Role Management Scopes
When creating a custom role to be assigned to a new or an existing member or group, you can predefine the access permissions for this role by selecting the relevant scopes. The following table describes the permissions each scope provides.
Scope | Description |
---|---|
api-keys | Allows creating personal API keys |
auth-objects | Provides unrestricted access to authentication objects management |
auth-objects:read | Allows viewing authentication objects |
auth-objects:test | Allows testing an authentication object during its configuration |
auth-objects:write | Allows creating, editing, and deleting authentication objects |
auth-providers | Allows configuring SSO providers (Okta, Google, ADFS) |
comments | Allows viewing and managing comments in scans and issues |
comments:read | Allows viewing comments in scans and issues |
comments:write | Allows editing and deleting comments in scans and issues |
discoveries | Provides unrestricted access to discoveries |
discoveries:delete | Allows deleting discoveries |
discoveries:manage | Allows editing discoveries |
discoveries:read | Allows viewing existing discoveries |
discoveries:run | Allows running discoveries |
discoveries:stop | Allows stopping discoveries |
entry-points | Provides unrestricted access to entry points |
entry-points:manage | Allows creating, editing, deleting, and testing entry points, and previewing changes made to them |
entry-points:read | Allows viewing entry points |
field:set-clear-text | Allows setting fields as clear text |
field:set-masked | Allows setting fields as masked |
field:unmask | Allows unmasking sensitive fields |
files:read | Allows reading and downloading files from the storage |
files:write | Allows associating files with projects, cloning files, and uploading or deleting them |
groups:admin | Provides unrestricted access to all organization groups |
groups:delete | Allows deleting groups |
groups:manage | Allows creating new groups, editing existing groups, adding members to groups, assigning roles to groups |
groups:read | Allows viewing groups |
integration.repos:manage | Allows choosing the severity level of issues to be opened in integrated services |
integration.repos:read | Allows viewing resources of the integrated services, for example, GitHub repositories, Slack channels, or Jira boards |
integrations:read | Allows viewing a list of available and enabled integrations |
integrations:write | Allows enabling integrations with services like GitHub, GitLab, Slack, Jira, or Azure |
issues:manage | Allows executing scan issues and saving them as new |
issues:read | Allows viewing detected scan issues |
logs | Allows viewing the personal activities log |
org | Provides unrestricted access to organization management |
org:read | Allows viewing basic information about an organization: organization name and quotas. This scope is required for running and managing scans |
org:write | Allows editing company name and enforcing MFA |
org.api-keys | Allows creating organization API keys (tokens) |
org.logs | Allows viewing the organization's activities log |
org.memberships:manage | Allows adding a member to an organization, editing member's details, and deleting a member from an organization |
org.memberships:read | Allows viewing members of an organization |
org.scans-templates | Allows unrestricted access to all scan templates |
projects-issues:write | Allows users to manage project issues: to change severity, status, and assignee |
project.api-keys | Allows creating project-level API keys |
projects:admin | Provides unrestricted access to project management |
projects:create | Allows creating projects |
projects:delete | Allows deleting projects |
projects:edit | Allows editing the project name and the number of concurrent scans, adding associated GitHub or GitLab repositories, Slack channels, and Azure or Jira boards, and managing webhooks |
projects:read | Allows viewing of available projects and project issues. This scope is required for running a scan |
repeaters:read | Allows viewing organization’s repeaters |
repeaters:write | Allows creating, editing, and deleting a repeater, as well as testing repeater connection to a network |
reports:read | Allows viewing scan reports |
reports:write | Allows managing configuration of PDF reports |
roles:read | Allows viewing a list of roles |
roles:write | Allows creating, editing, and deleting custom roles. The default roles (for example, “Admin”, “Owner”, etc.) are read-only |
scan-labels:manage | Allows editing labels in scans that are already running or have finished |
scans | Provides unrestricted access to scan management. The org:read scope is also required to run and manage scans |
scans:delete | Allows deleting scans |
scans:manage | Allows editing scan settings |
scans:read | Allows viewing existing scans |
scans:run | Allows running and retesting scans |
scans:stop | Allows stopping scans |
scans-templates | Provides unrestricted access to scan templates management |
scans-templates:read | Allows viewing existing scan templates |
scans-templates:write | Allows creating, editing, and deleting custom scan templates |
scripts:read | Allows viewing repeater’s scripts |
scripts:write | Allows creating, editing, and deleting repeater’s scripts |
user | Allows reading and editing user’s own personal details including consents, date settings, and notifications. Required for API authorization |
user:read | Allows viewing user’s own personal details |
user:write | Allows users to edit their own personal details, for example, change names, emails, and passwords |
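As an added example (not part of this documentation), the checker below applies the prerequisites the table states: running a scan needs scans:run together with org:read and projects:read, and managing scans needs scans:manage together with org:read. It assumes that an unrestricted parent scope such as scans or org implies every sub-scope of that resource; that mapping and the action names are ours, not the product's.

```python
# Added example: validate a custom role's scope set against the prerequisites
# stated in the scope table. Assumption (ours, not the page's): a parent scope
# described as "unrestricted" implies all sub-scopes of the same resource.
from typing import Dict, Iterable, Set

# Unrestricted parent scopes mapped to the sub-scopes they are assumed to cover.
# Only the resources involved in running and managing scans are listed.
UNRESTRICTED: Dict[str, Set[str]] = {
    "scans": {"scans:delete", "scans:manage", "scans:read", "scans:run", "scans:stop"},
    "org": {"org:read", "org:write"},
    "projects:admin": {"projects:create", "projects:delete", "projects:edit", "projects:read"},
}

# Prerequisites taken from the scope descriptions; action names are ours.
REQUIREMENTS: Dict[str, Set[str]] = {
    "run scan": {"scans:run", "org:read", "projects:read"},
    "manage scans": {"scans:manage", "org:read"},
}


def expand(scopes: Iterable[str]) -> Set[str]:
    """Effective scope set: granted scopes plus the children of any unrestricted parent."""
    effective = set(scopes)
    for parent, children in UNRESTRICTED.items():
        if parent in effective:
            effective |= children
    return effective


def missing_for(scopes: Iterable[str], action: str) -> Set[str]:
    """Scopes the role still lacks for the action; an empty set means it is allowed."""
    return REQUIREMENTS[action] - expand(scopes)


def overprivileged(scopes: Iterable[str], action: str) -> Set[str]:
    """Unrestricted parents granted although the action needs only some of their children.

    Useful when reviewing a custom role for least privilege: prefer scans:run over scans
    if running scans is all the role has to do.
    """
    needed = REQUIREMENTS[action]
    return {s for s in set(scopes) if s in UNRESTRICTED and not UNRESTRICTED[s] <= needed}


if __name__ == "__main__":
    role = ["scans", "org:read"]  # constructed sample role
    print("missing for run scan:", missing_for(role, "run scan"))
    print("overprivileged for run scan:", overprivileged(role, "run scan"))
```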