Skip to main content

Add, edit, or delete an organization access group

Use organization access groups to assign users permissions and capabilities by role.

Contrast provides default access groups that you can use instead of creating your own:

  • View: Members of this group have read-only access to the Contrast interface to see scores, libraries, vulnerabilities and comments.

  • Edit: Members of this group can remediate findings, add tags, manage vulnerabilities, edit attributes, merge applications, add or delete applications, and create servers.

  • Rules Admin: Members of this group can edit rules and policies in the application, enable Protect, manage notifications and scoring.

  • Admin: Members of this group can configure and manage settings for the organization.

Before you begin

An Organization Administrator role is required.

  1. Under organization settings, select Groups.

  2. Select an existing group to edit, or select Add group to create a new group.


    To find groups you can use the quick filter dropdown or the search field in the top left, or use the up/down arrows at the top of each column to sort.

    The default groups that Contrast provides, indicated with a lock icon, have fixed applications and roles, and can't be deleted. You can only add or remove users from these default groups.

  3. Fill out the form with:

    • Group name: Choose something that reflects the purpose, permissions and capabilities you will assign to this group.

    • Application access: Select the application name here to associate this group with the application. You can also set a group name when you are setting up a new application.

    • Role: Select the application role you want the members of this group to have within the corresponding application.

    • Select Add access to add more applications and roles.

  4. Next to Members, on the right, type ahead to select one or more users to assign to the group.

  5. When you are finished, select Add to create the new group.


    If users are assigned to two groups with conflicting roles for all applications or organizations, the role that provides the most restrictive access applies.

  6. To delete a group, select User menu > Organization settings > Groups. Find the group you want to delete and select the Delete icon in that row.

    Once this is confirmed, the group is removed and any access provided by that group is revoked from all users assigned to the group.


To assign a user a role for all applications in the organization, assign them both an organization role and an application role from the default role groups. (For example, set both the organization and application roles to "Administrator" and they will have administrator permissions for all applications in your organization.)

To give a user access to a particular application, create an access group for that application and add the user to that group. Users not assigned to any application access groups won't have access. A user can have various roles across applications within a single organization.

Most Contrast customers use single organization deployments. Groups created at an organization level impact the roles and permissions across that particular organization. Organization access groups can also be created at a system level to allow users access to more than one organization