
Managing Roles

This section describes the roles and permissions associated with Checkmarx One.

Checkmarx One user management (IAM) includes three role types:

  1. Checkmarx One roles - This role type is divided into composite roles and action roles.

    • Composite roles - A role that has one or more additional roles associated with it.

      When a composite role is mapped to the user, the user also gains the roles associated with that composite.

      This inheritance is recursive, so any composite of composites also gets inherited.

    • Action role - A single role that defines the permission for one action in the system.

  2. CB roles - Codebashing roles.

  3. IAM (Identity and Access Management) roles - System roles.

Composite Roles

A composite role is an aggregation of single action roles combined into one role.

For example:

The ast-viewer role allows the user to view all project-related data, including:

  • View Projects

  • View scans

  • View scan results

Checkmarx IAM comes with a set of out-of-the-box composite roles.

These roles can be used in the following ways:

  • The roles can be modified according to specific needs.

  • New customized composite roles can be added to the existing roles list if needed.

The Roles screen includes the following default composite roles.


Note

For more information, see Creating New Composite Roles.

The following table lists the predefined composite roles that are provided for IAM, along with their respective permissions:

ast-admin
  Description: Can do everything in the Checkmarx One app, plus manage users, groups, and permissions
  Permissions: create-application, view-projects, update-scan, create-scan, delete-webhook, delete-application, view-queries, view-license, view-applications, view-engines, order-services, view-project-params, create-query, update-query, update-tenant-params, view-scans, delete-scan, update-pool, update-project, update-result, create-pool, view-results, view-webhooks, create-project, view-pools, update-project-params, update-application, create-webhook, delete-pool, update-webhook, delete-project, view-tenant-params

ast-risk-manager
  Description: Manage applications, projects, scans, results, risks, and policies
  Permissions: view-projects, update-scan, create-scan, view-queries, view-applications, view-project-params, view-scans, delete-scan, update-project, update-result, view-results, create-project, update-project-params, delete-project, view-tenant-params

ast-scanner
  Description: Scan, manage results, manage projects
  Permissions: view-projects, create-scan, view-queries, view-applications, view-scans, update-project, view-results, create-project

ast-viewer
  Description: View projects, scans, and results
  Permissions: view-projects, view-queries, view-applications, view-engines, view-project-params, view-scans, view-results, view-tenant-params

manage-application
  Description: Update, delete, create, and view applications
  Permissions: create-application, view-projects, update-scan, create-scan, delete-application, view-applications, view-scans, delete-scan, update-project, update-result, view-results, create-project, update-application, delete-project, update-result-not-exploitable

manage-project
  Description: Update, delete, create, and view projects
  Permissions: view-projects, update-scan, create-scan, view-queries, view-applications, view-project-params, view-scans, delete-scan, update-project, update-result, view-results, create-project, update-project-params, delete-project, view-tenant-params, update-result-not-exploitable

manage-webhook
  Description: Update, delete, create, and view webhooks
  Permissions: delete-webhook, view-webhooks, create-webhook, update-webhook

queries-editor
  Description: View projects, scans, and results; update queries
  Permissions: ast-viewer (a composite role, which in turn grants view-applications, view-results, view-scans, view-engines, view-projects, view-tenant-params, view-queries, view-project-params), update-query

Creating New Composite Roles

To create new composite roles, please perform the following steps:

  1. Click

  2. Name the role and click

  3. Enter the role's description (optional). This is recommended so that the purpose for which the role was created is easy to recall later.

  4. Expand the Role Mapping section.

  5. Add roles (Composite and/or Actions) by clicking on the relevant Add buttons.

  6. Click

  7. The new composite role is added to the composite roles list.


Action Roles

An action role is a single role that defines the permission for one action in the system.

The following table lists the action roles that are provided for Checkmarx One, along with their respective permissions:

Role                                       Related Activity  Description
-----------------------------------------  ----------------  -----------
create-application                         Application       Create an application
delete-application                         Application       Delete an application
update-application                         Application       Update an application
view-applications                          Application       View applications
view-engines                               Engines           View engines
create-pool                                Pool              Create a pool
delete-pool                                Pool              Delete a pool
update-pool                                Pool              Update a pool
view-pools                                 Pool              View pools
create-project                             Project           Create a project
delete-project                             Project           Delete a project
delete-project-if-in-group                 Project           Delete a project only if a user is a member of a project group
update-project                             Project           Update a project
update-project-if-in-group                 Project           Update a project only if a user is a member of a project group
view-projects                              Project           View projects
view-projects-if-in-group                  Project           View projects only if a user is a member of a project group
create-query                               Query             Create a query
delete-query                               Query             Delete a query
update-query                               Query             Update a query
view-queries                               Query             View queries
update-result                              Results           Update results
update-result-if-in-group                  Results           Update results only if a user is a member of a project group
update-result-not-exploitable              Results           Update results state to Not exploitable
view-results                               Results           View results
view-results-if-in-group                   Results           View results only if a user is a member of a project group
update-result-not-exploitable-if-in-group  Results           Update results state to Not exploitable, only if a user is a member of a project group
create-scan                                Scan              Initiate a scan
create-scan-if-in-group                    Scan              Initiate a scan only if a user is a member of a project group
delete-scan                                Scan              Delete a scan
delete-scan-if-in-group                    Scan              Delete a scan only if a user is a member of a project group
update-scan                                Scan              Cancel a scan
update-scan-if-in-group                    Scan              Cancel a scan only if a user is a member of a project group
view-scans                                 Scan              View scans
view-scans-if-in-group                     Scan              View scans only if a user is a member of a project group
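The recursive inheritance of composite roles (Composite Roles, above) and the group-scoped "-if-in-group" action roles in the table above, as an added example that is not Checkmarx code: a small Python resolver that flattens a user's roles into the action roles they effectively hold, then authorizes one action on one project. The role mappings are a constructed subset of this page's tables (ast-admin is trimmed); the group names are assumed.

```python
# Added example, not Checkmarx code. Resolves effective action roles from
# composite roles as the page describes (recursive inheritance) and applies
# the "-if-in-group" action roles, which hold only when the user is a member
# of the project's group. Mappings are a constructed subset of the page.

COMPOSITE_ROLES = {
    "ast-viewer": {"view-projects", "view-scans", "view-results",
                   "view-applications", "view-engines", "view-queries",
                   "view-project-params", "view-tenant-params"},
    "queries-editor": {"ast-viewer", "update-query"},
    "manage-webhook": {"create-webhook", "view-webhooks",
                       "update-webhook", "delete-webhook"},
    # ast-admin is trimmed to a few members for the example;
    # iam-admin inherits ast-admin by design, as the IAM table states.
    "ast-admin": {"ast-viewer", "manage-webhook", "delete-project"},
    "iam-admin": {"ast-admin"},
}


def effective_permissions(roles):
    """Flatten roles recursively into the set of action roles they grant.

    Composite-of-composite inheritance is followed. The visited set makes
    resolution terminate even if a misconfigured mapping contains a cycle.
    """
    actions, seen, stack = set(), set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        if role in COMPOSITE_ROLES:
            stack.extend(COMPOSITE_ROLES[role])   # expand the composite
        else:
            actions.add(role)                     # leaf: an action role
    return actions


def is_allowed(user_roles, action, project_groups, user_groups):
    """Authorize one action on one project.

    A plain action role grants the action on every project; the
    "-if-in-group" variant grants it only when the user shares at least
    one group with the project (assumed group names, e.g. "team-a").
    """
    perms = effective_permissions(user_roles)
    if action in perms:
        return True
    scoped = action + "-if-in-group"
    return scoped in perms and bool(set(user_groups) & set(project_groups))
```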

IAM Roles

IAM roles are related to the actions that are available as a part of the User and Access Management console.

The following table lists the IAM roles that are provided for Checkmarx One, along with their respective permissions:

iam-admin
  Permissions:
  • Manages users, client credentials, identity providers and user federation
  • iam-admin also inherits the ast-admin role (by design)

manage-users
  Permissions:
  • Manages the users in the system