Roles (Preview) 
Roles let you define the applications, projects, and organization settings that users with a specific role can access.
Note
This feature is supported for hosted customers only and is in preview mode. For access to this feature, contact Contrast support.
On-premises customers manage access to Contrast by setting up organization users and groups.
Contrast provides a set of built-in roles, or you can add custom roles.
Roles tab
The Roles tab displays the list of existing roles. From this tab, you can:
View a list of roles.

Associated user access groups
The summary for a specific role contains a list of associated user access groups. To view this list, select and edit the role.
Built-in roles and actions
Each action associated with a role provides permissions for a specific set of tasks and data.
Note
You cannot change the settings for the built-in roles. To view the settings for roles, select the View icon.
Organization roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
Organization viewer | All organization settings | View organization |
Organization editor | All organization settings | Edit organization settings; Inherited actions: |
Organization administrator | All access control settings; All organization settings | Manage organization; Manage platform organization; Access Protect; Manage Protect exclusions; Manage Protect policies; Manage Protect sensitive data policies; View audit logs; Inherited actions: |
Organization rules administrator | All organization settings | Manage organization rules; Inherited actions: |
App Security roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
App Security administrator | All applications; All organization settings; All projects | Manage application rule; View, edit, delete projects; View organization |
App security engineer | All applications | View attack data; Inherited actions: |
DevOps roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
DevOps administrator | All applications; All organization settings; All projects; All resource groups; All roles; All user access groups | Manage organization; View application; View project; View organization; Inherited actions: |
Application roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
Application viewer | All applications | View application |
Application editor | All applications | Edit application; Inherited actions: |
Application administrator | All applications | Manage application; Inherited actions: |
Application rules administrator | All applications | Manage application rule; Inherited actions: |
Scan project roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
Project viewer | All projects | View project |
Scan uploader | All projects | Upload scans; Inherited actions: |
Project administrator | All projects | View, edit, delete projects; Create project; Inherited actions: |
Protect roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
Protect viewer | All applications | Access Protect |
Protect policies administrator | All applications | Manage Protect policies |
Protect exclusions administrator | All Protect exclusions | Manage Protect exclusions; Inherited actions: |
Protect sensitive data administrator | All Protect sensitive data policies | Manage Protect sensitive data policies; Inherited actions: |
SCA roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
SCA project group administrator | All organization settings; All SCA project groups | Create SCA projects; View, edit, delete SCA projects; Inherited actions: |
SCA project group viewer | All SCA project groups | View SCA projects |
Serverless roles
This role: | Includes these built-in resource groups: | And these actions: |
---|---|---|
Serverless user | All functions | View Serverless |