
Managing Roles

This section describes the roles and permissions associated with Checkmarx One.

Checkmarx One user management (IAM) includes 3 role types:

  1. Checkmarx One roles - This role type is divided into Composite roles & Action roles.

    • Composite roles - A role that has one or more additional roles associated with it.

      When a composite role is mapped to the user, the user gains the associated roles.

      This inheritance is recursive, so any composite of composites also gets inherited.

    • Action role - A role that grants permission for a single action in the system.

  2. CB roles - Codebashing roles.

  3. IAM (Identity and Access Management) roles - System roles.

Composite Roles

A composite role aggregates one or more action roles (and possibly other composite roles) into a single role.

For example:

The ast-viewer role gives the user the ability to view all project-related data, including:

  • View Projects

  • View scans

  • View scan results

Checkmarx One IAM comes with a set of out-of-the-box composite roles.

These roles can be used as follows:

  • The predefined roles can be modified according to specific needs.

  • If needed, new customized composite roles can be added to the existing roles list.

The Roles screen includes the following default composite roles.

[Screenshot: Default composite roles]

Note

For more information, see Creating New Composite Roles.

The following table lists the predefined composite roles, along with the action roles each one includes. A composite role may also include another composite role, in which case it inherits that role's permissions as well.

Role: ast-admin
Description: Can do everything in the Checkmarx One app
Permissions: create-application, view-projects, update-scan, create-scan, delete-webhook, delete-application, view-queries, view-license, view-applications, view-engines, order-services, view-project-params, create-query, update-query, update-tenant-params, view-scans, delete-scan, update-pool, update-project, update-result, create-pool, view-results, view-webhooks, create-project, view-pools, update-project-params, update-application, create-webhook, delete-pool, update-webhook, delete-project, view-tenant-params, dast-admin

Role: ast-risk-manager
Description: Manage applications, projects, scans, results, risks, and policies
Permissions: view-projects, update-scan, create-scan, view-queries, view-applications, view-project-params, view-scans, delete-scan, update-project, update-result, view-results, create-project, update-project-params, delete-project, view-tenant-params

Role: ast-scanner
Description: Scan, manage results, manage projects
Permissions: view-projects, create-scan, view-queries, view-applications, view-scans, update-project, view-results, create-project

Role: ast-viewer
Description: View projects, scans, and results
Permissions: view-projects, view-queries, view-applications, view-engines, view-project-params, view-scans, view-results, view-tenant-params

Role: manage-application
Description: Update, delete, create, and view the application
Permissions: create-application, view-projects, update-scan, create-scan, delete-application, view-applications, view-scans, delete-scan, update-project, update-result, view-results, create-project, update-application, delete-project, update-result-not-exploitable

Role: manage-project
Description: Update, delete, create, and view the project
Permissions: view-projects, update-scan, create-scan, view-queries, view-applications, view-project-params, view-scans, delete-scan, update-project, update-result, view-results, create-project, update-project-params, delete-project, view-tenant-params, update-result-not-exploitable

Role: manage-webhook
Description: Update, delete, create, and view webhooks
Permissions: delete-webhook, view-webhooks, create-webhook, update-webhook

Role: queries-editor
Description: View projects, scans, and results; update queries
Permissions: ast-viewer (a composite role, which brings view-applications, view-results, view-scans, view-engines, view-projects, view-tenant-params, view-queries, view-project-params), update-query
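The recursive inheritance described above (queries-editor includes ast-viewer, which in turn includes eight view-* action roles) is easy to get wrong when custom composite roles are nested. The following Python script is an added example for this page, not Checkmarx code or an API of the product: it models the composite-role table as data and resolves the full set of action roles a composite grants, then answers the audit questions a practitioner asks before assigning a role ("which roles can mark a result Not Exploitable?", "does this role delete anything?"). ROLE_MAP is constructed from the table above (only some roles are copied); the release-reviewer entry is a hypothetical custom composite, and the SENSITIVE_ACTIONS set is this example's own selection, not a Checkmarx classification.

```python
"""Resolve the effective permissions of Checkmarx One composite roles.

Added example for this page, not Checkmarx code. ROLE_MAP is constructed
from the composite-role table on the page (only some roles are copied); the
"release-reviewer" entry is a hypothetical custom composite of the kind the
"Creating New Composite Roles" procedure produces. Any role name that is not
a key of ROLE_MAP is treated as an action role (a leaf granting one permission).
"""
from __future__ import annotations

# Composite role -> the roles it maps to (action roles and/or other composites).
ROLE_MAP: dict[str, frozenset[str]] = {
    "ast-viewer": frozenset({
        "view-projects", "view-queries", "view-applications", "view-engines",
        "view-project-params", "view-scans", "view-results", "view-tenant-params",
    }),
    "queries-editor": frozenset({"ast-viewer", "update-query"}),
    "manage-webhook": frozenset({
        "delete-webhook", "view-webhooks", "create-webhook", "update-webhook",
    }),
    "manage-application": frozenset({
        "create-application", "view-projects", "update-scan", "create-scan",
        "delete-application", "view-applications", "view-scans", "delete-scan",
        "update-project", "update-result", "view-results", "create-project",
        "update-application", "delete-project", "update-result-not-exploitable",
    }),
    "manage-project": frozenset({
        "view-projects", "update-scan", "create-scan", "view-queries",
        "view-applications", "view-project-params", "view-scans", "delete-scan",
        "update-project", "update-result", "view-results", "create-project",
        "update-project-params", "delete-project", "view-tenant-params",
        "update-result-not-exploitable",
    }),
    # Hypothetical custom composite built only from other composite roles.
    "release-reviewer": frozenset({"queries-editor", "manage-webhook"}),
}

# Actions worth calling out when auditing a composite role: anything that
# deletes data, plus the ability to set a result to Not Exploitable.
# (This selection is the example's choice, not a Checkmarx classification.)
SENSITIVE_ACTIONS = frozenset({
    "delete-project", "delete-scan", "delete-application", "delete-webhook",
    "update-result-not-exploitable",
})


def effective_actions(role: str, role_map: dict[str, frozenset[str]] = ROLE_MAP) -> frozenset[str]:
    """Every action role granted by `role`, following composite inheritance
    recursively (a composite of composites is expanded too). A cycle in the
    mapping (A maps to B, B maps to A) is tolerated rather than looping."""
    seen: set[str] = set()
    actions: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        if current in role_map:          # composite: expand its members
            stack.extend(role_map[current])
        else:                            # leaf: an action role
            actions.add(current)
    return frozenset(actions)


def roles_granting(action: str, role_map: dict[str, frozenset[str]] = ROLE_MAP) -> list[str]:
    """Composite roles whose effective permissions include `action`, for
    questions such as "which roles can set a result to Not Exploitable?"."""
    return sorted(r for r in role_map if action in effective_actions(r, role_map))


def sensitive_grants(role: str, role_map: dict[str, frozenset[str]] = ROLE_MAP) -> list[str]:
    """Sensitive actions that `role` grants directly or through inheritance.
    An empty list means the role only views data, per SENSITIVE_ACTIONS."""
    return sorted(effective_actions(role, role_map) & SENSITIVE_ACTIONS)


if __name__ == "__main__":
    for name in ROLE_MAP:
        print(f"{name:20} {len(effective_actions(name)):2} actions, sensitive: {sensitive_grants(name)}")
    print("update-result-not-exploitable is granted by:",
          roles_granting("update-result-not-exploitable"))
```

Running the script shows that release-reviewer, although it was built only from two composites, resolves to 13 action roles including delete-webhook, which is the kind of inherited grant that is easy to miss when the role mapping is reviewed one level at a time.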

Creating New Composite Roles

To create a new composite role, perform the following steps:

  1. Click Create Role.

  2. Name the role and click Create Role.

  3. Enter a description for the role (optional). A description is recommended so that the role's purpose is clear later.

  4. Expand the Role Mapping section.

  5. Add roles (composite and/or action roles) by clicking the relevant Add buttons.

  6. Click Save Role.

  7. The new composite role is added to the composite roles list.

Note

Because composite inheritance is recursive, a composite role added in step 5 brings with it every action role it resolves to, including those of any composite roles nested inside it. Review the full resolved set of action roles before assigning the new role to users.

Action Roles

An action role grants permission for a single action in the system.

The following table lists the action roles that are provided for Checkmarx One, along with the activity each one relates to:

Role                             Related activity   Description
create-application               Application        Create an application
delete-application               Application        Delete an application
update-application               Application        Update an application
view-applications                Application        View applications
view-engines                     Engines            View engines
create-pool                      Pool               Create a pool
delete-pool                      Pool               Delete a pool
update-pool                      Pool               Update a pool
view-pools                       Pool               View pools
create-project                   Project            Create a project
delete-project                   Project            Delete a project
update-project                   Project            Update a project
view-projects                    Project            View projects
create-query                     Query              Create a query
delete-query                     Query              Delete a query
update-query                     Query              Update a query
view-queries                     Query              View queries
update-result                    Results            Update results
update-result-not-exploitable    Results            Update a result's state to Not Exploitable
view-results                     Results            View results
create-scan                      Scan               Initiate a scan
delete-scan                      Scan               Delete a scan
update-scan                      Scan               Cancel a scan
view-scans                       Scan               View scans
dast-admin                       Environment        Manage environments and scans, update results, and execute other actions in DAST
dast-update-scan                 Environment        Update a scan's properties in DAST
dast-update-results              Environment        Update results in DAST (severity, comments, etc.)
dast-create-scan                 Environment        Create a new scan in DAST
dast-delete-scan                 Environment        Delete a scan in DAST
dast-update-environment          Environment        Update an environment in DAST
dast-create-environment          Environment        Create a new environment in DAST
dast-external-scans              Environment        CI/CD user for executing actions related to External Workers
dast-delete-environment          Environment        Delete an environment in DAST
dast-cancel-scan                 Environment        Cancel a scan in DAST

IAM Roles

IAM roles relate to the actions available in the User and Access Management console.

The following table lists the IAM roles that are provided for Checkmarx One, along with their respective permissions:

Role            Permissions
iam-admin       Manages general settings, users, client credentials, identity providers, and user federation. iam-admin also inherits the ast-admin role (by design), so it carries full Checkmarx One application permissions as well.
manage-clients  Manage clients
manage-keys     Manage keys
manage-groups   Manage groups in the system
manage-users    Manage users in the system