Managing Groups

The Groups section allows you to manage a common set of attributes and role mappings for a set of users.

Users can be members of one or more groups.

Users inherit the attributes and role mappings assigned to each group.

It is possible to perform the following in the Groups section:

Manually create groups in Checkmarx One.
Manage the groups in Checkmarx One.
Represent the reflection of all the organization groups via LDAP\SAML\OpenID Connect.

For a detailed procedure for connecting a provider (LDAP\SAML\OpenID Connect), see Configuring LDAP Integration or Managing Identity Providers pages.

Groups are hierarchical. A group can have many subgroups, but a group can only have one parent.

Subgroups inherit the attributes and role mappings from the parent. This applies to the users as well.

If you have a parent group, a child group, and a user that only belongs to the child group, the user inherits both parent and child's attributes and role mappings.

Notice

When logging in for the first time to Checkmarx One, the Groups screen will be empty.

Checkmarx One imposes the following limitations on various aspects of group management:

The maximum number of groups created in the platform is 20,000 per tenant. The initial response time may take up to 1 minute, but subsequent responses will be faster as the data gets cached in the browser.
A regular user can have up to 30 roles and be associated with up to 30 groups.
Admin users can have up to 116 roles and be associated with up to 20 groups.
Header token size has the following limitations:
- When using GraphQL (as employed by the SCA inventory), the header size is limited to 10 KB.
- When not using GraphQL, the header size can be up to 16 KB.

Creating a New Group

To create a new group, navigate to the Groups tab:

Click Create Group.
Enter a name for the group.
Click Create.
Click at the end of a group row and then Edit to open the group settings panel:
- Name
- Role Mapping
- Users
- Managers

Role Mapping

Roles and actions can be set according to types. Role mapping consists of three role types:

Checkmarx One roles
CB roles
IAM roles

Checkmarx One roles consist of two types of roles:

Composite role
Action role

Checkmarx One roles

Composite role

A composite role has one or several roles associated with it. Each composite role is a combination of action roles. When a composite role is mapped to a user, the user gains the roles associated with that composite. This inheritance is recursive, meaning that any composites are inherited. There are eight composite roles included in the system:

Name	Description
ast-admin	Can do everything in the Checkmarx One app and manage users, groups and permission.
ast-risk-manager	Can manage applications, projects, scan, results, risks and policies.
ast-scanner	Can scan , manage results and manage projects.
ast-viewer	Can view projects, scans and results.
manage-application	Can update, delete, create and view the application.
manage-project	Can update, delete, create and view the project.
manage-webhook	Can update, delete, create and view webhook.
queries-editor	Can view projects scans and results and update queries.

For a list of the permissions for Checkmarx One roles see Managing Roles.

Action role

An action role is a single action. This role type defines permissions for actions in the system.

For the full list of the action roles provided for Checkmarx One, along with their respective permissions, see Managing Roles.

IAM role

IAM roles are identity and access management roles or system roles. The two roles included for IAM are:

Name	Description
iam-admin	Manages users, client credentials, identity provider and user federation.
manage-keys	Manage keys.
manage-groups	Manages groups in the system.
manage-users	Manages the users in the system.

Assigning a Role to a Group

Select the name of the group to assign the role to.
The Group Preview pane slides in from the left, displaying an overview of the three role types.
If any roles have been assigned to the group, they are displayed with the permissions listed.
The Members tab shows a list of users included in the group.
Click Edit Group.
Select Role Mapping.
Select the type of role to apply to the group from Checkmarx One roles, CB roles and IAM roles.
Click Add.
The role with all the Effective roles and Actions is added to the group.
Click Save
For additional information regarding roles & permissions, see Managing Roles.

Adding a User to a Group

Expand the Users section.
Click Add Users.
Add Users displays all the users in the system.
Select the user(s) to add to the group by clicking the relevant checkbox.
Click Add Users.
The number of selected users will be at the top of the list.
The selected user(s) will be added to the group.
Click Save

Deleting a User from a Group

To delete a user from a group:

Select the user by clicking the relevant checkbox.
Click Delete.

Adding Group Managers

The Group Manager feature is a distinct position with specialized permissions, based on the internal Keycloak permissions mechanism. A Group Manager has the authority to manage only the specific groups to which they are assigned. They can add or remove users from the group, view available users for adding, and see the list of other groups.

Users can assign or remove Group Managers across all groups with the IAM role manage-groups, which is based on the Checkmarx One permissions mechanism.

When a user is assigned as a Group Manager, they automatically become the manager of all subgroups recursively, extending down the entire group tree. If a Group Manager is assigned to the highest group level, all subgroups inherit the managerial role, creating a hierarchical structure.

However, it is important to note that once a Group Manager is inherited by subgroups, they cannot be removed from lower levels but only from the highest level.

To add Group Managers, perform the following:

Expand the Managers section.
Click Add Managers.
Add Managers opens, presenting all the users in the system.
Mark the relevant users' checkboxes to add.
Click Add Managers.
Click Save

Deleting a Manager from a Group

To delete a manager from a group:

Select the manager by clicking the relevant checkbox.
Click Delete.

Creating a subgroup

Subgroups inherit the attributes and role mappings from the parent. This applies to the user as well.

If you have a parent group and a child group and a user who only belongs to the child group, the user inherits both the parent and child's attributes and role mappings.

To create a Sub Group:

Click the ellipses at the end of the relevant group row to add the sub-group.
Click Create a Sub-Group
Provide the name of the Subgroup.
Click Create Group

The subgroup is created below the parent. Users, Managers, and Roles can be added to the subgroup, as covered in the sections above.

In this section: