Role Management Scopes
When creating a custom role to assign to a new or existing user, you define the role's permissions by selecting the relevant scopes. A scope without a suffix (for example `scans` or `org`) provides unrestricted access to that area, while the suffixed variants (`:read`, `:write`, `:manage`, `:delete`, and so on) grant a narrower permission, so prefer the narrowest scopes that cover the work the role has to do. The following table describes the permissions each scope provides.
Scope | Description |
---|---|
activities | Allows viewing notifications and managing the notification feed. |
api-keys | Allows creating personal API keys. |
auth-objects | Provides unrestricted access to authentication object management. |
auth-objects:read | Allows viewing the basic configuration of authentication objects. |
auth-objects:test | Allows testing an authentication object during its configuration. |
auth-objects:write | Allows managing authentication objects that the user has created. |
auth-providers | Allows configuring SSO providers (Okta, Google, ADFS). |
billing | Allows viewing the billing summary. |
comments | Allows viewing and managing comments in scans and issues that the user has access to. |
comments:read | Allows viewing comments in scans and issues that the user has access to. |
comments:write | Allows managing (editing, deleting) comments in scans and issues that the user has access to. |
entry-points:read | Allows viewing all entry points discovered during a scan. |
files:read | Allows reading files from the storage and verifying targets. |
files:write | Allows managing files in the storage, for example uploading or deleting them. |
groups:admin | Provides unrestricted access to all organization groups, including assigning a role to a group and viewing all group members. |
groups:manage | Allows managing groups, for example creating a new group or editing an existing group. |
groups:read | Allows viewing information about groups that the user has been added to. |
groups:delete | Allows deleting groups. |
integrations:read | Allows viewing the list of available and enabled integrations. |
integrations:write | Allows enabling a connection and associating other repositories to be used for a scan (ticketing systems). |
integration.repos:read | Allows viewing associated repositories, for example GitHub repositories, Slack channels, or Jira boards. |
integration.repos:manage | Allows filtering the severity level of issues to be opened in integrated services. |
issues:manage | Allows managing detected issues, for example assigning a user to an issue, marking an issue as resolved, or retesting an issue. |
issues:read | Allows viewing detected issues. |
logs | Allows viewing the activity log. |
org | Provides unrestricted access to organization management (including the permission to delete the organization). |
org:read | Allows viewing basic information about an organization. This scope is required for running a scan. |
org:write | Allows editing basic information about an organization and managing its basic settings, for example enforcing MFA. |
org.api-keys | Allows creating organization API keys (tokens). |
org.memberships:manage | Allows managing organization members, for example adding a member to an organization, deleting a member from an organization, or viewing a member’s profile. |
org.memberships:read | Allows viewing the members of an organization. |
payments | Allows managing the user’s payments. |
payment-methods | Allows managing payment methods. |
plans | Allows viewing information about offered plans. |
products | Allows viewing information about offered products. |
projects:admin | Allows viewing information about projects. |
projects:delete | Allows deleting projects. |
projects:manage | Allows managing projects, for example creating a new project or editing an existing one. |
projects:read | Allows viewing available projects. This scope is required for running a scan. |
project.api-keys | Allows creating project-level API keys. |
repeaters:read | Allows viewing the organization’s repeaters. |
repeaters:write | Allows creating, editing, and deleting a repeater, as well as testing the repeater’s connection to a network. |
reports:read | Allows viewing scan reports. |
reports:write | Allows managing the configuration of PDF reports. |
roles:read | Allows viewing the list of roles. |
roles:write | Allows creating and editing custom roles. The default roles (for example “Admin” and “Owner”) are read-only. |
scans | Provides unrestricted access to scan management. |
scans:delete | Allows deleting scans. |
scans:manage | Allows managing scans, for example editing scan settings or retesting a scan. |
scans:read | Allows viewing existing scans. |
scans:run | Allows running scans. |
scans:stop | Allows stopping scans. |
scans-templates | Provides unrestricted access to scan template management. |
scans-templates:read | Allows viewing existing scan templates. |
scans-templates:write | Allows creating, editing, and deleting custom scan templates. |
scripts:read | Allows viewing repeater scripts. |
scripts:write | Allows creating, editing, and deleting scripts. |
subscriptions | Allows managing plan subscriptions for an organization. |
user | Selected by default for all roles. |
user:read | Allows viewing the user’s personal details. |
user:write | Allows users to edit their personal details, for example changing their name, email, or password. |
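The table above is easiest to apply as a least-privilege check: take the scopes a custom role holds, compare them with the scopes an operation needs, and flag anything unknown, missing, or excessive. The script below is an added example, not code from this documentation or from the product. It parses a constructed excerpt of the table rows in the `scope | description |` format used on this page, treats a scope whose description says "unrestricted access" (for example `scans`) as implying every `scans:<action>` scope, which is an assumption drawn from the wording of the table rather than a documented rule, and uses `org:read`, `projects:read` and `scans:run` as the scope set for running a scan, because the table marks the first two as required for a scan run and the third as the permission to run one.

```python
"""Audit a custom role's scopes against the scope table on this page.

Added example; not code from the documentation or the product it describes.
Assumptions are marked in comments below.
"""
from __future__ import annotations

# Constructed excerpt of the table rows on this page ("scope | description |").
SCOPE_TABLE = """\
org | Provides unrestricted access to organization management (including the permission to delete the organization). |
org:read | Allows viewing basic information about an organization. This scope is required for running a scan. |
org:write | Allows editing basic information about an organization and managing its basic settings, for example enforcing MFA. |
projects:read | Allows viewing available projects. This scope is required for running a scan. |
scans | Provides unrestricted access to scan management. |
scans:delete | Allows deleting scans. |
scans:manage | Allows managing scans, for example editing scan settings or retesting a scan. |
scans:read | Allows viewing existing scans. |
scans:run | Allows running scans. |
scans:stop | Allows stopping scans. |
"""

# Scopes needed to run a scan: the table marks org:read and projects:read as
# "required for running a scan", and scans:run is the permission to run one.
RUN_SCAN = {"org:read", "projects:read", "scans:run"}


def parse_scope_table(text: str) -> dict[str, str]:
    """Return {scope: description} from 'scope | description |' rows."""
    scopes: dict[str, str] = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        scope, description = (cell.strip() for cell in line.split("|")[:2])
        # Skip the header row and the markdown separator row.
        if scope and scope != "Scope" and not scope.startswith("-"):
            scopes[scope] = description
    return scopes


def expand(scopes: set[str], known: dict[str, str]) -> set[str]:
    """Effective scopes held by a role.

    ASSUMPTION: an unsuffixed scope whose description says "unrestricted access"
    (e.g. `scans`) implies every `scans:<action>` scope in the table.
    """
    effective = set(scopes)
    for scope in scopes:
        if ":" not in scope and "unrestricted access" in known.get(scope, ""):
            effective |= {s for s in known if s.startswith(scope + ":")}
    return effective


def audit_role(role_scopes, required, known):
    """Return (unknown, missing, excess) for a role relative to one operation.

    unknown: scopes not in the table (typos never grant anything, so flag them)
    missing: required scopes the role does not hold, directly or via expansion
    excess:  effective scopes the operation does not need (least-privilege hits)
    """
    unknown = sorted(s for s in role_scopes if s not in known)
    effective = expand(set(role_scopes) - set(unknown), known)
    missing = sorted(set(required) - effective)
    excess = sorted(effective - set(required))
    return unknown, missing, excess


if __name__ == "__main__":
    table = parse_scope_table(SCOPE_TABLE)
    # A role given the unrestricted `scans` scope, plus a mistyped scope.
    print(audit_role({"org:read", "projects:read", "scans", "scan:stop"}, RUN_SCAN, table))
    # The least-privilege role for the same job reports nothing to fix.
    print(audit_role({"org:read", "projects:read", "scans:run"}, RUN_SCAN, table))
```

The `excess` list is the one to act on when reviewing custom roles: a role that holds `scans` only to run scans also carries `scans:delete` and `scans:stop`, and the narrower `scans:run` is what the table says the operation needs. Because the parent-implies-children rule is an assumption, treat a role that relies on it as something to verify against the product rather than as a confirmed grant.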