Multi-User Collaboration
Pulsar is designed for team-based environments, allowing Red Teams and Bounty Hunters to share discovery data, scan policies, and vulnerability results across an organization. Collaboration is managed through a combination of individual ownership and group-based access control.
Team and Group Management
Pulsar uses the standard Django authentication and authorization framework. Users are organized into Groups, which serve as the primary unit for collaboration.
- Users: Individual accounts with their own dashboards.
- Groups: Logical collections of users (e.g., "Web Security Team," "External Audit").
To enable collaboration, an administrator must assign users to the same group. Once grouped, resources can be shared across the team.
Resource Sharing via Assets
The core of Pulsar's collaboration logic resides in the Asset model. An Asset (a collection of domains, IPs, and scan results) can be shared with multiple groups.
How it works:
- Ownership: When a user creates an asset, they are designated as the owner.
- Collaborations: The owner or an administrator can add one or more Groups to the asset's collaborations field.
- Inherited Visibility: All sub-resources related to that asset (including discovered subdomains, IP addresses, and vulnerability findings) automatically inherit these visibility settings.
Access Control Logic
Pulsar implements strict server-side filtering to ensure data isolation. The BaseViewSet ensures that a user can only interact with data they own or data shared with a group they belong to.
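# Internal query logic for visibility:
from django.db.models import Q

# An asset is visible if the user owns it or it is shared with one of the user's groups.
assets = AssetInstance.objects.filter(
    Q(owner=user) | Q(collaborations__in=user.groups.all())
)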
| Action | Owner | Group Member | Other Users |
| :--- | :--- | :--- | :--- |
| View Results | Yes | Yes | No |
| Modify Asset | Yes | Yes* | No |
| Delete Asset | Yes | No | No |
*Subject to specific group permission settings in the Django admin.
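The owner-or-shared-group rule above, written as plain SQL over an in-memory SQLite database so the isolation behaviour can be checked without a running Pulsar instance. This is an added example, not Pulsar's own code: the table names, column names and rows are constructed assumptions, and SQLite stands in for the Django ORM. It also shows that the many-to-many join returns the same asset once per matching share row unless the query is made distinct.

```python
import sqlite3

# Constructed schema and rows; all table and column names are assumptions.
SCHEMA = """
CREATE TABLE asset (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
CREATE TABLE asset_collab (asset_id INTEGER, group_id INTEGER);
CREATE TABLE membership (username TEXT, group_id INTEGER);
CREATE TABLE finding (id INTEGER PRIMARY KEY, asset_id INTEGER, title TEXT);
INSERT INTO asset VALUES (1, 'corp-perimeter', 'alice'), (2, 'lab', 'dave');
INSERT INTO asset_collab VALUES (1, 1), (1, 5);
INSERT INTO membership VALUES ('bob', 1), ('bob', 5), ('carol', 7);
INSERT INTO finding VALUES (10, 1, 'open admin panel'), (11, 2, 'weak TLS');
"""

# Visible if the user owns the asset OR it is shared with one of the user's groups.
VISIBLE = """
SELECT {distinct} a.id FROM asset a
LEFT JOIN asset_collab c ON c.asset_id = a.id
WHERE a.owner = :u
   OR c.group_id IN (SELECT group_id FROM membership WHERE username = :u)
ORDER BY a.id
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def visible_assets(db, user, distinct=True):
    sql = VISIBLE.format(distinct="DISTINCT" if distinct else "")
    return [row[0] for row in db.execute(sql, {"u": user})]


def visible_findings(db, user):
    # Sub-resources inherit visibility by being filtered through their parent asset.
    ids = visible_assets(db, user)
    if not ids:
        return []  # no visible assets means no visible findings
    marks = ",".join("?" * len(ids))
    rows = db.execute(
        f"SELECT id FROM finding WHERE asset_id IN ({marks}) ORDER BY id", ids
    )
    return [row[0] for row in rows]
```

The same checks make a useful regression test for any change to the visibility filter: a user with no ownership and no shared group must get an empty result for assets and for every sub-resource.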
Notification Workflows
Collaboration often requires automated updates when scans finish or new vulnerabilities are found. Pulsar supports email notifications for team-wide awareness.
Configuration
Before notifications can be used, the SMTP settings must be configured in portal/portal/settings.py:
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = 'smtp.yourserver.com'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = 'notifications@pulsar.local'
# Placeholder value: keep the real credential out of version control.
EMAIL_HOST_PASSWORD = 'yourpassword'
Once configured, scan results and alerts can be dispatched to specific users or team aliases defined in the scan policy.
API Collaboration
For teams using custom tooling or CI/CD pipelines, collaboration can be managed via the REST API.
Sharing an Asset via API
To share an existing asset with a team (Group ID), send a PATCH request to the asset endpoint:
Endpoint: PATCH /api/assets/{id}/
Request Body:
{
"collaborations": [1, 5]
}
Note: 1 and 5 represent the IDs of the teams/groups authorized to view the asset.
Authentication
The API supports multiple authentication methods for multi-user environments:
- Token Authentication: Ideal for automated scripts and CI/CD.
- Session Authentication: Used by the Vue.js frontend for logged-in users.
- Basic Authentication: Supported for quick debugging and legacy integrations.
All API responses are filtered based on the requester's permissions, ensuring that automated tools only see the data their associated user account is authorized to access.