New Access Management Capabilities
Checkmarx One's Access Management has undergone significant improvements. The new approach offers more granular and precise control over user access and permissions, focusing on simplicity, usability, and intuitiveness. Users, groups, and clients can now be assigned to various resources, which will determine their hierarchical access levels within the system.
The existing Access Management model lacks the flexibility large organizations need, resulting in inefficiencies and security risks. Its limited hierarchy, absence of role reuse, and poor alignment with real-world organizations make access difficult to control, govern, and audit. Two solutions have been introduced to address these gaps: hierarchical access control using resource levels and a universal role system with inherited privileges.
Resource Levels
One of the new features in Access Management involves assigning entities (Users, Groups, and Clients) with various resources and determining their hierarchical access levels within Checkmarx One. Three resource levels are introduced: Tenant, Application, and Project. Users with manage-access permissions can assign users, groups, and clients to a resource level through its Authorization tab.
Every resource level's Authorization tab has an identical table view of its assigned entities, entity type, and roles.
Below is a breakdown of the different resource levels and how to navigate to their Authorization tab:
Tenant Level: Users assigned at the tenant level can access all components across Checkmarx One. To view assignments at this level, perform the following:
Go to Settings.
Select Global Settings.
Click Authorization.
Application Level: Users assigned at the application level gain access to all projects associated with that application. To view assignments at this level, perform the following:
Navigate to the Applications page.
At the end of the desired application's row, click
.Select Application Settings.
Click Authorization.
Project Level: Users assigned at the project level have access only to the specified project. To view assignments at this level, perform the following:
Go to the Projects page.
At the end of the desired project’s row, click
.Select Project Settings.
Click Authorization.
Managing the Authorization Table
To add an entity to the resource, perform the following:
Click + Add Users/Groups/Clients.
Search for and select the desired entity.
Click Done to confirm.
Entities can be deleted (unassigned) from a resource by clicking at the end of its row and 
Delete.
The table is searchable 
, and can be filtered and sorted according to your needs.
Before filtering the columns, adjust the table Rows view to your liking. The table's default setting displays 10 rows of results per page, as indicated in the Rows dropdown. Select the dropdown to toggle the view to 20, 50, or 100 rows.
Hover over a column header, click the filtering icon 
, and select your filter(s) from the dropdown list or search. Applied filters are listed in the Groups & Filters bar.
Hover over a column header and click the sorting icon 
to toggle between sorting in ascending or descending order.
Universal Roles and Privilege Inheritance
Admins can now use the centralized Identity and Access Management (IAM) module to ensure users' roles are universal across the platform and align with their access in Checkmarx One.
Roles are not project-specific but rather platform-wide. For example, a user is associated with Application A and assigned the role of ast-scanner. In this case, the user assumes this role universally across all projects associated with Application A.
If Application A contains two projects, a user with the ast-scanner role at the application level will have scanning privileges across both projects. If a new project is created within Application A, the user also inherits scanning privileges in this new project.
Obsolescence of “if-in-group” Roles
Previously, the if-in-group roles were used to restrict access to specific areas by granting certain permissions or access rights based on the user's membership in specific groups.
In the current context of Access Management, this approach to role enforcement has become obsolete.
In the new architecture, users, groups, and clients are directly associated with the resources, such as tenants, applications, or projects, providing a simpler way of restricting group access according to the organization's needs.
Customer Impact During Transition
The transition has been carefully designed to ensure minimal impact on customers:
Role Conversion: All roles with
if-in-groupare automatically converted to roles withoutif-in-group, rendering them obsolete, but this change has no impact on functionality.Group Association: Groups already linked to a project or application are automatically reassigned to their respective resources. This process is seamless and results in no impact.
User Adjustment: Users without
if-in-grouproles will be moved to the Tenant level. Administrators can now associate these users with different applications and/or projects without causing any disruption.Access Restoration: Users with
if-in-grouproles will regain access through their group association, ensuring a smooth transition with no impact.API Consistency: All existing APIs continue functioning as before, ensuring backward compatibility. New APIs have also been introduced to allow the association of users and groups with resources.
Temporary Limitations
Assigning groups to projects via the Create/Update Project API is not currently supported, and this functionality is also unavailable in the UI. However, customers will continue to see assigned groups listed in the Projects table as before.
The Access Management APIs can be used to assign groups to projects.
During migration, all group-to-project assignments will be preserved.
Notice
This limitation is temporary—support for group assignment via the Create/Update Project API will be reintroduced later.