Managing Access Scopes

Some Bright operations and integrations require specific scanning and management permissions, which you grant by selecting the relevant access scopes.

Note: For example, to enable integration with your CI pipeline, you may need to create an organization or personal API key with a predefined set of scopes. Each scope grants permission to perform a specific action, such as creating, running, viewing, editing, or deleting a particular Bright component.

Access scopes can be enabled for user roles and for personal, project, and organization API keys. To learn how to create API keys at each of these levels and how to create custom user roles, use the links below:

The table below lists the scopes that can be enabled for user roles and for the different types of API keys (personal, project, and organization), and what each scope grants.

| Scope | Description |
| --- | --- |
| api-keys | Allows creating personal API keys |
| auth-objects | Provides unrestricted access to authentication object management |
| auth-objects:read | Allows viewing authentication objects |
| auth-objects:test | Allows testing an authentication object during its configuration |
| auth-objects:write | Allows creating, editing, and deleting authentication objects |
| auth-providers | Allows configuring SSO providers (Okta, Google, ADFS) |
| bot | Enables communication between a Repeater and the Bright engine |
| comments | Allows viewing and managing comments in scans and issues |
| comments:read | Allows viewing comments in scans and issues |
| comments:write | Allows editing and deleting comments in scans and issues |
| discoveries | Provides unrestricted access to discoveries |
| discoveries:delete | Allows deleting discoveries |
| discoveries:manage | Allows editing discoveries |
| discoveries:read | Allows viewing existing discoveries |
| discoveries:run | Allows running discoveries |
| discoveries:stop | Allows stopping discoveries |
| entry-points | Provides unrestricted access to entry points |
| entry-points:manage | Allows creating, editing, deleting, testing, and previewing changes made to entry points |
| entry-points:read | Allows viewing entry points |
| field:set-clear-text | Allows setting fields as clear text |
| field:set-masked | Allows setting fields as masked |
| field:unmask | Allows unmasking sensitive fields |
| files:read | Allows reading and downloading files from the storage |
| files:write | Allows associating files with projects, and cloning, uploading, or deleting them |
| groups:admin | Provides unrestricted access to all organization groups |
| groups:delete | Allows deleting groups |
| groups:manage | Allows creating new groups, editing existing groups, adding members to groups, and assigning roles to groups |
| groups:read | Allows viewing groups |
| integration.repos:manage | Allows choosing the severity level of issues to be opened in integrated services |
| integration.repos:read | Allows viewing resources of the integrated services, for example, GitHub repositories, Slack channels, or Jira boards |
| integrations:read | Allows viewing a list of available and enabled integrations |
| integrations:write | Allows enabling integrations with services like GitHub, GitLab, Slack, Jira, or Azure |
| issues:manage | Allows executing scan issues and saving them as new |
| issues:read | Allows viewing detected scan issues |
| logs | Allows viewing the personal activity log |
| org | Provides unrestricted access to organization management |
| org:read | Allows viewing basic information about an organization: organization name and quotas. This scope is required for running and managing scans |
| org:write | Allows editing the company name and enforcing MFA |
| org.api-keys | Allows creating organization API keys (tokens) |
| org.logs | Allows viewing the organization's activity log |
| org.memberships:manage | Allows adding a member to an organization, editing a member's details, and deleting a member from an organization |
| org.memberships:read | Allows viewing members of an organization |
| org.memberships:reset-mfa | Allows users with the Admin or Owner role to disable MFA (2FA) settings for users inside the organization |
| org.scans-templates | Provides unrestricted access to all scan templates |
| projects-issues:write | Allows managing project issues: changing severity, status, and assignee |
| project.api-keys | Allows creating project-level API keys |
| projects:admin | Provides unrestricted access to project management |
| projects:create | Allows creating projects |
| projects:delete | Allows deleting projects |
| projects:edit | Allows editing the project name and number of concurrent scans, adding associated GitHub or GitLab repositories, Slack channels, and Azure or Jira boards, and managing webhooks |
| projects:read | Allows viewing available projects and project issues. This scope is required for running a scan |
| repeaters:read | Allows viewing the organization's Repeaters |
| repeaters:write | Allows creating, editing, and deleting a Repeater, as well as testing the Repeater's connection to a network |
| reports:read | Allows viewing scan reports |
| reports:write | Allows managing the configuration of PDF reports |
| roles:read | Allows viewing a list of roles |
| roles:write | Allows creating, editing, and deleting custom roles. The default roles (for example, "Admin", "Owner", etc.) are read-only |
| scan-labels:manage | Allows editing labels in scans that are already running or have finished |
| scans | Provides unrestricted access to scan management. The org:read scope is also required to run and manage scans |
| scans:delete | Allows deleting scans |
| scans:manage | Allows editing scan settings |
| scans:read | Allows viewing existing scans |
| scans:run | Allows running and retesting scans |
| scans:stop | Allows stopping scans |
| scans-templates | Provides unrestricted access to scan template management |
| scans-templates:read | Allows viewing existing scan templates |
| scans-templates:write | Allows creating, editing, and deleting custom scan templates |
| scim | Enables user and group provisioning from ADFS and Okta to a Bright organization |
| scripts:read | Allows viewing Repeater scripts |
| scripts:write | Allows creating, editing, and deleting Repeater scripts |
| user | Allows reading and editing the user's own personal details, including consents, date settings, and notifications. Required for API authorization |
| user:read | Allows viewing the user's own personal details |
| user:write | Allows users to edit their own personal details, for example, to change names, emails, and passwords |
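The note at the top of this page says a CI pipeline key should carry a predefined set of scopes. The following is an added example (not Bright's own code or API) of how to derive that set from the table above and audit an existing key against it for least privilege. The task-to-scope mapping is taken from the descriptions in the table (org:read and projects:read are stated as required to run and manage scans); the parent-to-child expansion is an assumption that a bare "unrestricted" scope such as scans covers every scans:* scope listed beside it.

```python
"""Least-privilege check for the scopes on a Bright CI API key.

Added example; not Bright's own code. The task-to-scope mapping and the
parent/child expansion are assumptions read from the scope table.
"""

# Assumption: a bare "unrestricted" scope covers the scoped variants the
# table lists beside it. Only families relevant to a CI pipeline are modelled.
WILDCARD_SCOPES = {
    "scans": {"scans:read", "scans:run", "scans:stop", "scans:manage", "scans:delete"},
    "scans-templates": {"scans-templates:read", "scans-templates:write"},
    "discoveries": {"discoveries:read", "discoveries:run", "discoveries:stop",
                    "discoveries:manage", "discoveries:delete"},
    "org": {"org:read", "org:write"},
    "projects:admin": {"projects:read", "projects:create", "projects:edit", "projects:delete"},
    "auth-objects": {"auth-objects:read", "auth-objects:test", "auth-objects:write"},
}

# What a typical pipeline step needs, per the table: org:read and projects:read
# are required to run a scan, scans:run starts it, scans:read polls it.
CI_TASKS = {
    "run-scan": {"scans:run", "org:read", "projects:read"},
    "wait-for-scan": {"scans:read", "org:read", "projects:read"},
    "read-issues": {"issues:read", "projects:read"},
    "stop-scan": {"scans:stop", "org:read", "projects:read"},
}


def expand_scopes(granted):
    """Return the effective scope set, expanding bare wildcard scopes into their children."""
    effective = set()
    for scope in granted:
        effective.add(scope)
        effective |= WILDCARD_SCOPES.get(scope, set())
    return effective


def required_scopes(tasks):
    """Union of the scopes the selected CI tasks need; rejects tasks not modelled above."""
    unknown = set(tasks) - set(CI_TASKS)
    if unknown:
        raise ValueError(f"unknown CI task(s): {sorted(unknown)}")
    needed = set()
    for task in tasks:
        needed |= CI_TASKS[task]
    return needed


def audit_key(granted, tasks):
    """Compare a key's scopes with what the tasks need.

    Returns (missing, excess): missing scopes will make the pipeline fail;
    excess scopes are effective permissions the pipeline never uses and
    should be removed from the key.
    """
    effective = expand_scopes(granted)
    needed = required_scopes(tasks)
    return needed - effective, effective - needed


def minimal_key_scopes(tasks):
    """The scoped (non-wildcard) list to tick when creating a key for these tasks."""
    return sorted(required_scopes(tasks))


if __name__ == "__main__":
    pipeline = ["run-scan", "wait-for-scan", "read-issues"]
    # Constructed example: a key created by ticking the unrestricted parents.
    broad_key = {"scans", "org", "projects:admin", "issues:read"}
    missing, excess = audit_key(broad_key, pipeline)
    print("broad key, missing:", sorted(missing))
    print("broad key, excess :", sorted(excess))
    print("minimal scopes    :", minimal_key_scopes(pipeline))
```

Run against a key that was created by ticking the parent scopes (scans, org, projects:admin), the audit reports nothing missing but flags scans:delete, org:write, and projects:delete among the excess; the minimal list for the same pipeline is five scoped entries, none of them a wildcard.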