Member Roles
Feature availability
This feature is available for Enterprise customers. See pricing plans for more details.
Snyk pre-defined roles (such as Group Admin) cannot be changed. Member Roles provides Role-Based Access Control (RBAC) for Snyk, allowing you to create and enforce advanced access by assigning a set of permissions to a role that will be granted to users.
Member roles allows Group Admins to:
This allows you to manage custom roles, granting your users the precise permissions they need to do their jobs across the Snyk platform. You can therefore ensure the right people have the right access to the right resources at the right time, while maximizing transparency and reducing organizational risk.
Group Admins can find the option under Select Group > Settings > Member Roles.
You can find the default roles - Org Admin and Org Collaborator. When you click each of these roles you can view the associated permissions, but cannot modify the default roles.
Click the Create new Role button and enter a role name and description. Role names should be unique and can contain alphanumeric characters plus spaces.

Create a new role
Click the Create role button. You will see basic details about the role in the top section.

Role basic info
The bottom section lists all the permissions available at the organization level that you use to define the role.

Organization level permissions
Choose the required permissions and click Update Role Permissions.

Update Role Permissions
When creating the role is complete, you will see the confirmation message at the top.

Role creation confirmation message
Group Admins can select a role (except for the default roles that are marked as locked) from the Member Roles list page and update the name, description and permissions at any time. You can view how the default roles are set up and duplicate those roles, but you cannot edit them.

Edit role details

Update Role Permissions
When updating the role is complete, you will see the confirmation message at the top.

Role change confirmation message
Group Admins can create a copy of an existing role by using the Duplicate role functionality. The system copies only the permissions associated with the role that you are duplicating; role memberships are not copied over.
You can use the Duplicate button next to each role in the Member Roles list page. Alternatively, select a role from the Member Roles list page and, on the Role details page, click the Duplicate Role button.

Member Roles List page with Duplicate Role buttons

Role details page with Duplicate button
Enter a unique name and description and click the Duplicate Role button. The Group Admin can then edit this role to assign new permissions to it or rescind any permissions already assigned.

Enter new role details
Group Admins can delete a role if it is no longer needed by opening the role from the Member Roles List page and clicking the Delete button.

Delete role
If the role is assigned to one or more users, including Service Accounts, you must select another role for them in order to delete the current role. This prevents the Group Admin from accidentally deleting a role and leaving members with no access to Snyk.
When the current role is deleted, all its existing members, including Service Accounts, are reassigned to the new role selected.

Prompt to reassign members and delete a role
Users who hold the permissions to manage members can assign the roles to members across all Organizations in the Group.
In the Web UI, select an Org > Members.
For any member (Name) except a Group Admin, the user can select the dropdown next to the current role and choose any role to assign that role to the member.
Select member role
Click the Add members button > Invite new members.
You can invite new members to the org by assigning them a specified role.

Invite new members
Choose Add members button > Add existing members to promote current Group Members to an org-specific role.
Snyk prevents users from assigning roles to others that have more privileges than what they already have. You will encounter the following error when trying to update the role of a member, invite a new member, or add an existing member with a role that has more privileges than the logged-in user.

User cannot assign more privileged role to another user
Users who have permission (Create Service Account) can set up new service accounts for their organization by choosing a role.
Select an Org > Settings > Service Accounts >
Provide a name, choose a role, and click Create.

Select a Role while creating Org Service Account
When you open a role that is assigned to Service Accounts, the system displays a warning message. Be mindful of the potential impact when updating the permissions associated with the role, or when deleting the role, which leads to reassigning the Service Accounts and users to a new role.

Snyk prevents users from creating organization service accounts with a role that has more privileges than what they already have. You will encounter the error below when trying to create a service account with a role that has more privileges than the logged-in user.

Member roles are supported as part of a Customized SSO authentication flow. All new and existing customers who have customized SSO can use the new roles they create in their IDP SAML assertions to provision users in their orgs with those roles.
If you already have Custom SSO set up, or you plan to create Member Roles after setting up Custom SSO, you can use Member Roles without any modification to the Custom SSO configuration on the Snyk side, as long as you send the normalized role name in your payload in the agreed format.
New member role SAML assertions follow Snyk's existing pattern for declaring org memberships in IDP payloads:
{snyk-prefix}-{org-slug}-{normalized-role-name},
for example: snyk-goof-developer_readonly
- snyk-prefix: snyk
- org-name: goof
- role-name: developer_readonly
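The following is an added example, not Snyk's code: a pre-flight check that parses IdP membership values in the pattern above and rejects any that are malformed or name a role not defined for that org. The character rules for slugs and normalized role names, the `ALLOWED` mapping and the sample values are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the Snyk docs): the prefix is the literal "snyk", org
# slugs use lowercase letters, digits and hyphens, and normalized role names
# use lowercase letters, digits and underscores only. Because the role part
# then contains no hyphen, the last hyphen separates org slug from role.
MEMBERSHIP = re.compile(r"snyk-(?P<org>[a-z0-9][a-z0-9-]*)-(?P<role>[a-z0-9_]+)")

def parse_membership(value):
    """Return (org_slug, role_name), or None if the value is malformed."""
    m = MEMBERSHIP.fullmatch(value)
    return (m["org"], m["role"]) if m else None

def audit_claims(values, allowed):
    """Split IdP values into accepted (org, role) pairs and rejected strings.

    allowed maps org slug -> set of normalized role names that exist there.
    """
    accepted, rejected = [], []
    for value in values:
        parsed = parse_membership(value)
        if parsed and parsed[1] in allowed.get(parsed[0], set()):
            accepted.append(parsed)
        else:
            rejected.append(value)
    return accepted, rejected

# Constructed sample data: the page's example org plus a hyphenated slug.
ALLOWED = {"goof": {"developer_readonly"}, "payments-api": {"developer_readonly"}}
SAMPLE = [
    "snyk-goof-developer_readonly",          # the page's example
    "snyk-payments-api-developer_readonly",  # hyphen inside the org slug
    "snyk-goof-Developer ReadOnly",          # display name, not normalized
    "snyk-goof-org_owner",                   # role not defined for the org
    "goof-developer_readonly",               # missing prefix
]

if __name__ == "__main__":
    ok, bad = audit_claims(SAMPLE, ALLOWED)
    print("accepted:", ok)
    print("rejected:", bad)
```

Running the check against the values an IdP group mapping will emit, before rollout, surfaces typos and stale role names that would otherwise leave users without the intended role.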

Create a new role similar to Org Collaborator but which blocks the ability to ignore issues.
Permissions:
Add Project
Create Jira issues
Create Pull Requests
Edit Project
Edit Project Tags
Project Status
Remove Project
Remove Targets
Test Packages
Test Project
User Leave
View Audit Logs
View Entitlements
View Integrations
View Jira issues
View Organization
View Organization Reports
View Preview Features
View Project
View Project History
View Project Ignores
View Targets
View Users
Create a new role with permissions only to review dashboards and reporting for their management and executive teams.
Permissions:
View Organization
View Organization Reports
View Project
View Project History
For additional operations on the Dashboard add:
Add Project
Create Pull Requests
Create a new role that blocks use of Snyk Monitor.
Permissions:
View Organization
View Project
Test Packages
Test Project
View Preview Features
Full Access CLI Tester
Create a new role that can use Snyk Test and Snyk Monitor.
Permissions:
View Organization
View Project
View Project History
Test Packages
Add Project
Test Project
View Preview Features
- Permissions granted to users via Roles enable the same capabilities across all Snyk environments: Web UI, API, CLI, and IDE.
- View Organization permission is needed by default for all organization level member roles.
- If the Role is expected to view project-related data of an organization along with other operations, View Organization, View Project, and View Project History permissions should be added to the role at a minimum.
- View Preview Features permission is required to run a Snyk Container test and Snyk IaC test.
- Snyk prevents role privileges from escalating so that users cannot assign a higher privileged role to others or cannot create service accounts with a higher privileged role.
- It is advisable to use the Duplicate Role functionality and create a copy of a standard role and then amend the permissions instead of building a role from scratch if you are unsure about the permissions.
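As an added example (not Snyk's code), the sketch below reviews a set of planned role definitions: it flags roles that lack View Organization and, for any holder role, lists which other roles add no permissions beyond the holder's own. Treating "more privileges" as a permission-subset test is an assumption made for planning purposes, not Snyk's documented logic; the role keys are hypothetical labels and `broken_draft` is constructed.

```python
# Permission sets copied from the use-case lists on this page; the dictionary
# keys are hypothetical labels chosen for this example.
REPORTING = {"View Organization", "View Organization Reports",
             "View Project", "View Project History"}
ROLES = {
    "reporting": REPORTING,
    # Reporting plus the page's "additional operations on the Dashboard".
    "reporting_plus": REPORTING | {"Add Project", "Create Pull Requests"},
    "test_and_monitor": {"View Organization", "View Project",
                         "View Project History", "Test Packages",
                         "Add Project", "Test Project",
                         "View Preview Features"},
    # Constructed, deliberately incomplete draft to exercise the lint.
    "broken_draft": {"View Project", "Test Project"},
}

def missing_view_organization(roles):
    """Roles that lack the permission the page says every org role needs."""
    return sorted(n for n, perms in roles.items()
                  if "View Organization" not in perms)

def extra_permissions(holder, target, roles):
    """Permissions the target role has that the holder's role lacks."""
    return sorted(roles[target] - roles[holder])

def assignable_by(holder, roles):
    """Roles adding nothing beyond the holder's permissions (subset model,
    an assumption about how 'more privileges' is evaluated)."""
    return sorted(n for n in roles
                  if n != holder and not extra_permissions(holder, n, roles))

if __name__ == "__main__":
    print("missing View Organization:", missing_view_organization(ROLES))
    for name in ROLES:
        print(name, "->", assignable_by(name, ROLES))
    print("reporting adds over test_and_monitor:",
          extra_permissions("test_and_monitor", "reporting", ROLES))
```

The output shows that roles can be incomparable: neither `reporting` nor `test_and_monitor` contains the other, which matters when deciding who should be able to delegate which role.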