Member Roles

Feature availability: This feature is available for Enterprise customers. See pricing plans for more details.

Snyk pre-defined roles, such as Group Admin, cannot be changed. The Member Roles feature provides Role-Based Access Control (RBAC) for Snyk, allowing you to create and enforce customized access by assigning a set of permissions to a role that will be granted to users.

You can manage roles, assign roles to users or to service accounts, and use roles with SSO.

Manage roles

The Member Roles feature allows Group Admins to manage custom roles, granting users exactly the permissions they need to do their jobs across the Snyk platform. This ensures the right people have the right access to the right resources at the right time, maximizing transparency and reducing organizational risk.

Create a Role

Group Admins can find this option under Select Group > Settings > Member Roles.

You will find the default roles, Org Admin and Org Collaborator. When you click each of these roles, you can view the associated permissions, but you cannot modify the default roles.

Click the Create new Role button and enter a role name and description. Role names should be unique and can contain alphanumeric characters plus spaces.

Create a new role

Click the Create role button. Basic details about the role appear in the top section.

Basic information about a role

The bottom section lists all the permissions available at the Organization level that you can use to define the role.

Organization level permissions
More Organization level permissions

Choose the required permissions and click Update Role Permissions.

If you grant the Move Project permission to a role, you must also grant Add Project for the Organization to which the Project is being moved.

Update Role Permissions

When the process of creating a role completes, a confirmation message appears.

Role creation confirmation message

Edit a Role

Group Admins can select a role (except for the default roles, which are marked as locked) from the Member Roles list page and update the name, description, and permissions at any time. You can view how the default roles are set up and duplicate them, but you cannot edit them.

Update Role Details

Select the permissions from the list at the bottom and click Update Role Permissions.

Update Role Permissions

When the process of updating a role completes, a confirmation message appears.

Role update confirmation message

Duplicate a Role

Group Admins can create a copy of an existing role by using the Duplicate role functionality. The system copies only the permissions associated with the role that you are duplicating; role memberships are not copied over.

To copy a role, use the Duplicate button next to each role in the Member Roles list, or select a role from the Member Roles list page, and when the Role details page opens, click the Duplicate Role button.

Member Roles List with Duplicate button for each role
Role details page with Duplicate button

Enter a unique name and description and click the Duplicate Role button. A Group Admin can then edit this role to assign new permissions to it or rescind any permissions already assigned.

Enter new role details

Delete a Role

Group Admins can delete a role if it is no longer needed by opening the role from the Member Roles List, clicking the Delete button, and confirming the delete action.

Delete role

If the role is assigned to one or more users, including Service Accounts, you must select another role for them before you can delete the current role. This restriction prevents the Group Admin from accidentally deleting a role and leaving members with no access to Snyk.

When the current role is deleted, all its existing members, including Service Accounts, are reassigned to the newly selected role.

Prompt to delete a role and reassign members

Assign roles

Assign roles to users

Users who hold the permissions to manage members can assign roles to members across all Organizations in the Group.

Using the Update a member's role in the organization API call, you can update the role of members in their Organizations.

In the Web UI, select an Org > Members.

For any member (Name) except a Group Admin, you can open the dropdown next to the current role and choose any role to assign it to the member.

Select member role

You can invite new members to the Organization by assigning them a specified role.

Click the Add members button > Invite new members.

Invite new members

Click the Add members button > Add existing members to promote current Group Members to an Organization-specific role.

User cannot assign more privileged role to another user

Assign roles to Service Accounts

Users who hold the Create Service Account permission can set up new service accounts for their Organization by choosing a role.

Select an Org > Settings > Service Accounts > Provide a name, choose a role, and click Create.

Select a Role while creating Org Service Account

When you open a role that is assigned to Service Accounts, the system displays a warning message. Be mindful of the potential impact when you update the permissions of such a role or delete it, because deleting it reassigns the Service Accounts and users to a new role.

Warning that you are about to change a role assigned to a service account
User cannot assign a more privileged role to a service account

Use roles in custom SSO

Member roles are supported as part of a customized SSO authentication flow. All new and existing customers who have customized SSO can use new roles they create in their IdP SAML assertions to provision users in their Organizations with those roles.

If you are a customer who already has Custom SSO set up, or you are planning to create Member Roles after setting up Custom SSO, you can use Member Roles without any modification to the Custom SSO config on the Snyk side, as long as you send the normalized role name in your payload in the agreed format.

New member role SAML assertions follow Snyk's existing pattern for declaring Organization memberships in IdP payloads: {snyk-prefix}-{org-slug}-{normalized-role-name}, for example snyk-goof-developer_readonly, which breaks down as:

  • snyk-prefix: snyk

  • org-slug: goof

  • normalized-role-name: developer_readonly

Normalized name for a member role displayed in the Web UI
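The value format above is simple to emit but ambiguous to consume: splitting on "-" alone breaks when an Organization slug itself contains hyphens. The following is an added example (not Snyk's code) of how an operator can build these values and, more usefully, validate the group values an IdP sends before treating them as role assignments, matching against the Organization slugs and role names that are already known. The normalization helper assumes that the Web UI lowercases the display name and replaces runs of non-alphanumeric characters with "_"; the page does not state that rule, so copy the normalized name the Web UI shows rather than relying on the helper. The org slugs, role names and group values in the sample are constructed.

```python
"""Build and validate Snyk member-role values carried in SAML assertions.

Format on the documentation page: {snyk-prefix}-{org-slug}-{normalized-role-name},
e.g. "snyk-goof-developer_readonly".
"""
import re

SNYK_PREFIX = "snyk"


def normalize_role_name(display_name: str) -> str:
    """ASSUMPTION: lowercase, runs of non-alphanumerics become "_".
    Prefer the normalized name shown in the Web UI over this helper."""
    return re.sub(r"[^a-z0-9]+", "_", display_name.strip().lower()).strip("_")


def build_assertion_value(org_slug: str, normalized_role_name: str) -> str:
    """Compose the group value an IdP should send for one Org/role pair."""
    return f"{SNYK_PREFIX}-{org_slug}-{normalized_role_name}"


def parse_assertion_value(value: str, known_org_slugs):
    """Return (org_slug, role_name) or None if the value is not recognised.

    Longest-slug-first matching resolves hyphenated Organization slugs such as
    "my-org" without guessing where the slug ends and the role name begins.
    """
    prefix = SNYK_PREFIX + "-"
    if not value.startswith(prefix):
        return None
    rest = value[len(prefix):]
    for slug in sorted(known_org_slugs, key=len, reverse=True):
        if rest.startswith(slug + "-"):
            role = rest[len(slug) + 1:]
            if role:
                return slug, role
    return None


def provision_plan(group_values, known_orgs):
    """Map IdP group values to Org -> role assignments.

    known_orgs: {org_slug: set of normalized role names that exist in that Org}.
    Returns (accepted, rejected): accepted is {org_slug: role_name}; rejected
    lists values with an unknown prefix, Org or role, or a conflicting second
    role for the same Organization (a member holds one role per Org).
    """
    accepted, rejected = {}, []
    for value in group_values:
        parsed = parse_assertion_value(value, known_orgs)
        if parsed is None or parsed[1] not in known_orgs[parsed[0]]:
            rejected.append(value)
            continue
        org, role = parsed
        if org in accepted and accepted[org] != role:
            rejected.append(value)  # second, conflicting role for the same Org
            continue
        accepted[org] = role
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two Orgs, one with a hyphenated slug.
    known = {"goof": {"developer_readonly", "admin"}, "my-org": {"collaborator"}}
    values = [
        "snyk-goof-developer_readonly",   # valid
        "snyk-my-org-collaborator",       # valid, hyphenated slug
        "snyk-my-org-admin",              # role does not exist in my-org
        "okta-goof-admin",                # wrong prefix
    ]
    print(provision_plan(values, known))
```

Running the block prints the accepted assignments for goof and my-org and the two rejected values; the rejected list is what you would alert on, since an unrecognised value usually means an IdP group mapping drifted from the roles defined in Snyk.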

Sample roles

Org Collaborator who cannot ignore issues

Create a new role similar to Org Collaborator but which blocks the ability to ignore issues.

Permissions:

  • Add Project

  • Create Jira issues

  • Create Pull Requests

  • Edit Project

  • Edit Project Tags

  • Project Status

  • Remove Project

  • Remove Targets

  • Test Packages

  • Test Project

  • User Leave

  • View Audit Logs

  • View Entitlements

  • View Integrations

  • View Jira issues

  • View Organization

  • View Organization Reports

  • View Preview Features

  • View Project

  • View Project History

  • View Project Ignores

  • View Targets

  • View Users

Dashboard and report reviewer

Create a new role with permissions only to review dashboards and reporting, for management and executive teams.

Permissions:

  • View Organization

  • View Organization Reports

  • View Project

  • View Project History

For additional operations on the Dashboard add:

  • Add Project

  • Create Pull Requests

Read-only CLI Tester

Create a new role that blocks use of snyk monitor.

Permissions:

  • View Organization

  • View Project

  • Test Packages

  • Test Project

  • View Preview Features

Full Access CLI Tester

Create a new role that can use snyk test and snyk monitor.

Permissions:

  • View Organization

  • View Project

  • View Project History

  • Test Packages

  • Add Project

  • Test Project

  • View Preview Features

Things to remember in working with Member Roles

  • Permissions granted to users via Roles enable the same capabilities across all Snyk environments: Web UI, API, CLI, and IDE.

  • The permission View Organization is needed by default for all Organization-level member roles.

  • If the role is expected to view project-related data of an organization along with other operations, the View Organization, View Project, and View Project History permissions should be added to the role at minimum.

  • The permission View Preview Features is required to run snyk container test and snyk iac test.

  • Snyk prevents role privileges from escalating so that users cannot assign a higher privileged role to others and cannot create service accounts with a higher privileged role.

  • If you are unsure about the permissions, it is advisable to use the Duplicate Role functionality to copy a standard role and then amend its permissions rather than build a role from scratch.
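The sample roles and the points above describe a handful of invariants: every Organization-level role needs View Organization, Move Project depends on Add Project, View Preview Features gates snyk container test and snyk iac test, and a user can never hand out more privilege than they hold. The following is an added example (not Snyk's code) that models roles as permission sets and checks those invariants before a role is created or assigned. The permission names are the ones listed on this page. Two things are assumptions: the per-command permission requirements are inferred from the difference between the Read-only and Full Access CLI Tester samples (snyk monitor needing Add Project), and the escalation rule is modelled as a plain subset test, which the page states as a behaviour but does not define in those terms.

```python
"""Lint Snyk custom member roles against the rules stated on the documentation page."""

# Rule from the page: every Organization-level role needs View Organization.
REQUIRED_FOR_ALL = {"View Organization"}

# Rule from the page: Move Project requires Add Project in the destination Org.
DEPENDS_ON = {"Move Project": {"Add Project"}}

# ASSUMPTION: inferred from the sample CLI roles on the page; not an official
# mapping. snyk monitor is the only command that also needs Add Project, and
# the page states View Preview Features is needed for container and iac tests.
CLI_REQUIREMENTS = {
    "snyk test": {"View Organization", "View Project", "Test Project"},
    "snyk monitor": {"View Organization", "View Project", "Test Project", "Add Project"},
    "snyk container test": {"View Organization", "View Project", "Test Project", "View Preview Features"},
    "snyk iac test": {"View Organization", "View Project", "Test Project", "View Preview Features"},
}

# Sample roles exactly as listed on the page.
SAMPLE_ROLES = {
    "Dashboard and report reviewer": {
        "View Organization", "View Organization Reports", "View Project", "View Project History",
    },
    "Read-only CLI Tester": {
        "View Organization", "View Project", "Test Packages", "Test Project", "View Preview Features",
    },
    "Full Access CLI Tester": {
        "View Organization", "View Project", "View Project History", "Test Packages",
        "Add Project", "Test Project", "View Preview Features",
    },
}


def lint_role(perms: set) -> list:
    """Return human-readable problems with a proposed permission set (empty if fine)."""
    problems = []
    for p in sorted(REQUIRED_FOR_ALL - perms):
        problems.append(f"missing baseline permission: {p}")
    for p, deps in DEPENDS_ON.items():
        if p in perms:
            for d in sorted(deps - perms):
                problems.append(f"{p} requires {d}")
    return problems


def allowed_cli_commands(perms: set) -> set:
    """Which CLI commands a role can run under the (assumed) CLI_REQUIREMENTS."""
    return {cmd for cmd, needed in CLI_REQUIREMENTS.items() if needed <= perms}


def can_assign(assigner_perms: set, target_role_perms: set) -> bool:
    """Escalation guard: only grant roles whose permissions you hold yourself.
    Models the page's rule that a user cannot assign a more privileged role."""
    return target_role_perms <= assigner_perms


def derive_role(base_perms: set, remove=(), add=()) -> set:
    """Duplicate-then-amend, as the page recommends: start from a known role."""
    return (set(base_perms) - set(remove)) | set(add)


if __name__ == "__main__":
    for name, perms in SAMPLE_ROLES.items():
        print(name, "->", sorted(allowed_cli_commands(perms)), lint_role(perms))
    # A role built from scratch that forgets the baseline and the Move dependency.
    print(lint_role({"View Project", "Move Project"}))
    full, readonly = SAMPLE_ROLES["Full Access CLI Tester"], SAMPLE_ROLES["Read-only CLI Tester"]
    print("full can assign readonly:", can_assign(full, readonly))
    print("readonly can assign full:", can_assign(readonly, full))
```

The derive_role helper mirrors the advice to duplicate a standard role and amend it; combined with lint_role it gives a cheap pre-flight check in a script that manages roles, so a role that would strand members without View Organization, or a Move Project role missing Add Project, never reaches the Web UI.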
