
Configuring built-in Authentication and Authorization

In Checkmarx, you can use the built-in Identity and Access Management console to create and manage users.

This feature provides built-in Authentication for users, allowing them to log in to the Checkmarx One platform using the browser.


When users enter their username and password in the login fields, the backend queries the database to check whether that user exists.

If the user exists, it will then confirm the password as well. If the username and password match, the login is successful.

Now let's take a look at Authorization.

When Admins manage users, they also need to define each user's role and the access that user should have.

In Checkmarx, Authorization is managed using Groups and Roles, which allow or restrict end users' permissions and access to perform specific actions.

The Groups section allows you to manage a set of attributes and role mappings for a set of users.

Users can be members of zero or more groups, and they can inherit the attributes and role mappings assigned to each group.

It is possible to perform the following tasks in the Groups section:

  • Manually create groups in the platform.

  • Manage the groups in the platform.

  • Mirror all of the organization's groups via LDAP, SAML, or OpenID Connect.

For a detailed procedure on how to configure an LDAP, SAML, or OpenID Connect provider, see the Managing Identity Providers pages.

Groups are hierarchical and can have many subgroups, but a group can only have one parent. Subgroups inherit the attributes and role mappings from the parent. This rule applies to the users as well. So, if you have a parent group and a child group and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.

There are three types of roles: AST roles, CB roles, and IAM roles.

  1. AST roles – There are two types of AST roles: Composite roles and Action roles.

    1. Composite roles - This is a role with one or more additional roles associated with it. When a composite role is mapped to the user, the user also gains the roles associated with that composite. This inheritance is recursive, so any composite of composites also gets inherited.

    2. Action role - A single-action role. This role type defines permissions for actions in the system.

  2. CB roles - Codebashing roles.

  3. IAM (Identity and Access Management) roles - System roles.

A Composite role is an aggregation of single actions combined into one role type.

For example, the ast-viewer role allows users to view all project-related data, such as viewing projects, scans, and scan results.

The Identity and Access Management console comes with out-of-the-box roles, called Composite roles. You can modify these roles according to your specific needs, and new customized composite roles can be added to the existing roles list if needed.

An Action role is a single action role. This role type defines permissions for actions in the system.
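
The group and composite-role inheritance rules described above can be checked by computing a user's effective action roles. The following is an added example for auditing purposes, not Checkmarx code, and it calls no Checkmarx API. Apart from ast-viewer, every role, group and user name in it is constructed.

```python
# Constructed model for illustration; not Checkmarx One's data model or API.
# Only ast-viewer is a role name from the page; every other role, group
# and user name below is hypothetical.
COMPOSITES = {
    "ast-viewer": {"view-projects", "view-scans", "view-results"},
    "team-lead": {"ast-viewer", "create-scan"},   # composite of a composite
}
GROUP_PARENT = {"appsec": None, "appsec/payments": "appsec"}  # one parent per group
GROUP_ROLES = {"appsec": {"ast-viewer"}, "appsec/payments": {"create-scan"}}
USER_GROUPS = {"alice": {"appsec/payments"}, "bob": set()}    # zero or more groups
USER_ROLES = {"alice": set(), "bob": {"team-lead"}}


def expand_roles(roles, composites=COMPOSITES):
    """Return every role reachable from `roles`, following composites recursively."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:          # also guards against a cyclic composite definition
            continue
        seen.add(role)
        stack.extend(composites.get(role, ()))
    return seen


def group_chain(group, parents=GROUP_PARENT):
    """Return the group followed by its ancestors, child first."""
    chain = []
    while group is not None and group not in chain:
        chain.append(group)
        group = parents.get(group)
    return chain


def effective_roles(user):
    """Direct role mappings plus those inherited from each group and its ancestors."""
    mapped = set(USER_ROLES.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        for g in group_chain(group):
            mapped |= GROUP_ROLES.get(g, set())
    return expand_roles(mapped)


def action_roles(user):
    """Effective roles with the composite containers filtered out."""
    return {r for r in effective_roles(user) if r not in COMPOSITES}


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, sorted(action_roles(user)))
```

In this model, alice has no direct role mapping and belongs only to the child group, yet ends up with the same action roles as bob, who holds the nested composite directly.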

The IAM roles are related to the actions available for the Identity and Access Management console. The IAM role types are: iam-admin, used to manage users, client credentials, identity providers, and user federation; and manage-users, used to manage the users in the system.

For a more detailed list of the predefined roles provided for Checkmarx One, along with their respective permissions, see Managing Roles.