This article describes how to create a "WAS-only" user with no capabilities in other Qualys modules or products. This is for the purpose of maintaining least privileges and is typical for developers or QA personnel who only use the Web Application Scanning product within Qualys.
- In the VM module, create an asset group with 0 IPs and call it "WAS only". This only needs to be done once.
- Under Users in the VM module, assign the new user the "Reader" role.
- On the Asset Groups tab, assign user the "WAS only" asset group.
- On the Permissions tab, check "Manage VM module" only. This is needed for historical reasons. There's no need to check "Manage web applications" as this option is not actually related to WAS functionality.
- Open Administration under Utilities (located at the bottom of the main dropdown menu).
- Find the user in the list and select Edit.
- On the Roles & Scopes tab:
- You can either check the "Allow user full permissions and scope" box to give the user full permissions in WAS or you can uncheck the box to assign roles as desired. More information about roles and permissions can be found at https://discussions.qualys.com/docs/DOC-5786.
- If required for this user, uncheck "Allow user view access to all objects" and assign tags to set the scope of what the user can see.