Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Organization and Teams

Introduction

Deepfactor allows admins to structure their users into multiple teams within their account. The following diagram shows the relation between teams and users using the example of a sample Acme organization.

Teams hierarchy

Please note that:

  1. A user can be part of multiple teams and have different roles per team. Ex. John is a developer in the API service team and a viewer in the product service team.
  2. It is possible for a user to not be a part of any team. In such a case, the user can log in to the Deepfactor account but will not be able to view/scan/run any applications with Deepfactor until the admin adds the user to a team. Ex. Elle is not part of any team.
  3. A default team is created in every account and all existing users/applications are added to the default team. Admins who do not want to create multiple teams can continue to have all users/applications within the default team. This is the most liberal structure where all users have access to all applications as per their role.
  4. The different types of roles and their privileges are described in detail in the article "Role based access control".
  5. Organization admins have team admin level privileges for all teams.
  6. Team memberships of SCIM provisioned users cannot be changed from the Deepfactor portal UI. Users should be added to or removed from the required groups in the SSO provider and Deepfactor will sync those changes automatically.

The Teams feature allows admins to achieve the following goals:

  1. Principle of least privilege: Users of one team cannot view applications of other teams, ensuring users have access only to the vulnerabilities associated with their applications.
  2. Reduce clutter: Ensure users view only the vulnerabilities that are relevant to them, reducing noise and clutter and helping them direct their focus on actionable insights.
  3. Different integrations per team: Deepfactor allows teams to have integrations of their own. Example: Different teams can integrate with different Jira accounts.
  4. Manage memberships from the identity provider (IdP): Deepfactor allows admins to manage team memberships from their IdP, ensuring access to Deepfactor teams is managed centrally from the IdP tool.

User & Team management

Organization admins have the privileges to manage teams. They can create / delete teams, assign existing users / invite new users to teams and change org role and team role for users. Team admins cannot create / delete teams but can manage users within their team.

View teams

In order to view all teams, org admins can navigate to ‘User Management’ (from left sidebar) -> ‘Teams’ (from left sidebar).

List of teams

Create a team

In order to create a team, org admins can navigate to ‘User Management’ (from left sidebar) -> ‘Teams’ (from left sidebar) and click on the ‘+ Add Team’ button on the teams table. In the dialog, please enter the following details.

  • Name
  • Description
  • Slug: A unique short name for the team. This can be used to pass team memberships from the idp as described in this section.

Create team

Delete a team

Organization admins can delete a team by clicking on the delete (trash can) icon in the team row.

Delete team

Please note:

  1. This action is irreversible and cannot be undone.
  2. All members of the team will be removed from the team.
  3. All the applications and artifacts associated with the deleted team will be marked for deletion and will not be accessible to any user in the organization. Existing instrumented applications will stop sending telemetry to the portal.
  4. If required, organization admins can create a new team with the same team name in the future. However, this would be a new team and members will need to be re-added to the team.

Add members to a team

Organization and team admins can add existing users or invite new users to the team by clicking on the desired team and then clicking on the ‘Add members’ button. Invited users will receive an email and once they accept the invite, they will automatically be added to the invited team. Please note, SCIM provisioned users cannot be added to teams from the Deepfactor portal UI. They should be added to the appropriate groups in the SSO provider and Deepfactor will automatically sync the changes.

Add users to team

Add existing users to a team

Invite users to team

Invite new users to a team

Remove members from a team

Organization and team admins can remove existing users from the team by clicking on the desired team, selecting the users that need to be removed and then clicking on the ‘Remove members’ button. Please note:

  1. Once you remove these users from the team, they will not be able to view the artifacts and applications associated with the team.
  2. They will continue to see artifacts and applications from the other teams they are a member of.
  3. Their run tokens associated with this team will be invalidated. All applications instrumented using such tokens will stop sending telemetry to the portal and they will need to be re-instrumented with a valid run token.
  4. If required, organization or team admins can re-add these users to the team in the future.
  5. SCIM provisioned users cannot be removed from teams from the Deepfactor portal UI. They should be removed from the appropriate groups in the SSO provider and Deepfactor will automatically sync the changes.
Remove members from team

Remove members from a team

Configure team memberships and roles from IdP

Deepfactor allows organizations to manage team memberships from either the Deepfactor portal or from the SSO tool for just-in-time (JIT) provisioned users. For the latter, you will need to configure a custom claim in the SSO provider.

As mentioned before, a few points of relevance regarding Deepfactor teams are:

  1. A user can belong to zero, one or more teams.
  2. A user can have different roles per team.
  3. Organization admins have team admin level privileges for all teams.

There are a couple of different ways for admins to manage team and role configuration of users from the IdP tool.

  1. Default team and default role: When you integrate the IdP tool with Deepfactor, you can provide a default team and default role for users who log in using the IdP tool.
  2. df_access: You can configure the IdP to send the df_access claim in the token sent to Deepfactor to express the team and role configuration for every user who logs in using the IdP.

The following are the properties of the df_access claim.

  1. The claim df_access is of type string array.
  2. For org admins, df_access should be set to [df-orgadmin].
  3. For non org admins, each element in the array should specify a single team-role combination in the format df-{teamslug}-{role} where teamslug is the slug provided while creating the team and role is one of the team level roles specified in this document.
  4. Since df_access is an array, you can specify multiple team role combinations.

Some examples are given below:

| df_access | Team Role combinations | Notes |
|---|---|---|
| [df-orgadmin] | Org admin | |
| [df-orgadmin, df-apisvc-developer] | Org admin | Since df-orgadmin is present in the df_access array, all other entries (df-apisvc-developer) will be ignored. |
| [df-apisvc-developer, df-transactionsvc-viewer] | Developer in API Service; Viewer in Transaction Service | |
| [df-apisvc-invalidrole, df-transactionsvc-viewer] | Viewer in Transaction Service | df-apisvc-invalidrole is ignored as invalidrole does not match with any of the allowed team roles. |
| [df-apisvc-invalidrole, df-transactsvc-viewer] | None | df-apisvc-invalidrole is ignored as invalidrole does not match any of the allowed team roles. df-transactsvc-viewer is ignored as transactsvc does not match any of the team slugs. |
| [df-apisvc-invalidrole] | None | df-apisvc-invalidrole is ignored as invalidrole does not match any of the allowed team roles and the user is not added to any team. |
| [] | None | Since no team-role combination is sent in the df_access attribute, the user will not be added to any team. |
| (claim not sent) | Default role in default team | If df_access claim is not sent in the token received from the idp, Deepfactor will automatically add the user to the default team with the default role selected during the setup of the idp integration. |
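The df_access rules above can be checked before rolling out an IdP claim mapping. The following is an added example, not Deepfactor code: it resolves a claim value into team memberships and lists the entries that would be ignored. The slug and role sets are constructed from the examples on this page, the default team and role are placeholders, and splitting the role off at the last hyphen is an assumption.

```python
# Added illustration of the df_access rules described above; not Deepfactor's implementation.
# Constructed sample data: slugs and roles are the ones used in the examples on this page.
TEAM_SLUGS = {"apisvc", "transactionsvc"}
TEAM_ROLES = {"developer", "viewer"}      # assumption: the full role list is in the RBAC article
DEFAULT = ("default-team", "viewer")      # placeholder for the default team/role set at IdP setup
ORG_ADMIN = "df-orgadmin"


def resolve_df_access(claim, team_slugs=TEAM_SLUGS, team_roles=TEAM_ROLES, default=DEFAULT):
    """Resolve a df_access claim (list of strings, or None when the claim is absent).

    Returns {'org_admin': bool, 'teams': [(slug, role), ...], 'ignored': [entry, ...]}.
    """
    result = {"org_admin": False, "teams": [], "ignored": []}

    if claim is None:
        # Claim not sent: the user lands in the default team with the default role.
        result["teams"].append(default)
        return result

    if ORG_ADMIN in claim:
        # df-orgadmin wins; every other entry in the array is ignored.
        result["org_admin"] = True
        result["ignored"] = [e for e in claim if e != ORG_ADMIN]
        return result

    for entry in claim:
        if not isinstance(entry, str):
            result["ignored"].append(entry)
            continue
        prefix, _, rest = entry.partition("-")
        # Assumption: role names contain no hyphen, so the role is the last segment.
        slug, sep, role = rest.rpartition("-")
        if prefix == "df" and sep and slug in team_slugs and role in team_roles:
            if (slug, role) not in result["teams"]:
                result["teams"].append((slug, role))
        else:
            # Unknown slug or role: the entry grants nothing.
            result["ignored"].append(entry)
    return result


if __name__ == "__main__":
    for sample in (["df-apisvc-invalidrole", "df-transactsvc-viewer"], [], None):
        print(sample, "->", resolve_df_access(sample))
```

A non-empty `ignored` list for a user who ends up with no teams usually points to a typo in the slug or role configured in the IdP.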
Updated on July 12, 2024