Manage user access to projects
Use the Access page to manage membership and access to Semgrep resources, such as scans, projects, and findings. Projects are repositories or codebases you have added to SCP for scanning.
User roles and access
Accounts enable you to manage access to Semgrep resources, such as scans, projects, and findings, with varying levels of collaboration and visibility. Basic access control is managed through the Users tab.
A user is any person who has been added to your organization in Semgrep.
Semgrep primarily divides users into three roles:
- admin
- member
- readonly
Optionally, you can appoint members to a fourth role: the manager role. Managers are a subset of members with some additional capabilities and scopes. In particular, they are able to assign specific projects to members through the creation of teams.
- Users are assigned a role based on your organization's default. New organizations are created with a default role of admin.
User permissions and visibility
Admins have full permissions, scopes, and visibility into all aspects of Semgrep.
Members can edit the following page:
- Findings. They can view all projects in the Findings page, and can sort and triage findings.
Members can view the following pages:
- Dashboard. They are able to see the total count of findings for all projects in the org.
- Editor. They can view an org's rules, but they can't write rules for the org. They can still write rules for their personal Semgrep orgs.
- Registry. They can view, but not add, rules and rule packs.
- Docs. Anyone can view the docs.
Members can't view or perform any actions in the following pages:
- Policies
- Projects
- Settings
Invite a team member through email
Add team members easily to your organization by sending them an email. This email contains instructions for them to join your org through the same auth provider configured for your account.
You must be an admin to perform this operation.
- Sign in to Semgrep Cloud Platform.
- Click Settings > Access. This brings you to the Users tab.
- Click Invite users.
- In the dialog, enter your team members' email addresses. You can invite up to 20 users at a time. Separate email addresses by pressing the Space or Tab key, or paste a comma-separated list of email addresses.
- Click Send invites.
Change a user's role
You must be an admin to perform this operation.
- Sign in to Semgrep Cloud Platform.
- Click Settings > Access.
- Search for the user whose role will be changed.
- Click on the user's current role, under the role header. A drop-down box appears.
- Select the new role for the user.
You cannot change your own role.
Set a default role
Organizations start with a default role of admin.
To change this, perform the following steps:
- In Semgrep AppSec Platform, click Settings.
- Click Access > Defaults.
Figure. Default user role.
Teams (beta)
The Teams (beta) feature enables admins to grant or limit access to specific projects in Semgrep AppSec Platform (SCP). This provides more granular control than the Users feature.
You can quickly assign projects to large groups of users by first assigning users to teams and subteams within your organization.
Figure. The Settings > Access > Teams tab displays both top-level teams and subteams.
This feature helps security engineers and developers in large organizations focus on the projects that are relevant to their specific department or team.
When you limit a user's access to a subset of your projects, their Dashboard and Findings pages both reflect that change. For example, their total finding count is based only on the findings of the projects they can access.
This document walks you through the following:
- How to approach team management and project access in Semgrep
- How to create, view, update, and delete teams and subteams
- How to assign or unassign projects to teams
Roles and access
The Teams feature extends the existing roles defined in the Users tab.
- Admin
  - A user who has access to all features, resources, and projects of their Semgrep deployment. Admins can also change the role of members and managers.
  - When creating teams, admins are automatically included in all teams and can't be removed from any team. The access of an admin cannot be restricted except by making them a member.
  - An org admin can change the role of any other user, including a fellow admin.
- Member
  - A user who has access to some features, resources, and projects of their Semgrep deployment.
  - To grant members access to a project and its findings, you must add the members to a team, and that team must be assigned to the project.
  - Members can scan their local or personal repositories through a personal account.
  - Members can also be assigned as Managers within a team.
- Readonly
  - A user who can only view projects and issues of their Semgrep deployment.
A fourth role, the manager, can be assigned within the context of a team. Managers are a subset of members:
- Manager
  - A member who can grant access to projects by creating subteams and assigning members to these subteams.
  - The manager role is restricted to the teams where the user has been assigned as a manager. Users can be managers of some projects but members for others. For more information, see the manager role.
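The role, team and scoping rules described in this section, together with the Dashboard and Findings scoping described above, modeled as a small Python access check. This is an added illustration, not Semgrep's own code; the class names, user names and finding counts are constructed assumptions.

```python
# Added illustration of the access rules described on this page; not Semgrep's
# own code. Class names, user names and finding counts are constructed.
from dataclasses import dataclass, field

@dataclass
class Team:
    name: str
    members: set = field(default_factory=set)
    managers: set = field(default_factory=set)  # managers are a subset of members
    projects: set = field(default_factory=set)  # projects assigned to this team

    def __post_init__(self):
        self.members |= self.managers  # enforce the subset rule from the page

@dataclass
class Org:
    roles: dict      # user -> "admin" | "member" | "readonly"
    teams: list
    findings: dict   # project -> number of findings (constructed sample)

    def accessible_projects(self, user):
        # Admins are in every team and see all projects; others see only
        # projects assigned to a team they belong to.
        if self.roles[user] == "admin":
            return set(self.findings)
        return {p for t in self.teams if user in t.members for p in t.projects}
    def dashboard_total(self, user):
        # Dashboard and Findings totals are scoped to accessible projects.
        return sum(self.findings[p] for p in self.accessible_projects(user))
    def can_triage(self, user, project):
        # Readonly users only view; members triage projects assigned to them.
        return self.roles[user] != "readonly" and project in self.accessible_projects(user)
    def can_manage_team(self, user, team):
        # A manager's powers are limited to the teams they manage.
        return self.roles[user] == "admin" or user in team.managers
    def change_role(self, actor, target, new_role):
        # Only admins change roles, and nobody can change their own role.
        if self.roles[actor] != "admin":
            raise PermissionError("only admins can change roles")
        if actor == target:
            raise PermissionError("you cannot change your own role")
        self.roles[target] = new_role

def sample_org():
    # Constructed sample deployment: two teams, four users, four projects.
    backend = Team("backend", members={"bob"}, managers={"meg"}, projects={"api", "auth"})
    web = Team("web", members={"bob", "ron"}, projects={"frontend"})
    return Org(roles={"alice": "admin", "bob": "member", "meg": "member", "ron": "readonly"},
               teams=[backend, web], findings={"api": 5, "auth": 3, "frontend": 7, "infra": 2})
```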
Figure. A member's view of the Projects page. It displays projects that are assigned to the team they are a member of, but they cannot edit a project nor can they scan new projects in their organizational account.
Page and feature access per role
Page | Readonly | Member | Manager | Admin | Notes |
---|---|---|---|---|---|
Dashboard | ⚠️ Restricted | ⚠️ Restricted | ⚠️ Restricted | ✅ Yes | For non-admins, scope is limited based on their teams and the project access granted to those teams. |
Projects | ⚠️ Restricted | ⚠️ Restricted | ⚠️ Restricted | ✅ Yes | Projects assigned to teams are visible to users assigned to those teams. Admins can see all projects. |
Findings | ⚠️ Restricted | ⚠️ Restricted | ⚠️ Restricted | ✅ Yes | Members can perform all triage operations on Projects assigned to them. |
Policies | ❌ No | ❌ No | ❌ No | ✅ Yes | Only admins can view and edit policies. |
Editor | ❌ No | 👁️ Read-only | 👁️ Read-only | ✅ Yes | Members can view all rules of an organization, but can't edit or create their own. They can create their own rules in their personal account. |
Settings | ❌ No | ❌ No | ⚠️ Restricted | ✅ Yes | Managers can see the Access and Account subpages. In the Access page, they can make edits to subteams they are managers of. |
Operations permitted per role
Capability | Readonly | Member | Manager | Admin | Notes |
---|---|---|---|---|---|
Create or edit projects | ❌ No | ⚠️ Restricted | ⚠️ Restricted | ✅ Yes | |
Change policies | ❌ No | ❌ No | ✅ Yes | ❌ No | |
Triage findings | ❌ No |