Managing Roles

This section describes the roles and permissions associated with Checkmarx One.

Checkmarx One user management has three types of roles:

Checkmarx One roles are divided into Action roles and Composite roles.
- Action roles are single actions that define a user's permissions for actions in Checkmarx One.
- Composite roles are roles with one or more Action roles associated with them.
  When a composite role is mapped to a user, the user gains the associated roles.
  This inheritance is continuous, so a composite of composites also gets inherited.
Identity and Access Management (IAM) roles - System roles.

Composite Roles

A composite role aggregates multiple actions into 1 role type.

For example:

The ast-viewer role lets the user view all project-related data, including:

View Projects
View scans
View scan results

Checkmarx IAM includes a set of out-of-the-box roles - Composite Roles.

These roles can be used in the following options:

The roles can be modified according to specific needs.
If needed, new customized composite roles can be added to the existing roles list.

The Roles screen includes the following default composite roles.

Note

For more information, see Creating New Composite Roles

The following are predefined roles and their permissions in IAM:

ast-admin
manage-access
view-engines
view-queries
update-scan
update-result-not-exploitable
create-schedule-scan
queries-editor
manage-feedbackapp
update-project-params
analytics-reports-admin
create-application
manage-project
ast-risk-manager
delete-preset
update-application
create-webhook
order-services
update-risk-management
update-package-state-snooze
import-findings-external-platforms
update-tenant-params
view-risk-management
create-query
assign-to-application
create-preset
view-license
view-project-params
update-project
view-projects
update-preset
update-query
delete-schedule-scan
view-scans
view-tenant-params
add-package
view-results
update-result
create-scan
manage-cnas
view-cnas
manage-webhook
delete-webhook
update-package-state-mute
view-webhooks
create-project
ast-scanner
delete-application
update-webhook
view-preset
manage-data-retention
dast-admin
view-schedule-scans
manage-policy-management
open-support-ticket
delete-project
delete-scan
sast-migration
manage-application
view-applications
open-feature-request
update-schedule-scan
download-source-code
ast-risk-management
view-risk-management
view-tenant-params
view-queries
view-preset
create-preset
update-scan
view-results
update-result
create-scan
update-project-params
view-project-params
update-project
delete-project
update-sca-license-state
delete-scan
update-sca-license-properties
delete-preset
create-project
update-risk-management
view-applications
import-findings-external-platforms
view-projects
update-preset
ast-scanner
view-risk-management
manage-reports
view-tenant-params
assign-to-application
view-preset
create-preset
view-queries
update-scan
view-results
create-scan
create-schedule-scan
view-schedule-scans
view-project-params
update-project-params
update-project
create-project
update-risk-management
view-applications
view-projects
update-schedule-scan
update-preset
delete-schedule-scan
ast-viewer
view-risk-management
manage-reports
view-tenant-params
view-preset
view-engines
view-queries
view-results
view-project-params
analytics-scan-dashboard-view
view-applications
view-projects
analytics-vulnerability-dashboard-view
view-scans
manage-application
view-risk-management
delete-application
manage-reports
assign-to-application
view-preset
create-preset
update-scan
view-results
update-result-not-exploitable
update-result
create-scan
view-project-params
update-project
create-application
delete-project
delete-scan
delete-preset
update-application
create-project
update-risk-management
view-applications
view-projects
update-preset
view-scans
manage-project
view-risk-management
manage-reports
view-tenant-params
view-preset
create-preset
view-queries
update-scan
view-results
update-result-not-exploitable
update-result
create-scan
view-project-params
update-project-params
update-project
delete-project
delete-scan
delete-preset
create-project
update-risk-management
view-applications
view-projects
update-preset
view-scans
manage-webhook
delete-webhook
view-webhooks
update-webhook
create-webhook
queries-editor
view-preset
create-preset
update-preset
update-query
ast-viewer
manage-data-retention
start-data-retention
abort-data-retention
view-data-retention

Creating New Composite Roles

To create new composite roles, perform the following steps:

Click Create Role
Name the role and click Create Role
Write the role's Description (Optional). It is recommended you include the purpose you created the role for.
Expand the Role Mapping section.
Add roles (Composite and/or Actions) by clicking the relevant Add buttons.
Click Save Role
The new composite role is added to the composite roles list.

Action Roles

An action role is a single action role. This role type defines permissions for actions in the system.

The following table lists the action roles that are provided for Checkmarx One, along with their respective permissions:

Roles	Related Activity	Description
create-application	Application	Create an application
delete-application	Applications	Delete an application
update-application	Application	Update an application
view-applications	Application	View applications
view-engines	Engines	View engines
create-project	Project	Create a project
delete-project	Project	Delete a project
update-project	Project	Update a project
view-projects	Project	View projects
create-query	Query	Create a query
delete-query	Query	Delete a query
update-query	Query	Update a query
view-queries	Query	View queries
update-result	Results	Update results
update-result-not-exploitable	Results	Update results state to Not exploitable
view-results	Results	View results
create-scan	Scan	Initiate a scan
delete-scan	Scan	Delete a scan
update-scan	Scan	Cancel a scan
view-scans	Scan	View scans
dast-admin	Environment	Manage Environments, Scans, update results, and execute other actions in DAST
dast-update-scan	Environment	The user can update a Scan's properties in DAST
dast-update-results	Environment	The user can update results in DAST (severity, comments, etc.)
dast-create-scan	Environment	The user can create a new Scan in DAST
dast-delete-scan	Environment	The user can delete a Scan in DAST
dast-update-environment	Environment	The user can update an Environment in DAST
dast-create-environment	Environment	The user can create a new Environment in DAST
dast-external-scans	Environment	CI/CD user for executing actions related to External Workers
dast-delete-environment	Environment	The user can delete an Environment in DAST
dast-cancel-scan	Environment	The user can cancel a Scan in DAST

IAM Roles

IAM roles are related to the actions available in the User and Access Management console.