Built-In Roles
CodeThreat provides two built-in role templates:
ADMIN
Full access to manage organization, repositories, and team
USER
Standard member access with read permissions
Organizations can also create custom roles with specific permissions tailored to their needs.
ADMIN Role
Capabilities
Organization Management:
- Manage organization settings
- Invite/remove members
- Assign roles
- Manage billing and subscription
- View audit logs
- Connect VCS integrations
- Import/remove repositories
- Configure repository settings
- Set up automated scanning
- Configure AI features
- View all violations
- Assign violations
- Suppress violations
- Run scans
- Generate reports
- Comment on violations
- Create and share reports
- Configure notifications
When to Use
- Organization owners
- Security team leads
- DevSecOps managers
- Anyone needing full administrative access
USER Role
Capabilities
Security Findings:
- View violations in accessible repositories
- View scan history and results
- View dashboards and reports
- Comment on violations
- Cannot manage organization settings
- Cannot invite/remove members
- Cannot manage billing
- Cannot connect VCS integrations
- Cannot trigger scans
- Cannot assign or suppress violations
- Cannot configure repository settings
When to Use
- Software engineers (read-only access)
- Stakeholders
- Compliance/audit teams
- Product managers
- Anyone needing view-only access
Permission Matrix
| Action | ADMIN | USER | Custom Roles |
|---|---|---|---|
| Organization | | | |
| Manage settings | ✅ | ❌ | ❌ |
| Invite members | ✅ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ |
| Repositories | | | |
| Connect VCS | ✅ | ❌ | ❌ |
| Configure settings | ✅ | ❌ | ❌ |
| View repositories | ✅ | ✅ | ✅ |
| Scanning | | | |
| Trigger scans | ✅ | ✅ | ❌ |
| View scan results | ✅ | ✅ | ✅ |
| Configure automated scans | ✅ | ❌ | ❌ |
| Violations | | | |
| View violations | ✅ | ✅ | ✅ |
| Assign violations | ✅ | ✅ | ❌ |
| Suppress violations | ✅ | ✅ | ❌ |
| Comment on violations | ✅ | ✅ | ✅ |
| Reporting | | | |
| View reports | ✅ | ✅ | ✅ |
| Generate reports | ✅ | ✅ | ❌ |
| Share reports | ✅ | ✅ | ❌ |
Repository-Level Permissions
In addition to organization roles, you can control access to specific repositories.
Grant Repository Access
1. Navigate to Repository Settings: Repository → Settings → Access Control
2. Add User or Team: Click Add Member or Add Team
3. Select User/Team: Choose from organization members or teams
4. Set Permission Level: Choose Admin, Write, or Read
5. Save: Click Grant Access
Repository Permission Levels
- Admin: Manage repository settings, run scans, manage violations, configure automation
- Write: Run scans, assign and suppress violations, comment on violations
- Read: View violations, view scan results, view reports
Organization-level Admins have access to all repositories regardless of repository-level permissions.
Teams
Group users into teams for easier access management.
Create a Team
1. Navigate to Teams: Organization Settings → Teams
2. Create Team: Click Create Team
3. Configure Team: Set name, description, and add members
4. Grant Repository Access: Assign team access to repositories
Benefits of Teams
- Simplified access management
- Organized collaboration
- Notification routing
- Ownership clarity
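To show how repository-level permissions, team grants and the organization-level ADMIN override described above compose into an effective access decision, here is an added example (not CodeThreat's own code). It assumes a hypothetical in-house model in which each repository level includes the capabilities of the levels below it, and a user holding several grants gets the highest one.

```python
from dataclasses import dataclass, field

# Capabilities per repository permission level, as listed on the page.
REPO_LEVEL_ACTIONS = {
    "Read": {"view_violations", "view_scan_results", "view_reports"},
    "Write": {"run_scans", "assign_violations", "suppress_violations",
              "comment_on_violations"},
    "Admin": {"manage_repo_settings", "configure_automation"},
}
# Assumption: levels are cumulative (Write includes Read, Admin includes both).
LEVEL_ORDER = ["Read", "Write", "Admin"]


def actions_for_level(level):
    """All actions permitted at `level`, including lower levels."""
    allowed = set()
    for lvl in LEVEL_ORDER[: LEVEL_ORDER.index(level) + 1]:
        allowed |= REPO_LEVEL_ACTIONS[lvl]
    return allowed


@dataclass
class User:
    name: str
    org_role: str                      # "ADMIN" or "USER"
    teams: set = field(default_factory=set)


@dataclass
class Repository:
    name: str
    user_grants: dict = field(default_factory=dict)   # user name -> level
    team_grants: dict = field(default_factory=dict)   # team name -> level


def effective_level(user, repo):
    """Highest repository level reachable via a direct or team grant, or None."""
    candidates = [repo.user_grants.get(user.name)]
    candidates += [repo.team_grants.get(t) for t in user.teams]
    candidates = [lvl for lvl in candidates if lvl]
    return max(candidates, key=LEVEL_ORDER.index) if candidates else None


def can(user, action, repo):
    """Access decision: org ADMINs bypass repository-level grants entirely."""
    if user.org_role == "ADMIN":
        return True
    level = effective_level(user, repo)
    return level is not None and action in actions_for_level(level)
```

Running `can()` against a few constructed users makes the least-privilege review concrete: a USER with no grant on a repository gets nothing, while a direct Read grant plus a team Write grant resolves to Write.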
Changing Roles
1. Navigate to Members: Organization Settings → Members
2. Select User: Find the user whose role you want to change
3. Change Role: Click the role dropdown and select the new role
4. Confirm: Confirm the role change
Removing Team Members
1. Navigate to Members: Organization Settings → Members
2. Select User: Find the user to remove
3. Remove: Click the Remove button
4. Confirm: Confirm removal (cannot be undone)
- User loses access immediately
- Violations assigned to them remain assigned (reassign if needed)
- Comments and activity history preserved
- User is notified via email
Best Practices
- Principle of least privilege: Assign minimum required role
- Use teams: Group users for easier management
- Repository-level permissions: Restrict sensitive repository access
- Regular access review: Quarterly review of user access
- Remove departing employees: Remove access on last day
- Document role decisions: Note why users have specific roles
Audit and Compliance
Audit Logs
Track all permission-related actions:
- Role assignments and changes
- User invitations and removals
- Repository access grants/revokes
- Team membership changes
Compliance Requirements
For compliance (SOC 2, ISO 27001, etc.):
- Regular access reviews
- Principle of least privilege
- Audit log retention
- Timely access removal
- Documented RBAC policy
