Managing Access Scopes
For some Bright operations and integrations, you need specific scanning and management permissions, which are granted by selecting the relevant access scopes.
Note: For example, to enable integration with your CI pipeline, you may need to create an organization or a personal API key with a predefined set of scopes. Each scope grants permission to perform a specific action, such as creating, running, viewing, editing, or deleting a particular Bright component.
Access scopes can be enabled for user roles and for personal, project, and organization API keys. To learn how to create API keys at each of these levels and how to create custom user roles, use the links below:
The table below shows which scopes can be enabled for user roles and different types of API keys.
| Scope | Role | Personal API key | Project API key | Organization API key | Description |
|---|---|---|---|---|---|
| api-keys | ✅ | | | | Allows creating personal API keys |
| auth-objects | ✅ | | | | Provides unrestricted access to authentication objects management |
| auth-objects:read | ✅ | ✅ | ✅ | | Allows viewing authentication objects |
| auth-objects:test | ✅ | ✅ | ✅ | | Allows testing an authentication object during its configuration |
| auth-objects:write | ✅ | ✅ | ✅ | | Allows creating, editing, and deleting authentication objects |
| auth-providers | ✅ | | | | Allows configuring SSO providers (Okta, Google, ADFS) |
| bot | ✅ | ✅ | ✅ | | Enables communication between a Repeater and the Bright engine |
| comments | ✅ | ✅ | | | Allows viewing and managing comments in scans and issues |
| comments:read | ✅ | ✅ | | | Allows viewing comments in scans and issues |
| comments:write | ✅ | ✅ | | | Allows editing and deleting comments in scans and issues |
| discoveries | ✅ | ✅ | ✅ | ✅ | Provides unrestricted access to discoveries |
| discoveries:delete | ✅ | ✅ | ✅ | | Allows deleting discoveries |
| discoveries:manage | ✅ | ✅ | ✅ | | Allows editing discoveries |
| discoveries:read | ✅ | ✅ | ✅ | ✅ | Allows viewing existing discoveries |
| discoveries:run | ✅ | ✅ | ✅ | | Allows running discoveries |
| discoveries:stop | ✅ | ✅ | ✅ | | Allows stopping discoveries |
| entry-points | ✅ | ✅ | ✅ | ✅ | Provides unrestricted access to entry points |
| entry-points:manage | ✅ | ✅ | ✅ | ✅ | Allows creating, editing, deleting, testing, and previewing changes made to entry points |
| entry-points:read | ✅ | ✅ | ✅ | ✅ | Allows viewing entry points |
| field:set-clear-text | ✅ | | | | Allows setting fields as clear text |
| field:set-masked | ✅ | | | | Allows setting fields as masked |
| field:unmask | ✅ | | | | Allows unmasking sensitive fields |
| files:read | ✅ | ✅ | ✅ | ✅ | Allows reading and downloading files from the storage |
| files:write | ✅ | ✅ | ✅ | ✅ | Allows associating files with projects, and cloning, uploading, or deleting them |
| groups:admin | ✅ | ✅ | | | Provides administrative control over groups only and should not be required for viewing members |
| groups:delete | ✅ | ✅ | ✅ | | Allows deleting groups |
| groups:manage | ✅ | ✅ | ✅ | | Allows creating, editing, and deleting groups, but does not control member visibility |
| groups:read | ✅ | ✅ | ✅ | | Allows viewing groups |
| integration.repos:manage | ✅ | | | | Allows choosing the severity level of issues to be opened in integrated services |
| integration.repos:read | ✅ | ✅ | ✅ | ✅ | Allows viewing resources of the integrated services, for example, GitHub repositories, Slack channels, or Jira boards |
| integrations:read | ✅ | | | | Allows viewing a list of available and enabled integrations |
| integrations:write | ✅ | | | | Allows enabling integrations with services like GitHub, GitLab, Slack, Jira, or Azure |
| issues:manage | ✅ | ✅ | ✅ | ✅ | Allows executing and saving scan issues as new |
| issues:read | ✅ | ✅ | ✅ | ✅ | Allows viewing detected scan issues |
| logs | ✅ | ✅ | | | Allows viewing the personal activities log |
| org | ✅ | | | | Provides unrestricted access to organization management |
| org:read | ✅ | ✅ | ✅ | | Gives access to the Organization tab and general org details, but does not grant visibility into members |
| org:write | ✅ | ✅ | ✅ | | Allows editing the company name and enforcing MFA |
| org.api-keys | ✅ | | | | Allows creating organization API keys (tokens) |
| org.logs | ✅ | ✅ | ✅ | | Allows viewing the organization's activities log |
| org.memberships:manage | ✅ | ✅ | ✅ | | Allows managing group memberships, including adding, editing, and removing members from groups |
| org.memberships:read | ✅ | ✅ | ✅ | | Allows users to see only the members who share a mutual group with them (excluding “Everyone”). Together with org:read, it enables opening the Organization tab and viewing the filtered member list |
| org.scans-templates | ✅ | ✅ | | | Allows unrestricted access to all scan templates |
| projects-issues:write | ✅ | ✅ | ✅ | ✅ | Allows users to manage project issues: to change severity, status, and assignee |
| project.api-keys | ✅ | | | | Allows creating project-level API keys |
| projects:admin | ✅ | | | | Provides unrestricted access to project management |
| projects:create | ✅ | ✅ | ✅ | | Allows creating projects |
| projects:delete | ✅ | ✅ | ✅ | | Allows deleting projects |
| projects:edit | ✅ | ✅ | ✅ | ✅ | Allows editing the project name and the number of concurrent scans, adding associated GitHub or GitLab repositories, Slack channels, Azure or Jira boards, and managing webhooks |
| projects:read | ✅ | ✅ | ✅ | ✅ | Allows viewing available projects and project issues. This scope is required for running a scan |
| repeaters:read | ✅ | ✅ | ✅ | ✅ | Allows viewing the organization’s repeaters |
| repeaters:write | ✅ | ✅ | ✅ | ✅ | Allows creating, editing, and deleting a repeater, as well as testing the repeater's connection to a network |
| reports:read | ✅ | | | | Allows viewing scan reports |
| reports:write | ✅ | | | | Allows managing the configuration of PDF reports |
| roles:read | ✅ | ✅ | ✅ | | Allows viewing a list of roles |
| roles:write | ✅ | ✅ | ✅ | | Allows creating, editing, and deleting custom roles. The default roles (for example, “Admin”, “Owner”, etc.) are read-only |
| scan-labels:manage | ✅ | ✅ | ✅ | ✅ | Allows editing labels in scans that are already running or have finished |
| scans | ✅ | ✅ | ✅ | ✅ | Provides unrestricted access to scan management. The org:read scope is also required to run and manage scans |
| scans:delete | ✅ | ✅ | ✅ | ✅ | Allows deleting scans |
| scans:manage | ✅ | ✅ | ✅ | ✅ | Allows editing scan settings |
| scans:read | ✅ | ✅ | ✅ | ✅ | Allows viewing existing scans |
| scans:run | ✅ | ✅ | ✅ | ✅ | Allows running and retesting scans |
| scans:stop | ✅ | ✅ | ✅ | ✅ | Allows stopping scans |
| scans-templates | ✅ | ✅ | ✅ | | Provides unrestricted access to scan templates management |
| scans-templates:read | ✅ | ✅ | ✅ | | Allows viewing existing scan templates |
| scans-templates:write | ✅ | ✅ | ✅ | | Allows creating, editing, and deleting custom scan templates |
| scim | ✅ | | | | Enables user and group provisioning from ADFS and Okta to a Bright organization |
| scripts:read | ✅ | ✅ | ✅ | ✅ | Allows viewing the repeater’s scripts |
| scripts:write | ✅ | ✅ | ✅ | ✅ | Allows creating, editing, and deleting the repeater’s scripts |
| user | ✅ | ✅ | | | Allows reading and editing the user’s own personal details, including consents, date settings, and notifications. Required for API authorization |
| user:read | ✅ | ✅ | | | Allows viewing the user’s own personal details |
| user:write | ✅ | ✅ | | | Allows users to edit their own personal details, for example, to change names, emails, and passwords |
| repeaters:manage | ✅ | ✅ | | | Allows users to edit the repeater's settings |
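The note about CI API keys and the table's own dependencies (projects:read is required to run a scan; org:read is required to run and manage scans) suggest a least-privilege check before a key is issued: compare the scopes a job needs with the scopes a key carries and report what is missing and what is excess. The script below is an added example, not Bright's code or API. The scope names and the two dependencies come from the table; the assumption that an "unrestricted access" scope such as `scans`, `org`, or `projects:admin` implies the narrower scopes of its area is the example's own, and only the areas used here are listed.

```python
"""Least-privilege audit for a Bright API key's scope list (added example, not Bright's code)."""
from __future__ import annotations

# Assumption (not stated on the page): each scope described as "unrestricted
# access" implies the narrower scopes of the same area. Partial list on purpose.
UMBRELLA_SCOPES: dict[str, frozenset[str]] = {
    "org": frozenset({"org:read", "org:write"}),
    "projects:admin": frozenset({"projects:create", "projects:delete",
                                 "projects:edit", "projects:read"}),
    "scans": frozenset({"scans:delete", "scans:manage", "scans:read",
                        "scans:run", "scans:stop"}),
    "scans-templates": frozenset({"scans-templates:read", "scans-templates:write"}),
}

# Dependencies stated in the scope table: running a scan requires projects:read,
# and running or managing scans requires org:read.
REQUIRED_WITH: dict[str, frozenset[str]] = {
    "scans:run": frozenset({"projects:read", "org:read"}),
    "scans:manage": frozenset({"org:read"}),
    "scans": frozenset({"org:read"}),
}


def parse_scopes(text: str) -> set[str]:
    """Parse a comma- or whitespace-separated scope list as typed into a key form."""
    return {s.strip() for s in text.replace(",", " ").split() if s.strip()}


def expand(scopes: set[str]) -> set[str]:
    """Effective permissions: the scopes themselves plus whatever an umbrella scope implies."""
    effective = set(scopes)
    for scope in scopes:
        effective |= UMBRELLA_SCOPES.get(scope, frozenset())
    return effective


def closure(needed: set[str]) -> set[str]:
    """Scopes a task needs, including the companion scopes the table says each one requires."""
    required = set(needed)
    changed = True
    while changed:  # iterate until no dependency adds a new scope
        changed = False
        for scope in list(required):
            deps = REQUIRED_WITH.get(scope, frozenset())
            if not deps <= required:
                required |= deps
                changed = True
    return required


def audit_key(granted: set[str], needed: set[str]) -> dict[str, set[str]]:
    """Compare a key's scopes with what a task needs.

    missing  - the key cannot perform the task (or lacks a stated companion scope)
    excess   - permissions beyond the task; drop these for least privilege
    umbrella - unrestricted-access scopes carried by the key, worth a second look
    """
    effective = expand(granted)
    required = closure(needed)
    return {
        "missing": required - effective,
        "excess": (effective - required) - set(UMBRELLA_SCOPES),
        "umbrella": granted & set(UMBRELLA_SCOPES),
    }


if __name__ == "__main__":
    # Constructed scenario: a CI job that starts a scan and polls its status.
    ci_task = {"scans:run", "scans:read"}
    tight_key = parse_scopes("scans:run, scans:read, projects:read, org:read")
    broad_key = parse_scopes("scans org projects:admin")
    for name, key in (("tight", tight_key), ("broad", broad_key)):
        result = audit_key(key, ci_task)
        print(name, {k: sorted(v) for k, v in result.items()})
```

For the constructed CI task the tight key reports nothing missing and nothing in excess, while the key built from `scans`, `org`, and `projects:admin` is flagged for three umbrella scopes and seven surplus permissions (deleting scans and projects, editing org settings, and so on) that the job never uses. A key carrying only `scans:run` and `scans:read` is reported as missing `projects:read` and `org:read`, which is the failure mode the table warns about.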