This article describes how to create a "WAS-only" user with no capabilities in other Qualys modules or products. This maintains least privilege and is typical for developers or QA personnel who run WAS scans.
- In the VM module, create an asset group with 0 IPs and call it "WAS only".
- Under Users in the VM module, assign the user the "Reader" role.
- On the Asset Groups tab, assign the user the "WAS only" asset group.
- On the Permissions tab, check "Manage VM module" only. This is needed for historical reasons. There's no need to check "Manage web applications" or "Create web applications" – these options are not actually related to WAS.
- Open the Administration module (located at the bottom of the main dropdown menu).
- Find the user in the list and select Edit.
- On the Roles & Scopes tab:
  - Uncheck "Allow user full permissions and scope".
  - Add WAS-specific roles as needed. More information about roles and permissions can be found at https://discussions.qualys.com/docs/DOC-5786.
  - If appropriate for this user, uncheck "Allow user view access to all objects" and assign tags to set the scope of what the user can see.