Role Management Scopes

When creating a custom role to be assigned to a new or an existing user, you can predefine access permissions for this role by selecting the relative scopes. The following table describes the permissions each scope provides.

ScopeDescription
activitiesAllows viewing notifications and managing the notification feed
api-keysAllows creating personal API keys
auth-objectsProvides unrestricted access to authentication objects management
auth-objects:readAllows to view the basic configuration of authentication objects
auth-objects:testAllows testing an authentication object during its configuration
auth-objects:writeAllows managing authentication objects that have been created by a user
auth-providersAllows configuring SSO providers (okta, Google, ADFS)
billingAllows viewing billing summary
commentsAllows viewing and managing comments in scans and issues that a user has access to
comments:readAllows viewing comments in scans and issues that a user has access to
comments:writeAllows managing (editing, deleting) comments in scans and issues that a user has access to
entry-points:readAllows viewing all entry points discovered during a scan
files:readAllows reading files from the storage and verifying targets
files:writeAllows managing files in the storage, for example, uploading or deleting them
groups:adminProvides unrestricted access to all organization groups, including the possibility to assign a role to a group and view all group members
groups:manageAllow managing groups, for example creating a new group or editing an existing group
groups:readAllows viewing information about groups that a user has been added to
groups:adminAllows viewing information about groups
groups:deleteAllows deleting groups
integrations:readAllows viewing a list of available and enabled integrations
integrations:writeAllows enabling connection and associating other repositories to be used for a scan (ticketing systems)
integration.repos:readAllows viewing associated repositories, for example, GitHub repositories, Slack channels, or Jira boards
integration.repos:manageAllows filtering the severity level of issues to be opened in integrated services
issues:manageAllows managing detected issues, for example assigning a user to an issue, marking an issue as resolved, or retesting an issue
issues:readAllows viewing detected issues
logsAllows viewing the activities log
orgProvides unrestricted access to organization management (including permission to delete the organization)
org:readAllows viewing basic information about an organization. This scope is required for running a scan
org:writeAllows editing basic information about an organization and managing its basic settings, for example, enforcing MFA
org.api-keysAllows creating organization API keys (tokens)
org.memberships:manageAllows managing organization members, for example adding a member to an organization, deleting a member from an organization, or viewing a member’s profile
org.memberships:readAllows viewing members of an organization.
paymentsAllows managing user’s payments
payment-methodsAllows managing payment methods
plansAllows viewing information about offered plans
productsAllows viewing information about offered products
projects:adminAllows viewing information about projects
projects:deleteAllows deleting projects
projects:manageAllows managing projects, for example creating a new project or editing an existing one
projects:readAllows displaying available projects. This scope is required for running a scan
project.api-keysAllows creating project-level API keys
repeaters:readAllows viewing organization’s repeaters
repeaters:writeAllows creating, editing, and deleting a repeater, as well as testing repeater connection to a network
reports:readAllows viewing scan reports
reports:writeAllows managing configuration of PDF reports
roles:readAllows viewing a list of roles
roles:writeAllows creating and editing custom roles. The default roles (for example, “Admin”, “Owner”, etc.) are read-only.
scansProvides unrestricted access to scan management
scans:deleteAllows deleting scans
scans:manageAllows managing scans, for example editing scan settings or retesting a scan
scans:readAllows viewing existing scans
scans:runAllows running scans
scans:stopAllows stopping scans
scans-templatesProvides unrestricted access to scan templates management
scans-templates:readAllows viewing existing scan templates
scans-templates:writeAllows creating, editing, and deleting custom scan templates
scripts:readAllows viewing repeater’s scripts
scripts:writeAllows creating, editing, and deleting scripts
subscriptionsAllows managing plan subscriptions for an organization
userSelected by default for all roles
user:readAllows viewing user’s personal details
user:writeAllows users to edit their personal details, for example, change names, emails, and passwords