
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

RBAC: Permissions

Under role-based access control (RBAC), a role can be assigned a particular permission for a particular resource. We call this relationship a role-permission.

This page describes the various CodeSonar permission types.



Overview

Under role-based access control (RBAC), a permission denotes a specific operation that can be carried out on a specific type of element.

Global permission
  Applies to: the entire hub.
  Short name form: G_*
  Example: If a role has permission G_ADD_WPROCESSOR, users with that role can install a warning processor on the hub.

Resource permission
  Applies to: an individual resource.
  Short name form: ANALYSIS_*, PROJECT_*, PTREE_*, LAUNCHD_*, LAUNCHDGROUP_*, NAMEDSEARCH_*, SAVEDCHART_*, WPROCESSOR_*, REPORTTEMPLATE_*, or ROLE_*.
  Example: If a role has permission WPROCESSOR_DELETE for warning processor W, users with that role can delete W.

A role can be assigned a particular permission for a particular resource (or globally, for global permissions). We call this relationship a role-permission.

The remainder of this page covers Available Permissions and Recommended Permission Combinations.

Available Permissions

The set of available permissions is shown in the following table. Each permission has both a short name and a long name.

Short Name Long Name Description

G_*: Global Permissions

Assign on Global Role-Permissions page.
G_ADD_WPROCESSOR Add Warning Processor Add a warning processor.
Roles with this permission should only be assigned to trusted users.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_ADMINISTER_CONTENT_SETTINGS Administer Content Settings Administer the hub language, font, spaces per tab, public URL, analysis/autodelete settings, date/time locale settings.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_ADMINISTER_HTTP_SETTINGS Administer HTTP Settings Administer the hub HTTP settings: max processes, timeouts, backlog, TLS settings, etc.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_ADMINISTER_SMTP_SETTINGS Administer SMTP Settings Administer the hub SMTP settings.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_ADMINISTER_USERS Administer Users This is the "god" privilege, provided the user also has G_SIGN_IN. Edit other users, administer authentication services, delete users, enable/disable users, set template users, assign roles to users, create/delete roles, add/remove permissions from roles.
Roles with this permission should only be assigned to trusted users.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_ANNOTATION_EXPORT Annotation Export Export warning annotations. Note that this permits warning annotation export for all warnings on the hub, even if the user does not otherwise have access to the analyses that issued some or all of those warnings.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_ANNOTATION_IMPORT Annotation Import Import warning annotations. This permission is sufficient to create any warning groups that are present in the imported annotation set but not on the hub.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_CHANGE_OWN_CERTIFICATES Change Own Certificates Add or delete TLS certificates from the user's own set of user certificates.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_CHANGE_OWN_EMAIL Change Own Email Change the email address associated with your hub user account.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_CHANGE_OWN_EMAIL_ALERTS Change Own Email Alerts Change the email alert setting for your hub user account.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_CHANGE_OWN_PASSWORD Change Own Password Change your hub user account password.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_CREATE_USER Create User Create new hub user accounts. Note that G_ADMINISTER_USERS is required in order to fully configure the new account: in the absence of G_ADMINISTER_USERS, the new account will be created by copying the globally configured template user.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_FINDING_ADD Finding Add Add a new value to the set of Findings that can be applied to warnings.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_FINDING_DELETE Finding Delete Delete a value from the set of Findings that can be applied to warnings.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_HUB_BACKUP Hub Backup Use the Backup Database link.
Roles with this permission should only be assigned to trusted users.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_HUB_DEBUG Hub Debug Access certain hub command URLs.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_HUB_INFO Hub Info Obtain hub information.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_HUB_LOGS Hub Logs Access hub logs (as distinct from analysis-related logs, which are controlled by ANALYSIS_READ).
Roles with this permission should only be assigned to trusted users.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_HUB_METADATA Hub Metadata See hub metadata (including license information) and alerts in the GUI footer.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_HUB_SHUTDOWN Hub Shutdown Shut down a hub.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_HUB_VACUUM Hub Vacuum Use the Vacuum Database link.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_LICENSE_READ License Key Read Inspect the current hub license key, create a new unsigned license key.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_LICENSE_UTILIZATION_READ License Utilization Read View license utilization information.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_LICENSE_WRITE License Key Write Set up a hub license key.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_LIST_PROPERTIES List Properties View pages that expose (or can expose) lists of available warning Priorities, States, or Findings.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_LIST_USERS List Users View pages that expose (or can expose) lists of hub users.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_MANAGE_USERS Manage User Accounts and Permissions Administer some users, create roles, administer authentication services, and edit most global permissions.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_PRIORITY_ADD Priority Add Add a new value to the set of available warning Priorities.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_PRIORITY_DELETE Priority Delete Delete a value from the set of available warning Priorities.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_RECOVER_OWN_PASSWORD Recover Own Password Use the password recovery functionality provided by the Sign In page Forgot Password and Enter Emailed Code tabs.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_SIGN_IN Sign In It is not possible to authenticate as a hub user account that does not possess the G_SIGN_IN permission. A user account that does not have this permission through any of its roles is considered to be inactive and is not counted against the licensed active users limit.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_SIGN_IN_CERTIFICATE Sign In Certificate Use TLS certificate authentication to sign into a hub user account, provided that the user also has G_SIGN_IN.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_SIGN_IN_PASSWORD Sign In Password Use password authentication to sign into a hub user account, provided that the user also has G_SIGN_IN.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_SQL_CONSOLE SQL Console Access the SQL Console.
Roles with this permission should only be assigned to trusted users.
G_ADMINISTER_USERS is required to assign/unassign this permission.
G_STATE_ADD State Add Add a new value to the set of available warning States.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.
G_STATE_DELETE State Delete Delete a value from the set of available warning States.
G_ADMINISTER_USERS or G_MANAGE_USERS is required to assign/unassign this permission.

PTREE_*: Project Tree Permissions

Assign on Project Tree Role-Permissions page.
PTREE_ADD_CHILD Project Tree Add Child Add a child (project or project tree) to a project tree.
PTREE_ADMINISTER Project Tree Administer Edit the RBAC role-permission assignments for a project tree.
PTREE_DELETE Project Tree Delete Delete a project tree.
PTREE_EXISTS Project Tree Exists See a project tree in tables of project trees.
PTREE_READ Project Tree Read View information about a project tree.
PTREE_WRITE Project Tree Write Edit a project tree.

PROJECT_*: Project Permissions

Assign on Project or Project Tree Role-Permissions page.
PROJECT_ADD_CHILD Project Add Child Perform an analysis of a project.
PROJECT_ADMINISTER Project Administer Edit the RBAC role-permission assignments for a project.
PROJECT_DELETE Project Delete Delete a project.
PROJECT_EXISTS Project Exists See a project in tables of projects. Also affects behavior when creating a new project.
PROJECT_READ Project Read View information about a project, including search results for searches scoped to that project, charts, management reports.
PROJECT_WRITE Project Write Change a project name or description.

ANALYSIS_*: Analysis Permissions

Assign on Analysis, Project, or Project Tree Role-Permissions page.
ANALYSIS_ADMINISTER Analysis Administer Edit the RBAC role-permission assignments for an analysis.
ANALYSIS_ANNOTATE Analysis Annotate Add annotations to warnings and visualizations for an analysis.

Web GUI sessions in an unlicensed state are always treated as if they have no ANALYSIS_ANNOTATE permissions, even if the user would otherwise have those permissions through their assigned roles. For details, see How Licenses Work: Licensed Behavior.

ANALYSIS_CONSOLE Analysis Console Access the Python console for an analysis.
ANALYSIS_DEBUG Analysis Debug Access special debug URLs related to an analysis. Most users will never need this permission.

Web GUI sessions in an unlicensed state are always treated as if they have no ANALYSIS_DEBUG permissions, even if the user would otherwise have those permissions through their assigned roles. For details, see How Licenses Work: Licensed Behavior.

ANALYSIS_DELETE Analysis Delete Delete an analysis, or part of the information (logs, .prj_files directory) for an analysis. Required (at appropriate scope) in order to modify analysis autodeletion settings.
ANALYSIS_EXISTS Analysis Exists See an analysis in tables of analyses, view analysis-granularity metrics.
ANALYSIS_IR_QUERY Analysis IR Query Access special IR query URLs related to an analysis. Most users will never need this permission.
ANALYSIS_OWN_WARNINGS Analysis Own Warnings Be assigned as Owner for any warning from an analysis. (A user without ANALYSIS_OWN_WARNINGS may still be set as a warning Owner through the warning annotation import functionality.)
ANALYSIS_READ Analysis Read View information related to an analysis, including warnings, visualizations, charts, source files, search results for searches scoped to that project, management reports, directory-, file-, and procedure-granularity metrics, logs.
ANALYSIS_TERMINATE Analysis Terminate Access the close and close_daemon URLs for an analysis.
ANALYSIS_WARNING_EXISTS Analysis Warning Exists See any indication of the existence of warnings from an analysis, including in tables of warnings, warning notifications in source listings.

Web GUI sessions in an unlicensed state are always treated as if they have no ANALYSIS_WARNING_EXISTS permissions, even if the user would otherwise have those permissions through their assigned roles. For details, see How Licenses Work: Licensed Behavior.

ANALYSIS_WARNING_READ Analysis Warning Read View information about the warnings from an analysis, including warning reports, warning-mode visualizations, warning notifications in source listings.

Web GUI sessions in an unlicensed state are always treated as if they have no ANALYSIS_WARNING_READ permissions, even if the user would otherwise have those permissions through their assigned roles. For details, see How Licenses Work: Licensed Behavior.

ANALYSIS_WRITE Analysis Write Change an analysis name or description.

LAUNCHD_*: Launch Daemon Permissions

Assign on Launch Daemon or Launchd Group Role-Permissions page.
LAUNCHD_ADMINISTER Launch Daemon Administer Edit the RBAC role-permission assignments for a launch daemon.
LAUNCHD_DELETE Launch Daemon Delete Remove a launch daemon from the hub's analysis cloud.
LAUNCHD_EXISTS Launch Daemon Exists See a launch daemon in menus and tables of available launch daemons.
LAUNCHD_READ Launch Daemon Read View the RBAC role-permission assignments for a launch daemon.
LAUNCHD_START_MASTER Launch Daemon Start Master Initiate an analysis on a launch daemon.
LAUNCHD_START_SLAVE Launch Daemon Start Slave Request a new analysis slave from a launch daemon (automatically or manually).
LAUNCHD_WRITE Launch Daemon Write Change the process limit for a launch daemon.

LAUNCHDGROUP_*: Launchd Group Permissions

Assign on Launchd Group Role-Permissions page.
LAUNCHDGROUP_ADD_CHILD Launch Daemon Group Add Child Add a child (launch daemon or launchd group) to a launchd group.
LAUNCHDGROUP_ADMINISTER Launch Daemon Group Administer Edit the RBAC role-permission assignments for a launchd group.
LAUNCHDGROUP_DELETE Launch Daemon Group Delete Delete a launch daemon group.
LAUNCHDGROUP_EXISTS Launch Daemon Group Exists See a launchd group in menus and tables of available launchd groups.
LAUNCHDGROUP_READ Launch Daemon Group Read View information about a launch daemon group.
LAUNCHDGROUP_WRITE Launch Daemon Group Write Edit a launch daemon group.

WPROCESSOR_*: Warning Processor Permissions

Assign on Warning Processor Role-Permissions page.
WPROCESSOR_ADMINISTER Warning Processor Administer Edit the RBAC role-permission assignments for a warning processor.
WPROCESSOR_DELETE Warning Processor Delete Delete a warning processor.
WPROCESSOR_EXECUTE Warning Processor Execute Run a warning processor (manually or automatically).
WPROCESSOR_EXISTS Warning Processor Exists See a warning processor in menus and tables of available processors; also required to run a warning processor.
WPROCESSOR_READ Warning Processor Read View the RBAC role-permission assignments for a warning processor.
WPROCESSOR_WRITE Warning Processor Write Unused at this time.

NAMEDSEARCH_*: Named Search Permissions

Assign on Named Search Role-Permissions page.
NAMEDSEARCH_ADMINISTER Named Search Administer Edit the RBAC role-permission assignments for a named search.
NAMEDSEARCH_DELETE Named Search Delete Delete a named search.
NAMEDSEARCH_EXISTS Named Search Exists See a named search in menus and tables of available searches. Also affects behavior when saving a named search.
NAMEDSEARCH_READ Named Search Read See a named search in menus and tables of available searches, execute that search.
NAMEDSEARCH_WRITE Named Search Write Overwrite a named search.

SAVEDCHART_*: Saved Chart Permissions

Assign on Saved Chart Role-Permissions page.
SAVEDCHART_ADMINISTER Saved Chart Administer Edit the RBAC role-permission assignments for a saved chart.
SAVEDCHART_DELETE Saved Chart Delete Delete a saved chart.
SAVEDCHART_EXISTS Saved Chart Exists See a saved chart in menus and tables of available saved charts. Also affects behavior when saving a chart.
SAVEDCHART_READ Saved Chart Read View or preview a saved chart.
SAVEDCHART_WRITE Saved Chart Write Overwrite a saved chart.

REPORTTEMPLATE_*: Report Template Permissions

Assign on Report Template Role-Permissions page.
REPORTTEMPLATE_ADMINISTER Report Template Administer Edit the RBAC role-permission assignments for a report template.
REPORTTEMPLATE_DELETE Report Template Delete Delete a report template.
REPORTTEMPLATE_EXISTS Report Template Exists See a report template in menus and tables of available templates; delete a template. Also affects behavior when saving a template.
REPORTTEMPLATE_READ Report Template Read View a report template; view a report generated from that template (provided the user also has G_LIST_USERS).
REPORTTEMPLATE_WRITE Report Template Write Overwrite a report template.

ROLE_*: Role (Resource) Permissions

Assign on Role (Resource) Role-Permissions page.
ROLE_ADMINISTER Role Administer Edit the RBAC role-permission assignments for a role.
ROLE_ASSIGN Role Assign/Unassign Assign or unassign the associated role to users.
ROLE_DELETE Role Delete Delete a role.
ROLE_EXISTS Role Exists See a role in menus and tables of available roles.
ROLE_READ Role Read View information about a role, such as assigned users.
ROLE_WRITE Role Write Modify the name, description, or parent roles of a role.

RESERVED_*: Reserved Permissions

RESERVED_5 Reserved 5 -

Recommended Permission Combinations

In many cases, you will be making role-permission assignments that involve sets of related permissions, rather than assigning a single permission in isolation. The tables in this section are provided to aid you in choosing suitable permission sets.

These recommendations reflect the typical intentions associated with the identified permissions and may not apply in all cases. Where they do apply, it may be appropriate to distribute the related assignments across multiple roles: this is particularly applicable for some of the user authentication recommendations.

Recommended Combinations for Global Role-Permissions

Global role-permissions are assigned from the Global Role-Permissions page.

If you are assigning a permission for role R, consider also assigning the permission(s) listed after it.

Managing Warning Properties
  G_FINDING_ADD: consider also G_FINDING_DELETE.
  G_PRIORITY_ADD: consider also G_PRIORITY_DELETE.
  G_STATE_ADD: consider also G_STATE_DELETE.
  Assigning both ADD and DELETE permissions allows easy correction of errors.

Hub Administration
  G_ADMINISTER_USERS: consider also G_MANAGE_USERS, G_HUB_DEBUG, G_HUB_LOGS, G_SQL_CONSOLE.
  G_HUB_DEBUG: consider also G_ADMINISTER_USERS, G_HUB_LOGS, G_SQL_CONSOLE.
  G_HUB_LOGS: consider also G_ADMINISTER_USERS, G_HUB_DEBUG, G_SQL_CONSOLE.
  G_SQL_CONSOLE: consider also G_ADMINISTER_USERS, G_HUB_DEBUG, G_HUB_LOGS.
  Assigning one of these permissions to a role may indicate that the role is intended to have a degree of administrative power over the hub, in which case the others may also be appropriate.

Annotation Import/Export
  G_ANNOTATION_EXPORT: consider also ANALYSIS_WARNING_READ on the root project tree.
  G_ANNOTATION_IMPORT: consider also ANALYSIS_ANNOTATE on the root project tree.
  A role with G_ANNOTATION_EXPORT can export (and thus read) annotations for all warnings on the hub. This may indicate that it is also appropriate to assign the role ANALYSIS_WARNING_READ permission. G_ANNOTATION_IMPORT and ANALYSIS_ANNOTATE have a similar relationship with respect to annotation import.

Licensing
  G_LICENSE_UTILIZATION_READ: consider also G_LICENSE_READ and G_LIST_USERS. All three of these permissions are required to view the License Utilization page.
  G_LICENSE_WRITE: consider also G_LICENSE_READ. A role with the ability to set up a hub license key will generally also benefit from the ability to examine that license key.

User Authentication
  G_SIGN_IN_CERTIFICATE: consider also G_SIGN_IN.
  G_SIGN_IN_PASSWORD: consider also G_SIGN_IN.
  G_SIGN_IN: consider also G_SIGN_IN_CERTIFICATE or G_SIGN_IN_PASSWORD.
  A user can only be authenticated by the hub if they have both overall sign in permission (G_SIGN_IN) and access to an available authentication method. In many cases, non-Anonymous users will also require G_SIGN_IN_CERTIFICATE or G_SIGN_IN_PASSWORD permission to access an authentication method. See Hub Authentication: Authentication and Authorization for more details.
  You may prefer to handle {G_SIGN_IN} and {G_SIGN_IN_CERTIFICATE, G_SIGN_IN_PASSWORD} through separate Roles: in these cases you will need to take extra care to ensure that all users have a suitable combination of role assignments.
  G_CHANGE_OWN_PASSWORD: consider also G_SIGN_IN_PASSWORD.
  G_CHANGE_OWN_CERTIFICATES: consider also G_SIGN_IN_CERTIFICATE.
  There is no value in having permission to change credentials that cannot be used.

Recommended Combinations for Resource Role-Permissions

The recommended combinations for resource role-permissions are based on ensuring that users have full opportunity to access permitted information and functionality.

For example, suppose you have a Role that is assigned ANALYSIS_READ A permission for some analysis A. Users with this Role can therefore access the Analysis:Warnings page for A. Assigning an additional set of permissions to coordinate with ANALYSIS_READ will ensure that these users have a more coherent experience in accessing and using that page.

Resource role-permissions for an individual resource X are assigned from the Resource Role-Permissions page for X.

If you are assigning a permission for role R on resource X, then also assign the permission(s) listed after it.

Any Resource Type XTYPE
  XTYPE_ADMINISTER X: XTYPE_DELETE X, XTYPE_WRITE X, XTYPE_READ X, XTYPE_EXISTS X.
  XTYPE_DELETE X: XTYPE_WRITE X, XTYPE_READ X, XTYPE_EXISTS X.
  XTYPE_WRITE X: XTYPE_READ X, XTYPE_EXISTS X.
  XTYPE_READ X: XTYPE_EXISTS X.
  These recommendations reflect a hierarchy of access types.

Analysis (in addition to the recommendations for any resource type)
  ANALYSIS_ANNOTATE X: ANALYSIS_EXISTS X, ANALYSIS_READ X, ANALYSIS_WRITE X, ANALYSIS_WARNING_READ X, ANALYSIS_WARNING_EXISTS X, G_LIST_PROPERTIES, G_LIST_USERS.
  If you intend a role to be able to add annotations to warnings from an analysis, make sure it has full access to the annotation functionality on the Warning Report page and the Analysis:Warnings tab.
  ANALYSIS_EXISTS X: PROJECT_EXISTS Y, where Y depends on the resource type of X: if X is a project tree or project, Y = X; if X is an analysis, Y is the project containing X.
  A user who is permitted to know about the existence of an analysis of a project will generally know the project exists; this recommendation reflects that reality.
  ANALYSIS_OWN_WARNINGS X: ANALYSIS_ANNOTATE X, ANALYSIS_EXISTS X, ANALYSIS_WARNING_EXISTS X, ANALYSIS_WARNING_READ X, ANALYSIS_WRITE X, ANALYSIS_READ X, G_LIST_USERS, G_LIST_PROPERTIES.
  In most cases you will want warning owners to be able to annotate their warnings. (The remaining permissions on the list are associated with ANALYSIS_ANNOTATE.)
  ANALYSIS_WARNING_READ X: ANALYSIS_WARNING_EXISTS X, ANALYSIS_READ X, G_LIST_USERS, G_LIST_PROPERTIES.
  If you intend a role to be able to view Warning Reports, make sure you assign all the required permissions, along with sufficient permissions to ensure the warning is listed in the Analysis:Warnings tab (and other tables of warnings).
  ANALYSIS_WRITE X: ANALYSIS_ANNOTATE X, ANALYSIS_EXISTS X, ANALYSIS_READ X, ANALYSIS_WARNING_READ X, ANALYSIS_WARNING_EXISTS X, G_LIST_USERS, G_LIST_PROPERTIES.
  ANALYSIS_WRITE and ANALYSIS_ANNOTATE are frequently assigned together. (The remaining permissions on the list are associated with ANALYSIS_ANNOTATE.)
  ANALYSIS_CONSOLE X: ANALYSIS_EXISTS X, ANALYSIS_READ X.
  If you intend a role to be able to access functionality in the Analysis page, make sure you assign ANALYSIS_READ permission so the role can access that page.
  ANALYSIS_DEBUG X: ANALYSIS_EXISTS X, ANALYSIS_READ X.
  ANALYSIS_IR_QUERY X: ANALYSIS_EXISTS X, ANALYSIS_READ X.
  ANALYSIS_WARNING_EXISTS X: ANALYSIS_EXISTS X, ANALYSIS_READ X.

Project (in addition to the recommendations for any resource type)
  PROJECT_ADD_CHILD X: ANALYSIS_DELETE X, ANALYSIS_EXISTS X, ANALYSIS_READ X, ANALYSIS_WARNING_READ X, ANALYSIS_WARNING_EXISTS X, ANALYSIS_WRITE X, G_LIST_USERS, G_LIST_PROPERTIES.
  If you are assigning permission to perform an analysis on a particular project, you will typically also want to assign permission to interact with that analysis in various ways. In particular, you may wish to assign sufficient permissions to access and interact with the Analysis:Warnings tab.

Project Tree (in addition to the recommendations for any resource type)
  PTREE_ADD_CHILD X: PROJECT_DELETE X, PROJECT_EXISTS X, PROJECT_READ X, PROJECT_WRITE X.
  If you are assigning permission to add a project to a project tree, you will typically also want to assign permission to interact with that project in various ways.

Launchd Group (in addition to the recommendations for any resource type)
  LAUNCHDGROUP_ADD_CHILD X: LAUNCHD_DELETE X, LAUNCHD_EXISTS X, LAUNCHD_READ X, LAUNCHD_WRITE X.
  If you are assigning permission to add a launch daemon to a launchd group, you will typically also want to assign permission to interact with that launch daemon in various ways.

Role (in addition to the recommendations for any resource type)
  ROLE_ADMINISTER X: ROLE_ASSIGN X, ROLE_DELETE X.
  Reflects the hierarchy of access types.
  ROLE_ASSIGN X: ROLE_WRITE X, ROLE_EXISTS X.
  Reflects the hierarchy of access types.
  ROLE_ASSIGN X: ROLE_ASSIGN Y, for all role ancestors Y of X.
  For any ancestor Y of X, X has a superset of the permissions in Y (though not necessarily a strict superset). It therefore makes little sense to permit assignment of X but not of Y.

Recommended Combinations Expressed as a Boolean Constraint System

The recommended permission combinations in the tables above can also be expressed as a Boolean constraint system. We use the following syntax.

A ⇒ B If you assign permission A, we recommend also assigning permission B.
A ⇔ B If you assign one of {A, B}, we recommend also assigning the other.
XTYPE ∈ {ANALYSIS, PROJECT, PTREE, LAUNCHD, LAUNCHDGROUP, NAMEDSEARCH, SAVEDCHART, WPROCESSOR, REPORTTEMPLATE, ROLE}

The constraints are as follows.

XTYPE_ADMINISTER X ⇒ XTYPE_DELETE X
XTYPE_DELETE X ⇒ XTYPE_WRITE X
XTYPE_WRITE X ⇒ XTYPE_READ X
XTYPE_READ X ⇒ XTYPE_EXISTS X
ANALYSIS_ANNOTATE X ⇒ ANALYSIS_WARNING_READ X
ANALYSIS_ANNOTATE X ⇒ ANALYSIS_WRITE X
ANALYSIS_ANNOTATE X ⇒ G_LIST_PROPERTIES
ANALYSIS_ANNOTATE X ⇒ G_LIST_USERS
ANALYSIS_CONSOLE X ⇒ ANALYSIS_READ X
ANALYSIS_DEBUG X ⇒ ANALYSIS_READ X
ANALYSIS_EXISTS X ⇒ PROJECT_EXISTS Y    (If X is a project or project tree, Y = X. If X is an analysis, Y is the project containing X.)
ANALYSIS_IR_QUERY X ⇒ ANALYSIS_READ X
ANALYSIS_OWN_WARNINGS X ⇒ ANALYSIS_ANNOTATE X
ANALYSIS_WARNING_EXISTS X ⇒ ANALYSIS_READ X
ANALYSIS_WARNING_READ X ⇒ ANALYSIS_WARNING_EXISTS X
ANALYSIS_WARNING_READ X ⇒ G_LIST_PROPERTIES
ANALYSIS_WARNING_READ X ⇒ G_LIST_USERS
PROJECT_ADD_CHILD X ⇒ ANALYSIS_DELETE X
PTREE_ADD_CHILD X ⇒ PROJECT_DELETE X
LAUNCHDGROUP_ADD_CHILD X ⇒ LAUNCHD_DELETE X
ROLE_ASSIGN X ⇒ ROLE_WRITE X
ROLE_ASSIGN X ⇒ ROLE_ASSIGN Y    (For all role ancestors Y of X.)
ROLE_ADMINISTER X ⇒ ROLE_ASSIGN X
G_ADMINISTER_USERS ⇔ G_HUB_DEBUG ⇔ G_SQL_CONSOLE ⇔ G_HUB_LOGS
G_ANNOTATION_EXPORT ⇒ ANALYSIS_WARNING_READ rootT    (where rootT is the root project tree)
G_ANNOTATION_IMPORT ⇒ ANALYSIS_ANNOTATE rootT    (where rootT is the root project tree)
G_CHANGE_OWN_CERTIFICATES ⇒ G_SIGN_IN_CERTIFICATE
G_CHANGE_OWN_PASSWORD ⇒ G_SIGN_IN_PASSWORD
G_FINDING_ADD ⇒ G_FINDING_DELETE
G_LICENSE_UTILIZATION_READ ⇒ G_LICENSE_READ
G_LICENSE_UTILIZATION_READ ⇒ G_LIST_USERS
G_LICENSE_WRITE ⇒ G_LICENSE_READ
G_PRIORITY_ADD ⇒ G_PRIORITY_DELETE
G_SIGN_IN_CERTIFICATE ⇒ G_SIGN_IN
G_SIGN_IN_PASSWORD ⇒ G_SIGN_IN
G_SIGN_IN ⇒ G_SIGN_IN_CERTIFICATE OR G_SIGN_IN_PASSWORD
G_STATE_ADD ⇒ G_STATE_DELETE
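Because the recommendations are a constraint system, they can be checked mechanically against a role configuration. The script below is an added example written for this page, not CodeSonar's own tooling or API: it encodes a representative subset of the constraints above in the page's own syntax, computes a role's effective permissions (its own plus those inherited from ancestor roles, per the Role section), reports every recommended-but-missing permission, and applies the common-case sign-in rule from the User Authentication table. The resources (rootT, P1, A1), the roles (viewer, triager, assigner) and their permission sets are constructed for the example; no hub export format is assumed, and scoping of a tree-level grant down to contained projects and analyses is deliberately not modelled.

```python
"""Checker for the recommended permission combinations above.  Added example,
not CodeSonar's own tooling: resources, roles and permission sets are
constructed here and no hub export format or API is assumed.  A permission is
(short name, resource); global G_* permissions use resource None."""

XTYPES = ("ANALYSIS", "PROJECT", "PTREE", "LAUNCHD", "LAUNCHDGROUP",
          "NAMEDSEARCH", "SAVEDCHART", "WPROCESSOR", "REPORTTEMPLATE", "ROLE")

# Subset of the page's constraint system in its own syntax (a <=> rule would be
# written as two => rules).  "X" is the antecedent's resource; "project(X)" is
# X for a project/project tree and the containing project for an analysis;
# "ancestors(X)" ranges over the parent roles of role X; any other token
# (e.g. rootT) is a literal resource name.
CONSTRAINTS = [
    "XTYPE_ADMINISTER X => XTYPE_DELETE X",
    "XTYPE_DELETE X => XTYPE_WRITE X",
    "XTYPE_WRITE X => XTYPE_READ X",
    "XTYPE_READ X => XTYPE_EXISTS X",
    "ANALYSIS_ANNOTATE X => ANALYSIS_WARNING_READ X",
    "ANALYSIS_ANNOTATE X => ANALYSIS_WRITE X",
    "ANALYSIS_ANNOTATE X => G_LIST_PROPERTIES",
    "ANALYSIS_ANNOTATE X => G_LIST_USERS",
    "ANALYSIS_EXISTS X => PROJECT_EXISTS project(X)",
    "ANALYSIS_WARNING_READ X => ANALYSIS_WARNING_EXISTS X",
    "ROLE_ASSIGN X => ROLE_WRITE X",
    "ROLE_ASSIGN X => ROLE_ASSIGN ancestors(X)",
    "G_ANNOTATION_EXPORT => ANALYSIS_WARNING_READ rootT",
    "G_SIGN_IN_PASSWORD => G_SIGN_IN",
    "G_SIGN_IN => G_SIGN_IN_CERTIFICATE OR G_SIGN_IN_PASSWORD",
]

# Constructed hub content: resource -> (type, container); rootT is the root tree.
RESOURCES = {"rootT": ("PTREE", None), "P1": ("PROJECT", "rootT"),
             "A1": ("ANALYSIS", "P1")}

# Constructed roles: name -> (parent roles, directly assigned permissions).
ROLES = {
    "viewer": ([], {("G_SIGN_IN", None), ("G_SIGN_IN_PASSWORD", None),
                    ("PROJECT_EXISTS", "rootT"), ("ANALYSIS_EXISTS", "rootT"),
                    ("ANALYSIS_READ", "rootT")}),
    "triager": (["viewer"], {("ANALYSIS_ANNOTATE", "A1"),
                             ("ANALYSIS_WARNING_READ", "A1")}),
    "assigner": ([], {("ROLE_ASSIGN", "triager"), ("ROLE_WRITE", "triager"),
                      ("ROLE_EXISTS", "triager")}),
}

def role_ancestors(role):
    """Parent roles of a role, transitively."""
    seen, stack = [], list(ROLES[role][0])
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.append(r)
            stack.extend(ROLES[r][0])
    return seen

def effective_permissions(role):
    """A role holds its own permissions plus those of every ancestor role."""
    perms = set(ROLES[role][1])
    for anc in role_ancestors(role):
        perms |= ROLES[anc][1]
    return perms

def rules():
    """Expand XTYPE into concrete (antecedent, [alternative consequents])."""
    out = []
    for c in CONSTRAINTS:
        for tpl in ([c.replace("XTYPE", t) for t in XTYPES] if "XTYPE" in c else [c]):
            ant, cons = (s.strip() for s in tpl.split("=>"))
            out.append((ant, [alt.strip() for alt in cons.split(" OR ")]))
    return out

def _resolve(token, res):
    """Concrete permissions one alternative requires (all of them must hold)."""
    name, *scope = token.split()
    if not scope:
        return [(name, None)]
    if scope[0] == "X":
        return [(name, res)]
    if scope[0] == "project(X)":
        rtype, container = RESOURCES[res]
        return [(name, container if rtype == "ANALYSIS" else res)]
    if scope[0] == "ancestors(X)":
        return [(name, anc) for anc in role_ancestors(res)]
    return [(name, scope[0])]  # literal resource name such as rootT

def _fmt(p):
    return p[0] if p[1] is None else f"{p[0]} {p[1]}"

def missing_recommendations(role):
    """Sorted (held permission, recommended-but-missing) pairs: the role holds
    the antecedent but satisfies none of the alternatives.  Resources are
    matched literally; tree-level grants are not propagated to children."""
    have, found = effective_permissions(role), set()
    for name, res in have:
        for ant, alts in rules():
            if ant.split()[0] != name:
                continue
            options = [_resolve(alt, res) for alt in alts]
            if not any(all(p in have for p in opt) for opt in options):
                needed = " OR ".join(" & ".join(map(_fmt, opt)) for opt in options)
                found.add((_fmt((name, res)), needed))
    return sorted(found)

def can_sign_in(user_roles):
    """Common case from the User Authentication table: G_SIGN_IN plus at least
    one of G_SIGN_IN_CERTIFICATE / G_SIGN_IN_PASSWORD across the user's roles."""
    names = {n for r in user_roles for n, _ in effective_permissions(r)}
    return "G_SIGN_IN" in names and bool(
        names & {"G_SIGN_IN_CERTIFICATE", "G_SIGN_IN_PASSWORD"})
```

Running missing_recommendations("triager") flags ANALYSIS_WRITE A1, G_LIST_PROPERTIES, G_LIST_USERS and ANALYSIS_WARNING_EXISTS A1, which is exactly the gap the Analysis table warns about for a role meant to annotate warnings; missing_recommendations("assigner") flags ROLE_READ triager and ROLE_ASSIGN viewer, the ancestor-role case from the Role section; and can_sign_in(["assigner"]) is False because that role carries no G_SIGN_IN. The ancestors(X) and OR cases show why the page's ⇒ is not a plain pairwise implication: one antecedent can require several permissions at once, or any one of several alternatives.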

To report problems with this documentation, please visit https://support.codesecure.com/.