About user roles and permissions
This section provides details about the permissions available to each role on the Veracode Platform. To see which roles are often relevant to different users in your organization, see Common roles for user accounts.
To grant access to the Veracode APIs, administrators assign the necessary API roles to users with an API service account. To see the roles assigned to your account, select Your Account from the top navigation menu in the Veracode Platform.
Do not share your account credentials for the Veracode Platform with other users.
Administrator
Can manage users, teams, and SAML settings. Administrator access can be granted either by Veracode Technical Support or, if your organization uses SSO with IdP data preferred, through a SAML assertion. A user with the Administrator and eLearning roles is considered an eLearning administrator and can manage Veracode eLearning administration tasks.
Analytics Creator
Can access Veracode Analytics, where the user can view scan metrics of applications in the user's team portfolio, and create or edit custom reports.
Creator
Can create, edit, and delete workspaces and application profiles, as well as request and delete scans for applications belonging to the user's teams. Can only create workspaces and application profiles for teams the user belongs to. Can assign workspaces and applications to teams. Can allow next-day consultations for an application. Can schedule consultation calls for scan configurations. Can view the list of workspaces and applications they can access. Can also promote a sandbox scan to a policy scan and delete sandbox scans.
The Creator role can be assigned for specific scan types or for all scan types. In addition, if a user account is restricted to specific scan types, they can only request scans of those types.
Delete Scans
Can delete scans.
eLearning
Can access Veracode eLearning courses, assessments, and/or the Knowledge Base.
Assigning a role to an eLearning user (learner) consumes one of your purchased Veracode eLearning seats when the learner launches a course. If a learner does not launch a course, you can assign the role to another user. You can only assign as many roles as you have purchased seats.
Executive
Can view Veracode Analytics and reports for all applications. Users with the Executive role must also have the eLearning role to access the Veracode eLearning summary reports. Can view all the applications. Can schedule consultation calls for policy scan results.
Free Trial Admin
Can edit users and teams in their organization. Can create up to nine additional users and four additional teams in the free trial organization. Can submit a support request. Can access DAST Essentials in the Veracode Platform. There can only be one free trial administrator in each free trial organization.
Free Trial User
Can edit their user account. Cannot add, edit, or delete users or teams in their organization. Can submit a support request. Can access DAST Essentials in the Veracode Platform.
Greenlight IDE User
Can access the Veracode Greenlight plugin in your IDE, perform Greenlight scans, and review Greenlight scan results. This role is only available to organizations that have active Veracode Greenlight subscriptions.
Mitigation Approver
Can approve mitigations for flaws. Can view the list of applications to which you have access.
Policy Administrator
Can access the Policies page, enabling the ability to create and edit policies, set default policies and notification rules, and assign different policies to applications. When assigned in combination with the Creator or Security Lead role, you can change policy assignments for individual applications using the application profile.
Reviewer
Can access reports and flaw details for applications that belong to the user teams, and propose mitigations, but cannot access the review modules page. Can review scan results and scan reports for sandboxes. Can view the list of applications to which you have access. Can schedule consultation calls for policy scan results.
Sandbox Administrator
Can create development sandboxes for scanning code in development for applications associated with the user account. For applications which the Sandbox Administrator can access, can edit or delete development sandboxes and propose mitigation comments.
You use the Sandbox Administrator role in addition to another role (Creator, Submitter, Reviewer, or Security Lead).
Sandbox User
Can create and edit development sandboxes that enable scanning code in development for applications that belong to the user teams. Can scan code within a development sandbox, delete their scan, review results of a sandbox scan, add comments, and propose mitigations. Can schedule consultation calls for sandbox scan results. You can promote the sandbox scan to a policy scan, which counts toward your policy compliance score, if you:
- Have the Sandbox User role with the Creator or Submitter role
- Have All Scan Types or Static Scan selected
Security Insights
Can access Veracode Analytics, where the user can view scan metrics of applications in the user's team portfolio and custom reports. To create or edit dashboards, you must have the Analytics Creator role.
Security Labs User
Can access the Veracode Security Labs interactive training labs.
Assigning this role to a Veracode Security Labs user consumes one of your purchased Security Labs seats. To see the number of remaining seats, select the Security Labs User help icon 
when assigning roles on the Admin page.
Security Lead
Can create, edit, and delete application profiles. Can view Veracode Analytics, reports, and flaw details for all applications. Can submit applications and approve scan requests made by Creators and Submitters. Can assign applications to teams. Can review all applications and scans, including receiving all notifications for these applications and scans, without any restrictions or team assignment limitations. Can allow next-day consultations for an application. Can schedule consultation calls. Can promote a sandbox scan to a policy scan.
You can assign the Security Lead role for all scan types or only for specific scan types. A scan type restricted assignment limits the type of scans you can create.
Submitter
Can request scans for applications that belong to the user's teams, has access to the review modules page, and can upload binaries. Can view the list of applications to which you have access. Cannot create, edit, or delete applications, or delete scans. If you are a vendor receiving a third-party scan request to submit a scan, you need to accept the third-party scan request first. Can promote a sandbox scan to become a policy scan. Can create, rename, and delete agents and regenerate agent tokens in Veracode Software Composition Analysis (SCA). Can schedule consultation calls for scan configurations.
You can assign the Submitter role for all scan types, or only for specific scan types. A scan type restricted assignment limits the type of scans you can submit.
Team Admin
Can manage users, including creating new users, resetting passwords, and updating roles. Can only view or manage users who are in the teams that the team admin manages and do not belong to any team that the team admin does not manage. Can add or remove team memberships from a user who is in one of the teams managed by the team admin. Cannot add users to teams that the team admin does not manage. Team admins cannot edit the roles for users who have the Administrator, Executive, Policy Administrator, Security Lead, Team Admin, or Workspace Administrator roles. Cannot create teams or business units, both of which require the Administrator role. When the administrator creates a user with the Team Admin role, the administrator assigns team membership to that user.
Vendor Manager
Can view the list of all third-party vendors for the organization. This role may not be available for your account.
Workspace Administrator
Can edit and delete workspaces in Veracode Software Composition Analysis. Can create, edit, and delete agents in a workspace. Can add teams to a workspace and remove them. Can manage rules in a workspace and view workspace reports. Can create and comment on issues. Can manage project settings.
Workspace Editor
Can create, edit, and delete agents in a workspace in Veracode Software Composition Analysis. Can manage rules in a workspace and view workspace reports. Can create and comment on issues. Can manage project settings.
Actions by role
The following tables show which actions each role can perform.
| Action | Administrator | Creator | Delete Scans | Security Lead | Submitter |
|---|---|---|---|---|---|
| Create Application Profile | X | X | |||
| Bulk Add Applications | X | ||||
| Assign Application to Team | X | X | X | ||
| Request Manual, Static, or Pipeline Scan | X | X | X | ||
| Request Discovery Scan | X | X | X | X | |
| Delete Scans | X | X | X |
| Action | Administrator | Creator | Executive | Reviewer | Security Lead |
|---|---|---|---|---|---|
| Comment on Static Results | X | ||||
| View or Delete File Exchange Files | X | X | |||
| Download Discovery Results | X | X | X | X | |
| Download XML Results | X | X | X | ||
| Download Discovery Site Lists | X | X | X |
| Action | Policy Administrator | Mitigation Approver | Reviewer | Security Lead | Vendor Manager |
|---|---|---|---|---|---|
| Create Policies | X | ||||
| Propose Mitigations | X | X | |||
| Approve Mitigations | X | ||||
| View Vendors Page | X | ||||
| Publish Results | X |
| Action | Executive | Reviewer | Security Lead | Security Insights | Analytics Creator | Security Labs User |
|---|---|---|---|---|---|---|
| View Analytics | X | X | X | X | ||
| Edit Analytics | X | |||||
| View Reports | X | X | X | |||
| Access eLearning | X | |||||
| Access Security Labs | X |
To be able to access eLearning summary reports, users with the Executive role must also have the eLearning role. Users who are members of the team associated with the application can accept third-party terms or scan requests. Users with both the Reviewer and Security Insights role can view analytics only for the teams for which they have access.
Dynamic Analysis roles
The following tables summarize the Dynamic Analysis permissions available to certain roles on the Veracode Platform.
| Action | Administrator | Creator | Submitter | Reviewer | Security Lead |
|---|---|---|---|---|---|
| Request/Create/ Submit Analysis | X | X | X | X | |
| Upload or Enter URLs | X | X | X | X | |
| Import URLs From Applications | X | X | X | X | |
| Turn on Application Auto-Linking | X | X | |||
| Manually Link Results to Application | X | X | X | X | |
| Assign Teams | X | X | X | X |
| Action | Creator | Submitter | Reviewer | Security Lead |
|---|---|---|---|---|
| Edit Analysis and Schedule | X | X | X | |
| Edit Scan Configuration | X | X | X | |
| Add or Delete Scan from Existing Analysis | X | X | X | |
| View Results | X | X | ||
| View Status | X | X | X | X |
| View Analysis Configuration | X | X | X | |
| Delete Analysis | X | X | X | |
| View Vulnerability Summary | X | X | X | X |
Sandbox capabilities
The following table summarizes the Sandbox permissions available to each role on the Veracode Platform.
Developers can create sandboxes within existing application profiles, and use them to submit the application code for analysis while still in development. Sandbox scans do not affect the developer's ability to run a formal policy scan of the application, and the results of the sandbox scans do not degrade the policy status or flaw metrics of the production version of the application.
| Action | Creator | Submitter | Reviewer | Sandbox Administrator | Sandbox User | Security Lead |
|---|---|---|---|---|---|---|
| Create Sandbox Profile | X | X | X | X | ||
| Delete Sandbox | X | X | X | |||
| Create Policy Scan | X | X | X | |||
| Submit Policy Scan | X | X | X | |||
| Create Sandbox Scan | X | X | X | X | ||
| Submit Sandbox Scan | X | X | X | X | ||
| Review Scan Results | X | X | X | |||
| Review Scan Reports | X | X | X |
Veracode Software Composition Analysis roles
| Action | Mitigation Approver | Security Lead | Executive | Creator | Reviewer | Submitter | Workspace Administrator | Workspace Editor |
|---|---|---|---|---|---|---|---|---|
| View the SCA Portfolio Page | X | X | X | X | X | X | X | |
| Create and Delete Applications | X | X | ||||||
| Edit Applications | X | X | ||||||
| Add Teams to Applications | X | X | ||||||
| View All Applications | X | X | ||||||
| View Specific Applications | X | X | X | X | ||||
| Request SCA (Static) Scans | X | X | ||||||
| Propose Mitigations | X | X | ||||||
| Approve Mitigations | X | |||||||
| View the Workspace Portfolio Page | X | X | X | X | X | X | ||
| Create Workspaces | X | X | ||||||
| Delete Workspaces | X | X | X | |||||
| Edit Workspaces | X | X | X | |||||
| Add Teams to Workspaces | X | X | X | |||||
| View All Workspaces | X | X | ||||||
| View Specific Workspaces | X | X | X | X | X | |||
| Manage Projects | X | X | X | |||||
| Link Projects to Applications | X | X | X | |||||
| Manage Agent-Based Scan Rules | X | X | X | |||||
| Manage Integrations | X | |||||||
| Manage Agents | X | X | X | X | ||||
| Ignore and Unignore Issues | X |
Container and IaC Analysis
The following table summarizes the Container and IaC analysis permissions available to each role on the Veracode Platform.
| Action | Submitter | Reviewer | Delete Scans | Creator | Security Lead |
|---|---|---|---|---|---|
| Submit Container Scan and view Results | X | ||||
| Submit IaC scan and view results | X | ||||
| Review Container scan results | X | X | |||
| Review IaC scan results | X | X | |||
| Delete Container scans | |||||
| Delete IaC scans |
Custom roles
You can create custom roles that are specific to your organization. Custom roles define specific permissions assigned to users. For example, you can assign a custom role with specific permissions, such as managing application profiles, submitting scans, and managing teams, and apply it to selected user accounts.
If you have the Administrator role, you create custom roles with the Identity REST API. After you create a custom role, you assign it to users in the same way you assign standard Veracode roles.
Use APIs with a user account
The Upload Using the Veracode Plugins permission is available to the Submitter role on the Veracode Platform.
The Create Application Using the Veracode Plugins permission is available to the Creator role on the Veracode Platform.
Permissions
Roles are comprised of different permissions that allow users to perform specific Veracode tasks. To view the permissions associated with specific roles, use the Identity REST API.
The following table lists the Veracode permissions, their types, if applicable, and whether they apply to user accounts or API service accounts. Some roles have permission types. In some cases there are seemingly similar permissions types: retrieve, retrieveTeamOnly, and retrieveOg, for example. Individuals would have retrieve, a Team Admin would have retrieveTeamOnly, and an Administrator would have retrieveOrg.
| Permission | Permission name | Permission type 1 | User accounts | API service accounts |
|---|---|---|---|---|
| Access Admin API | adminApi | X | ||
| Application portfolio | appPortfolio | X | X | |
| Approve Dynamic scans | approveDynamicScans | X | ||
| Approve Dynamic scans for ISM | approveDynamicScansforVsa | X | ||
| Approve or reject proposed mitigations | approveMitigations | X | X | |
| Run Archer reports | archerReports | X | X | |
| Assign application to any team | assignAppToAnyTeam | X | X | |
| Assign application to team | assignAppToTeam | X | X | |
| Change application assurance level | changeAppAssuranceLevel | X | X | |
| Change the Archer name of an application | changeArcherName | X | X | |
| Create a new application | createApplicationProfile | X | X | |
| Create a collection | createCollection | X | X | |
| Create an eLearning curriculum | createCurriculum | X | X | |
| Create a login account | createLoginAccount | X | X | |
| Create a policy scan for an application | createPolicyScan | X | X | |
| Create a sandbox in an application | createSandbox | X | X | |
| Create a sandbox scan for an application | createSandboxScan | X | X | |
| Create a team | createTeam | X | X | |
| Create user for team | createUserForTeam | X | ||
| Custom report | customReport | X | ||
| Dashboard | dashboard | X | ||
| Delete an application | deleteApplicationProfile | X | X | |
| Delete collection | deleteCollection | X | X | |
| Delete Discovery scan | deleteDiscoveryScan | X | ||
| Delete a Dynamic Analysis | deleteDynamicAnalysis | X | ||
| Delete login account | deleteLoginAccount | X | X | |
| Delete module scan results | deleteModuleScan | X | ||
| Delete a policy scan | deletePolicyScan | X | X | |
| Delete a sandbox in an application | deleteSandbox | X | X | |
| Delete a sandbox scan | deleteSandboxScan | X | X | |
| Delete a team | deleteTeam | X | X | |
| Delete a user for team | deleteUserForTeam | X | ||
| Download Discovery site list | downloadDiscoverySiteList | X | ||
| Download scan reports | downloadScanReport | X | ||
| Download scan report as XML | downloadScanReportXML | X | ||
| Download crawl and login script | downloadScript | X | ||
| Download the site list for the scan | downloadSiteList | X | ||
| Dynamic Analysis result import | dynamicAnalysisResultImport | X | X | |
| Change application-related options for Dynamic Analysis auto-linking | editDynamicAnalysisAutoLinkAppOptions | X | ||
| Edit login account | editLoginAccount | X | X | |
| Edit ISM gateway | editMVSAGateway | X | ||
| Edit account SAML settings | editsamlsettings | X | ||
| Edit team | editTeam | X | X | |
| Access eLearning mentor content | eLearningMentor | X | ||
| Access eLearning professor content | eLearningProfessor | X | ||
| Enable applications for next-day consultations for creation and update | enableNextDayConsultation | X | X | |
| Allow user to schedule remediation consultations | enableRemediationConsultation | X | ||
| Allow user to schedule upload consultations | enableUploadConsultation | X | ||
| Expire another user's API credentials | expireApiCredentials | X | ||
| Expire another user's API credentials if on a managed team | expireApiCredentialsForTeam | X | ||
| Export custom data | exportCustomData | X | X | |
| Access file exchange | fileExchange | X | ||
| Generate WAF rules | generateWafRules | X | ||
| Import application profiles | importApplicationProfiles | X | ||
| Link to application | linkApp | X | ||
| Analytics creator | lookerAnalyticsCreator | X | ||
| Analytics viewer | lookerAnalyticsViewer | X | ||
| Maintain Dynamic application | maintainDynamicApplication | X | ||
| Manage API credentials | ManageApiCredentials | generate, retrieve, retrieveOrg, retrieveTeamOnly, revoke, revokeOrg, revokeTeamOnly | X | X |
| Manage business units | ManageBusinessUnit | create, retrieve, update, delete | X | X |
| Change mitigation behavior for flaws mitigated by custom cleanser | manageCustomCleanserManagement | X | ||
| Manage account-level eLearning | manageElearning | X | X | |
| Manage organizations | ManageOrganization | retrieve, update | X | X |
| Manage SCA component blacklist for policy | manageScaBlacklist | X | ||
| Manage teams | ManageTeam | create, retrieve, retrieveTeamOnly, update, updateTeamOnly, delete | X | X |
| Manage users | ManageUser | create, createTeamOnly, retrieve, retrieveOrg, retrieveTeamOnly, update, updateOrg, updateTeamOnly, delete, deleteTeamOnly | X | X |
| Manage vendor contact requests | manageVendorContact | X | ||
| Navigation for external Administrator | navExternalAdmin | X | ||
| Navigation for external eLearning | navExternalELearn | X | ||
| Navigation for external Executive | navExternalExecutive | X | ||
| Navigation for Security Insight only | navSecurityInsightOnly | X | ||
| Share your results in vendor directory | optIntoVendorDirectory | X | ||
| Manage policies | policyManagement | X | X | |
| Retrieve cross-profile flaw identifiers in XML reports | portableScopeResultsAggregation | X | X | |
| Promote scan to policy sandbox | promoteScans | X | X | |
| Publish applications with mitigations | publishMitigatedRatings | X | ||
| Publish results to enterprise | publishResultsEnterprise | X | ||
| Read collections | readCollection | X | X | |
| Enable the Reporting API | reportingApi | X | X | |
| Request a Dynamic Analysis | requestDynamicAnalysis | X | X | |
| Access Results API | resultsApi | X | ||
| View another user's API ID and status if on a managed team | retrieveApiCredentialsForTeam | X | ||
| Retrieve a team as Team Admin | retrieveTeamAsTeamAdmin | X | ||
| Retrieve a user for team | retrieveUserForTeam | X | ||
| Scan with Greenlight | scanWithGreenlight | X | X | |
| Access Security Labs | securityLabs | X | ||
| Set allow dependencies as top-level modules | setAllowDepAsTopLevelModules | X | ||
| Navigate to all workspaces in SCA agent-based scanning | srcclrAccessAllWorkspaces | X | ||
| Create workspace in SCA agent-based scanning | srcclrCreateWorkspace | X | ||
| View portfolio list page in SCA agent-based scanning | srcclrListPortfolioPage | X | ||
| Manage agents in SCA agent-based scanning workspace | srcclrManageAgents | X | ||
| Manage integration, agents, usage, and library catalog in SCA agent-based scanning | srcclrManageOrg | X | ||
| Manage SCA agent-based scanning workspaces | srcclrManageWorkspaces | X | ||
| Comment on issues in SCA agent-based scanning workspace | srcclrWorkspaceCommentIssues | X | ||
| Create third-party issues in SCA agent-based scanning workspace | srcclrWorkspaceCreateThirdPartyIssue | X | ||
| Ignore and unignore issues in SCA agent-based scanning workspace | srcclrWorkspaceIssuesVisibility | X | ||
| Manage project settings in SCA agent-based scanning workspace | srcclrWorkspaceManageProjectSettings | X | ||
| Manage rules in SCA agent-based scanning workspace | srcclrWorkspaceManageRules | X | ||
| Manage workspace settings in SCA agent-based scanning | srcclrWorkspaceManageWebhooks | X | ||
| View projects in SCA agent-based scanning workspace | srcclrWorkspaceViewProjects | X | ||
| View issues, vulnerabilities, libraries, and licenses in SCA agent-based scanning workspace | srcclrWorkspaceViewReports | X | ||
| View teams in SCA agent-based scanning workspace | srcclrWorkspaceViewTeams | X | ||
| Submit a Discovery scan | submitDiscoveryScan | X | ||
| Submit a manual policy scan | submitPolicyManualScan | X | X | |
| Submit a static policy scan | submitPolicyStaticScan | X | X | |
| Submit a manual sandbox scan | submitSandboxManualScan | X | X | |
| Submit a static sandbox scan | submitSandboxStaticScan | X | X | |
| Update results | updateResults | X | X | |
| Update team as Team Admin | updateTeamAsTeamAdmin | X | ||
| Update user for team | updateUserForTeam | X | ||
| View details for an account | viewAccountDetails | X | ||
| View asset inventory results | viewAssetInventoryResults | X | ||
| View policy custom severity setting | viewCustomSeverity | X | ||
| View Discovery results | viewDiscoveryResults | X | ||
| View application-related options for Dynamic Analysis auto-linking | viewDynamicAnalysisAutoLinkAppOptions | X | ||
| View Dynamic Analysis results | viewDynamicAnalysisResult | X | ||
| View Dynamic Analysis status | viewDynamicAnalysisStatus | X | ||
| View Dynamic Analysis URL configuration | viewDynamicAnalysisURLConfiguration | X | ||
| View ISM gateway | viewMVSAGateway | X | ||
| View open source | viewOpenSource | X | ||
| View reports | viewReports | X | X | |
| View results | viewResults | X | X | |
| View the list of sandboxes in an application | viewSandbox | X | X | |
| View portfolio for third-party components | viewScaPortfolio | X | ||
| Enable SCA agent-based scanning | viewSourceClearSca | X | ||
| View team for Discovery scan | viewTeamForDiscoveryScan | X | ||
| View details for Third-Party tab | viewThirdPartyDetails | X | ||
| View vendor list | viewVendorList | X | ||
| Submit container scan and view results | submitContainerScan | X | ||
| Submit IaC scan and view results | submitIaCScan | X | ||
| Review container scan results | viewContainerResults | X | ||
| Review IaC scan results | viewIaCResults | X |
Footnotes
-
Permission types allow you to perform specific tasks as part of certain permissions. For custom roles, you must specify the types when assigning those permissions to a role. ↩