Managing Access Scopes

Some Bright operations and integrations require specific scanning and management permissions, which you grant by selecting the relevant access scopes.

For example, to integrate Bright with your CI pipeline, you may need to create an organization or personal API key with a predefined set of scopes. Each scope grants permission to perform a specific action, such as creating, running, viewing, editing, or deleting a particular Bright component. Grant only the scopes a key actually needs: a key that carries an unrestricted scope such as scans or org can do far more than start a scan if it leaks from the pipeline.

Access scopes can be enabled for user roles and for personal, project, and organization API keys. To learn how to create API keys at each level and how to define custom user roles, use the links below:

The table below shows which scopes can be enabled for user roles and different types of API keys.

Scope | Enabled for (one + per level: Role, Personal API key, Project API key, Organization API key) | Description
activities | + | Allows viewing notifications and managing the notification feed
api-keys | + | Allows creating personal API keys
auth-objects | + | Provides unrestricted access to authentication object management
auth-objects:read | ++ | Allows viewing authentication objects
auth-objects:test | ++ | Allows testing an authentication object during its configuration
auth-objects:write | ++ | Allows creating, editing, and deleting authentication objects
auth-providers | + | Allows configuring SSO providers (Okta, Google, ADFS)
billing | + | Allows viewing the billing summary
bot | +++ | Enables communication between a Repeater and the Bright engine
comments | ++ | Allows viewing and managing comments in scans and issues
comments:read | ++ | Allows viewing comments in scans and issues
comments:write | ++ | Allows editing and deleting comments in scans and issues
discoveries | ++++ | Provides unrestricted access to discoveries
discoveries:delete | +++ | Allows deleting discoveries
discoveries:manage | +++ | Allows editing discoveries
discoveries:read | ++++ | Allows viewing existing discoveries
discoveries:run | +++ | Allows running discoveries
discoveries:stop | +++ | Allows stopping discoveries
entry-points | ++++ | Provides unrestricted access to entry points
entry-points:read | ++++ | Allows viewing entry points
entry-points:manage | ++++ | Allows creating, editing, deleting, and testing entry points, and previewing changes made to them
files:read | ++++ | Allows reading and downloading files from the storage
files:write | ++++ | Allows associating files with projects, and cloning, uploading, or deleting them
groups:admin | ++ | Provides unrestricted access to all organization groups
groups:delete | +++ | Allows deleting groups
groups:manage | +++ | Allows creating new groups, editing existing groups, adding members to groups, and assigning roles to groups
groups:read | +++ | Allows viewing groups
integration.repos:manage | + | Allows choosing the severity level of issues to be opened in integrated services
integration.repos:read | ++++ | Allows viewing resources of the integrated services, for example, GitHub repositories, Slack channels, or Jira boards
integrations:read | + | Allows viewing a list of available and enabled integrations
integrations:write | + | Allows enabling integrations with services such as GitHub, GitLab, Slack, Jira, or Azure
issues:manage | ++++ | Allows executing and saving scan issues as new
issues:read | ++++ | Allows viewing detected scan issues
logs | ++ | Allows viewing the personal activities log
org | + | Provides unrestricted access to organization management, including permission to delete the organization
org:read | +++ | Allows viewing basic information about an organization: organization name and quotas. This scope is required for running and managing scans
org:write | +++ | Allows editing the company name and enforcing MFA
org.api-keys | + | Allows creating organization API keys (tokens)
org.logs | +++ | Allows viewing the organization's activities log
org.memberships:manage | +++ | Allows adding a member to an organization, editing a member's details, and deleting a member from an organization
org.memberships:read | +++ | Allows viewing members of an organization
org.scans-templates | ++ | Allows unrestricted access to all scan templates
payment-methods | + | Allows managing payment methods
payments | + | Allows managing the user's payments
plans | + | Allows viewing information about payment plans
products | + | Allows viewing information about available products
project.api-keys | + | Allows creating project-level API keys
project-issues:write | +++ | Allows users to manage project issues: change severity, status, and assignee
projects:admin | + | Provides unrestricted access to project management
projects:create | ++++ | Allows creating projects
projects:delete | +++ | Allows deleting projects
projects:edit | ++++ | Allows editing the project name and number of concurrent scans, adding associated GitHub or GitLab repositories, Slack channels, Azure or Jira boards, and managing webhooks
projects:read | ++++ | Allows viewing available projects and project issues. This scope is required for running a scan
repeaters:read | ++++ | Allows viewing the organization's Repeaters
repeaters:write | ++++ | Allows creating, editing, and deleting a Repeater, as well as testing the Repeater's connection to a network
reports:read | + | Allows viewing scan reports
reports:write | + | Allows managing the configuration of PDF reports
roles:read | +++ | Allows viewing a list of roles
roles:write | +++ | Allows creating, editing, and deleting custom roles. The default roles (for example, "Admin", "Owner", etc.) are read-only
scan-labels:manage | ++++ | Allows editing labels in scans that are already running or have finished
scans | ++++ | Provides unrestricted access to scan management. The org:read scope is also required to run and manage scans
scans-templates | +++ | Provides unrestricted access to scan template management
scans-templates:read | +++ | Allows viewing existing scan templates
scans-templates:write | +++ | Allows creating, editing, and deleting custom scan templates
scans:delete | ++++ | Allows deleting scans
scans:manage | ++++ | Allows editing scan settings
scans:read | ++++ | Allows viewing existing scans
scans:run | ++++ | Allows running and retesting scans
scans:stop | ++++ | Allows stopping scans
scim | + | Enables user and group provisioning from ADFS and Okta to a Bright organization
scripts:read | ++++ | Allows viewing the Repeater's scripts
scripts:write | ++++ | Allows creating, editing, and deleting the Repeater's scripts
subscriptions | + | Allows managing plan subscriptions for an organization
user | ++ | Allows reading and editing the user's own personal details, including consents, date settings, and notifications. Required for API authorization
user:read | ++ | Allows viewing the user's own personal details
user:write | ++ | Allows users to edit their own personal details, for example, names, emails, and passwords
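The table makes two things explicit that matter when you mint an API key for a CI pipeline: some scopes are prerequisites of others (org:read is required to run and manage scans, projects:read is required to run a scan), and an unqualified scope such as scans or org is a wildcard over its whole family. The following script is an added example, not part of the Bright documentation or product. It encodes those two rules and checks a proposed set of key scopes against a CI task, reporting what is missing, what is unused, and what is broader than the task needs. The scope names are the ones listed above; the REQUIRES map, the treatment of projects:admin and groups:admin as family wildcards, the CI task, and the sample key scope sets are assumptions constructed for this example.

```python
"""Least-privilege check for a Bright API key's scope set (added example).

Encodes only what the scope table states: a bare scope such as "scans"
grants every "scans:*" action, and org:read / projects:read are
prerequisites for running and managing scans. Everything else here
(the task definitions, sample key scope sets) is constructed for the example.
"""

# Prerequisites taken from the scope descriptions: the scope on the left
# is unusable unless the scopes on the right are granted as well.
# (scans:stop -> org:read is an assumption: stopping is "managing" a scan.)
REQUIRES = {
    "scans": {"org:read", "projects:read"},
    "scans:run": {"org:read", "projects:read"},
    "scans:manage": {"org:read"},
    "scans:stop": {"org:read"},
}

# Qualified scopes that the table describes as "unrestricted access" to a
# whole family (assumption: they cover every scope in that family).
WILDCARD_PREFIX = {"projects:admin": "projects", "groups:admin": "groups"}


def _family(scope: str) -> str:
    """Family of a scope: "scans:run" -> "scans". Dotted scopes such as
    "org.logs" are their own family, not children of "org"."""
    return scope.split(":", 1)[0]


def _covers(granted: str, needed: str) -> bool:
    """True if the granted scope satisfies the needed one: identical, or the
    granted scope is a family wildcard ("scans" covers "scans:run",
    "org" covers "org:read", "projects:admin" covers "projects:read")."""
    if granted == needed:
        return True
    family = WILDCARD_PREFIX.get(granted)
    if family is None and ":" not in granted:
        family = granted  # bare scope acts as wildcard over its family
    return family is not None and _family(needed) == family


def required_closure(task_scopes):
    """Task scopes plus every prerequisite, followed transitively."""
    needed = set(task_scopes)
    stack = list(task_scopes)
    while stack:
        for dep in REQUIRES.get(stack.pop(), ()):
            if dep not in needed:
                needed.add(dep)
                stack.append(dep)
    return needed


def minimal_scopes(task_scopes):
    """Smallest scope set to request when creating the key for this task."""
    return sorted(required_closure(task_scopes))


def check_key(granted, task_scopes):
    """Compare a key's granted scopes with what the task actually needs."""
    needed = required_closure(task_scopes)
    missing = sorted(n for n in needed if not any(_covers(g, n) for g in granted))
    used = {g for g in granted if any(_covers(g, n) for n in needed)}
    excess = sorted(set(granted) - used)               # grants nothing the task needs
    too_broad = sorted(g for g in used                  # wildcard where a narrower scope would do
                       if any(_covers(g, n) and g != n for n in needed))
    return {"needed": sorted(needed), "missing": missing,
            "excess": excess, "too_broad": too_broad}


# Constructed CI task: start a scan, poll it, stop it on timeout.
CI_SCAN_TASK = ["scans:run", "scans:read", "scans:stop"]

if __name__ == "__main__":
    print("request these scopes:", minimal_scopes(CI_SCAN_TASK))
    # Constructed sample keys: one over-privileged, one under-privileged.
    print(check_key(["scans", "org", "projects:read", "user:write"], CI_SCAN_TASK))
    print(check_key(["scans:run", "scans:read"], CI_SCAN_TASK))
```

Run it before creating the key and again whenever the pipeline's job changes; anything reported under too_broad (a bare scans or org scope standing in for a single action) or excess (a scope the job never exercises) is attack surface the key carries for no benefit.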