This section provides details about the permissions available to each role on the Veracode Platform.
To grant access to the Veracode XML APIs, administrators assign the necessary API roles to users with API service accounts. To see the roles assigned to your account, click Your Account in the top navigation menu.
- Administrator
- Can manage users, teams, Veracode eLearning administration tasks, and SAML settings.
- Creator
- Can create, edit, and delete application profiles, and request and delete scans for applications that belong to the user's teams. Can only create application profiles for teams of which the user is a member. Can also promote a sandbox scan to a policy scan and delete sandbox scans. The Creator role can be assigned for all scan types or only for specific scan types; if your user account is restricted to specific scan types, you can only request scans of those types.
- Delete Scans
- Can delete scans. To be able to delete scans, you must also have one of these roles: Administrator, Submitter, Reviewer, Security Lead, eLearning, Executive, or Creator.
- eLearning
- Can access Veracode eLearning courses, assessments, and/or the Knowledge Base.
Note: Assigning the eLearning role to a user (learner) consumes one of your purchased Veracode eLearning seats when that learner launches a course. If a learner does not launch a course, you can reassign the role to another user. You cannot assign the role to more users than you have purchased seats.
- Executive
- Can access Veracode Analytics and reports for all applications. Users with the Executive role must also have the eLearning role to access the Veracode eLearning summary reports.
- Greenlight IDE User
- Can access the Veracode Greenlight plugin in your IDE, perform Greenlight scans, and review Greenlight scan results. This role is only available to organizations that have active Veracode Greenlight subscriptions.
- Mitigation Approver
- Can approve mitigations for flaws.
- Policy Administrator
- Can access the Policies page to create and edit policies, set default policies and notification rules, and assign policies to applications. When assigned in combination with the Creator or Security Lead role, you can also change the policy assignment of an individual application from its application profile.
- Reviewer
- Can access reports and flaw details for applications that belong to the user's teams, and propose mitigations, but cannot access the review modules page.
- Sandbox Administrator
- Can create developer sandboxes for scanning code in development for applications associated with the user account. Can also edit or delete sandboxes for applications to which they have access, and propose mitigation comments. Note: The Sandbox Administrator role is only used in addition to another role (Creator, Submitter, Reviewer, or Security Lead).
- Sandbox User
- Can create and edit developer sandboxes that enable scanning code in development for applications that belong to the user's teams. Can scan code within a developer sandbox, delete their own scans, and review the results of a sandbox scan. If the Sandbox User role is combined with the Creator, Submitter, or Security Lead role, and All Scan Types or Static Scan is selected, the user can promote a sandbox scan to a policy scan, which then counts toward the application's policy compliance.
- Security Insights
- Can access Veracode Analytics where the user can view scan metrics of applications in the user's team portfolio, and custom reports.
- Security Labs User
- Can access the Veracode Security Labs interactive training labs. Note: Assigning this role to a Veracode Security Labs user consumes one of your purchased Security Labs seats. You can see the number of remaining seats by clicking the Security Labs User help icon when assigning roles on the Admin page.
- Security Lead
- Can access Veracode Analytics, reports, and flaw details for all applications. Can submit applications and approve scan requests made by Creators and Submitters. Can promote a sandbox scan to a policy scan. Note: The Security Lead role can be assigned for all scan types or only for specific scan types. A scan-type-restricted assignment limits the types of scans you can create.
- Submitter
- Can request scans for applications that belong to the user's teams, has access to the review modules page, and can upload binaries. Cannot create, edit, or delete applications, or delete scans. If you are a vendor receiving a third-party scan request, you must accept the request before you can submit the scan. Can promote a sandbox scan to a policy scan. Can create, rename, and delete agents and regenerate agent tokens in Veracode Integrated Software Composition Analysis. Note: The Submitter role can be assigned for all scan types or only for specific scan types. A scan-type-restricted assignment limits the types of scans you can submit.
- Team Admin
- Can manage users who belong to the same team as the team administrator, including creating new users, resetting passwords, and updating roles. Can add or remove teams for a user who is on one of the teams the team administrator manages. A team administrator cannot edit the roles of users who hold the Security Lead, Executive, or Administrator role, and cannot create teams; only a user with the Administrator role can create teams or business units. When an administrator creates a user with the Team Admin role, the administrator assigns that user's team membership.
- Vendor Manager
- Can view the list of all third-party vendors for the organization.
- Workspace Administrator
- Can edit and delete workspaces in Veracode Integrated Software Composition Analysis. Can create, edit, and delete agents in a workspace. Can add teams to a workspace and remove them. Can manage rules in a workspace and view workspace reports. Can create and comment on issues. Can manage project settings.
- Workspace Editor
- Can create, edit, and delete agents in a workspace in Veracode Integrated Software Composition Analysis. Can manage rules in a workspace and view workspace reports. Can create and comment on issues. Can manage project settings.
|Roles||Create Application Profile||Bulk Add Applications||Assign Application to Team||Request Manual, Static, Pipeline, or DynamicDS Scan||Request DynamicMP Scan||Request Discovery Scan||Request Approve DynamicDS Scan||Delete Scans|
|Roles||View DynamicDS Detailed Results||Comment on Static Results||View or Delete File Exchange Files||Download DynamicMP Results||Download Discovery Results||Download XML Results||Download DynamicMP or Discovery Site Lists||Link DynamicMP Results|
|Roles||View Analytics||View Reports||Access eLearning||Access Security Labs||Propose Mitigations||Approve Mitigations||Create Policies||View Vendors Page||Publish Results|
|Security Labs User||X|
Dynamic Analysis Roles
The following tables summarize the Dynamic Analysis permissions available to certain roles on the Veracode Platform.
|Role||Request/Create/ Submit Analysis||Upload or Enter URLs||Import URLs From Applications||Turn on Application Auto-Linking||Manually Link Results to Application||Assign Teams|
|Role||Edit Analysis and Schedule||Edit Scan Configuration||Add or Delete Scan from Existing Analysis||View Results||View Status||View Analysis Configuration||Delete Analysis||View Vulnerability Summary|
The following table summarizes the Sandbox permissions available to each role on the Veracode Platform.
|Roles||Create, Edit Sandbox||Delete Sandbox||Create Policy Scan||Submit Policy Scan||Create Sandbox Scan||Submit Sandbox Scan||Review Scan Results||Review Scan Reports|
Veracode Integrated Software Composition Analysis
|Action||Mitigation Approver||Security Lead||Executive||Creator||Reviewer||Submitter||Workspace Administrator||Workspace Editor|
|View the SCA Portfolio Page||X||X||X||X||X||X||X|
|Create and Delete Applications||X||X|
|Add Teams to Applications||X||X|
|View All Applications||X||X|
|View Specific Applications||X||X||X||X|
|Request SCA (Static) Scans||X||X|
|View the Workspace Portfolio Page||X||X||X||X||X||X|
|Add Teams to Workspaces||X||X||X|
|View All Workspaces||X||X|
|View Specific Workspaces||X||X||X||X||X|
|Link Projects to Applications||X||X||X|
|Manage SourceClear Rules||X||X||X|
|Ignore and Unignore Issues||X|
Veracode Agent-Based Scan
The Veracode Agent-Based Scan features and functionality available to you depend on the roles assigned to your Veracode Platform account. The following table lists the roles you must have in the Veracode Platform to complete specific actions in Veracode Agent-Based Scan.
|View the Workspace Portfolio Page||X||X||X||X||X|
|Create and Delete Workspaces||X|
|Add Teams to Workspaces||X|
|View All Workspaces||X||X|
|View Specific Workspaces||X||X||X|
|Manage Veracode Agent-Based Scan Rules||X|
Specific Scan Permissions and Approvals
To submit scan requests, you must have one of the roles listed in the Request Scan column of the table, and your organization must own the application. In addition, you must have the scan permissions for each type of scan you request. To control the number of DynamicDS scans of applications, your organization can require that a Security Lead approve every dynamic scan requested by a Creator or Submitter. To enable this approval requirement, contact your Veracode account manager or firstname.lastname@example.org.
Use APIs with a User Account
The Upload Using the Veracode Plugins permission is available to users with the Submitter role on the Veracode Platform.
The Create Application Using the Veracode Plugins permission is available to users with the Creator role on the Veracode Platform.