaller organizations this role is often assigned to the development manager while in larger enterprises this is commonly assigned to someone in the security group reporting to the CISO.

Project Group roles

The following project group roles have the same permissions as their project-only counterparts, except they apply for every project in their assigned project group:

  • BOM Annotator

  • BOM Manager

  • Project Group Administrator

  • Project Code Scanner

  • Project Manager

  • Project Viewer

  • Policy Violation Reviewer

  • Security Manager

Direct Access vs Indirect Access

Project Groups introduce two concepts: Direct Access and Indirect Access to a project. Direct Access refers to a user being directly linked to a project. This has been the normal behavior and remains unchanged with the advent of Project Groups. Indirect Access means that a user is linked to a project as a result of being in a user group that is linked to a project group, or because the project is in a project group to which this user is associated.
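To make the rules above concrete (roles assigned to users or groups, project-group roles covering every project in the group, the read-only Project Viewer fallback, and direct versus indirect access), here is an added Python model; it is an illustration written for this page, not Black Duck code, and the user, group and project names are constructed. It assumes that a role reaching a user through a user group or a project group counts as Indirect Access, and that only a role assigned to the user account itself on that project counts as Direct Access.

```python
from collections import defaultdict

class AccessModel:
    """Resolves a user's effective roles on a project following the page's
    description: direct assignment, inheritance via user groups, and
    project-group roles applying to every project in the group."""

    def __init__(self):
        self.user_groups = defaultdict(set)     # user -> {user group}
        self.group_projects = defaultdict(set)  # project group -> {project}
        self.project_roles = defaultdict(set)   # (principal, project) -> {role}
        self.pgroup_roles = defaultdict(set)    # (principal, project group) -> {role}

    def add_user_to_group(self, user, user_group):
        self.user_groups[user].add(user_group)

    def add_project_to_group(self, project, project_group):
        self.group_projects[project_group].add(project)

    def assign_project_role(self, principal, project, role):
        self.project_roles[(principal, project)].add(role)

    def assign_project_group_role(self, principal, project_group, role):
        self.pgroup_roles[(principal, project_group)].add(role)

    def effective_roles(self, user, project):
        """Return (roles, access) with access 'direct', 'indirect' or 'default'."""
        roles = set(self.project_roles.get((user, project), set()))
        access = "direct" if roles else None
        # Assumption: anything arriving via a user group or project group is indirect.
        for group in self.user_groups[user]:
            roles |= self.project_roles.get((group, project), set())
        principals = {user} | self.user_groups[user]
        for pgroup, projects in self.group_projects.items():
            if project in projects:
                for principal in principals:
                    roles |= self.pgroup_roles.get((principal, pgroup), set())
        if not roles:
            return {"Project Viewer"}, "default"  # read-only fallback from the page
        return roles, access or "indirect"

def demo():
    """Constructed sample: one user group, one project group with two projects."""
    m = AccessModel()
    m.add_user_to_group("alice", "payments-devs")
    m.add_project_to_group("checkout-api", "payments")
    m.add_project_to_group("ledger", "payments")
    m.assign_project_role("alice", "checkout-api", "BOM Manager")
    m.assign_project_group_role("payments-devs", "payments", "Project Code Scanner")
    return {"alice/checkout-api": m.effective_roles("alice", "checkout-api"),
            "alice/ledger": m.effective_roles("alice", "ledger"),
            "bob/checkout-api": m.effective_roles("bob", "checkout-api")}
```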