Roles and Permissions
Codepure’s Role-Based Access Control (RBAC) is designed to support secure collaboration between security teams and developers. It ensures that each role has only the necessary access to perform their tasks while maintaining strong governance over security workflows.✅ Role Summary Table
| Feature / Action | Admin | AppSec | Developer |
|---|---|---|---|
| System & Administration | |||
| Manage users, roles, and billing | ✅ | ❌ | ❌ |
| View Audit Logs | ✅ | ❌ | ❌ |
| Configure system-wide settings (LDAP, SMTP) | ✅ | ❌ | ❌ |
| Generate and manage API Tokens | ✅ | ❌ | ❌ |
| Integrations & Setup | |||
| Setup/Delete Integrations (GitHub, GitLab, Azure) | ✅ | ❌ | ❌ |
| Import projects / Clone repositories | ✅ | ✅ | ❌ |
| Configure DevSecOps CI/CD Policies | ✅ | ✅ | ❌ |
| Project & Vulnerability Management | |||
| View all projects and dashboards | ✅ | ✅ | ❌ (only assigned) |
| Assign projects to developers | ✅ | ✅ | ❌ |
| Run/Trigger Scans (SAST, SCA, Container, Secret) | ✅ | ✅ | ❌ |
| Add/Manage Custom SAST Rules | ✅ | ✅ | ❌ |
| Approve/Reject vulnerabilities | ✅ | ✅ | ❌ |
| Generate PDF Security Reports | ✅ | ✅ | ❌ |
| View assigned scan results | ✅ | ✅ | ✅ |
| Verify bugs (Mark Fixed / False Positive) | ✅ | ✅ | ✅ |
🔑 Role Descriptions
Admin
- Has full control over the Codepure platform.
- The only role that can manage users, billing, API tokens, and Audit Logs.
- The only role that can setup or delete integrations (GitHub, GitLab, Azure).
- Can create/manage all projects, run scans, and approve vulnerabilities.
- Intended for platform owners, CTOs, or Lead Security Architects.
AppSec (Application Security Analyst)
- Can import projects from existing integrations (configured by Admins).
- Can run scans, view all projects, and generate PDF security reports.
- Manages the vulnerability lifecycle: after a developer marks a bug as fixed, the AppSec role can approve or reject it.
- Can manage custom SAST Rules and DevSecOps Policies.
- Cannot manage users, roles, system integrations, or view Audit Logs.
- Intended for Security Engineers and Analysts.
Developer
- Has access only to projects explicitly assigned to them.
- Can view vulnerabilities and bug summaries for their assigned projects.
- Can verify vulnerabilities by marking them as:
- ✅ Fixed (after applying a code fix), or
- 🚫 False Positive.
- Cannot run scans, approve their own fixes, generate reports, or access other projects.
- Intended for software engineers working on remediation.
⚙️ How to Assign Roles and Projects
- Navigate to User Management in the Codepure dashboard (Admin only).
- Assign the role (Admin, AppSec, or Developer) to a user.
- If assigning a Developer, navigate to the specific project and grant them access.
- Click Save to apply changes.
🛡️ Best Practices
- Keep Admin access strictly limited to a few key security leads.
- Use AppSec roles for your daily security engineers managing scans and triage.
- Assign Developers only the specific projects they are actively working on to maintain the principle of Least Privilege.
- (Admins) Regularly review the Audit Logs to ensure compliance and security integrity.