This section is aimed at managers of some part of a BOMnipotent system. A manager in this context means a user account that has the permissions to upload or modify supply chain security documents, or to manage access permissions of other users.
Most actions that add data to your BOMnipotent database require an active subscription, while reading and removing data do not. This policy ensures that your users do not loose access to the existing data should you one day choose to stop paying for the product.
Commercial entities like companies can acquire a subscription on bomnipotent.de . If you are a non-commercial entity, you can use BOMnipotent without any charge. Request access by sending an email to info@wwh-soft.com .
This page describes how you can use BOMnipotent Client and your subscription key to (de)activate an instance of BOMnipotent Server. The subscription itself, meaning payment, validation and trialing are all handled by the external company Paddle. Describing the management of these aspects would be beyond the scope of this documentation. Please refer to their help page if you require assistance.
Shortly after you have acquired a subscription, you will receive an email containing your subscription key.
Subscriptions can only be managed by a user with the “admin” role.
To activate your new subscription, simply call:
bomnipotent_client subscription activate <YOUR-SUBSCRIPTION-KEY>[INFO] Successfully stored subscription key.The server will tell you if something goes wrong during activation:
[ERROR] Received response:
404 Not Found
Failed to activate subscription key: The subscription is missing in the sever database. Please visit https://www.wwh-soft.com to acquire it.To get more information about your current subscription, call:
bomnipotent_client subscription statusโญโโโโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Key โ Product โ Subscription Status โ Valid Until โ Last Updated โ Assessment โ
โโโโโโโโโโโโผโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ ***ccfb3 โ BOMnipotent โ active โ 2025-04-10 17:26:29 UTC โ 2025-03-10 16:26:29 UTC โ The subscription is valid โ
โ โ โ โ โ โ . โ
โฐโโโโโโโโโโโดโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏThis output contains an obfuscated print of your key, a status, and some additional information.
If you want to remove your subscription from an instance of BOMnipotent Server (because you for example want to use it for another instance), call
bomnipotent_client subscription remove <YOUR-SUBSCRIPTION-KEY>[INFO] Subscription key was removedTo avoid accidently deactivating a BOMnipotent Server instance that you have admin access to, this requires the correct key as an argument.
[ERROR] Received response:
403 Forbidden
Subscription key does not match stored keyBOMnipotent knows two types of supply chain security documents: Bills of Materials (BOMs) and Common Security Advisory Format (CSAF) documents. In addition, it can host information on vulnerabilities associated with a BOM.
A typical document management workflow looks like this:
Bills of Materials stand at the forefront of both BOMnipotents functionality and name. A BOM is a list of all components that make up a product. In the context of cybersecurity, the most prominent variant is the Software Bill of Materials (SBOM), but BOMs allow for more general considerations as well.
For BOM interactions beyond reading, you need the BOM_MANAGEMENT permission. The section about Access Management describes how it is granted.
To upload a BOM, call:
bomnipotent_client bom upload <PATH/TO/BOM>BOMnipotent expects its BOMs in the structured CycloneDX JSON format.
Consult the Syft tutorial to learn how to generate a BOM for your product.
The BOMnipotent Client will read the file at the provided path and upload its content. It can then be viewed by the consumers with appropriate permissions.
BOMs for Consumers describes how to list and download the BOMs on the server.
To add a BOM to the database, the BOMnipotent Client has to have some additional information: a name, a version, and optionally a TLP label. The identifiers name and version can either be inferred (recommended), or overwritten, as described below.
BOMnipotent uses name and version to identify a BOM. It tries to infer these from the provided CycloneDX JSON fields “metadata.component.name” and “metadata.component.version”. However, according to the CycloneDX specification , the metadata.component field is optional.
If no version is specified, BOMnipotent instead uses the date of “metadata.timestamp”, if available.
To avoid any complications, it is recommended that you specify a name and version when generating the BOM, as is shown in the Syft tutorial .
If for some reason your BOM lacks a name or version, or if it is incorrect, the BOMnipotent Client offers to remedy that via command line arguments:
bomnipotent_client bom upload <PATH/TO/BOM> --name-overwrite=<NEW-NAME> --version-overwrite=<NEW-VERSION>bomnipotent_client bom upload <PATH/TO/BOM> -n <NEW-NAME> -v <NEW-VERSION>Important: The BOMnipotent Client will in this case modify the data before sending it to the server. It does not modify the local file, as that would be overstepping. This means that your local file and the data on the server are now out-of-sync. What’s maybe worse, if you signed your BOM, your signature is now invalid.
If you do use this option, it is thus recommended that you immediately download the BOM from the server (as described in BOMs for Consumers ) and replace your local file with the result.
For consumers, BOMnipotent manages access to data using the Traffic Light Protocol (TLP) . The CycloneDX Format on the other hand does not currently support document classification.
To tell BOMnipotent how to classify a document, you have two options:
bomnipotent_client bom upload <PATH/TO/BOM> --tlp=<LABEL>bomnipotent_client bom upload <PATH/TO/BOM> -t <LABEL>If you do neither, BOMnipotent will treat any unclassified documents as if they were labelled TLP:RED, and will log a warning every time it has to do that.
In the simplest case, modifying an existing BOM works very much like uploading a new one.
bomnipotent_client bom modify <PATH/TO/BOM>This will infer the name and version from the document, and overwrite the existing content on the server. If the data does not exist on the server, it will return a 404 Not Found error.
If a TLP label had previously been assigned to the BOM, a modification of the contents will not automatically alter it.
If you want to specify a new TLP label, you can do so via argument:
bomnipotent_client bom modify <PATH/TO/BOM> --tlp=<LABEL>bomnipotent_client bom modify <PATH/TO/BOM> -t <LABEL>If the contents of the BOM have not changed and you just want to modify the TLP label, you do not need to upload the document again. Instead of providing a path to a file, you can specify name and version of the BOM you want to reclassify:
bomnipotent_client bom modify --name=<NAME> --version=<VERSION> --tlp=<LABEL>bomnipotent_client bom modify -n <name> -v <version> -t <label>If you specify “none”, “default” or “unlabelled” as the TLP label, any existing classification will be removed, and the server falls back to the default TLP Label of the server config:
bomnipotent_client bom modify <PATH/TO/BOM> --tlp=none
bomnipotent_client bom modify <PATH/TO/BOM> --tlp=default # Does the same
bomnipotent_client bom modify <PATH/TO/BOM> --tlp=unlabelled # Does the samebomnipotent_client bom modify <PATH/TO/BOM> -t none
bomnipotent_client bom modify <PATH/TO/BOM> -t default # Does the same
bomnipotent_client bom modify <PATH/TO/BOM> -t unlabelled # Does the sameIf the document you are uploading has a different name or version than the data it shall modify, you need to provide that information to the BOMnipotent Client using command line arguments:
bomnipotent_client bom modify <PATH/TO/BOM> --name=<OLD-NAME> --version=<OLD-VERSION>bomnipotent_client bom modify <PATH/TO/BOM> -n <OLD-NAME> -v <OLD-VERSION>BOMnipotent will infer the new data from the document you provide and change the database entries accordingly.
As with uploading, it is possible to overwrite the name and/or version stored in the local document:
bomnipotent_client bom modify <PATH/TO/BOM> --name-overwrite=<NEW-NAME> --version-overwrite=<NEW-VERSION>Important: As with uploading, this modifies the JSON data before uploading to the server! The same caveats apply.
If the data on the server has a different name and/or version than specified in the document, you can combine the specification with an overwrite of the data:
bomnipotent_client bom modify <PATH/TO/BOM> --name=<OLD-NAME> --version=<OLD-VERSION> --name-overwrite=<NEW-NAME> --version-overwrite=<NEW-VERSION>bomnipotent_client bom modify <PATH/TO/BOM> -n <OLD-NAME> -v <OLD-VERSION> --name-overwrite=<NEW-NAME> --version-overwrite=<NEW-VERSION>Changing name and/or version without providing the complete document is not supported.
Deleting a BOM is very straightforward:
bomnipotent_client bom delete <NAME> <VERSION>If the BOM does not exist, the server will return 404 Not Found. If it does exists, it is removed from the database.
An activity at the core of supply chain security is to compare the contents of a BOM, meaning all components of a product, to databases of known vulnerabilities.
For vulnerability interactions beyond reading, you need the VULN_MANAGEMENT permission. The section about Access Management describes how it is granted.
BOMnipotent does not itself detect new vulnerabilities. One tool that can be used in combination with BOMnipotent is grype , which takes a BOM as input and produces a list of vulnerabilities as output. The grype tutorial contains some additional information on its usage. Other tools can be used as long as they provide output in CycloneDX JSON format .
Using the BOMnipotent Client, you can directly print the contents of a BOM and pipe it to grype.
bomnipotent_client bom get <BOM-NAME> <BOM-VERSION> | grype --output cyclonedx-json=./vuln.cdx.jsonbomnipotent_client bom get <BOM-NAME> <BOM-VERSION> | grype -o cyclonedx-json=./vuln.cdx.jsonThis will check the software components agains several databases and add the result to the CycloneDX. It then stores all that in a file called “vuln.cdx.json” (or whichever other name you provide).
Grype currently has a small known bug that makes it forget the version of the main component when it adds the vulnerabilities. This is a bit problematic because BOMnipotent needs the version to uniquely identify a product. One possible workaround is to re-add the version to the document, for example via
jq '.metadata.component.version = "<VERSION>"' "vuln.cdx.json" > "vuln_with_version.cdx.json". Starting with BOMnipotent v0.3.1 you can instead directly provide the version during the vulnerability upload, as described below.
The command to update the vulnerabilities associated with a BOM is
bomnipotent_client vulnerability update <VULNERABILITIES>[INFO] Updated vulnerabilities of BOM vulny_0.1.0The “<VULNERABILITIES>” argument needs to be a path to a file in CycloneDX JSON format.
Ideally, this file contains the name and version of the associated BOM, in which case they will automatically be read. If one of the values is missing (due to a known bug in grype, for example), you can provide it with an optional argument:
bomnipotent_client vulnerability update <VULNERABILITIES> --name=<NAME> --version=<VERSION>bomnipotent_client vulnerability update <VULNERABILITIES> -n <NAME> -v <VERSION>[INFO] Updated vulnerabilities of BOM BOMnipotent_1.0.0Vulnerabilities are meant to updated periodically. Doing so will completely replace any previous vulnerabilities associated a BOM. The uploaded CycloneDX document thus needs to contain a full list of all known vulnerabilities.
You can only update vulnerabilities for a BOM that exists on the server:
[ERROR] Received response:
404 Not Found
BOM Schlagsahne_1.0.1 not found in databaseThe section about listing vulnerabilities in the documentation for consumers covers most aspects of listing vulnerabilities.
One aspect not mentioned there is the “–unassessed” option. With it, BOMnipotent Client lists only those vulnerabilities that have no CSAF document associated with it.
bomnipotent_client vulnerability list --unassessedbomnipotent_client vulnerability list -uโญโโโโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโฎ
โ Product โ Version โ Vulnerability โ Description โ Score โ Severity โ TLP โ CSAF Assessment โ
โโโโโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโค
โ BOMnipotent โ 1.0.0 โ GHSA-qg5g-gv98-5ffh โ rustls network-reachable โ โ medium โ Default โ โ
โ โ โ โ panic in `Acceptor::accep โ โ โ โ โ
โ โ โ โ t` โ โ โ โ โ
โ vulny โ 0.1.0 โ GHSA-qg5g-gv98-5ffh โ rustls network-reachable โ โ medium โ Default โ โ
โ โ โ โ panic in `Acceptor::accep โ โ โ โ โ
โ โ โ โ t` โ โ โ โ โ
โฐโโโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโโฏ
[ERROR] Found 2 unassessed vulnerabilities.In this mode, BOMnipotent Client exits with a code indicating an error if and only if there are unassessed vulnerabilites. This makes it easy to integrate this call in your periodic CI/CD.
You can freely combine this option with specifying a product name or version:
bomnipotent_client vulnerability list <NAME> <VERSION> --unassessedbomnipotent_client vulnerability list <NAME> <VERSION> -u[INFO] No unassessed vulnerabilities foundA Common Security Advisory Format (CSAF) document is a vendor’s response to a newly discovered vulnerability. It is a machine-readable format to spread information on how a user of your product should react: Do they need to update to a newer version? Do they need to modify a configuration? Is your product even truly affected, or does it maybe never call the affected part of the vulnerable library?
For CSAF interactions beyond reading, you need the CSAF_MANAGEMENT permission. The sectino about Access Management describes how it is granted.
To upload a CSAF document, call
bomnipotent_client csaf upload <PATH/TO/CSAF>[INFO] Uploaded CSAF with id WID-SEC-W-2024-3470Before your CSAF document is uploaded, BOMnipotent Client checks that it is valid according to the OASIS CSAF Standard .
You can view the result of the operation with
bomnipotent_client csaf listโญโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโฎ
โ ID โ Title โ Initial Release โ Current Release โ Status โ TLP โ
โโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโค
โ WID-SEC-W-2024-3470 โ binutils: Schwachstelle e โ 2024-11-14 23:00:00 UTC โ 2024-11-17 23:00:00 UTC โ final โ TLP:WHITE โ
โ โ rmรถglicht Denial of Servi โ โ โ โ โ
โ โ ce โ โ โ โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโฏAll data is taken from the CSAF document.
If the document does not have the optional TLP label entry, it is treated with the default tlp configured for the server.
...โฌโโโโโโโโโฌโโโโโโโโโโฎ
...โ Status โ TLP โ
...โผโโโโโโโโโผโโโโโโโโโโค
...โ final โ Default โ
...โดโโโโโโโโโดโโโโโโโโโโฏWhen the status of your document changes, if you want to reclassify it, or if new information has come to light, you may want to modify your document. To upload the new version, call:
bomnipotent_client csaf delete <PATH/TO/CSAF>[INFO] Modified CSAF with id BSI-2024-0001-unlabeledThe command can even modify the ID of the CSAF document. Because the old ID cannot be inferred from the new document in that case, it has to be provided as an optional argument:
bomnipotent_client csaf delete <PATH/TO/CSAF> --id=<OLD-ID>bomnipotent_client csaf delete <PATH/TO/CSAF> -i <OLD-ID>To delete a CSAF document from your server (which you should really only do if something went completely wrong), simply call:
bomnipotent_client csaf delete <CSAF-ID>[INFO] Deleted CSAF with id WID-SEC-W-2024-3470Supply chain security documents are the what of BOMnipotent, users are the who. Unless you explicitly state otherwise, the hosted documents are only visible to those user accounts you grant access to.
BOMnipotent uses role-based access control (RBAC): Users have roles, and roles have permissions . After setup, BOMnipotent contains a few default roles. These are sufficient for managing the server, but to start accepting user request, you will probably want to create at least one new role.
Once that is done, a typical workflow for introducing a new user to your BOMnipotent system is as follows:
In BOMnipotent, permissions are not directly associated with user accounts, but rather with roles. The section about role management covers how this association is managed, and the section about role assignment explains how roles (and thus ultimately permissions) are assigned to users.
The server has several permissions embedded in its code, some of which are hardcoded, some of which are configurable, and all of which are explained here. To learn how to actually create a permission associated with a role, please refer to the section dedicated to exactly that topic.
The permissions can mentally be split into permissions associated with consumers , managers , and some special tasks reserved for admins.
Your customers are typically associated with one or more of your products. They will want to view all types of documents and information for that particular product, but they are not automatically entitled to information about other products.
A permission with the value “PRODUCT_ACCESS(<PRODUCT>)” grants read permissions to any document associated with “<PRODUCT>”. This includes any BOM for that product, any vulnerabilities associated with these BOMs, and any CSAF documents covering this product.
For example, a role with the “PRODUCT_ACCESS(BOMnipotent)” could view (and only view) all documents associated with BOMnipotent.
It is possible to use the asterisk operator “*” to glob product names. In that case, the asterisk matches an arbitrary number of symbols. For example, the permission “PRODUCT_ACCESS(BOM*ent)” would match “BOMnipotent” as well as the (fictional) products “BOMent” and “BOM-burรกrum-ent”, but not “BOMtastic” (because the latter does not end on “ent”).
Consequently, “PRODUCT_ACCESS(*)” allows the viewing of all documents.
For managers of documents, the situation is usually reversed: They need the permission to not only view but also modify the contents in the database. Their scope is typically not restricted to a specific product, but instead to a specific type of document. This is why the segregation of manager permissions takes another perspective.
This permission allows the uploading, modifying and deleting of Bills of Materials (BOMs). It also automatically grants permission to view all hosted BOMs.
This permission allows to update and view the list of vulnerabilities associated with any BOM.
Unsurprisingly, this permission allows the uploading, modifying and deleting of Common Security Advisory Format (CSAF) documents. It also automatically grants view permissions to all hosted CSAF documents.
With this permission, a user can modify the permissions of roles, which can have far reaching consequences, because the changes potentially affect many users.
This permission is required to approve, deny or view users, or to individually assign roles to them.
BOMnipotent knows one hardcoded special role called “admin”. This role always has all permissions that can be given to users. Additionally, there are some tasks that can only be done by a user with the admin role:
BOMnipotent uses a role-based access model (RBAC), in which users are associated with roles, and roles with permissions. While permissions are largely hardcoded into BOMnipotent, roles can be managed (almost) freely. This section explains how to do that.
To modify or even view roles and their permissions, your user account needs the ROLE_MANAGEMENT permission.
When you spin up your BOMnipotent Server for the first time, it creates several colourfully named default roles in the database:
You can modify or delete these roles at will, they are merely suggestions.
If you do not like these roles, use the following calls to delete them:
bomnipotent_client role-permission remove bom_manager BOM_MANAGEMENT;
bomnipotent_client role-permission remove csaf_manager CSAF_MANAGEMENT;
bomnipotent_client role-permission remove role_manager ROLE_MANAGEMENT;
bomnipotent_client role-permission remove user_manager USER_MANAGEMENT;
bomnipotent_client role-permission remove vuln_manager VULN_MANAGEMENT;There is a special role called “admin”, which is not listed among the other roles. The reason is that it is not part of the database, but of the BOMnipotent code itself. As such, it cannot be modified.
bomnipotent_client role-permission remove admin BOM_MANAGEMENTbomnipotent_client role-permission add admin "PRODUCT_ACCESS(BOMnipotent)"[ERROR] Received response:
422 Unprocessable Entity
Cannot modify admin role permissionsThe admin role has all permissions that can be granted, and then some more .
To list all roles and their associated permissions, call:
bomnipotent_client role-permission listโญโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Role โ Permission โ Last Updated โ
โโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ bom_manager โ BOM_MANAGEMENT โ 2025-03-20 10:38:27.29648 โ
โ โ โ 0 UTC โ
โ csaf_manager โ CSAF_MANAGEMENT โ 2025-03-20 10:38:27.29695 โ
โ โ โ 2 UTC โ
โ role_manager โ ROLE_MANAGEMENT โ 2025-03-20 10:38:27.29621 โ
โ โ โ 3 UTC โ
โ user_manager โ USER_MANAGEMENT โ 2025-03-20 10:38:27.29562 โ
โ โ โ 0 UTC โ
โ vuln_manager โ VULN_MANAGEMENT โ 2025-03-20 10:38:27.29671 โ
โ โ โ 9 UTC โ
โฐโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏBecause roles without permissions are meaningless, the two always come in pairs. There is no dedicated mechanism to create a new role: rather, you add a permission to a role, and henceforth it exists.
The syntax to add a permission to a role is
bomnipotent_client role-permission add <ROLE> <PERMISSION>[INFO] Added permission BOM_MANAGEMENT to roleYou could for example unify several permissions into the roles “doc_manager” and “access_manager”:
bomnipotent_client role-permission add doc_manager BOM_MANAGEMENT;
bomnipotent_client role-permission add doc_manager CSAF_MANAGEMENT;
bomnipotent_client role-permission add doc_manager VULN_MANAGEMENT;
bomnipotent_client role-permission add access_manager ROLE_MANAGEMENT;
bomnipotent_client role-permission add access_manager USER_MANAGEMENT;If you have removed the default roles as described above, this leaves you with:
bomnipotent_client role-permission listโญโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Role โ Permission โ Last Updated โ
โโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ access_manager โ ROLE_MANAGEMENT โ 2025-03-20 11:05:42.06443 โ
โ โ โ 7 UTC โ
โ access_manager โ USER_MANAGEMENT โ 2025-03-20 11:04:57.51274 โ
โ โ โ 7 UTC โ
โ doc_manager โ BOM_MANAGEMENT โ 2025-03-20 11:05:55.15986 โ
โ โ โ 0 UTC โ
โ doc_manager โ CSAF_MANAGEMENT โ 2025-03-20 11:05:50.92466 โ
โ โ โ 9 UTC โ
โ doc_manager โ VULN_MANAGEMENT โ 2025-03-20 11:05:47.35620 โ
โ โ โ 9 UTC โ
โฐโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏIf the permission you want to add does not exist or is malformed, you will receive an error:
bomnipotent_client role-permission add clam_manager CLAM_MANAGEMENT[ERROR] Received response:
422 Unprocessable Entity
Failed to parse permission: Invalid UserPermission string: CLAM_MANAGEMENTTo remove a permission from a role, simply call:
bomnipotent_client role-permission remove <ROLE> <PERMISSION>[INFO] Removed permission VULN_MANAGEMENT from role vuln_managerOnce you have removed the last role from a permission, that role does no longer exist.
To prevent oopsie-moments, BOMnipotent does not support deleting whole batches of role-permissions.
The first step when creating a new user is to request a new account. This step is described elsewhere , because it is relevant for managers and consumers alike.
From BOMnipotent’s point of view, a user is associated with a unique email address, which is used as an identifier, and a public key, which is used for authentication. This is all the data sent during the creation of a new user account.
After a new account has been requested, it is up to a user manager to approve or deny the request.
For most user interactions, including listing, you need the USER_MANAGEMENT permission.
To list all users in your database, call
bomnipotent_client user listโญโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ User Email โ Status โ Expires โ Last Updated โ
โโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ admin@wwh-soft.com โ APPROVED โ 2026-03-23 04:51:26 UTC โ 2025-03-22 04:51:26 UTC โ
โ info@wildeheide.de โ REQUESTED โ 2026-03-23 03:52:21 UTC โ 2025-03-22 03:52:21 UTC โ
โฐโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโฏYou can see the email addresses of the users and their stati.
A user that does not have the status APPROVED has no special permissions, no matter which roles they have.
An expiration date is also associated with each user, which is the point in time at which the public key is considered invalid and has to be renewed. The period for which a key is considered valid can be freely configured in the server config.
If you were expecting the user request, you can approve it via
bomnipotent_client user approve <EMAIL>[INFO] Changed status of info@wildeheide.de to APPROVEDAnalogously, you can decide agains allowing this user any special access:
bomnipotent_client user deny <EMAIL>[INFO] Changed status of info@wildeheide.de to DENIEDIt is possible to deny a user that has already been approved, effectively revoking the account.
If you want to get rid of a user account alltogether, call
bomnipotent_client user remove <EMAIL>[INFO] Deleted user info@wildeheide.deRoles are what connects users to permissions. Adding or removing roles to and from users indirectly controls to what extend users can interact with your BOMnipotent Server instance.
For your convenience, several default roles are created upon starting BOMnipotent Server for the first time. In addition, BOMnipotent knows of the admin role , which receives some special treatment.
To modify or even view user roles, your user account needs the USER_MANAGEMENT permission.
To list all roles of all users, call
bomnipotent_client user-role listโญโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ User Email โ User Role โ Last Updated โ
โโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ info@quantumwire โ bom_manager โ 2025-03-22 04:27:33.71579 โ
โ โ โ 7 UTC โ
โ info@wildeheide โ bom_manager โ 2025-03-22 04:26:08.83708 โ
โ โ โ 3 UTC โ
โฐโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏTo add a new role to a user, call
bomnipotent_client user-role add <EMAIL> <ROLE>[INFO] Added role to userThe user account needs to exist on the server at this point, the role does not.
Only users with the admin role can add the admin role to other users.
To remove a role from a user, call
bomnipotent_client user-role remove <EMAIL> <ROLE>[INFO] Removed role bom_manager from user info@wildeheideThis will show an error if either does not exist:
[ERROR] Received response:
404 Not Found
User with email info@wildeheide does not have role bom_managerOnly users with the admin role can remove the admin role from other users.