Managing Roles

This section describes the roles and permissions associated with Checkmarx One.

Checkmarx One user management (IAM) includes 3 role types:

Checkmarx One roles - This role type is divided into Composite roles & Action roles.
- Composite roles - A role that has one or more additional roles associated with it.
  When a composite role is mapped to the user, the user also gains the roles associated with that composite.
  This inheritance is recursive, so any composite of composites also gets inherited.
- Action role - A single action role. This role type defines permissions for actions in the system.
IAM (Identity and Access Management) roles - System roles.

Composite Roles

A composite role is an aggregation of single actions combined into 1 role type.

For example:

ast-viewer role allows the user the ability to view all projects related data including:

View Projects
View scans
View scan results

Checkmarx IAM comes with a set of out-of-the-box roles - Composite Roles.

These roles can be used in the following options:

The roles can be modified according to specific needs.
New customized composite roles can be added to the existing roles list if needed.

The Roles screen includes the following default composite roles.

Note

For more information See Creating New Composite Roles

The following table lists the predefined roles that are provided for IAM, along with their respective permissions:

Role	Description	Permissions
ast-admin	Can do everything in Checkmarx One app	create-application view-projects update-scan create-scan delete-webhook delete-application view-queries view-license view-applications view-engines order-services view-project-params create-query update-query update-tenant-params view-scans delete-scan update-pool update-project update-result create-pool view-results view-webhooks create-project view-pools update-project-params update-application create-webhook delete-pool update-webhook delete-project view-tenant-params dast-admin
ast-risk-manager	Manage applications, projects, scans, results, risks, and policies	view-projects update-scan create-scan view-queries view-applications view-project-params view-scans delete-scan update-project update-result view-results create-project update-project-params delete-project view-tenant-params
ast-scanner	Scan, manage results, manage projects	view-projects create-scan view-queries view-applications view-scans update-project view-results create-project
ast-viewer	View projects, scans, and results	view-projects view-queries view-applications view-engines view-project-params view-scans view-results view-tenant-params
manage-application	Update, delete, create, and view the application	create-application view-projects update-scan create-scan delete-application view-applications view-scans delete-scan update-project update-result view-results create-project update-application delete-project update-result-not-exploitable
manage-project	Update, delete, create, and view the project	view-projects update-scan create-scan view-queries view-applications view-project-params view-scans delete-scan update-project update-result view-results create-project update-project-params delete-project view-tenant-params update-result-not-exploitable
manage-webhook	Update, delete, create, and view webhook	delete-webhook view-webhooks create-webhook update-webhook
queries-editor	View projects, scans, and results, update queries	ast-viewer view-applications view-results view-scans view-engines view-projects view-tenant-params view-queries view-project-params update-query

Creating New Composite Roles

To create new composite roles, please perform the following steps:

Click
Name the role and click
Write the roles' Description (Optional) - Recommended to remember what purpose you created the role for.
Expand the Role Mapping section.
Add roles (Composite and/or Actions) by clicking on the relevant Add buttons.
Click
The new composite role is added to the composite roles list.

Action Roles

An action role is a single action role. This role type defines permissions for actions in the system.

The following table lists the action roles that are provided for Checkmarx One, along with their respective permissions:

Roles	Related Activity	Description
create-application	Application	Create an application
delete-application	Applications	Delete an application
update-application	Application	Update an application
view-applications	Application	View applications
view-engines	Engines	View engines
create-pool	Pool	Create a pool
delete-pool	Pool	Delete a pool
update-pool	Pool	Update a pool
view-pools	Pool	View pools
create-policy-management	Policy Management	Create policies
delete-policy-management	Policy Management	Delete policies
manage-policy-management	Policy Management	Update, delete, create and view policies
update-policy-management	Policy Management	Update policies
view-policy-management	Policy Management	View policies
create-project	Project	Create a project
delete-project	Project	Delete a project
delete-project-if-in-group	Project	Delete a project only if a user is a member of a project group
update-project	Project	Update a project
update-project-if-in-group	Project	Update a project only if a user is a member of a project group
view-projects	Project	View projects
view-projects-if-in-group	Project	View projects only if a user is a member of a project group
create-query	Query	Create a query
delete-query	Query	Delete a query
update-query	Query	Update a query
view-queries	Query	View queries
update-result	Results	Update results
update-result-if-in-group	Results	Update results only if a user is a member of a project group
update-result-not-exploitable	Results	Update results state to Not exploitable
view-results	Results	View results
view-results-if-in-group	Results	View results only if a user is a member of a project group
update-result-not-exploitable-if-in-group	Results	Update results state to Not exploitable (Only if the user is a member of a project group)
create-scan	Scan	Initiate a scan
create-scan-if-in-group	Scan	Initiate a scan only if a user is a member of a project group
delete-scan	Scan	Delete a scan
delete-scan-if-in-group	Scan	Delete a scan only if a user is a member of a project group
update-scan	Scan	Cancel a scan
update-scan-if-in-group	Scan	Cancel a scan only if a user is a member of a project group
view-scans	Scan	View scans
view-scans-if-in-group	Scan	View scans only if a user is a member of a project group
dast-admin	Environment	Manage Environments, Scans, update results and execute other actions in DAST
dast-update-scan	Environment	The user is able to update a Scan's properties in DAST
dast-update-results	Environment	The user is able to update results in DAST (severity, comments, etc.)
dast-create-scan	Environment	The user is able to create a new Scan in DAST
dast-delete-scan	Environment	The user is able to delete a Scan in DAST
dast-update-environment	Environment	The user is able to update an Environment in DAST
dast-create-environment	Environment	The user is able to create a new Environment in DAST
dast-external-scans	Environment	CI/CD user for executing actions related to External Workers
dast-delete-environment	Environment	The user is able to delete an Environment in DAST
dast-cancel-scan	Environment	The user is able to cancel a Scan in DAST
create-feedbackapp	Feedback Apps	Create a feedback app and feedback app profile
manage-feedbackapp	Feedback Apps	Update, delete, create and view feedback app and feedback app profile
update-feedbackapp	Feedback Apps	Update a feedback app and feedback app profile
view-feedbackapp	Feedback Apps	View feedback app and feedback app profile
delete-feedbackapp	Feedback Apps	Delete a feedback app and feedback app profile
open-support-ticket	Support	Open support ticket
open-feature-request	Support	Allow service users to open feature request

IAM Roles

IAM roles are related to the actions that are available as a part of the User and Access Management console.