Managing Groups
The Groups section allows you to manage a common set of attributes and role mappings for a set of users.
Users can be members of one or more groups.
Users inherit the attributes and role mappings assigned to each group.
It is possible to perform the following in the Groups section:
Manually create groups in Checkmarx One.
Manage the groups in Checkmarx One.
Mirror all of the organization's groups via LDAP, SAML or OpenID Connect.
For a detailed procedure on how to connect a provider (LDAP, SAML or OpenID Connect), see the Configuring LDAP Integration or Managing Identity Providers pages.
Groups are hierarchical. A group can have many subgroups, but a group can only have one parent.
Subgroups inherit the attributes and role mappings from the parent. This applies to the users as well.
If you have a parent group and a child group, and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.
Notice
When logging in for the first time to Checkmarx One, the Groups screen will be empty.
Creating a New Group
To create a new group:
Click Create group
Enter a name for the group.
Click Create group
The Group screen expands to include the configuration sections of:
Role Mapping
Users
Managers
Role Mapping
Roles and actions can be set according to types. Role mapping consists of three role types:
Checkmarx One roles
CB roles
IAM roles
Checkmarx One roles consist of two types of roles:
Composite role
Action role
Checkmarx One roles
Composite role
A composite role has one or several roles associated with it. Each composite role is a combination of action roles. When a composite role is mapped to a user, the user gains the roles associated with that composite. This inheritance is recursive: any composite roles contained in a composite are inherited as well. There are eight composite roles included in the system:
Name | Description |
---|---|
ast-admin | Can do everything in the Checkmarx One app and manage users, groups and permissions |
ast-viewer | Can view projects, scans and results |
manage-webhook | Can update, delete, create and view webhooks |
queries-editor | Can view projects, scans and results and update queries |
ast-risk-manager | Can manage applications, projects, scans, results, risks and policies |
manage-project | Can update, delete, create and view the project |
manage-application | Can update, delete, create and view the application |
ast-scanner | Can scan, manage results and manage projects |
For a list of the permissions for Checkmarx One roles see Managing Roles.
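The group hierarchy and composite-role recursion described above decide together what a user can actually do, which is what an access review needs to see. The following is an added example, not Checkmarx code or an API call: it resolves each user's effective roles and records which group granted them. The group names, user names and the contents of the two `example-*` composites are constructed; the real composite membership is listed on Managing Roles.

```python
# Constructed sample data. The "example-*" composites are hypothetical;
# the action role names are taken from this page.
COMPOSITES = {
    "example-outer": {"example-inner", "create-scan-if-in-group"},
    "example-inner": {"view-scans-if-in-group", "view-queries"},
}
# Child group -> parent group (a group can only have one parent).
PARENT = {"appsec/team-a": "appsec", "appsec/team-a/interns": "appsec/team-a"}
GROUP_ROLES = {
    "appsec": {"example-inner"},
    "appsec/team-a": {"example-outer"},
    "appsec/team-a/interns": set(),
    "ops": {"manage-users"},
}
USER_GROUPS = {"dana": {"appsec/team-a/interns"}, "lee": {"appsec", "ops"}}

def chain(group):
    """Return the group followed by each ancestor up to the root."""
    seen = []
    while group is not None:
        if group in seen:
            raise ValueError(f"cycle in group hierarchy at {group!r}")
        seen.append(group)
        group = PARENT.get(group)
    return seen

def expand(role, path=()):
    """Return the role plus every role it contains, recursively."""
    if role in path:
        raise ValueError(f"cycle in composite roles at {role!r}")
    out = {role}
    for member in COMPOSITES.get(role, ()):
        out |= expand(member, path + (role,))
    return out

def effective_roles(user):
    """Map each effective role to the set of groups that grant it."""
    granted = {}
    for direct in USER_GROUPS.get(user, ()):
        for group in chain(direct):
            for mapped in GROUP_ROLES.get(group, ()):
                for role in expand(mapped):
                    granted.setdefault(role, set()).add(group)
    return granted

def members_with(role):
    """List users who hold the role through any group or composite."""
    return sorted(u for u in USER_GROUPS if role in effective_roles(u))
```

Here `dana` is a direct member of only the empty `interns` group yet ends up with five roles, all granted by ancestors, which is the case a review of direct role mappings alone would miss.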
Action role
An action role is a single action. This role type defines permissions for actions in the system.
For the full list of the action roles that are provided for Checkmarx One, along with their respective permissions see Managing Roles.
IAM role
IAM roles are identity and access management roles or system roles. The two roles included for IAM are:
Name | Description |
---|---|
iam-admin | Manages users, client credentials, identity provider and user federation |
manage-users | Manages the users in the system |
Assigning a Role to a Group
Select the name of the group to assign the role to.
The Group Preview pane slides in from the left, displaying an overview of the three role types.
If any roles have been assigned to the group, they are displayed with the permissions listed.
The Members tab shows a list of users included in the group.
Click Edit Group
Select Role Mapping
Select the type of role to apply to the group: Checkmarx One roles, CB roles or IAM roles.
Click Add
The role with all the Effective roles and Actions is added to the group.
Click Save
For additional information regarding roles and permissions, see Managing Roles.
Adding a User to a Group
Expand the Users section.
Click Add Users
Add Users displays all the users in the system.
Select the user(s) to add to the group by clicking the relevant checkbox.
Click Add Users
The number of selected users will be indicated on the Add User button.
Deleting a User from a Group
To delete a user from a group:
Select the user by clicking the relevant checkbox.
Click Delete
Adding a Manager to a Group
Expand the Managers section.
Click Add Managers
Note
A manager will be able to manage all users that are a part of a Group and its subgroups.
Add Managers opens, presenting all the users in the system.
Mark the relevant users' checkboxes to add.
Click Add Managers
The Add Managers button will indicate the number of managers selected.
The selected user(s) will be added to the group as managers.
Click Save
Deleting a Manager from a Group
To delete a manager from a group:
Select the manager by clicking the relevant checkbox.
Click Delete
Creating a Sub Group
Sub groups inherit the attributes and role mappings from the parent. This applies to the user as well.
If you have a parent group and a child group, and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.
To create a Sub Group:
Click the ellipsis at the end of the row of the group to which you want to add the sub group.
Click Create a Sub Group
Provide the name for the Sub group.
Click Create Group
The sub group is created below the parent. Users, Managers and Roles can be added to the sub group as covered in the sections above.
Assigning a User to a Specific Group
It is possible to assign a user to a particular group.
The admin who assigns the user to that group must give the user the following user roles:
AST Roles:
update-project-params-if-in-group
delete-scan-if-in-group
update-scan-if-in-group
update-project-if-in-group
update-result-if-in-group
view-projects-if-in-group
create-scan-if-in-group
view-scans-if-in-group
view-project-params
update-result-not-exploitable-if-in-group
delete-project-if-in-group
view-results-if-in-group
view-queries
view-project-params-if-in-group
view-tenant-params
IAM Roles:
user