Organizations
Organizations are used to share your API Targets and Run results with other users. You may belong to any number of Organizations. As an Organization owner, you can invite others to join you and create service accounts to integrate Mayhem for API into your DevOps pipeline.
When you sign up you will be prompted to create a new Organization. You will be the Owner of this Organization.
Authorization
Mayhem for API implements a form of Role Based Access Control (RBAC).
All resources are scoped to an Organization. API Targets, for example, are assigned to one, and only one, Organization. In order to view an API Target, you must belong to the same Organization as that API Target (unless the Target has been marked as "public").
Access to Organization resources is controlled with roles.
Owner
: Organization Owners have full control over Organizations, Members and API Targets
Member
: Organization Members may create API Targets and view Job results, but may not manage other members.
Action | Owner | Member |
---|---|---|
Organization Settings | - | - |
Create organization invitation | ✔ | |
Remove member | ✔ | ( ✔ can remove self ) |
Create Service Accounts | ✔ | |
Change Member Roles | ✔ | |
API Target Settings | - | - |
Create Target | ✔ | ✔ |
Update Target | ✔ | |
Delete Target | ✔ | |
Change Target Settings | ✔ | |
Change Target access | ✔ | |
Jobs | - | - |
Scan an API | ✔ | ✔ |
View Jobs | ✔ | ✔ |
Delete Jobs | ✔ | ✔ |
You can change the roles of Organization members with the mapi organization set-role command or from your Organization Settings page.
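The access rules above (Organization scoping, the "public" exception, the Owner/Member table and the one Member exception for removing oneself) as a small policy model, written as an added example and not Mayhem's own code; the action names, role strings and data classes are assumptions chosen to mirror the table:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Action names are assumptions mirroring the permission table on this page.
OWNER_ONLY = {
    "create_invitation", "remove_member", "create_service_account",
    "change_member_role", "update_target", "delete_target",
    "change_target_settings", "change_target_access",
}
ANY_MEMBER = {"create_target", "scan_api", "view_jobs", "delete_jobs"}


@dataclass
class Org:
    name: str
    roles: Dict[str, str] = field(default_factory=dict)  # principal -> "Owner" | "Member"


@dataclass
class Target:
    name: str
    org: str
    public: bool = False


def allowed(org: Org, principal: str, action: str, subject: Optional[str] = None) -> bool:
    """True if `principal` may perform `action` in `org`.

    Service accounts are plain Members, so they fall under the Member rules.
    `subject` is the member an action is aimed at (used for remove_member).
    """
    role = org.roles.get(principal)
    if role is None:
        return False                      # non-members get nothing
    if action in ANY_MEMBER:
        return True
    if action in OWNER_ONLY:
        if role == "Owner":
            return True
        # the single Member exception in the table: a Member may remove itself
        return action == "remove_member" and subject == principal
    return False                          # unknown action: deny by default


def can_view_target(orgs: Dict[str, Org], principal: Optional[str], target: Target) -> bool:
    """Targets are visible only to members of their Organization unless public."""
    if target.public:
        return True                       # public targets: anyone, even unauthenticated
    org = orgs.get(target.org)
    return org is not None and principal in org.roles
```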
Inviting others to join your Organization
From your Browser
As an organization owner, you can send an email invitation to your organization directly from your browser. Navigate to the Members tab on your Organization page and hit the Invite button to send an invitation to any email recipient that you wish to join your Organization.
From the mapi CLI
Organization Owners can create a new invitation with the mapi organization invite command using the name of their Organization.
Invitations are only valid for one claim and will expire after two days by default. You can extend the number of claims and the duration with the --max-claims and --expiration-min options respectively. For example:
mapi organization invite --max-claims 5 --expiration-min 2880 my-organization
This will present you with a message that you can send to whomever you would like to invite to your Organization via Email/Slack/SMS/etc:
A new invitation has been created for organization <your-organization>>!
Up to 1 user(s) can join the organization by going to 'https://mayhem4api.forallsecure.com/join/uGb79...'.
The invitation link is valid for 1 day.
Anyone that accepts your invite will join with the Member role.
Service Accounts
Organization owners may create service accounts for accessing the API as part of automation to avoid using API Tokens from individual accounts. You may create as many service accounts as you require in your organization.
Service accounts do not count toward developer count for the purpose of billing.
To create a new service account, use the mapi CLI:
mapi organization service-account create <my-organization> <service-account-name>
The service account will be added to your organization, and an API token will be presented once. You must record this token, as it will not be shown again.
New Service Account named '<service-account-name>' created! A new API token has been
created.
SWOJg...
You can use this token in the environment variable, MAPI_TOKEN, to access
the API Fuzzer API as the Service Account. We will not display this value
again.
You may now use the API token presented in the response to access targets and run fuzzing jobs in your Organization.
Removing a Service Account
To delete a service account (and invalidate its API Token) you must remove the account from your organization. Find the ID of your service account by listing organization members:
mapi organization list-members <my-organization>
ID Name Role
1 foo Owner
2 bar Member
3 <service-account> Member <<<<<
Now remove the service account from your organization:
mapi organization remove-member <my-organization> <service-account-id>
Successfully removed Organization '<my-organization>>' member '3'!
Target Access Control
By default, Targets are only visible to members of their Organization. Organization owners can make targets publicly visible to unauthenticated visitors and members of other organizations by changing the Access Control setting of a Target from "Private" to "Public".