Role Management
BOMnipotent uses a role-based access control (RBAC) model, in which users are assigned roles, and roles carry permissions. While the set of permissions is largely hardcoded into BOMnipotent, roles can be managed (almost) freely. This section explains how to do that.
To modify or even view roles and their permissions, your user account needs the ROLE_MANAGEMENT permission. Grant it sparingly: whoever holds it can attach any grantable permission to any role, so it is effectively as powerful as the permissions it can hand out.
Default Roles
When you spin up your BOMnipotent Server for the first time, it creates several colourfully named default roles in the database:
- “bom_manager”, with the BOM_MANAGEMENT permission.
- “csaf_manager”, with the CSAF_MANAGEMENT permission.
- “role_manager”, with the ROLE_MANAGEMENT permission.
- “user_manager”, with the USER_MANAGEMENT permission.
- “vuln_manager”, with the VULN_MANAGEMENT permission.
You can modify or delete these roles at will; they are merely suggestions.
Because a role exists only as long as it holds at least one permission, removing the sole permission of each default role deletes it:
bomnipotent_client role-permission remove bom_manager BOM_MANAGEMENT;
bomnipotent_client role-permission remove csaf_manager CSAF_MANAGEMENT;
bomnipotent_client role-permission remove role_manager ROLE_MANAGEMENT;
bomnipotent_client role-permission remove user_manager USER_MANAGEMENT;
bomnipotent_client role-permission remove vuln_manager VULN_MANAGEMENT;
[INFO] Removed permission BOM_MANAGEMENT from role bom_manager
[INFO] Removed permission CSAF_MANAGEMENT from role csaf_manager
[INFO] Removed permission ROLE_MANAGEMENT from role role_manager
[INFO] Removed permission USER_MANAGEMENT from role user_manager
[INFO] Removed permission VULN_MANAGEMENT from role vuln_manager
Admin Role
There is a special role called “admin”, which is not listed among the other roles. The reason is that it is not part of the database, but of the BOMnipotent code itself. As such, it cannot be modified.
bomnipotent_client role-permission remove admin BOM_MANAGEMENT
[ERROR] Received response:
422 Unprocessable Entity
Cannot modify admin role permissions
The admin role has all permissions that can be granted, and then some more.
List
To list all roles and their associated permissions, call:
bomnipotent_client role-permission list
[INFO]
╭──────────────┬─────────────────┬─────────────────────────╮
│ Role │ Permission │ Last Updated │
├──────────────┼─────────────────┼─────────────────────────┤
│ bom_manager │ BOM_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ csaf_manager │ CSAF_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ role_manager │ ROLE_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ user_manager │ USER_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ vuln_manager │ VULN_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
╰──────────────┴─────────────────┴─────────────────────────╯
The output can be filtered by role or permission:
bomnipotent_client role-permission list --role=bom_manager --permission=BOM_MANAGEMENT
bomnipotent_client role-permission list -r bom_manager -p BOM_MANAGEMENT
[INFO]
╭─────────────┬────────────────┬─────────────────────────╮
│ Role │ Permission │ Last Updated │
├─────────────┼────────────────┼─────────────────────────┤
│ bom_manager │ BOM_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
╰─────────────┴────────────────┴─────────────────────────╯
Add
Because roles without permissions are meaningless, the two always come in pairs. There is no dedicated mechanism to create a new role: rather, you add a permission to a role, and henceforth it exists.
The syntax to add a permission to a role is
bomnipotent_client role-permission add rick_role "PRODUCT_ACCESS(BOMnipotent)"
[INFO] Added permission PRODUCT_ACCESS(BOMnipotent) to role
You could, for example, consolidate the default permissions into two roles, “doc_manager” and “access_manager”:
bomnipotent_client role-permission add doc_manager BOM_MANAGEMENT;
bomnipotent_client role-permission add doc_manager CSAF_MANAGEMENT;
bomnipotent_client role-permission add doc_manager VULN_MANAGEMENT;
bomnipotent_client role-permission add access_manager ROLE_MANAGEMENT;
bomnipotent_client role-permission add access_manager USER_MANAGEMENT;
[INFO] Added permission BOM_MANAGEMENT to role
[INFO] Added permission CSAF_MANAGEMENT to role
[INFO] Added permission VULN_MANAGEMENT to role
[INFO] Added permission ROLE_MANAGEMENT to role
[INFO] Added permission USER_MANAGEMENT to role
If you have removed the default roles as described above, this leaves you with:
bomnipotent_client role-permission list
[INFO]
╭────────────────┬─────────────────┬─────────────────────────╮
│ Role │ Permission │ Last Updated │
├────────────────┼─────────────────┼─────────────────────────┤
│ access_manager │ ROLE_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ access_manager │ USER_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ doc_manager │ BOM_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ doc_manager │ CSAF_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ doc_manager │ VULN_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
╰────────────────┴─────────────────┴─────────────────────────╯
If the permission you want to add does not exist or is malformed, you will receive an error:
bomnipotent_client role-permission add clam_manager CLAM_MANAGEMENT
[ERROR] Received response:
422 Unprocessable Entity
Failed to parse permission: Invalid UserPermission string: CLAM_MANAGEMENT
Remove
To remove a permission from a role, simply call:
bomnipotent_client role-permission remove rick_role "PRODUCT_ACCESS(BOMnipotent)"
[INFO] Removed permission PRODUCT_ACCESS(BOMnipotent) from role rick_role
Once you have removed the last permission from a role, that role no longer exists.
To prevent oopsie-moments, BOMnipotent does not support deleting whole batches of role-permissions; each role-permission pair has to be removed individually.
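As an added example (not BOMnipotent's own code), the following Python script takes the table printed by `role-permission list` together with a desired role layout and derives the exact sequence of add and remove calls documented in this section, in a safe order: adds first, then one remove per pair, never touching the admin role, rejecting permission strings the server would refuse, and warning when a role is about to lose its last permission or when ROLE_MANAGEMENT would vanish from every role. The set of valid permission names, the three-column layout of the list output and the customer_acme role are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not BOMnipotent's own code. It assumes (unconfirmed by the
# docs) that the valid permissions are exactly the names shown on this page
# plus the parametric PRODUCT_ACCESS(<product>), and that `role-permission
# list` prints the three-column table Role / Permission / Last Updated.
FIXED_PERMISSIONS = {
    "BOM_MANAGEMENT", "CSAF_MANAGEMENT", "ROLE_MANAGEMENT",
    "USER_MANAGEMENT", "VULN_MANAGEMENT",
}
PRODUCT_ACCESS_RE = re.compile(r"^PRODUCT_ACCESS\(([^()\s]+)\)$")
BUILTIN_ROLES = {"admin"}  # lives in code, not the database; the server refuses changes

RolePerms = Dict[str, Set[str]]


def validate_permission(perm: str) -> str:
    """Return perm if it is well-formed, else raise like the server's 422 would."""
    if perm in FIXED_PERMISSIONS or PRODUCT_ACCESS_RE.match(perm):
        return perm
    raise ValueError(f"Invalid UserPermission string: {perm}")


def parse_list_output(text: str) -> RolePerms:
    """Turn the box-drawing table of `role-permission list` into {role: {perm}}."""
    current: RolePerms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│"):  # skip the [INFO] line and the borders
            continue
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) < 2 or cells[0] == "Role":  # header row
            continue
        current.setdefault(cells[0], set()).add(cells[1])
    return current


def plan_changes(current: RolePerms, desired: RolePerms) -> Tuple[List[str], List[str]]:
    """Return (CLI calls, warnings) that move the server from current to desired."""
    for role, perms in desired.items():
        if role in BUILTIN_ROLES:
            raise ValueError(f"Cannot modify {role} role permissions")
        if not perms:
            raise ValueError(f"role {role} would have no permissions and thus cannot exist")
        for perm in perms:
            validate_permission(perm)

    commands: List[str] = []
    warnings: List[str] = []
    # Adds first: a role exists as soon as it has one permission, and adding
    # before removing means nobody loses access before its replacement exists.
    for role in sorted(desired):
        for perm in sorted(desired[role] - current.get(role, set())):
            commands.append(f'bomnipotent_client role-permission add {role} "{perm}"')
    # Then one remove per pair; the CLI deliberately offers no batch deletion.
    for role in sorted(current):
        if role in BUILTIN_ROLES:
            continue
        stale = sorted(current[role] - desired.get(role, set()))
        for perm in stale:
            commands.append(f'bomnipotent_client role-permission remove {role} "{perm}"')
        if stale and not desired.get(role):
            warnings.append(f"{role} loses its last permission and will cease to exist")
    # Lock-out check: without ROLE_MANAGEMENT somewhere, only admin can manage roles.
    if not any("ROLE_MANAGEMENT" in perms for perms in desired.values()):
        warnings.append("no role keeps ROLE_MANAGEMENT; only the admin role could manage roles afterwards")
    return commands, warnings


# Constructed sample: the default roles as `role-permission list` shows them.
SAMPLE_LIST_OUTPUT = """\
[INFO]
╭──────────────┬─────────────────┬─────────────────────────╮
│ Role         │ Permission      │ Last Updated            │
├──────────────┼─────────────────┼─────────────────────────┤
│ bom_manager  │ BOM_MANAGEMENT  │ 2025-01-01 10:11:12 UTC │
│ csaf_manager │ CSAF_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ role_manager │ ROLE_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ user_manager │ USER_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
│ vuln_manager │ VULN_MANAGEMENT │ 2025-01-01 10:11:12 UTC │
╰──────────────┴─────────────────┴─────────────────────────╯
"""

# Target layout from the docs, plus a hypothetical customer role with product access.
DESIRED_LAYOUT: RolePerms = {
    "doc_manager": {"BOM_MANAGEMENT", "CSAF_MANAGEMENT", "VULN_MANAGEMENT"},
    "access_manager": {"ROLE_MANAGEMENT", "USER_MANAGEMENT"},
    "customer_acme": {"PRODUCT_ACCESS(BOMnipotent)"},
}

if __name__ == "__main__":
    commands, warnings = plan_changes(parse_list_output(SAMPLE_LIST_OUTPUT), DESIRED_LAYOUT)
    print("\n".join(commands))
    for warning in warnings:
        print(f"# WARNING: {warning}")
```

Run against the sample it reproduces the migration from the default roles to doc_manager and access_manager shown above (six adds, then five removes). Review the printed warnings before piping the commands into a shell; running the script a second time against the resulting layout yields an empty plan.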
Existence
The "exists" subcommand checks whether at least one object on the server matches the given filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.
Depending on the output mode, the client prints:
- normal mode: a sentence including the number of found objects.
- code mode: the string "200" if at least one item was found, or "404" if none were found.
- raw mode: the string "true" if at least one item was found, or "false" if none were found.
bomnipotent_client role-permission exists --role=bom_manager
bomnipotent_client role-permission exists -r bom_manager
[INFO] Yes, the server contains 1 role permissions matching the filters.