Skip to main content

About user roles and permissions

This section provides details about the permissions available to each role on the Veracode Platform. To see which roles are often relevant to different users in your organization, see Common roles for user accounts.

To grant access to the Veracode APIs, administrators assign the necessary API roles to users with an API service account. To see the roles assigned to your account, you can click Your Account from the top navigation menu in the Veracode Platform.

note

Do not share your account credentials for the Veracode Platform with other users.

Administrator

Can manage users, teams, and SAML settings. Administrator access can be granted either by Veracode Technical Support or, if your organization uses SSO with IdP data preferred, through a SAML assertion. A user with the Administrator and eLearning roles is considered an eLearning administrator and can manage Veracode eLearning administration tasks.

Analytics Creator

Can access Veracode Analytics, where the user can view scan metrics of applications in the user's team portfolio, and create or edit custom reports.

Creator

Can create, edit, and delete application profiles, as well as request and delete scans for applications that belong to the user's teams. Can only create application profiles for teams in which the user with the Creator role is a member. Can assign applications to teams. Can allow next-day consultations for an application. Can schedule consultation calls for scan configurations. Can view the list of applications to which you have access. Can also promote a sandbox scan to a policy scan and delete sandbox scans. You can assign the Creator role for specific scan types or for all scan types. In addition, if your user account is restricted to specific scan types, you can only request scans of that type.

Delete Scans

Can delete scans. To be able to delete scans, you must also have the Security Lead or Creator role. Can view the list of applications to which you have access.

eLearning

Can access Veracode eLearning courses, assessments, and/or the Knowledge Base.

note

Assigning a role to an eLearning user (learner) consumes one of your purchased Veracode eLearning seats when the learner launches a course. If a learner does not launch a course, you can assign the role to another user. You can only assign as many roles as you have purchased seats.

Executive

Can view Veracode Analytics and reports for all applications. Users with the Executive role must also have the eLearning role to access the Veracode eLearning summary reports. Can view the list of applications to which you have access. Can schedule consultation calls for policy scan results.

Free Trial Admin

Can edit users and teams in their organization. Can create up to nine additional users and four additional teams in the free trial organization. Can submit a support request. Can access DAST Essentials in the Veracode Platform. There can only be one free trial administrator in each free trial organization.

Free Trial User

Can edit their user account. Cannot add, edit, or delete users or teams in their organization. Can submit a support request. Can access DAST Essentials in the Veracode Platform.

Greenlight IDE User

Can access the Veracode Greenlight plugin in your IDE, perform Greenlight scans, and review Greenlight scan results. This role is only available to organizations that have active Veracode Greenlight subscriptions.

Mitigation Approver

Can approve mitigations for flaws. Can view the list of applications to which you have access.

Policy Administrator

Can access the Policies page, enabling the ability to create and edit policies, set default policies and notification rules, and assign different policies to applications. When assigned in combination with the Creator or Security Lead role, you can change policy assignments for individual applications using the application profile.

Reviewer

Can access reports and flaw details for applications that belong to the user teams, and propose mitigations, but cannot access the review modules page. Can review scan results and scan reports for sandboxes. Can view the list of applications to which you have access. Can schedule consultation calls for policy scan results.

Sandbox Administrator

Can create development sandboxes for scanning code in development for applications associated with the user account. For applications which the Sandbox Administrator can access, can edit or delete development sandboxes and propose mitigation comments.

note

You use the Sandbox Administrator role in addition to another role (Creator, Submitter, Reviewer, or Security Lead).

Sandbox User

Can create and edit development sandboxes that enable scanning code in development for applications that belong to the user teams. Can scan code within a development sandbox, delete their scan, review results of a sandbox scan, add comments, and propose mitigations. Can schedule consultation calls for sandbox scan results. You can promote the sandbox scan to a policy scan, which counts toward your policy compliance score, if you:

  • Have the Sandbox User role with the Creator or Submitter role
  • Have All Scan Types or Static Scan selected

Security Insights

Can access Veracode Analytics, where the user can view scan metrics of applications in the user's team portfolio and custom reports. To create or edit dashboards, you must have the Analytics Creator role.

Security Labs User

Can access the Veracode Security Labs interactive training labs.

note

Assigning this role to a Veracode Security Labs user consumes one of your purchased Security Labs seats. You can see the number of remaining seats by clicking the Security Labs User help icon when assigning roles on the Admin page.

Security Lead

Can create, edit, and delete application profiles. Can view Veracode Analytics, reports, and flaw details for all applications. Can submit applications and approve scan requests made by Creators and Submitters. Can assign applications to teams. Can review all applications and scans, including receiving all notifications for these applications and scans, without any restrictions or team assignment limitations. Can allow next-day consultations for an application. Can schedule consultation calls. Can promote a sandbox scan to a policy scan.

note

You can assign the Security Lead role for all scan types or only for specific scan types. A scan type restricted assignment limits the type of scans you can create.

Submitter

Can request scans for applications that belong to the user's teams, has access to the review modules page, and can upload binaries. Can view the list of applications to which you have access. Cannot create, edit, or delete applications, or delete scans. If you are a vendor receiving a third-party scan request to submit a scan, you need to accept the third-party scan request first. Can promote a sandbox scan to become a policy scan. Can create, rename, and delete agents and regenerate agent tokens in Veracode Software Composition Analysis (SCA). Can schedule consultation calls for scan configurations.

note

You can assign the Submitter role for all scan types, or only for specific scan types. A scan type restricted assignment limits the type of scans you can submit.

Team Admin

Can manage users, including creating new users, resetting passwords, and updating roles. Can only view or manage users who are in the teams that the team admin manages and do not belong to any team that the team admin does not manage. Can add or remove team memberships from a user who is in one of the teams managed by the team admin. Cannot add users to teams that the team admin does not manage. Team admins cannot edit the roles for users who have the Administrator, Executive, Policy Administrator, Security Lead, Team Admin, or Workspace Administrator roles. Cannot create teams or business units, both of which require the Administrator role. When the administrator creates a user with the Team Admin role, the administrator assigns team membership to that user.

Vendor Manager

Can view the list of all third-party vendors for the organization. This role may not be available for your account.

Workspace Administrator

Can edit and delete workspaces in Veracode Software Composition Analysis. Can create, edit, and delete agents in a workspace. Can add teams to a workspace and remove them. Can manage rules in a workspace and view workspace reports. Can create and comment on issues. Can manage project settings.

Workspace Editor

Can create, edit, and delete agents in a workspace in Veracode Software Composition Analysis. Can manage rules in a workspace and view workspace reports. Can create and comment on issues. Can manage project settings.

Actions by role

The following tables show the actions that each role allows you to perform.

ActionAdministratorCreatorDelete ScansSecurity LeadSubmitter
Create Application Profile X X 
Bulk Add Applications   X 
Assign Application to Team X   
Request Manual, Static, or Pipeline Scan X XX
Request Discovery ScanXX XX
Delete Scans XXX 

ActionAdministratorCreatorExecutiveReviewerSecurity Lead
Comment on Static Results    X
View or Delete File Exchange FilesX   X
Download Discovery ResultsX XXX
Download XML Results  XXX
Download Discovery Site ListsXX  X

ActionExecutiveMitigation ApproverPolicy AdministratorReviewerSecurity LeadVendor ManagerSecurity InsightsSecurity Labs UserAnalytics Creator
View AnalyticsX   X X X
Edit AnalyticsX
View ReportsX  XX   
Access eLearningX       
Access Security Labs       X
Propose Mitigations   XX   
Approve Mitigations X      
Create Policies  X     
View Vendors Page     X  
Publish Results    X   
note

Users with the Executive role must also have the eLearning role to be able to access eLearning summary reports. Users who are members of the team associated with the application can accept third-party terms or scan requests. Users with both the Reviewer and Security Insights role can view analytics only for the teams for which they have access.

Dynamic Analysis roles

The following tables summarize the Dynamic Analysis permissions available to certain roles on the Veracode Platform.

ActionAdministratorCreatorSubmitterReviewerSecurity Lead
Request/Create/ Submit AnalysisXXX X
Upload or Enter URLsXXX X
Import URLs From ApplicationsXXX X
Turn on Application Auto-LinkingX   X
Manually Link Results to ApplicationXXX X
Assign TeamsXXX X

ActionCreatorSubmitterReviewerSecurity Lead
Edit Analysis and ScheduleXX X
Edit Scan ConfigurationXX X
Add or Delete Scan from Existing AnalysisXX X
View Results  XX
View StatusXXXX
View Analysis ConfigurationXX X
Delete AnalysisXX X
View Vulnerability SummaryXXXX

Sandbox capabilities

The following table summarizes the Sandbox permissions available to each role on the Veracode Platform.

Developers can create sandboxes within existing application profiles, and use them to submit the application code for analysis while still in development. Sandbox scans do not affect the developer's ability to run a formal policy scan of the application, and the results of the sandbox scans do not degrade the policy status or flaw metrics of the production version of the application.

ActionCreatorSubmitterReviewerSandbox AdministratorSandbox UserSecurity Lead
Create Sandbox ProfileX  XXX
Delete SandboxX  X X
Create Policy ScanXX   X
Submit Policy ScanXX   X
Create Sandbox ScanXX  XX
Submit Sandbox ScanXX  XX
Review Scan Results  X XX
Review Scan Reports  X XX

Veracode Software Composition Analysis roles

ActionMitigation ApproverSecurity LeadExecutiveCreatorReviewerSubmitterWorkspace AdministratorWorkspace Editor
View the SCA Portfolio Page XXXXXXX
Create and Delete Applications X X    
Edit Applications X X    
Add Teams to Applications X X    
View All Applications XX     
View Specific Applications XXXX   
Request SCA (Static) Scans X X    
Propose Mitigations X  X   
Approve MitigationsX       
View the Workspace Portfolio Page XXXX XX
Create Workspaces X X    
Delete Workspaces X X  X 
Edit Workspaces X X  X 
Add Teams to Workspaces X X  X 
View All Workspaces XX     
View Specific Workspaces XX X XX
Manage Projects X    XX
Link Projects to Applications X    XX
Manage Agent-Based Scan Rules X    XX
Manage Integrations X      
Manage Agents X   XXX
Ignore and Unignore IssuesX       

Use APIs with a user account

The Upload Using the Veracode Plugins permission is available to the Submitter role on the Veracode Platform.

The Create Application Using the Veracode Plugins permission is available to the Creator role on the Veracode Platform.