
Managing Groups

The Groups section allows you to manage a common set of attributes and role mappings for a set of users.

Users can be members of one or more groups.

Users inherit the attributes and role mappings assigned to each group.

It is possible to perform the following in the Groups section:

  • Manually create groups in Checkmarx One.

  • Manage the groups in Checkmarx One.

  • Mirror all of the organization's groups from LDAP, SAML, or OpenID Connect.

For a detailed procedure on how to connect a provider (LDAP, SAML, or OpenID Connect), see the Configuring LDAP Integration or Managing Identity Providers pages.

Groups are hierarchical. A group can have many subgroups, but a group can only have one parent.

Subgroups inherit the attributes and role mappings from the parent. This applies to the users as well.

If you have a parent group and a child group, and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.

Notice

When logging in for the first time to Checkmarx One, the Groups screen will be empty.

Creating a New Group

To create a new group:

  1. Click Create group

  2. Enter a name for the group.

  3. Click Create group

  4. The Group screen expands to include the configuration sections of:

    • Role Mapping

    • Users

    • Managers

Role Mapping

Roles and actions can be set according to types. Role mapping consists of three role types:

  • Checkmarx One roles

  • CB roles

  • IAM roles

Checkmarx One roles consist of two types of roles:

  • Composite role

  • Action role

Checkmarx One roles

Composite role

A composite role has one or more roles associated with it. Each composite role is a combination of action roles. When a composite role is mapped to a user, the user gains the roles associated with that composite. This inheritance is recursive: any composite roles contained in a composite are inherited as well. There are eight composite roles included in the system:

Name | Description
ast-admin | Can do everything in the Checkmarx One app and manage users, groups and permissions
ast-viewer | Can view projects, scans and results
manage-webhook | Can update, delete, create and view webhook
queries-editor | Can view projects, scans and results and update queries
ast-risk-manager | Can manage applications, projects, scan, results, risks and policies
manage-project | Can update, delete, create and view the project
manage-application | Can update, delete, create and view the application
ast-scanner | Can scan, manage results and manage projects

For a list of the permissions for Checkmarx One roles see Managing Roles.
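
An access-review sketch of the two inheritance rules described above (sub groups inheriting from their parent, and recursive composite roles), added here as an example; it is not Checkmarx One code and does not use its API. The group names, users, and the contents of each composite are constructed assumptions. It reports which group grants each effective role and flags privileged roles a user reaches only through a parent group.

```python
# Constructed sample data. Group names, users and the contents of each
# composite are assumptions for illustration, not Checkmarx One's definitions.
GROUP_PARENT = {"appsec": None, "appsec-interns": "appsec",
                "dev": None, "dev-payments": "dev"}
GROUP_ROLES = {"appsec": {"ast-admin"}, "appsec-interns": {"ast-viewer"},
               "dev": {"ast-viewer"}, "dev-payments": {"ast-scanner"}}
USER_GROUPS = {"carol": {"appsec-interns"}, "dave": {"dev-payments"}}
COMPOSITES = {  # composite role -> roles it contains (hypothetical)
    "ast-scanner": {"manage-project", "create-scan"},
    "manage-project": {"view-projects", "update-project"},
    "ast-viewer": {"view-projects", "view-scans", "view-results"},
}
PRIVILEGED = {"ast-admin", "iam-admin"}

def lineage(group):
    """Return the group followed by its ancestors (each group has one parent)."""
    chain = []
    while group is not None:
        if group in chain:
            raise ValueError(f"cycle in group hierarchy at {group!r}")
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain

def expand(roles):
    """Recursively expand composite roles into every role they contain."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(COMPOSITES.get(role, ()))
    return seen

def effective_roles(user):
    """Map each effective role to the groups in the user's lineage granting it."""
    sources = {}
    for direct in USER_GROUPS[user]:
        for group in lineage(direct):
            for role in expand(GROUP_ROLES.get(group, ())):
                sources.setdefault(role, set()).add(group)
    return sources

def inherited_privileged(user):
    """Privileged roles the user holds only through an ancestor group."""
    direct = USER_GROUPS[user]
    return {r: g for r, g in effective_roles(user).items()
            if r in PRIVILEGED and not (g & direct)}
```

In this sample, carol belongs only to appsec-interns yet holds ast-admin through the parent group appsec, which is the case a periodic access review should surface.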

Action role

An action role is a single action. This role type defines permissions for actions in the system.

For the full list of the action roles that are provided for Checkmarx One, along with their respective permissions see Managing Roles.

IAM role

IAM roles are identity and access management roles or system roles. The two roles included for IAM are:

Name | Description
iam-admin | Manages users, client credentials, identity provider and user federation
manage-users | Manages the users in the system

Assigning a Role to a Group

  1. Select the name of the group to assign the role to.

  2. The Group Preview pane slides in from the left, displaying an overview of the three role types.

    If any roles have been assigned to the group, they are displayed with the permissions listed.

    The Members tab shows a list of users included in the group.

  3. Click Edit Group

  4. Select Role Mapping

  5. Select the type of role to apply to the group from Checkmarx One roles, CB roles and IAM roles

  6. Click Add

    The role with all the Effective roles and Actions is added to the group.

  7. Click Save

    For additional information regarding roles & permissions, see Managing Roles

Adding a User to a Group

  1. Expand the Users section.

  2. Click Add Users

    Add Users displays all the users in the system.

  3. Select the user(s) to add to the group by clicking the relevant checkbox.

  4. Click Add Users

    The number of selected users will be indicated on the Add User button.

Deleting a User from a Group

To delete a user from a group:

  1. Select the user by clicking the relevant checkbox.

  2. Click Delete

Adding a Manager to a Group

  1. Expand the Managers section.

  2. Click Add Managers

    Note

    A manager will be able to manage all users that are a part of a Group and its subgroups.

    Add Managers opens, presenting all the users in the system.

  3. Mark the relevant users' checkboxes to add.

  4. Click Add Managers

    The Add Managers button will indicate the number of managers selected.

    The selected user(s) will be added to the group as managers.

  5. Click Save

Deleting a Manager from a Group

To delete a manager from a group:

  1. Select the manager by clicking the relevant checkbox.

  2. Click Delete

Creating a Sub Group

Sub groups inherit the attributes and role mappings from the parent. This applies to the users as well.

If you have a parent group and a child group, and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.

To create a Sub Group:

  1. Click the ellipsis at the end of the row of the group to which you want to add the sub group.

  2. Click Create a Sub Group

  3. Provide the name for the Sub group.

  4. Click Create Group

    The sub group is created below the parent. Users, Managers and Roles can be added to the sub group as covered in the sections above.

Assigning a User to a Specific Group

It is possible to assign a user to a particular group.

The admin who assigns the user to that group must give the user the following user roles:

AST Roles:

  • update-project-params-if-in-group

  • delete-scan-if-in-group

  • update-scan-if-in-group

  • update-project-if-in-group

  • update-result-if-in-group

  • view-projects-if-in-group

  • create-scan-if-in-group

  • view-scans-if-in-group

  • view-project-params

  • update-result-not-exploitable-if-in-group

  • delete-project-if-in-group

  • view-results-if-in-group

  • view-queries

  • view-project-params-if-in-group

  • view-tenant-params

IAM Roles:

  • user