1. Is it required to have Administration permission for the authentication? Or just a normal user?
2. Assume we have many user profiles. Do I need to input all user profiles (user accounts) in the authentication records?
For WAS authentication, normal user permissions with any login that has access to the web app are usually sufficient. One login for the web app should give you all the results needed. There should be no need to enter multiple user accounts. The only caveat to this is if an admin user has access to additional links that you want tested. If this is the case and that is the only way to get there, then an admin login would be preferred.
Also, be aware that if you use an Administrator account which has access to additional functions, the scanner will click links that it finds. The reason I bring this up is that if, for example, you provide an admin user account which has access to remove an item from your store or remove a page from your site, the scanner will more than likely click it and do something that you may not have intended to do. In other words, be aware of the level of access you are allowing. You will be giving access to the scanner, which does not have a brain to determine if it should or shouldn't click a link, and there is no discrimination unless you use blacklists to block specific areas or links.
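The blacklist caveat above is the kind of control worth checking before a scan with a privileged account. The following is an added example, not Qualys WAS code and not part of the original thread: a small link filter of the sort a crawler applies before following a URL, which drops same-origin links matching constructed "destructive action" patterns and sets aside anything outside the scan scope. The patterns, the base URL and the list of hrefs are all made up for the example.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed blacklist for the example. A real scan would carry the
# application's own exclusion entries instead of these made-up paths.
BLOCKLIST_PATTERNS = [
    r"/admin/.*/delete(/|$)",          # e.g. /admin/items/42/delete
    r"/admin/pages/remove(\?|$)",      # remove a page from the site
    r"/cart/remove(\?|$)",             # remove an item from the store
    r"[?&]action=(delete|remove|purge)\b",  # action selected by query string
]


def is_blocked(url, patterns=BLOCKLIST_PATTERNS):
    """True if the URL matches any blacklist pattern (path + query checked)."""
    parts = urlparse(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return any(re.search(p, target) for p in patterns)


def filter_crawl_links(base_url, hrefs, patterns=BLOCKLIST_PATTERNS):
    """Classify discovered hrefs into allowed, blocked and out-of-scope.

    Links are resolved against base_url; only links on the same scheme and
    host count as in scope. In-scope links are then screened against the
    blacklist so a privileged session never triggers a destructive link.
    """
    base = urlparse(base_url)
    result = {"allowed": [], "blocked": [], "out_of_scope": []}
    seen = set()
    for href in hrefs:
        absolute = urljoin(base_url, href)
        absolute = absolute.split("#", 1)[0]  # fragments never reach the server
        if absolute in seen:
            continue
        seen.add(absolute)
        parts = urlparse(absolute)
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            result["out_of_scope"].append(absolute)
        elif is_blocked(absolute, patterns):
            result["blocked"].append(absolute)
        else:
            result["allowed"].append(absolute)
    return result


# Constructed sample of links an admin session might expose (not real data).
SAMPLE_HREFS = [
    "/products",
    "/account/settings",
    "/admin/pages/remove?id=7",
    "/cart/remove?item=3",
    "/admin/items/42/delete",
    "/search?q=shoes&action=delete",
    "https://other.example.net/partner",
    "/products#reviews",
]

if __name__ == "__main__":
    report = filter_crawl_links("https://shop.example.com/home", SAMPLE_HREFS)
    for bucket, urls in report.items():
        print(bucket)
        for u in urls:
            print("  ", u)
```

Running the block lists two allowed URLs, four blocked ones and one out-of-scope link; the duplicate `/products#reviews` collapses into `/products`. The same idea holds for whatever blacklist syntax the scanner itself uses: review the patterns against the links an admin account can reach before the scan starts, not after something has been deleted.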
I will use a standard account, thanks for the heads up.
Admin, I just signed up a few minutes ago, already enjoy the site and tools and can hardly wait to use them. My name is Judy and I love messing around with my laptop to see how everything works. Thanks for the opportunity to be part of the community.
I am sure you have got your answer already... I will just add to what the experts have already said...
Just use an account that has access to the most pages and the maximum number of application workflows and functionality.
Admin/non-admin makes a difference when it comes to our VM scanner, which will need a certain level of privilege on the target system to run scripts remotely, but in the case of web app authentication it is not a level-of-privilege kind of requirement but an increase-in-crawl-scope kind of requirement. Finally, the WAS engine scans what pages it finds. If pages/resources are accessible after a certain auth, we need to use them. In all practicality you may have to use more than one user account at times to completely cover the entire web app and all its functionality.