Thank you. As for analyzing the security issues, our groups logged into the interface to view them, see notes, see test coverage, etc. We did not use any framework for that. We talked about using the API interface to automate more things. I am not there anymore, so I am not sure where that went.
I did this very thing in the article for a platform we were building for a very large organization. We used Keycloak for SAML-based authentication, and we used the roles in the Keycloak realm to authorize people into only the specific projects they were allowed to use. We had a naming standard for the groups that matched them to projects.
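As an added illustration of the pattern the comment above describes (realm roles whose names follow a standard that ties them to projects, used as the authorization source), here is example code that is not from the commenter or from Keycloak. The role format `project:<project-id>:<permission>` and the three permission names are constructed assumptions; the post only says a naming standard existed. The point worth seeing is deny-by-default: a role that does not match the standard grants nothing and is set aside so it can be logged.

```python
"""Map Keycloak realm roles (as delivered in a SAML assertion) to per-project access.

Assumption (not from the original post): roles follow the naming standard
``project:<project-id>:<permission>`` with permission in viewer/editor/admin.
"""
import re
from dataclasses import dataclass, field

# Strict pattern: lowercase project ids, fixed permission vocabulary.
ROLE_PATTERN = re.compile(r"^project:([a-z0-9][a-z0-9-]*):(viewer|editor|admin)$")

# Ranking so a higher permission satisfies a lower requirement.
PERMISSION_LEVEL = {"viewer": 1, "editor": 2, "admin": 3}


@dataclass
class ProjectAccess:
    # project id -> highest permission level held for that project
    grants: dict = field(default_factory=dict)
    # roles that did not match the naming standard (candidates for an audit log)
    ignored: list = field(default_factory=list)


def parse_roles(roles):
    """Derive project grants from the list of realm roles on the assertion."""
    access = ProjectAccess()
    for role in roles:
        m = ROLE_PATTERN.match(role)
        if not m:
            # Does not conform to the standard: grants nothing, but keep it visible.
            access.ignored.append(role)
            continue
        project, perm = m.groups()
        level = PERMISSION_LEVEL[perm]
        if level > access.grants.get(project, 0):
            access.grants[project] = level
    return access


def is_authorized(access, project, required="viewer"):
    """Deny by default: a project with no matching role is not accessible."""
    return access.grants.get(project, 0) >= PERMISSION_LEVEL[required]


# Constructed sample of realm roles as they might arrive in an assertion.
SAMPLE_ROLES = [
    "project:acme-web:editor",
    "project:acme-web:viewer",
    "project:payments:viewer",
    "offline_access",           # Keycloak default role, not a project grant
    "Project:Payments:admin",   # wrong case: does not meet the standard
]

if __name__ == "__main__":
    acc = parse_roles(SAMPLE_ROLES)
    print("grants:", acc.grants)
    print("ignored:", acc.ignored)
    print("payments/editor allowed?", is_authorized(acc, "payments", "editor"))
```

In a real deployment the `SAMPLE_ROLES` list would come from the role attribute the SAML client mapper emits; the parsing and the default-deny check stay the same.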