
Managing Roles

This section describes the roles and permissions associated with Checkmarx One.

Checkmarx One user management (IAM) includes 3 role types:

  1. Checkmarx One roles - This role type is divided into composite roles and action roles.

    • Composite roles - A role that has one or more additional roles associated with it. When a composite role is mapped to a user, the user also gains the roles associated with that composite. This inheritance is recursive, so a composite of composites is inherited in full as well.

    • Action roles - A role that grants a single action. This role type defines permissions for actions in the system.

  2. IAM (Identity and Access Management) roles - System roles.

Composite Roles

A composite role is an aggregation of single actions combined into 1 role.

For example, the ast-viewer role allows the user to view all project-related data, including:

  • View projects

  • View scans

  • View scan results

Checkmarx IAM comes with a set of out-of-the-box composite roles. These roles can be used as follows:

  • The roles can be modified according to specific needs.

  • New customized composite roles can be added to the existing roles list if needed.

The Roles screen includes the following default composite roles.

Default_Composite_Roles.png

Note

For more information, see Creating New Composite Roles.

The following table lists the predefined composite roles that are provided with Checkmarx IAM, along with their respective permissions:

Role: ast-admin
Description: Can do everything in the Checkmarx One app
Permissions:
  • create-application
  • view-projects
  • update-scan
  • create-scan
  • delete-webhook
  • delete-application
  • view-queries
  • view-license
  • view-applications
  • view-engines
  • order-services
  • view-project-params
  • create-query
  • update-query
  • update-tenant-params
  • view-scans
  • delete-scan
  • update-pool
  • update-project
  • update-result
  • create-pool
  • view-results
  • view-webhooks
  • create-project
  • view-pools
  • update-project-params
  • update-application
  • create-webhook
  • delete-pool
  • update-webhook
  • delete-project
  • view-tenant-params
  • dast-admin

Role: ast-risk-manager
Description: Manage applications, projects, scans, results, risks, and policies
Permissions:
  • view-projects
  • update-scan
  • create-scan
  • view-queries
  • view-applications
  • view-project-params
  • view-scans
  • delete-scan
  • update-project
  • update-result
  • view-results
  • create-project
  • update-project-params
  • delete-project
  • view-tenant-params

Role: ast-scanner
Description: Scan, manage results, manage projects
Permissions:
  • view-projects
  • create-scan
  • view-queries
  • view-applications
  • view-scans
  • update-project
  • view-results
  • create-project

Role: ast-viewer
Description: View projects, scans, and results
Permissions:
  • view-projects
  • view-queries
  • view-applications
  • view-engines
  • view-project-params
  • view-scans
  • view-results
  • view-tenant-params

Role: manage-application
Description: Update, delete, create, and view the application
Permissions:
  • create-application
  • view-projects
  • update-scan
  • create-scan
  • delete-application
  • view-applications
  • view-scans
  • delete-scan
  • update-project
  • update-result
  • view-results
  • create-project
  • update-application
  • delete-project
  • update-result-not-exploitable

Role: manage-project
Description: Update, delete, create, and view the project
Permissions:
  • view-projects
  • update-scan
  • create-scan
  • view-queries
  • view-applications
  • view-project-params
  • view-scans
  • delete-scan
  • update-project
  • update-result
  • view-results
  • create-project
  • update-project-params
  • delete-project
  • view-tenant-params
  • update-result-not-exploitable

Role: manage-webhook
Description: Update, delete, create, and view webhooks
Permissions:
  • delete-webhook
  • view-webhooks
  • create-webhook
  • update-webhook

Role: queries-editor
Description: View projects, scans, and results; update queries
Permissions:
  • ast-viewer (composite, which contributes:)
    • view-applications
    • view-results
    • view-scans
    • view-engines
    • view-projects
    • view-tenant-params
    • view-queries
    • view-project-params
  • update-query
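As an added example (not Checkmarx code), the following Python resolves a composite role to the action roles a user effectively receives, applying the recursive inheritance described above to the ast-viewer, queries-editor and manage-webhook definitions from the table. The security-champion composite is a constructed customer-defined role, and roles_granting is an audit helper that answers which composites end up granting a given action, which is the check to run when reviewing a tenant for least privilege.

```python
from typing import Dict, FrozenSet, Optional, Set

# Composite-role definitions copied from this page. Any member that is not
# itself a key is an action role and resolves to itself.
ROLE_MAP: Dict[str, Set[str]] = {
    "ast-viewer": {
        "view-projects", "view-queries", "view-applications", "view-engines",
        "view-project-params", "view-scans", "view-results", "view-tenant-params",
    },
    "queries-editor": {"ast-viewer", "update-query"},
    "manage-webhook": {"delete-webhook", "view-webhooks", "create-webhook", "update-webhook"},
    # Constructed example of a customer-defined composite of composites (not a
    # Checkmarx default): it inherits everything below queries-editor and manage-webhook.
    "security-champion": {"queries-editor", "manage-webhook"},
}


def effective_permissions(role: str, role_map: Dict[str, Set[str]] = ROLE_MAP,
                          _visited: Optional[Set[str]] = None) -> FrozenSet[str]:
    """Return the action roles a user ends up with through recursive inheritance."""
    visited = _visited if _visited is not None else set()
    if role not in role_map:          # action role: a leaf permission
        return frozenset({role})
    if role in visited:               # guard against a composite that references itself
        return frozenset()
    visited.add(role)
    perms: Set[str] = set()
    for member in role_map[role]:
        perms |= effective_permissions(member, role_map, visited)
    return frozenset(perms)


def roles_granting(permission: str, role_map: Dict[str, Set[str]] = ROLE_MAP) -> Set[str]:
    """Audit helper: composite roles that grant this action directly or by inheritance."""
    return {r for r in role_map if permission in effective_permissions(r, role_map)}


if __name__ == "__main__":
    for r in ROLE_MAP:
        print(f"{r}: {sorted(effective_permissions(r))}")
    print("update-query is granted by:", sorted(roles_granting("update-query")))
```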

Creating New Composite Roles

To create new composite roles, perform the following steps:

  1. Click the Create Role button (Create_Role.png).

  2. Name the role and click Create (Create_Role.png).

    6195052746.png

  3. Enter the role's Description (optional). A description is recommended so that the purpose for which the role was created is easy to recall later.

  4. Expand the Role Mapping section.

    Create_Role3.png

  5. Add roles (composite and/or action roles) by clicking the relevant Add buttons.

    Create_Role4.png

  6. Click Save (Save_Role.png).

  7. The new composite role is added to the composite roles list.

    New_Composite_Role.png

Action Roles

An action role grants a single action. This role type defines permissions for actions in the system.

The following list gives each action role provided for Checkmarx One, its related activity (in parentheses), and a description of the permission it grants:

  • analytics-reports-admin (Analytics): View all analytics dashboards and reports

  • analytics-scan-dashboard-view (Analytics): View the scan dashboard

  • analytics-vulnerability-dashboard-view (Analytics): View the vulnerability dashboard

  • analytics-ciso-dashboard-view (Analytics): View the CISO dashboard

  • Manage-reports (Analytics): Export, share the dashboard, and generate a report

  • create-application (Application): Create an application

  • delete-application (Application): Delete an application

  • update-application (Application): Update an application

  • view-applications (Application): View applications

  • view-engines (Engines): View engines

  • create-pool (Pool): Create a pool

  • delete-pool (Pool): Delete a pool

  • update-pool (Pool): Update a pool

  • view-pools (Pool): View pools

  • create-policy-management (Policy Management): Create policies

  • delete-policy-management (Policy Management): Delete policies

  • manage-policy-management (Policy Management): Update, delete, create, and view policies

  • update-policy-management (Policy Management): Update policies

  • view-policy-management (Policy Management): View policies

  • create-project (Project): Create a project

  • delete-project (Project): Delete a project

  • delete-project-if-in-group (Project): Delete a project only if the user is a member of a project group

  • update-project (Project): Update a project

  • update-project-if-in-group (Project): Update a project only if the user is a member of a project group

  • view-projects (Project): View projects

  • view-projects-if-in-group (Project): View projects only if the user is a member of a project group

  • create-query (Query): Create a query

  • delete-query (Query): Delete a query

  • update-query (Query): Update a query

  • view-queries (Query): View queries

  • update-result (Results): Update results

  • update-result-if-in-group (Results): Update results only if the user is a member of a project group

  • update-result-not-exploitable (Results): Update the result state to Not exploitable

  • view-results (Results): View results

  • view-results-if-in-group (Results): View results only if the user is a member of a project group

  • update-result-not-exploitable-if-in-group (Results): Update the result state to Not exploitable, only if the user is a member of a project group

  • create-scan (Scan): Initiate a scan

  • create-scan-if-in-group (Scan): Initiate a scan only if the user is a member of a project group

  • delete-scan (Scan): Delete a scan

  • delete-scan-if-in-group (Scan): Delete a scan only if the user is a member of a project group

  • update-scan (Scan): Cancel a scan

  • update-scan-if-in-group (Scan): Cancel a scan only if the user is a member of a project group

  • view-scans (Scan): View scans

  • view-scans-if-in-group (Scan): View scans only if the user is a member of a project group

  • dast-admin (Environment): Manage environments and scans, update results, and execute other actions in DAST

  • dast-update-scan (Environment): Update a scan's properties in DAST

  • dast-update-results (Environment): Update results in DAST (severity, comments, etc.)

  • dast-create-scan (Environment): Create a new scan in DAST

  • dast-delete-scan (Environment): Delete a scan in DAST

  • dast-update-environment (Environment): Update an environment in DAST

  • dast-create-environment (Environment): Create a new environment in DAST

  • dast-external-scans (Environment): CI/CD user for executing actions related to External Workers

  • dast-delete-environment (Environment): Delete an environment in DAST

  • dast-cancel-scan (Environment): Cancel a scan in DAST

  • create-feedbackapp (Feedback Apps): Create a feedback app and feedback app profile

  • manage-feedbackapp (Feedback Apps): Update, delete, create, and view a feedback app and feedback app profile

  • update-feedbackapp (Feedback Apps): Update a feedback app and feedback app profile

  • view-feedbackapp (Feedback Apps): View a feedback app and feedback app profile

  • delete-feedbackapp (Feedback Apps): Delete a feedback app and feedback app profile

  • open-support-ticket (Support): Open a support ticket

  • open-feature-request (Support): Allow service users to open a feature request

IAM Roles

IAM roles are related to the actions that are available as part of the User and Access Management console.

The following list gives the IAM roles that are provided for Checkmarx One, along with their respective permissions:

  • iam-admin: Manages general settings, users, client credentials, identity providers, and user federation. iam-admin also inherits the ast-admin role (by design).

  • manage-clients: Manage clients

  • manage-keys: Manage keys

  • manage-groups: Manages groups in the system

  • manage-users: Manages the users in the system