Users and organizations

All users in 42Crunch API Security Platform have a user account that allows them to access the platform, its services, and resources that have been allocated to them. All users are properly authenticated and their authorization checked when they log in on the platform. For auditing purposes, the actions users take on the platform are logged with their user IDs. This way, harmful user actions can be traced back to the compromised user account and the account locked to prevent any further damage.

User accounts

There are two types of user accounts in 42Crunch Platform, community users and business users. You can check which one your account is based on the organization it belongs to: all community users belong to the free Community organization.

All users can manage their own account settings.

Users cannot change their username (the email address they use to log in to the platform) or the organization they belong to.

Community users

Community users can sign up for a free account to platform at platform.42crunch.com. You can self-register using existing GitHub, Google, or Azure account, or create a separate account on the login page of the platform.

The accounts of all community users belong to the free Community organization that is managed by 42Crunch.

Some features of the platform may have limitations for community users or might not be available at all. However, you can upgrade to business user and choose a suitable subsciption plan for your needs at any time.

Business users

Business users are onboarded to the platform.

For businesses, 42Crunch creates a dedicated organization for the company in questions as well as an account for an organization administrator. It is the organization administrator who then onboards the rest of the users to the organization. All onboarded accounts belong to the organization of the company.

Business users can use all the features in the platform. The subscription plan (Teams or Enterprise) may impose limits to things like number of users or APIs in an organization. Again, the subscription plan may be upgraded at any time.

Permissions

Access to some functions in 42Crunch Platform, like running API Conformance Scan or sharing API collections, is controlled with permissions. To be able to perform the action, your user account must have permission to do so. What you can do by default depends on the type of your account:

  • If you are a self-registered user in the free community organization, by default you cannot run Conformance Scan in 42Crunch Platform or share API collections. You can still run Conformance Scan on premises. For more details, see API Conformance Scan.
  • If you are an organization administrator, you have all permissions by default.
  • If you are an onboarded user in the organization of a specific company but not an organization administrator, your default permissions depend on what your organization administrator has defined for you.

The permissions are managed by organization administrators. If you need a permission you do not currently have, contact your organization administrator.

If you are an organization administrator and want to see who can do what in your organization, you can search users by permission. For more details, see Manage user permissions.

Organizations

In 42Crunch Platform, both users and resources always belong to organizations that are managed by organization administrators.

When an user account is created, it is always created in an organization. The resources (API collections and APIs) users create or import also belong to the same organization as them. Both accounts and resources can only belong to one organization that cannot be changed.

Sharing API collections is also done at the organization level: when you share an API collection, you can choose who in your organization can view or edit the APIs in it.

For self-registered users in the community organization, 42Crunch is the organization administrator. For businesses, 42Crunch creates an organization and an organization administrator account.

Organization administrators

In addition to their own account, organization administrators can manage other users in their organizations, onboard the rest of the users in their company that need an account to the platform, and manage the subscription plan of their organization.

A screenshot showing User Management tab from the account settings.

Organization administrators can:

  • Add or delete user accounts in their organization
  • Promote users to organization administrators
  • Force password reset for a user account
  • Lock a user account that shows suspicious or harmful activity.

Organization administrators can see how many collections and APIs each user in their organization has. Organization administrators can also manage all API collections in their organization, and create a scan configuration and run Conformance Scan on premises on any APIs in their organization.

Organization administrators have access to view and modify all API collections in their organization. This means that all API collections in an organization are visible to all organization administrators like the collections were their own, both on the API Collections page and in the monitoring dashboards. If an organization has several API collections, we recommend using more descriptive collection names that just organization and company name to be able to tell all collections apart.

To ensure that an organization always has at least one organization administrator, organization administrators cannot lock or delete their own account, nor can they remove their administrative rights. However, they can still do this to other organization administrators in their organization.

Teams

Users in an organization are grouped into teams that have access to API collections shared with them. By default, each organization always has a team that includes everyone in that organization. In addition, organization administrators can create other teams for specific groups of users.

Teams are not available in the free community organization.

An example screenshot showing a sample team with two users, one of whom is the team leader.

Each team has a number of team members and a team leader. Team members can view who is in their teams, but cannot edit the team in any way. Team leaders can add or remove users from their team, but cannot change the name of the team or the team leader. Only organization administrators can change team name, the team leader, or remove a team from the organization.

Because a team must always have a team leader, team leaders cannot be removed from their teams. Organization administrators must first set another user as the team leader.

In addition to sharing API collections with individual users, collections can also be shared with whole teams at one go. When you share an API collection, you can choose which team or users you want to share it with. You can also give different access rights to your collection for different groups.

An example screenshot on editing the sharing of an API collection. The collection has been shared with one user and one team. The user has been granted Read/Write access to the collection, but the team only has Read-Only access to it.

Removing a team from the organization does not delete the user accounts of the team members, but it does remove their access to API collections shared with that specific team.

Single sign-on integration for businesses

42Crunch Platform uses OpenID Connect (OIDC) for single sign-on (SSO). Companies on the Enterprise plan can integrate the platform with their SSO solution and employees of the company log in to the platform using their work emails. Companies can also still create non-SSO accounts when needed, for example, for consultants external to the company.

Self-registering with a work email can be enabled, so that employees can create their accounts themselves, or it can be switched off completely. In this case, employees must either be onboarded or invited to the platform.

Signing in to the platform with a 3rd-party account (social login) is switched off by default.

When SSO is enabled, employees of the company that try to log in with any other option than the Enterprise SSO will fail to access the platform. Employees must only log in through SSO. Employees cannot change their passwords in 42Crunch Platform.

If you are interested in integrating 42Crunch Platform with your SSO solution, or you would like to change your existing integration with us, contact our support or your 42Crunch account manager.

Invitations

By default, new users are either added when they self-register to the platform, or when organization administrators manually create accounts for them. But there is a third way: with user invitations, organization administrators can invite people to join their organization.

An example screenshot of the invitation dialog

When you invite users to join your organization, you predefine some settings for their user accounts, such as permissions, and whether they are organization administrators, just like when you manually create an account. When a user follows the invitation to log in to the platform, the user account is created in your organization.

There are two ways to invite people to your organization:

  • Email: An invitation mail with a client token is send to the email address of your user. This saves you the trouble of having to send a notification mail with the account details yourself. The email address also becomes the username of that user, because the client token is only valid for that email. This is the default and more secure option.
  • Link: An invitation link with a client token is generated and you can copy and share it to your user as you want. Anyone with a valid invitation link can log in to the platform, so be mindful how you share the link.

You can choose if you want to allow both invitation methods. Both invitation mails and links expire after a specified time. For invitation mails, you can choose the expiration time from five minutes to a week. Invitation links always expire after 15 minutes.

Mail invitations can be combined with SSO, and there are multiple options on how that can be done:

  • The invitations can be restricted to only email addresses that are outside your SSO domains. Users in your SSO domain cannot be invited to join your organization but must self-register or be created manually.
  • The invitations can be restricted to only email addresses within your SSO domains. Users outside your SSO domain cannot be invited to join your organization but must be created manually.
  • Anyone can be invited to join your organization, regardless of the domain of their email address.

For invitation links in SSO, you must select which SSO domain the link applies to. Only users from that particular email domain can register through the invitation link.

User invitations are switched off by default, and you cannot change the settings for invitation method yourself. If you would like to enable this feature in your organization or change its settings, contact 42Crunch support and let us know what kind of configuration (invitation mails or links, SSO or not) you would like to have.

Adding user accounts manually still has its place, too. For example, if you need to add an account that a service can use to access 42Crunch Platform, you must do that manually, because there is no recipient to complete the account creation.

Platform URL

Platform URL is the URL where you access 42Crunch Platform. For users in most organizations (including the free Community organization) that is https://platform.42crunch.com. However, enterprise customers can get a dedicated platform instance, with its own custom platform URL.

If your organization has a dedicated platform URL and you do not access the platform at https://platform.42crunch.com, this also has implications to configuring some features:

  • You must replace the default URL https://platform.42crunch.com with your platform URL in your CI/CD plugins.
  • You must replace the hostname 42crunch.com with the hostname of your platform URL (for example, acme.platform.com) when you configure the following endpoints:
Default endpoint Custom endpoint Description
protection.42crunch.com protection.acme.platform.com The endpoint used by API Firewall
services.42crunch.com services.acme.platform.com The endpoint used by Conformance Scan when run on-premises

If you are not sure what your platform URL is, contact our support.