# Roles and Permissions

> Understand roles and permissions in Codepure’s platform for secure application development.

Codepure’s **Role-Based Access Control (RBAC)** is designed to support secure collaboration between security teams and developers. It ensures that each role has only the access it needs to perform its tasks while maintaining strong governance over security workflows.

## ✅ Role Summary Table

| **Feature / Action**                              | **Admin** | **AppSec** |    **Developer**    |
| :------------------------------------------------ | :-------: | :--------: | :-----------------: |
| **System & Administration**                       |           |            |                     |
| Manage users, roles, and billing                  |     ✅     |      ❌     |          ❌          |
| View Audit Logs                                   |     ✅     |      ❌     |          ❌          |
| Configure system-wide settings (LDAP, SMTP)       |     ✅     |      ❌     |          ❌          |
| Generate and manage API Tokens                    |     ✅     |      ❌     |          ❌          |
| **Integrations & Setup**                          |           |            |                     |
| Setup/Delete Integrations (GitHub, GitLab, Azure) |     ✅     |      ❌     |          ❌          |
| Import projects / Clone repositories              |     ✅     |      ✅     |          ❌          |
| Configure DevSecOps CI/CD Policies                |     ✅     |      ✅     |          ❌          |
| **Project & Vulnerability Management**            |           |            |                     |
| View **all** projects and dashboards              |     ✅     |      ✅     | ❌ *(only assigned)* |
| Assign projects to developers                     |     ✅     |      ✅     |          ❌          |
| Run/Trigger Scans (SAST, SCA, Container, Secret)  |     ✅     |      ✅     |          ❌          |
| Add/Manage Custom SAST Rules                      |     ✅     |      ✅     |          ❌          |
| Approve/Reject vulnerabilities                    |     ✅     |      ✅     |          ❌          |
| Generate PDF Security Reports                     |     ✅     |      ✅     |          ❌          |
| View assigned scan results                        |     ✅     |      ✅     |          ✅          |
| Verify bugs (Mark Fixed / False Positive)         |     ✅     |      ✅     |          ✅          |

***

## 🔑 **Role Descriptions**

### **Admin**

* Has **full control** over the Codepure platform.
* The *only* role that can manage **users, billing, API tokens, and Audit Logs**.
* The *only* role that can **setup or delete integrations** (GitHub, GitLab, Azure).
* Can create/manage all projects, run scans, and approve vulnerabilities.
* Intended for **platform owners, CTOs, or Lead Security Architects**.

### **AppSec (Application Security Analyst)**

* Can **import projects** from existing integrations (configured by Admins).
* Can **run scans**, view all projects, and generate PDF security reports.
* Manages the vulnerability lifecycle: after a developer marks a bug as fixed, the AppSec role can **approve or reject** it.
* Can manage custom **SAST Rules** and **DevSecOps Policies**.
* **Cannot** manage users, roles, system integrations, or view Audit Logs.
* Intended for **Security Engineers and Analysts**.

### **Developer**

* Has access **only to projects explicitly assigned to them**.
* Can view vulnerabilities and bug summaries for their assigned projects.
* Can **verify vulnerabilities** by marking them as:
  * ✅ **Fixed** (after applying a code fix), or
  * 🚫 **False Positive**.
* **Cannot** run scans, approve their own fixes, generate reports, or access other projects.
* Intended for **software engineers** working on remediation.
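The role matrix and the fix-review workflow described above, encoded as a default-deny policy check. This is an added illustration, not Codepure’s own code; the action names, the `User` and `Finding` shapes and the status values are assumptions chosen to mirror the table.

```python
from dataclasses import dataclass

# Actions that are not project-scoped, per role, taken from the Role Summary Table.
# Action names are assumed labels, not Codepure identifiers.
GLOBAL_ACTIONS = {
    "admin": {"manage_users", "view_audit_logs", "configure_system", "manage_api_tokens",
              "setup_integrations", "import_projects", "configure_policies", "assign_projects",
              "run_scan", "manage_sast_rules", "approve_vulnerability", "generate_report"},
    "appsec": {"import_projects", "configure_policies", "assign_projects", "run_scan",
               "manage_sast_rules", "approve_vulnerability", "generate_report"},
    "developer": set(),
}
# Project-scoped actions: Admin/AppSec on every project, Developer only on assigned ones.
PROJECT_ACTIONS = {"view_scan_results", "verify_bug"}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    assigned_projects: frozenset = frozenset()

def is_allowed(user, action, project=None):
    """Default-deny check: unknown roles, unknown actions and unassigned projects fail."""
    if action in GLOBAL_ACTIONS.get(user.role, set()):
        return True
    if action in PROJECT_ACTIONS and project is not None:
        return user.role in ("admin", "appsec") or project in user.assigned_projects
    return False

@dataclass
class Finding:
    project: str
    status: str = "open"  # assumed states: open -> fixed_pending_review -> closed (or back to open)

def mark_fixed(user, finding):
    """Developer marks a bug Fixed on an assigned project; the fix then awaits AppSec review."""
    if not is_allowed(user, "verify_bug", finding.project):
        raise PermissionError(f"{user.name} may not verify bugs in {finding.project}")
    finding.status = "fixed_pending_review"
    return finding

def review_fix(user, finding, approve):
    """AppSec or Admin approves (closes) or rejects (reopens) a developer-marked fix."""
    if not is_allowed(user, "approve_vulnerability"):
        raise PermissionError(f"{user.name} may not approve or reject vulnerabilities")
    finding.status = "closed" if approve else "open"
    return finding
```

Because a Developer has no `approve_vulnerability` permission, `review_fix` rejects them even on their own assigned project, which is the separation between marking a fix and approving it that the role descriptions call for.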

***

## ⚙️ **How to Assign Roles and Projects**

1. Navigate to **User Management** in the Codepure dashboard (Admin only).
2. Assign the role (**Admin**, **AppSec**, or **Developer**) to a user.
3. If assigning a **Developer**, navigate to the specific project and grant them access.
4. Click **Save** to apply changes.

***

## 🛡️ **Best Practices**

* Keep **Admin** access strictly limited to a few key security leads.
* Use **AppSec** roles for your daily security engineers managing scans and triage.
* Assign **Developers** only the specific projects they are actively working on to maintain the principle of **Least Privilege**.
* (Admins) Regularly review the **Audit Logs** to ensure compliance and security integrity.
