Overview
Users are workspace members with assigned roles. Each role grants a set of permissions that control what actions a user can take. Your VCS identity (GitHub or GitLab account) can also be linked to your Cysmiq user to sync repository-level permissions.
Roles
Each workspace has predefined roles with different permission levels:
| Role | Description |
|---|---|
| Owner | Full workspace access. Can manage all settings, users, integrations, and billing. |
| Admin | Manage repositories, vulnerabilities, and reports. Cannot manage members or billing. |
| Security Engineer | Vulnerability management, scanning, and reports. Focused on security operations. |
| Reporting | Read-only access to repositories, vulnerabilities, and reports. |
| Developer | Base role with permissions inherited from VCS. See VCS permission sync. |
Users provisioned through VCS are assigned the Developer role by default.
VCS identity linking
When you authenticate with GitHub or GitLab, your VCS identity can be linked to your Cysmiq user. This enables:
- Automatic permission sync: your repository access in GitHub/GitLab maps to Cysmiq permissions
- Attribution: vulnerabilities can be attributed to the developer who introduced them
- VCS login: sign in with GitHub when enabled for the workspace
VCS permission sync
For users with the Developer role, permissions are inherited from your VCS platform:
| GitHub Permission | Cysmiq Access |
|---|---|
| Read | View repository |
| Write | View/edit repository, trigger scans, view vulnerabilities |
| Admin | Full repository and vulnerability access |

| GitLab Permission | Cysmiq Access |
|---|---|
| Guest | View repository |
| Reporter | View repository, trigger scans, view vulnerabilities |
| Developer | View/edit repository, trigger scans, view/edit vulnerabilities |
| Maintainer/Owner | Full repository and vulnerability access |
Permission structure
Permissions follow a domain:action:resource pattern:
- `repository:view:*`: view all repositories
- `vulnerability:edit:repo-123`: edit vulnerabilities in a specific repository
- `user:invite`: invite new users to the workspace
This structure allows both broad role-based access and fine-grained repository-level permissions.
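
The following sketch shows how a check against `domain:action:resource` strings can be evaluated so that it fails closed. It is an added example, not Cysmiq's own code. It assumes `*` is honoured only in the resource position, that resources are compared exactly, and that no action implies another; the function names and the `repo-999` and `repo-1234` ids are constructed for illustration.

```python
from typing import Iterable, NamedTuple, Optional


class Permission(NamedTuple):
    domain: str
    action: str
    resource: Optional[str]  # None for two-part permissions such as user:invite


def parse(text: str) -> Permission:
    """Split domain:action[:resource]; reject empty or extra segments."""
    parts = text.split(":")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed permission: {text!r}")
    return Permission(parts[0], parts[1], parts[2] if len(parts) == 3 else None)


def grants(granted: Permission, required: Permission) -> bool:
    # Assumption: domain and action match exactly; one action never implies another.
    if (granted.domain, granted.action) != (required.domain, required.action):
        return False
    # Assumption: "*" is honoured only in the resource position.
    if granted.resource == "*":
        return required.resource is not None
    # Exact comparison, so repo-123 does not cover repo-1234.
    return granted.resource == required.resource


def is_allowed(granted: Iterable[str], required: str) -> bool:
    """Deny by default: malformed input on either side grants nothing."""
    try:
        need = parse(required)
    except ValueError:
        return False
    for text in granted:
        try:
            if grants(parse(text), need):
                return True
        except ValueError:
            continue
    return False


# Constructed grant set built from the three permissions shown above.
SAMPLE_GRANTS = ["repository:view:*", "vulnerability:edit:repo-123", "user:invite"]

if __name__ == "__main__":
    for request in ("repository:view:repo-999", "vulnerability:edit:repo-1234",
                    "vulnerability:edit:*", "user:invite"):
        print(request, "->", is_allowed(SAMPLE_GRANTS, request))
```

A repository-scoped grant never satisfies a request for `*`, and a prefix of a repository id never matches a longer id, which are the two mistakes most likely to widen access in a matcher of this kind.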