Skip to main content


CxSAST Policy Management integrates the exact Access Control mechanism as CxSAST. Roles and Permissions define what a user can and cannot see or do in the Policy Management Portal and REST API.

Manage Permissions

Policy Management includes a new permission, Manage Policies. This permission allows its user to create, modify, or delete any policy, rule, or condition. Likewise, the new Security Risk Manager role has been added and only contains the Manage Policies permission. Assign this role to a user to allow them to manage policies.



Admin, SAST Admin , and Security Risk Manager are the only roles with the Manage Policies permission by default.

View Permissions

All users with at least one permission from the SAST Permission group, no matter what that permission is, may access the Policy Management Portal and view existing policies and incidents without being able to modify, delete, or create new ones.

Projects Permissions

You may not associate or dissociate a project from a policy if you cannot access that project in SAST. If you modify a given policy, you may not unlink any project that you do not have permission to see in CxSAST from that policy. Similarly, you may not see or link a new project for which you do not have permission.

However, if you delete a policy, all projects (even those you don't have access to) will no longer be linked to that policy.

Incidents Permissions

Like the Project permissions, users may not see Incidents without access to the relevant projects.