- Checkmarx Documentation
- Checkmarx One
- Checkmarx One User Guide
- User Management and Access Control
- Managing Groups
Managing Groups
The Groups section allows you to manage a common set of attributes and role mappings for a set of users.
Users can be members of one or more groups.
Users inherit the attributes and role mappings assigned to each group.
It is possible to perform the following in the Groups section:
Manually create groups in Checkmarx One.
Manage the groups in Checkmarx One.
Represent the reflection of all the organization groups via LDAP\SAML\OpenID Connect.
For a detailed procedure for connecting a provider (LDAP\SAML\OpenID Connect), see Configuring LDAP Integration or Managing Identity Providers pages.
Groups are hierarchical. A group can have many subgroups, but a group can only have one parent.
Subgroups inherit the attributes and role mappings from the parent. This applies to the users as well.
If you have a parent group, a child group, and a user that only belongs to the child group, the user inherits both parent and child's attributes and role mappings.
Notice
When logging in for the first time to Checkmarx One, the Groups screen will be empty.
Checkmarx One imposes the following limitations on various aspects of group management:
The maximum number of groups created in the platform is 20,000 per tenant. The initial response time may take up to 1 minute, but subsequent responses will be faster as the data gets cached in the browser.
A regular user can have up to 30 roles and be associated with up to 30 groups.
Admin users can have up to 116 roles and be associated with up to 20 groups.
Header token size has the following limitations:
When using GraphQL (as employed by the SCA inventory), the header size is limited to 10 KB.
When not using GraphQL, the header size can be up to 16 KB.
Creating a New Group
To create a new group, navigate to the Groups tab:
Click Create Group.
Enter a name for the group.
Click Create.
Click
at the end of a group row and then Edit to open the group settings panel:
Name
Role Mapping
Users
Managers
Role Mapping
Roles and actions can be set according to types. Role mapping consists of three role types:
Checkmarx One roles
CB roles
IAM roles
Checkmarx One roles consist of two types of roles:
Composite role
Action role
Checkmarx One roles
Composite role
A composite role has one or several roles associated with it. Each composite role is a combination of action roles. When a composite role is mapped to a user, the user gains the roles associated with that composite. This inheritance is recursive, meaning that any composites are inherited. There are eight composite roles included in the system:
Name | Description |
---|---|
ast-admin | Can do everything in the Checkmarx One app and manage users, groups and permission. |
ast-risk-manager | Can manage applications, projects, scan, results, risks and policies. |
ast-scanner | Can scan , manage results and manage projects. |
ast-viewer | Can view projects, scans and results. |
manage-application | Can update, delete, create and view the application. |
manage-project | Can update, delete, create and view the project. |
manage-webhook | Can update, delete, create and view webhook. |
queries-editor | Can view projects scans and results and update queries. |
For a list of the permissions for Checkmarx One roles see Managing Roles.
Action role
An action role is a single action. This role type defines permissions for actions in the system.
For the full list of the action roles provided for Checkmarx One, along with their respective permissions, see Managing Roles.
IAM role
IAM roles are identity and access management roles or system roles. The two roles included for IAM are:
Name | Description |
---|---|
iam-admin | Manages users, client credentials, identity provider and user federation. |
manage-keys | Manage keys. |
manage-groups | Manages groups in the system. |
manage-users | Manages the users in the system. |
Assigning a Role to a Group
Select the name of the group to assign the role to.
The Group Preview pane slides in from the left, displaying an overview of the three role types.
If any roles have been assigned to the group, they are displayed with the permissions listed.
The Members tab shows a list of users included in the group.
Click Edit Group.
Select Role Mapping.
Select the type of role to apply to the group from Checkmarx One roles, CB roles and IAM roles.
Click Add.
The role with all the Effective roles and Actions is added to the group.
Click Save
For additional information regarding roles & permissions, see Managing Roles.
Adding a User to a Group
Expand the Users section.
Click Add Users.
Add Users displays all the users in the system.
Select the user(s) to add to the group by clicking the relevant checkbox.
Click Add Users.
The number of selected users will be at the top of the list.
The selected user(s) will be added to the group.
Click Save
Deleting a User from a Group
To delete a user from a group:
Select the user by clicking the relevant checkbox.
Click Delete.
Adding Group Managers
The Group Manager feature is a distinct position with specialized permissions, based on the internal Keycloak permissions mechanism. A Group Manager has the authority to manage only the specific groups to which they are assigned. They can add or remove users from the group, view available users for adding, and see the list of other groups.
Users can assign or remove Group Managers across all groups with the IAM role manage-groups
, which is based on the Checkmarx One permissions mechanism.
When a user is assigned as a Group Manager, they automatically become the manager of all subgroups recursively, extending down the entire group tree. If a Group Manager is assigned to the highest group level, all subgroups inherit the managerial role, creating a hierarchical structure.
However, it is important to note that once a Group Manager is inherited by subgroups, they cannot be removed from lower levels but only from the highest level.
To add Group Managers, perform the following:
Expand the Managers section.
Click Add Managers.
Add Managers opens, presenting all the users in the system.
Mark the relevant users' checkboxes to add.
Click Add Managers.
Click Save
Deleting a Manager from a Group
To delete a manager from a group:
Select the manager by clicking the relevant checkbox.
Click Delete.
Creating a subgroup
Subgroups inherit the attributes and role mappings from the parent. This applies to the user as well.
If you have a parent group and a child group and a user who only belongs to the child group, the user inherits both the parent and child's attributes and role mappings.
To create a Sub Group:
Click the ellipses at the end of the relevant group row to add the sub-group.
Click Create a Sub-Group
Provide the name of the Subgroup.
Click Create Group
The subgroup is created below the parent. Users, Managers, and Roles can be added to the subgroup, as covered in the sections above.