CxSAST / CxOSA Roles and Permissions (v9.0.0 and up)

This section describes the roles and permissions associated with CxSAST / CxOSA that are effective after performing the data migration procedure and upgrading to CxSAST/CxOSA v9.0.0 and up.

Provided CxSAST / CxOSA Roles

The following table lists the predefined roles that are provided for CxSAST / CxOSA v9.0.0 and up, along with their respective permissions:


Provided Roles for CxSAST / CxOSADescriptionPermissions per Role
Scanner

Permissions to create and manage projects, and run scans

save-sast-scan

save-osa-scan

open-issue-tracking-tickets

save-project

create-project

view-failed-sast-scan​

download-scan-log

see-support-link

Reviewer

Read-only permissions to view scan results and generate reports

manage-result-comment

manage-data-analysis-templates

generate-scan-report

export-scan-results 

see-support-link 

Auditor

Permissions to manage vulnerability queries and use CxAudit

use-cxaudit

create-preset

update-and-delete-preset

manage-custom-description

save-sast-scan

save-project

Results Updater

Permissions to update the properties of scan results​

manage-results-state-and-assignee 

manage-result-comment

manage-result-severity

Results Verifier

Permissions to set the state of scan results to "Not Exploitable"

manage-result-exploitability

Data Cleaner

Permissions to delete projects and scans

delete-sast-scan

delete-project

SAST Admin

Full permissions

All SAST permissions, excluding use-cxaudit
Access Control ManagerManages users, authentication and system settings*See footnote below this table.
AdminCheckmarx products global administrator*See footnote below this table.
User ManagerManages the users in the system*See footnote below this table.
Security Risk ManagerGrants permissions to manage the security risk at scale, manage policies, KPIs, business applications, weights, and more. **See footnote below this table.
Security Risk ViewerGrants permissions to track the security risk, and view policy violations and KPIs.**See footnote below this table.

*These permissions are coming from Access Control.

**These permissions are coming from M&O.

CxSAST / CxOSA Permissions

The following table describes the permissions associated with CxSAST / CxOSA v9.0.0 and up:

PermissionCategoryDescription
manage-authentication-providersGeneral/Access ControlManage authentication providers
manage-clientsGeneral/Access ControlManage clients and their settings
manage-rolesGeneral/Access ControlManage custom roles 
manage-system-settingsGeneral/Access ControlManage general system settings
manage-usersGeneral/Access ControlManage Users

save-sast-scan​

Projects & Scans​          

  • Run new CxSAST scan
  • Create scan subset
  • Save results from CxAudit

delete-sast-scan​

Projects & Scans​

  • Delete CxSAST scan
  • Lock/unlock scan

save-project​

Projects & Scans​

  • Create new project
  • Update project
  • Branch project
  • Duplicate project
  • Save local project from CxAudit

delete-project​

Projects & Scans​

Delete project

view-failed-sast-scan​

Projects & Scans​

View faild scans 

save-osa-scan​

Projects & Scans​

Run CxOSA scan
download-scan-log                       Projects & Scans​Download scan log 

manage-result-state-and-assignee​

Scan Results​

  • Change result state (excluding NE)
  • Assign user

manage-result-comment​

Scan Results​

Add new result comment

manage-result-exploitability​

Scan Results​

Set result state to NE (all other states will be available as well) 

manage-result-severity​

Scan Results​

Change result severity

open-issue-tracking-tickets​

Scan Results​

Create ticket for result

manage-data-analysis-templates​

Reports​

create and delete templates 

generate-scan-report​

ReportsGenerate scan reports
export-scan-resultsReportsExport to CSV from the results viewer

manage-custom-description​

Vulnerability Queries​

Manage custom query descriptions (create, export and import)

create-preset​

Vulnerability Queries​

Create a new preset, save it, update it, delete it
manage-queriesVulnerability Queries​Created and manage queries customization in the CxAudit

update-and-delete-preset​

Vulnerability Queries​

Edit and delete all presets (including Cx out-of-the-box presets)
use-cxauditVulnerability Queries​

Login to CxAudit

Note: This permission is counted against the license.

manage-data-retention​

System Configuration​

Manage data retention

manage-engine-servers​

System Configuration​

Manage engine servers

manage-system-settings​

System Configuration​

  • Download application logs
  • View utilization dashboard
  • View license details
  • View installation details
  • View and edit general settings
  • View and edit CxOSA settings
  • Manage source control users
  • Export/import preset

manage-external-services-settings​

System Configuration​

Configure external service settings

manage-custom-fields​

System Configuration​

Create/update/delete custom fields 

manage-issue-tracking-systems​

System Configuration​

Manage issue-tracking system

manage-pre-post-scan-actions​

System Configuration​

Configure pre- and post-scan actions
download-system-logsSystem Configuration​

View installation details page

Download application logs

Note: only available from 9.0 HF1 

view-appsec-coach-statisticsSystem Configuration​Ability to set the Codebashing integration

use-odata​

API​

Fetch all data via OData API (no filter per current user's team)

see-support-linkOtherView and use "Services & Support" button
view-resultsScan Results​

This permission separates the view-results ability from any other permission.

This is added to any predefined role and is available from CxSAST 9.0 HF5

manage-global-policies-settingsSecurity Risk ManagementManage Global Policies Settings
manage-policiesSecurity Risk ManagementManage Policies
manage-remediation-intelligenceSecurity Risk ManagementManage Remediation Intelligence
view-analyticsSecurity Risk ManagementView Analytics

Permissions per User Interface Screen

The following permissions are required to open the following CxSAST / CxOSA user interface screens.

UI ScreenRequired permission to open the screen
Dashboard/Project state-
Dashboard/Failed scansview-failed-sast-scan
Dashboard/Utilizationmanage-system-settings
Dashboard/Risk-
Dashboard/Data Analysis
Projects & Scans/Create new project
Projects & Scans/Queue
Projects & Scans/Projects-
Projects & Scans/All scans-
Management/Scan settings/Query viewer-
Management/Scan settings/Preset manager -
Management/Scan settings/Pre-post actionsmanage-pre-post-scan-actions
Management/Scan settings/Source control usersmanage-system-settings
Management/Application settings/Generalmanage-system-settings
Management/Application settings/Licensemanage-system-settings
Management/Application settings/OSA settingsmanage-system-settings
Management/Application settings/Installationmanage-system-settings
Management/Application settings/External servicesmanage-external-services-settings
Management/Application settings/Engine managementmanage-engine-servers
Management/Application settings/Data retentionmanage-data-retention
Management/Application settings/Issue tracking manage-issue-tracking-systems
Management/Manage custom fieldsmanage-custom-fields
Access Controlmanage-users (AC permission)
M&O/Analyticsview-analytics (M&O permission)
M&O/Remediation Intelligence(M&O permission)
M&O/Policy Violations-
M&O/Policy Manager-
My Profile-
Services & Supportsee-support-link