Role Assignment

Roles connect users to permissions. Adding roles to users, or removing roles from them, indirectly controls to what extent users can interact with your BOMnipotent Server instance.

For your convenience, several default roles are created upon starting BOMnipotent Server for the first time. In addition, BOMnipotent knows of the admin role, which receives some special treatment.

To modify or even view user roles, your user account needs the USER_MANAGEMENT permission.

List

To list all roles of all users, call:

Input
bomnipotent_client user-role list
Output
[INFO] 
╭───────────────────┬──────────────┬─────────────────────────╮
│ Username          │ Role         │ Last Updated            │
├───────────────────┼──────────────┼─────────────────────────┤
│ admin@example.com │ admin        │ 2025-01-01 10:11:12 UTC │
│ example_robot     │ bom_manager  │ 2025-01-01 10:11:12 UTC │
│ example_robot     │ vuln_manager │ 2025-01-01 10:11:12 UTC │
│ user@example.com  │ rick_role    │ 2025-01-01 10:11:12 UTC │
╰───────────────────┴──────────────┴─────────────────────────╯

The output can be filtered by user or role:

Input (long variant)
bomnipotent_client user-role list --user=admin@example.com --role=admin
Input (short variant)
bomnipotent_client user-role list -u admin@example.com -r admin
Output
[INFO] 
╭───────────────────┬───────┬─────────────────────────╮
│ Username          │ Role  │ Last Updated            │
├───────────────────┼───────┼─────────────────────────┤
│ admin@example.com │ admin │ 2025-01-01 10:11:12 UTC │
╰───────────────────┴───────┴─────────────────────────╯
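
For periodic access reviews, the unfiltered table shown above can be compared with an approved baseline so that unexpected grants, especially of the admin role, stand out. The following Python script is an added example, not part of BOMnipotent or its documentation; it assumes the table layout printed above, and the EXPECTED baseline and the function names are hypothetical.

```python
import sys

# Constructed sample: the unfiltered table from this page's "List" example.
SAMPLE_OUTPUT = """\
[INFO] 
╭───────────────────┬──────────────┬─────────────────────────╮
│ Username          │ Role         │ Last Updated            │
├───────────────────┼──────────────┼─────────────────────────┤
│ admin@example.com │ admin        │ 2025-01-01 10:11:12 UTC │
│ example_robot     │ bom_manager  │ 2025-01-01 10:11:12 UTC │
│ example_robot     │ vuln_manager │ 2025-01-01 10:11:12 UTC │
│ user@example.com  │ rick_role    │ 2025-01-01 10:11:12 UTC │
╰───────────────────┴──────────────┴─────────────────────────╯
"""

# Hypothetical baseline of approved (username, role) assignments.
EXPECTED = {
    ("admin@example.com", "admin"),
    ("example_robot", "bom_manager"),
    ("example_robot", "vuln_manager"),
}

def parse_user_roles(text):
    """Return the set of (username, role) pairs found in the table rows."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│"):
            continue  # log prefix, borders and separators carry no data
        cells = [cell.strip() for cell in line.strip("│").split("│")]
        if len(cells) != 3 or cells[:2] == ["Username", "Role"]:
            continue  # malformed row or the header row
        pairs.add((cells[0], cells[1]))
    return pairs

def review(actual, expected):
    """Return (unexpected grants, missing grants, holders of the admin role)."""
    unexpected = sorted(actual - expected)
    missing = sorted(expected - actual)
    admins = sorted(user for user, role in actual if role == "admin")
    return unexpected, missing, admins

if __name__ == "__main__":
    # Feed real client output on stdin, or run without a pipe to use the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    unexpected, missing, admins = review(parse_user_roles(text), EXPECTED)
    print("admin role holders:", admins)
    print("unexpected grants:", unexpected, "missing grants:", missing)
    sys.exit(1 if unexpected or missing else 0)
```

The script exits with status 1 when the assignments differ from the baseline, so it can gate a scheduled review job.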

Add

To add a new role to a user, call:

Input
bomnipotent_client user-role add user@example.com rick_role
Output
[INFO] Added role to user

The user account needs to exist on the server at this point; the role does not.

Only users with the admin role can add the admin role to other users.

Remove

To remove a role from a user, call:

Input
bomnipotent_client user-role remove user@example.com rick_role
Output
[INFO] Removed role rick_role from user user@example.com

This will show an error if either does not exist:

Input
bomnipotent_client user-role remove admin@example.com wrong_role;
bomnipotent_client user-role remove wrong_user admin
Output
[ERROR] Received response:
404 Not Found
User with username "admin@example.com" does not have role wrong_role.
[ERROR] Received response:
404 Not Found
No user with username "wrong_user" was found: Record not found

Only users with the admin role can remove the admin role from other users.

Existence

The "exists" subcommand checks whether or not at least one object on the server matches some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.

Depending on the output mode, the client prints:

  • normal mode: a sentence including the number of found objects.
  • code: the string "200" if at least one item was found, or "404" if none were found.
  • raw: the string "true" if at least one item was found, or "false" if none were found.

Input (long variant)
bomnipotent_client user-role exists --role=bom_manager
Input (short variant)
bomnipotent_client user-role exists -r bom_manager
Output
[INFO] Yes, the server contains 1 user roles matching the filters.