Managing Roles
This section describes the roles and permissions associated with Checkmarx One.
Checkmarx One user management (IAM) includes three role types:

- Checkmarx One roles - this role type is divided into composite roles and action roles.
  - Composite roles - a role that has one or more additional roles associated with it. When a composite role is mapped to a user, the user also gains the roles associated with that composite. This inheritance is recursive, so any composite of composites is also inherited.
  - Action roles - a single action role. This role type defines permissions for actions in the system.
- IAM (Identity and Access Management) roles - system roles.
Composite Roles
A composite role is an aggregation of single actions combined into one role. For example, the ast-viewer role allows the user to view all project-related data, including:

- View projects
- View scans
- View scan results
Checkmarx IAM comes with a set of out-of-the-box composite roles. These roles can be used in the following ways:

- The roles can be modified according to specific needs.
- New customized composite roles can be added to the existing roles list if needed.

The Roles screen includes the following default composite roles.
Note: For more information, see Creating New Composite Roles.
The following table lists the predefined composite roles that are provided in Checkmarx One IAM, along with their respective permissions:

Role | Description | Permissions |
---|---|---|
ast-admin | Can do everything in the Checkmarx One app | |
ast-risk-manager | Manage applications, projects, scans, results, risks, and policies | |
ast-scanner | Scan, manage results, manage projects | |
ast-viewer | View projects, scans, and results | |
manage-application | Update, delete, create, and view the application | |
manage-project | Update, delete, create, and view the project | |
manage-webhook | Update, delete, create, and view webhooks | |
queries-editor | View projects, scans, and results; update queries | |
Creating New Composite Roles
To create a new composite role, perform the following steps:

1. Click
2. Name the role and click
3. Write the role's Description (optional). This is recommended so that the purpose of the role is remembered later.
4. Expand the Role Mapping section.
5. Add roles (composite and/or action) by clicking the relevant Add buttons.
6. Click

The new composite role is added to the composite roles list.
Action Roles
An action role grants a single action. This role type defines permissions for actions in the system.
The following table lists the action roles that are provided for Checkmarx One, along with their respective permissions:
Roles | Related Activity | Description |
---|---|---|
create-application | Application | Create an application |
delete-application | Application | Delete an application |
update-application | Application | Update an application |
view-applications | Application | View applications |
view-engines | Engines | View engines |
create-pool | Pool | Create a pool |
delete-pool | Pool | Delete a pool |
update-pool | Pool | Update a pool |
view-pools | Pool | View pools |
create-policy-management | Policy Management | Create policies |
delete-policy-management | Policy Management | Delete policies |
manage-policy-management | Policy Management | Update, delete, create and view policies |
update-policy-management | Policy Management | Update policies |
view-policy-management | Policy Management | View policies |
create-project | Project | Create a project |
delete-project | Project | Delete a project |
delete-project-if-in-group | Project | Delete a project only if a user is a member of a project group |
update-project | Project | Update a project |
update-project-if-in-group | Project | Update a project only if a user is a member of a project group |
view-projects | Project | View projects |
view-projects-if-in-group | Project | View projects only if a user is a member of a project group |
create-query | Query | Create a query |
delete-query | Query | Delete a query |
update-query | Query | Update a query |
view-queries | Query | View queries |
update-result | Results | Update results |
update-result-if-in-group | Results | Update results only if a user is a member of a project group |
update-result-not-exploitable | Results | Update results state to Not exploitable |
view-results | Results | View results |
view-results-if-in-group | Results | View results only if a user is a member of a project group |
update-result-not-exploitable-if-in-group | Results | Update results state to Not exploitable (Only if the user is a member of a project group) |
create-scan | Scan | Initiate a scan |
create-scan-if-in-group | Scan | Initiate a scan only if a user is a member of a project group |
delete-scan | Scan | Delete a scan |
delete-scan-if-in-group | Scan | Delete a scan only if a user is a member of a project group |
update-scan | Scan | Cancel a scan |
update-scan-if-in-group | Scan | Cancel a scan only if a user is a member of a project group |
view-scans | Scan | View scans |
view-scans-if-in-group | Scan | View scans only if a user is a member of a project group |
dast-admin | Environment | Manage Environments, Scans, update results and execute other actions in DAST |
dast-update-scan | Environment | The user is able to update a Scan's properties in DAST |
dast-update-results | Environment | The user is able to update results in DAST (severity, comments, etc.) |
dast-create-scan | Environment | The user is able to create a new Scan in DAST |
dast-delete-scan | Environment | The user is able to delete a Scan in DAST |
dast-update-environment | Environment | The user is able to update an Environment in DAST |
dast-create-environment | Environment | The user is able to create a new Environment in DAST |
dast-external-scans | Environment | CI/CD user for executing actions related to External Workers |
dast-delete-environment | Environment | The user is able to delete an Environment in DAST |
dast-cancel-scan | Environment | The user is able to cancel a Scan in DAST |
create-feedbackapp | Feedback Apps | Create a feedback app and feedback app profile |
manage-feedbackapp | Feedback Apps | Update, delete, create and view feedback app and feedback app profile |
update-feedbackapp | Feedback Apps | Update a feedback app and feedback app profile |
view-feedbackapp | Feedback Apps | View feedback app and feedback app profile |
delete-feedbackapp | Feedback Apps | Delete a feedback app and feedback app profile |
open-support-ticket | Support | Open support ticket |
open-feature-request | Support | Allow service users to open feature request |
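The two behaviours described on this page that matter most when reviewing who can do what are the recursive expansion of composite roles (a composite of composites is inherited) and the `-if-in-group` action roles, which grant an action only when the user is a member of one of the project's groups. The following Python model, added here as an illustration and not part of Checkmarx's product or API, resolves a user's assigned roles into effective action roles and then makes an authorization decision. The composite role memberships in `COMPOSITE_ROLES` and the `team-reviewer` role are assumptions constructed for the example; only the role names are taken from the tables above.

```python
"""Constructed model of Checkmarx One style role resolution (not Checkmarx code).

Composite roles expand recursively into action roles; the *-if-in-group action
roles grant an action only when the user shares a group with the project.
"""
from __future__ import annotations

# Constructed composite role definitions. The memberships below are assumptions
# modelled on the role descriptions in the documentation, not Checkmarx's
# actual definitions. A role absent from this mapping is treated as an action role.
COMPOSITE_ROLES: dict[str, set[str]] = {
    "ast-viewer": {"view-projects", "view-scans", "view-results"},
    # composite of composites: ast-scanner nests ast-viewer and manage-project
    "ast-scanner": {"ast-viewer", "create-scan", "update-result", "manage-project"},
    "manage-project": {"create-project", "update-project", "delete-project", "view-projects"},
    # hypothetical customer-defined composite built only from -if-in-group actions
    "team-reviewer": {
        "view-projects-if-in-group",
        "view-scans-if-in-group",
        "view-results-if-in-group",
        "update-result-if-in-group",
    },
}


def effective_action_roles(assigned: set[str]) -> set[str]:
    """Expand composite roles recursively into a flat set of action roles.

    A visited set guards against composites that (directly or indirectly)
    reference each other, so resolution always terminates.
    """
    actions: set[str] = set()
    visited: set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in visited:
            continue
        visited.add(role)
        members = COMPOSITE_ROLES.get(role)
        if members is None:
            actions.add(role)  # leaf: an action role
        else:
            stack.extend(members)  # composite: descend into its members
    return actions


def is_allowed(assigned: set[str], action: str,
               user_groups: set[str], project_groups: set[str]) -> bool:
    """Decide whether `action` (e.g. "view-projects") is permitted on a project.

    The unconditional action role always suffices. The "<action>-if-in-group"
    variant suffices only when the user belongs to at least one of the
    project's groups, mirroring the conditional rows in the action roles table.
    """
    actions = effective_action_roles(assigned)
    if action in actions:
        return True
    conditional = f"{action}-if-in-group"
    return conditional in actions and bool(user_groups & project_groups)


if __name__ == "__main__":
    # Quick demonstration on constructed data.
    print(sorted(effective_action_roles({"ast-scanner"})))
    print(is_allowed({"team-reviewer"}, "view-projects", {"team-a"}, {"team-a", "team-b"}))
    print(is_allowed({"team-reviewer"}, "view-projects", {"team-c"}, {"team-a"}))
```

A review that lists only the composite roles assigned to a user understates their access; expanding to the leaf action roles, as `effective_action_roles` does, is what shows the real permission set, and the `-if-in-group` check is what keeps a group-scoped reviewer from reaching projects outside their groups.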
IAM Roles
IAM roles are related to the actions that are available as part of the User and Access Management console.
The following table lists the IAM roles that are provided for Checkmarx One, along with their respective permissions:

Checkmarx One IAM Roles | Permissions |
---|---|
iam-admin | |
manage-clients | Manage clients |
manage-keys | Manage keys |
manage-groups | Manage groups in the system |
manage-users | Manage users in the system |