User Roles and Permissions

Administration Guide

The following tables summarize the permissions available to each role on the Veracode Platform.

To access the Veracode XML APIs, you must be assigned the necessary API roles. An administrator assigns roles to users. You can see which roles your login has by clicking Your Account in the top navigation menu; your roles are listed on the Your Account Settings page.

Administrator
Can manage users, teams, eLearning curricula, and SAML settings.
Creator
Can create, edit, and delete application profiles, as well as request and delete scans for applications that belong to the user's teams. Can also promote a sandbox scan to become a policy scan and delete sandbox scans.
Note: The Creator role can be assigned for all scan types, or only for specific scan types. An assignment restricted to specific scan types limits the types of scans you can create.
Delete Scans
Can delete scans. To be able to delete scans, you must also have one of the following additional roles: Administrator, Submitter, Reviewer, Security Lead, eLearning, Executive, or Creator.
eLearning
Can access eLearning courses, assessments, and/or the Knowledge Base.
Note: Assigning a role to an eLearning user consumes one of your purchased eLearning seats when the user launches a course. If the course is not launched, the Administrator can assign the role to another user. You can only assign as many roles as you have purchased seats.
Executive
Can access Veracode Analytics and reports for all applications. Users with the Executive role can only access the eLearning summary reports if they also have the eLearning role.
Greenlight IDE User
Can access the Veracode Greenlight plugin in your IDE, perform Greenlight scans, and review Greenlight scan results. This role is only available to organizations that have active Veracode Greenlight subscriptions.
Mitigation Approver
Can approve mitigations for flaws.
Policy Administrator
Can access the Policies page, enabling the ability to create and edit policies, set default policies and notification rules, and assign different policies to applications. When assigned in combination with the Creator or Security Lead role, a user can change policy assignments for individual applications using the Application Profile. Without these roles, a user can change policy assignments using the Policies > Applications tab.
Reviewer
Can access reports and flaw details for apps that belong to the user's teams, and propose mitigations, but cannot access the review modules page.
Sandbox Administrator
Can create developer sandboxes for scanning code in development for applications associated with the user account. Can also edit or delete sandboxes for applications to which they have access, and propose mitigation comments.
Note: Sandbox Administrator is only used in addition to another role (Creator, Submitter, Reviewer, or Security Lead).
Sandbox User
Can create and edit developer sandboxes that enable scanning code in development for applications that belong to the user's teams. Can scan code within a developer sandbox, delete their own scans, and review the results of a sandbox scan. If you hold the Sandbox User role in combination with the Creator, Submitter, or Security Lead role, and that role has All Scan Types or Static Scan selected, you can promote a sandbox scan to a policy scan, which then counts toward your policy compliance score.
Security Insights
Can access Veracode Analytics where the user can view scan metrics of applications in the user's team portfolio, and custom reports.
Security Lead
Can access Veracode Analytics, reports, and flaw details for all applications. Can submit applications and approve scan requests made by Creators and Submitters. Can promote a sandbox scan to a policy scan.
Note: The Security Lead role can be assigned for all scan types, or only for specific scan types. An assignment restricted to specific scan types limits the types of scans you can create.
Submitter
Can request scans for applications that belong to the user's teams, has access to the review modules page, and can upload binaries. Cannot create, edit, or delete applications, or delete scans. If you are a vendor receiving a third-party scan request to submit a scan, you need to accept the third-party scan request first. Can promote a sandbox scan to become a policy scan.
Note: The Submitter role can be assigned for all scan types, or only for specific scan types. An assignment restricted to specific scan types limits the types of scans you can submit.
Vendor Manager
Can view the list of all third-party vendors for the organization.
| Roles | Create Application Profile | Bulk Add Applications | Assign Application to Team | Request Manual, Static, or DynamicDS Scan | Request DynamicMP Scan | Request Discovery Scan | Approve DynamicDS Scan | Delete Scans |
|---|---|---|---|---|---|---|---|---|
| Admin | | | X | | X | X | | |
| Creator | X | | X | X | X | X | | X |
| Delete Scans | | | | | | | | X |
| Security Lead | X | X | X | X | X | X | X | X |
| Submitter | | | | X | X | X | | |

| Roles | View DynamicDS Detailed Results | Comment on Static Results | View or Delete File Exchange Files | Download DynamicMP Results | Download Discovery Results | Download XML Results | Download DynamicMP or Discovery Site Lists | Link DynamicMP Results |
|---|---|---|---|---|---|---|---|---|
| Admin | | | X | X | X | | X | X |
| Creator | | | | | | | X | |
| Executive | | | | X | X | X | | |
| Reviewer | X | X | | X | X | X | | |
| Security Lead | X | X | X | X | X | X | X | X |

Table: Access to Other Capabilities

| Roles | View Analytics | View Reports | Access eLearning | Propose Mitigations | Approve Mitigations | Create Policies | View Vendors Page | Publish Results |
|---|---|---|---|---|---|---|---|---|
| Executive | X | X | X | | | | | |
| Mitigation Approver | | | | | X | | | |
| Policy Admin | | | | | | X | | |
| Reviewer | | X | | X | | | | |
| Security Lead | X | X | | X | | | | X |
| Submitter | | | | | | | | |
| Vendor Manager | | | | | | | X | |
| Security Insights | X | | | | | | | |
Note: Users with the Executive role must also have the eLearning role to access eLearning summary reports. Users who are members of the team associated with an application can accept third-party terms or scan requests. Users with both the Reviewer and Security Insights roles can view analytics only for the teams to which they have access.

Dynamic Analysis Roles

The following tables summarize the Dynamic Analysis permissions available to certain roles on the Veracode Platform.

Note: These roles are only for Dynamic Analysis, not DynamicMP or DynamicDS.
| Role | Request/Create/Submit Analysis | Upload or Enter URLs | Import URLs From Applications | Maintain Linking to Dynamic Application | Assign Teams |
|---|---|---|---|---|---|
| Creator | X | X | X | | X |
| Submitter | X | X | X | | X |
| Reviewer | | | | | |
| Security Lead | X | X | X | X | X |

| Role | Edit Analysis and Schedule | Edit Scan Configuration | Add or Delete Scan from Existing Analysis | View Results | View Status | View Analysis Configuration | Delete Analysis | View Vulnerability Summary |
|---|---|---|---|---|---|---|---|---|
| Creator | X | X | X | | X | X | X | X |
| Submitter | X | X | X | | X | X | | X |
| Reviewer | | | | X | X | | | X |
| Security Lead | X | X | X | X | X | X | X | X |

Sandbox Capabilities

The following table summarizes the Sandbox permissions available to each role on the Veracode Platform.

Developers can create sandboxes within existing application profiles and use them to submit application code for analysis while it is still in development. Sandbox scans do not affect the developer's ability to run a formal policy scan of the application, and sandbox scan results do not degrade the policy status or flaw metrics of the production version of the application.

| Roles | Create, Edit Sandbox | Delete Sandbox | Create Policy Scan | Submit Policy Scan | Create Sandbox Scan | Submit Sandbox Scan | Review Scan Results | Review Scan Reports |
|---|---|---|---|---|---|---|---|---|
| Creator | X | X | X | X | X | X | | |
| Submitter | | | X | X | X | X | | |
| Reviewer | | | | | | | X | X |
| Sandbox Administrator | X | X | | | | | | |
| Sandbox User | X | | | | X | X | X | X |
| Security Lead | X | X | X | X | X | X | X | X |

SourceClear Software Composition Analysis

The SourceClear features and functionality available to you depend on your Veracode Platform role assignments. The following table outlines the roles you must hold in the Veracode Platform to complete specific actions in SourceClear.

| Action | Administrator | Security Lead | Executive | Submitter | Reviewer |
|---|---|---|---|---|---|
| View the Workspace Portfolio Page | X | X | X | X | X |
| Create and Delete Workspaces | | X | | | |
| Edit Workspaces | | X | | | |
| Add Teams to Workspaces | | X | | | |
| View All Workspaces | | X | X | | |
| View Specific Workspaces | | X | X | | X |
| Manage Projects | | X | | | |
| Manage SourceClear Rules | | X | | | |
| Manage Library Catalogue | | X | | | |
| Manage Integrations | | X | | | |
| Manage Agents | | X | | X | |

Specific Scan Permissions and Approvals

To submit scan requests, you must hold one of the roles marked in the Request Scan columns of the table above, and your organization must own the application. In addition, you must have the scan permissions for each type of scan you request. To control the number of DynamicDS scans of applications, your organization can require that a Security Lead approve every dynamic scan that Creators or Submitters request. If you want to use this feature, contact your Veracode account manager or support@veracode.com.

Use APIs with Human Account

The Upload Using the Veracode Plugins permission is available to the Submitter role on the Veracode Platform.

The Create Application Using the Veracode Plugins permission is available to the Creator role on the Veracode Platform.