- Checkmarx Documentation
- Checkmarx SAST
- SAST User Guide
- User Administration
- CxSAST / CxOSA Roles and Permissions
CxSAST / CxOSA Roles and Permissions
This section describes the roles and permissions associated with CxSAST / CxOSA that are effective after performing the data migration procedure and upgrading to CxSAST/CxOSA v9.0.0 and up.
Provided CxSAST / CxOSA Roles
The following table lists the predefined roles that are provided for CxSAST / CxOSA v9.0.0 and up, along with their respective permissions:
Notice
Provided roles cannot be updated or deleted.
Provided Roles for CxSAST / CxOSA | Description | Permissions per Role |
|---|---|---|
Scanner | Permissions to create and manage projects, and run scans | save-sast-scan save-osa-scan open-issue-tracking-tickets save-project create-project view-failed-sast-scan download-scan-log see-support-link |
Reviewer | Read-only permissions to view scan results and generate reports | manage-result-comment manage-data-analysis-templates generate-scan-report export-scan-results see-support-link |
Auditor | Permissions to manage vulnerability queries and use CxAudit | use-cxaudit create-preset update-and-delete-preset manage-custom-description save-sast-scan save-project |
Results Updater | Permissions to update the properties of scan results | manage-results-state-and-assignee manage-result-comment manage-result-severity |
Results Verifier | Permissions to set the state of scan results to "Not Exploitable" | manage-result-exploitability |
Data Cleaner | Permissions to delete projects and scans | delete-sast-scan delete-project |
SAST Admin | Full permissions | All SAST permissions, excluding use-cxaudit |
CxSAST / CxOSA Permissions
The following table describes the permissions associated with CxSAST / CxOSA v9.0.0 and up:
Permission | Category | Description |
|---|---|---|
manage-authentication-providers | General/Access Control | Manage authentication providers |
manage-clients | General/Access Control | Manage clients and their settings |
manage-roles | General/Access Control | Manage custom roles |
manage-system-settings | General/Access Control | Manage general system settings |
manage-users | General/Access Control | Manage Users |
save-sast-scan | Projects & Scans |
|
delete-sast-scan | Projects & Scans |
|
save-project | Projects & Scans |
|
delete-project | Projects & Scans | Delete project |
view-failed-sast-scan | Projects & Scans | View faild scans |
save-osa-scan | Projects & Scans | Run CxOSA scan |
download-scan-log | Projects & Scans | Download scan log |
manage-result-assignee | Scan Results | Assign user |
manage-result-comment | Scan Results | Add new result comment |
manage-result-severity | Scan Results | Change result severity |
open-issue-tracking-tickets | Scan Results | Create ticket for result |
export-scan-results | Scan Results | Export scan results |
view-results | Scan Results | This permission separates the view-results ability from any other permission. This is added to any predefined role and is available from CxSAST 9.0 HF5. |
set-result-state-to-verify | Scan Results | Set the result state to Verify |
set-result-state-notexploitable | Scan Results | Set the result state to Not Exploitable |
set-result-state-confirmed | Scan Results | Set the result state to Confirmed |
set-result-state-urgent | Scan Results | Set the result state to Urgent |
set-result-state-proposednotexploitable | Scan Results | Set the result state to Proposed Not Exploitable |
manage-data-analysis-templates | Reports | create and delete templates |
generate-scan-report | Reports | Generate scan reports |
export-scan-results | Reports | Export to CSV from the results viewer |
manage-custom-description | Vulnerability Queries | Manage custom query descriptions (create, export and import) |
create-preset | Vulnerability Queries | Create a new preset, save it, update it, delete it |
manage-queries | Vulnerability Queries | Created and manage queries customization in the CxAudit |
update-and-delete-preset | Vulnerability Queries | Edit and delete all presets (including Cx out-of-the-box presets) |
use-cxaudit | Vulnerability Queries | Login to CxAudit Note: This permission is counted against the license. |
manage-data-retention | System Configuration | Manage data retention |
manage-engine-servers | System Configuration | Manage engine servers |
manage-system-settings | System Configuration |
|
manage-external-services-settings | System Configuration | Configure external service settings |
manage-custom-fields | System Configuration | Create/update/delete custom fields |
manage-issue-tracking-systems | System Configuration | Manage issue-tracking system |
manage-pre-post-scan-actions | System Configuration | Configure pre- and post-scan actions |
download-system-logs | System Configuration | View installation details page Download application logs Note: only available from 9.0 HF1 |
view-appsec-coach-statistics | System Configuration | Ability to set the Codebashing integration |
use-odata | API | Fetch all data via OData API (no filter per current user's team) |
see-support-link | Other | View and use "Services & Support" button |
manage-global-policies-settings | Security Risk Management | Manage Global Policies Settings |
manage-policies | Security Risk Management | Manage Policies |
manage-remediation-intelligence | Security Risk Management | Manage Remediation Intelligence |
view-analytics | Security Risk Management | View Analytics |
Permissions per User Interface Screen
The following permissions are required to open the following CxSAST / CxOSA user interface screens.
UI Screen | Required permission to open the screen |
|---|---|
Dashboard/Project state | - |
Dashboard/Failed scans | view-failed-sast-scan |
Dashboard/Utilization | manage-system-settings |
Dashboard/Risk | - |
Dashboard/Data Analysis | |
Projects & Scans/Create new project | |
Projects & Scans/Queue | |
Projects & Scans/Projects | - |
Projects & Scans/All scans | - |
Management/Scan settings/Query viewer | - |
Management/Scan settings/Preset manager | - |
Management/Scan settings/Pre-post actions | manage-pre-post-scan-actions |
Management/Scan settings/Source control users | manage-system-settings |
Management/Application settings/General | manage-system-settings |
Management/Application settings/License | manage-system-settings |
Management/Application settings/OSA settings | manage-system-settings |
Management/Application settings/Installation | manage-system-settings |
Management/Application settings/External services | manage-external-services-settings |
Management/Application settings/Engine management | manage-engine-servers |
Management/Application settings/Data retention | manage-data-retention |
Management/Application settings/Issue tracking | manage-issue-tracking-systems |
Management/Manage custom fields | manage-custom-fields |
Access Control | manage-users (AC permission) |
M&O/Analytics | view-analytics (M&O permission) |
M&O/Remediation Intelligence | (M&O permission) |
M&O/Policy Violations | - |
M&O/Policy Manager | - |
My Profile | - |
Services & Support | see-support-link |