Skip to main content

Managing Groups

The Groups section allows you to manage a common set of attributes and role mappings for a set of users.

Users can be members of one or more groups.

Users inherit the attributes and role mappings assigned to each group.

It is possible to perform the following in the Groups section:

  • Manually create groups in Checkmarx One.

  • Manage the groups in Checkmarx One.

  • Represent the reflection of all the organization groups via LDAP\SAML\OpenID Connect.

For a detailed procedure on how to connect a provider (LDAP\SAML\OpenID Connect) see Configuring LDAP Integration or Managing Identity Providers pages.

Groups are hierarchical. A group can have many subgroups, but a group can only have one parent.

Subgroups inherit the attributes and role mappings from the parent. This applies to the users as well.

If you have a parent group and a child group, and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.


When logging in for the first time to Checkmarx One, the Groups screen will be empty.

Creating a New Group

To create a new group, perform the following:

  1. Click Create group.

  2. Enter a name for the group.

  3. Click Create group.

  4. The Group screen expands to include the configuration sections of:

    • Role Mapping

    • Users

    • Managers


Role Mapping

Roles and actions can be set according to types. Role mapping consists of three role types:

  • Checkmarx One roles

  • CB roles

  • IAM roles

Checkmarx One roles consist of two types of roles:

  • Composite role

  • Action role

Checkmarx One roles

Composite role

A composite role has one or several roles associated with it. Each composite role is a combination of action roles. When a composite role is mapped to a user, the user gains the roles associated with that composite. This inheritance is recursive, meaning that any composites are inherited. There are eight composite roles included in the system:




Can do everything in the Checkmarx One app and manage users, groups and permission.


Can view projects, scans and results.


Can update, delete, create and view webhook.


Can view projects scans and results and update queries.


Can manage applications, projects, scan, results, risks and policies.


Can update, delete, create and view the project.


Can update, delete, create and view the application.


Can scan , manage results and manage projects.

For a list of the permissions for Checkmarx One roles see Managing Roles.

Action role

An action role is a single action. This role type defines permissions for actions in the system.

For the full list of the action roles that are provided for Checkmarx One, along with their respective permissions see Managing Roles.

IAM role

IAM roles are identity and access management roles or system roles. The two roles included for IAM are:




Manages users, client credentials, identity provider and user federation.


Manages the users in the system.

Assigning a Role to a Group

  1. Select the name of the group to assign the role to.

  2. The Group Preview pane slides in from the left, displaying an overview of the three role types.

    If any roles have been assigned to the group, they are displayed with the permissions listed.

    The Members tab shows a list of users included in the group.

  3. Click Edit Group.

  4. Select Role Mapping.

  5. Select the type of role to apply to the group from Checkmarx One roles, CB roles and IAM roles.

  6. Click Add.

    The role with all the Effective roles and Actions is added to the group.

  7. Click Save.

    For additional information regarding roles & permissions, see Managing Roles.

Adding a User to a Group

  1. Expand the Users section.

  2. Click Add Users.


    Add Users displays all the users in the system.

  3. Select the user(s) to add to the group by clicking the relevant checkbox.

  4. Click Add Users.

    The number of selected users will be indicated on the Add User button.


    The selected user(s) will be added to the group.


Deleting a User from a Group

To delete a user from a group:

  1. Select the user by clicking the relevant checkbox.

  2. Click Delete.


Adding Group Managers

The Group Manager feature is a distinct position with specialized permissions, based on the internal Keycloak permissions mechanism. A Group Manager has the authority to manage only the specific groups to which they are assigned. They can add or remove users from the group, view available users for adding to the group, and see the list of other groups.

Group Managers across all groups can be assigned or removed by users with the IAM role manage-groups, which is based on the Checkmarx One permissions mechanism.

When a user is assigned as a Group Manager, they automatically become the manager of all subgroups recursively, extending down the entire group tree. If a Group Manager is assigned to the highest group level, all subgroups inherit the managerial role, creating a hierarchical structure.

However, it is important to note that once a Group Manager is inherited by subgroups, it is not possible to remove them from lower levels, but only from the highest level.

To add Group Managers, perform the following:

  1. Expand the Managers section.

  2. Click Add Managers.


    Add Managers opens, presenting all the users in the system.

  3. Mark the relevant users' checkboxes to add.

  4. Click Add Managers.

    The Add Managers button will indicate the number of managers selected.


    The selected user(s) will be added to the group as managers.

  5. Click Save.

Deleting a Manager from a Group

To delete a manager from a group:

  1. Select the manager by clicking the relevant checkbox.

  2. Click Delete.


Creating a Sub Group

Sub groups inherit the attributes and role mappings from the parent. This applies to the user as well.

If you have a parent group and a child group, and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.

To create a Sub Group:

  1. Click the ellipses at the end of the relevant group row to add the sub group to.

  2. Click Create a Sub Group

  3. Provide the name for the Sub group.

  4. Click Create Group


    The sub group is created below the parent. Users, Managers and Roles can be added to the sub group as covered in the sections above.

Using Groups to Manage Access to Specific Projects

It is possible to use groups to manage access to specific projects. This is done by giving users the series of group-specific permissions, listed below. These users will have access only to projects that are assigned to a group in which they are a member.


Some entities such as queries, presets, tenant-params, applications etc. don't have group-specific roles associated with them. If you want a group-specific user to have access to these entities, then you need to assign the standard roles for these entities (e.g., view-query, update-query etc.).

Checkmarx One Group-specific Roles:

  • update-project-params-if-in-group

  • delete-scan-if-in-group

  • update-scan-if-in-group

  • update-project-if-in-group

  • update-result-if-in-group

  • view-projects-if-in-group

  • create-scan-if-in-group

  • view-scans-if-in-group

  • update-result-not-exploitable-if-in-group

  • delete-project-if-in-group

  • view-results-if-in-group

  • view-project-params-if-in-group

IAM Roles:

  • user