Role Management Scopes

When creating a custom role to be assigned to a new or an existing user, you can predefine the access permissions of that role by selecting the relevant scopes. The following table describes the permissions each scope provides.

| Scope | Description |
|---|---|
| activities | Allows viewing notifications and managing the notification feed |
| api-keys | Allows creating personal API keys |
| auth-objects | Provides unrestricted access to authentication object management |
| auth-objects:read | Allows viewing authentication objects |
| auth-objects:test | Allows testing an authentication object during its configuration |
| auth-objects:write | Allows creating, editing, and deleting authentication objects |
| auth-providers | Allows configuring SSO providers (Okta, Google, ADFS) |
| billing | Allows viewing the billing summary |
| comments | Allows viewing and managing comments in scans and issues that a user has access to |
| comments:read | Allows viewing comments in scans and issues that a user has access to |
| comments:write | Allows managing (editing, deleting) comments in scans and issues that a user has access to |
| entry-points:read | Allows viewing entry points |
| files:read | Allows reading and downloading files from the storage |
| files:write | Allows associating files with projects, and cloning, uploading, or deleting them |
| groups:admin | Provides unrestricted access to all organization groups |
| groups:manage | Allows creating new groups, editing existing groups, adding members to groups, and assigning roles to groups |
| groups:read | Allows viewing information about groups that a user has been added to |
| groups:delete | Allows deleting groups |
| integrations:read | Allows viewing a list of available and enabled integrations |
| integrations:write | Allows enabling integrations with services like GitHub, GitLab, Slack, Jira, or Azure |
| integration.repos:read | Allows viewing resources of the integrated services, for example, GitHub repositories, Slack channels, or Jira boards |
| integration.repos:manage | Allows choosing the severity level of issues to be opened in integrated services |
| issues:manage | Allows executing scan issues and saving them as new |
| issues:read | Allows viewing detected scan issues |
| logs | Allows viewing the activities log |
| org | Provides unrestricted access to organization management, including permission to delete the organization |
| org:read | Allows viewing basic information about an organization. This scope is required for running a scan |
| org:write | Allows editing the company name and enforcing MFA |
| org.api-keys | Allows creating organization API keys (tokens) |
| org.memberships:manage | Allows adding a member to an organization, editing a member's details, and deleting a member from an organization |
| org.memberships:read | Allows viewing the members of an organization |
| payments | Allows managing the user's payments |
| payment-methods | Allows managing payment methods |
| plans | Allows viewing information about payment plans |
| products | Allows viewing information about available products |
| projects:admin | Provides unrestricted access to project management |
| projects:delete | Allows deleting projects |
| projects-issues:write | Allows users to manage project issues: change severity, status, and assignee |
| projects:manage | Allows managing projects, for example, creating a new project or editing an existing one |
| projects:read | Allows displaying available projects. This scope is required for running a scan |
| project.api-keys | Allows creating project-level API keys |
| repeaters:read | Allows viewing the organization's repeaters |
| repeaters:write | Allows creating, editing, and deleting a repeater, as well as testing the repeater's connection to a network |
| reports:read | Allows viewing scan reports |
| reports:write | Allows managing the configuration of PDF reports |
| roles:read | Allows viewing a list of roles |
| roles:write | Allows creating, editing, and deleting custom roles. The default roles (for example, "Admin", "Owner", etc.) are read-only |
| scans | Provides unrestricted access to scan management |
| scans:delete | Allows deleting scans |
| scans:manage | Allows editing scan settings |
| scans:read | Allows viewing existing scans |
| scans:run | Allows running and retesting scans |
| scans:stop | Allows stopping scans |
| scans-templates | Provides unrestricted access to scan template management |
| scans-templates:read | Allows viewing existing scan templates |
| scans-templates:write | Allows creating, editing, and deleting custom scan templates |
| scan-labels:manage | Allows editing labels in scans that are already running or have finished |
| scripts:read | Allows viewing the repeater's scripts |
| scripts:write | Allows creating, editing, and deleting scripts |
| subscriptions | Allows managing plan subscriptions for an organization |
| user | Allows reading and editing the user's own personal details, including consents, date settings, and notifications |
| user:read | Allows viewing the user's personal details |
| user:write | Allows users to edit their personal details, for example, change names, emails, and passwords |
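As an added example (not part of this documentation or the product's own tooling), the following Python lint checks a proposed custom role's scope set against the table above: it flags unknown names, calls out scopes that grant unrestricted access, enforces the stated prerequisite that running a scan needs org:read and projects:read, and drops narrower scopes that a requested broad scope already implies. The scope names are taken from the table; the assumption that a broad scope (for example, scans) covers its narrower variants is the example's own, not something the table states.

```python
# Added example (not the product's own tooling): lint a proposed custom role's
# scopes for least privilege, using the scope names from the table above.
KNOWN = set("""
activities api-keys auth-objects auth-objects:read auth-objects:test auth-objects:write
auth-providers billing comments comments:read comments:write entry-points:read files:read
files:write groups:admin groups:manage groups:read groups:delete integrations:read
integrations:write integration.repos:read integration.repos:manage issues:manage issues:read
logs org org:read org:write org.api-keys org.memberships:manage org.memberships:read payments
payment-methods plans products projects:admin projects:delete projects-issues:write
projects:manage projects:read project.api-keys repeaters:read repeaters:write reports:read
reports:write roles:read roles:write scans scans:delete scans:manage scans:read scans:run
scans:stop scans-templates scans-templates:read scans-templates:write scan-labels:manage
scripts:read scripts:write subscriptions user user:read user:write
""".split())
# Scopes the table describes as "Provides unrestricted access".
UNRESTRICTED = {"auth-objects", "groups:admin", "org", "projects:admin", "scans", "scans-templates"}
# ASSUMPTION: a broad scope covers these narrower variants; the table does not state this.
COVERED_BY = {
    "auth-objects": {"auth-objects:read", "auth-objects:test", "auth-objects:write"},
    "comments": {"comments:read", "comments:write"},
    "org": {"org:read", "org:write"},
    "projects:admin": {"projects:read", "projects:manage", "projects:delete"},
    "scans": {"scans:read", "scans:manage", "scans:run", "scans:stop", "scans:delete"},
    "scans-templates": {"scans-templates:read", "scans-templates:write"},
}
# Prerequisite the table states: running a scan needs org:read and projects:read.
REQUIRES = {"scans:run": {"org:read", "projects:read"}}

def lint_role(requested):
    """Return (findings, minimal scope set) for a proposed custom role."""
    scopes = set(requested)
    findings = [f"unknown scope: {s}" for s in sorted(scopes - KNOWN)]
    findings += [f"broad scope: {s} grants unrestricted access" for s in sorted(scopes & UNRESTRICTED)]
    # Effective permissions: requested scopes plus what a broad parent is assumed to cover.
    effective = set(scopes)
    for parent, children in COVERED_BY.items():
        if parent in scopes:
            effective |= children
    # A role that can run scans but lacks the stated prerequisites will fail at scan time.
    for scope, needs in REQUIRES.items():
        if scope in effective:
            findings += [f"{scope} requires {n}" for n in sorted(needs - effective)]
    # Narrower scopes already implied by a requested parent add nothing; drop them.
    redundant = {c for p, cs in COVERED_BY.items() if p in scopes for c in cs & scopes}
    findings += [f"redundant scope: {s} already covered" for s in sorted(redundant)]
    return findings, scopes - redundant
```

Calling `lint_role(["scans", "scans:read", "org:read"])` reports the broad `scans` scope, the redundant `scans:read`, and that `scans:run` still requires `projects:read`.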