How to Create a WAS-Only User

Document created by Parag Baxi on Oct 23, 2013Last modified by Dave Ferguson on Feb 9, 2017
Version 3Show Document
  • View in full screen mode

This article describes how to create a "WAS-only" with no capabilities in other Qualys modules or products.  This is for the purpose of maintaining least privileges and is typical for developers or QA personnel who run WAS scans.



  1. In the VM module, create an asset group with 0 IPs and call it "WAS only".
  2. Under Users in the VM module, assign user the "Reader" role.
  3. On the Asset Groups tab, assign user the "WAS only" asset group.
    image (1).png
  4. On the Permissions tab, check "Manage VM module" only.  This is needed for historical reasons.  There's no need to check Manage web applications or Create web applications – these options are not actually related to WAS.
  5. Open the Administration module (located at the bottom of the main dropdown menu).
    download (4).png
  6. Find the user in the list and select Edit.
  7. On the Roles & Scopes tab:
    • Uncheck "Allow user full permissions and scope"
    • Add WAS-specific roles as needed.  More information about roles and permissions can be found at
    • If appropriate for this user, uncheck "Allow user view access to all objects" and assign tags to set the scope of what the user can see. 
1 person found this helpful