
Roles & Role-Based Access Control

Plexicus uses role-based access control (RBAC) to manage what each team member can do. Assign built-in roles or create custom roles tailored to your organization's structure.


Built-In Roles

Developer

Permissions:

  • View findings from all applications
  • Create and manage remediations
  • Run scans
  • Review audit logs (read-only)

Limitations:

  • Cannot modify organization settings
  • Cannot manage team members or roles
  • Cannot access billing or plan information
  • Cannot delete applications

Use Case: Team members who focus on remediating findings and on code quality.

Cyberoper (Security Operations)

Permissions:

  • All Developer permissions, plus:
  • Manage security policies
  • Configure integrations (SCM, cloud providers)
  • Manage application inventory
  • View organization-level analytics and dashboards
  • Configure container registry connections
  • Access compliance reports (Scale plan+)

Limitations:

  • Cannot manage billing or subscription
  • Cannot manage team members or roles
  • Cannot access audit logs (no retroactive access)

Use Case: Security engineers and DevSecOps professionals who configure tools and policies.

Admin

Permissions:

  • All Cyberoper permissions, plus:
  • Manage team members (invite, remove, assign roles)
  • Create and modify custom roles
  • Configure authentication (SSO, SAML, OIDC)
  • Manage billing and subscription (SaaS)
  • Export and archive audit logs
  • Access break-glass emergency recovery (self-hosted)

Limitations:

  • None — Admins have full access.

Use Case: Team leads and organizational admins responsible for team and system management.


Permission Matrix

Feature               Developer   Cyberoper   Admin
View findings         ✅          ✅          ✅
Create remediations   ✅          ✅          ✅
Run scans             ✅          ✅          ✅
Manage integrations   ❌          ✅          ✅
Manage policies       ❌          ✅          ✅
Manage team members   ❌          ❌          ✅
Create custom roles   ❌          ❌          ✅
Configure SSO/SAML    ❌          ❌          ✅
Manage billing        ❌          ❌          ✅
Export audit logs     ❌          ❌          ✅

Managing Team Members

Add a Team Member

  1. Navigate to Settings → Organization → Team.
  2. Enter the new member's email address.
  3. Select their role:
    • Developer
    • Cyberoper
    • Or a custom role (if you've created one)
  4. Click Create.
  5. The team member receives an email invitation.

Note: If SSO is enforced, new users must log in via your organization's identity provider. Ensure they're already provisioned in your IdP before sending the invitation.

Remove a Team Member

  1. Navigate to Settings → Organization → Team.
  2. Find the team member in the list.
  3. Click Remove.
  4. Confirm the action.

The user's access is immediately revoked. Their account is not deleted; the admin can re-invite them later.

Change a Team Member's Role

  1. Navigate to Settings → Organization → Team.
  2. Click on the team member's row or Edit.
  3. Select a new role.
  4. Click Save.

The new permissions take effect on the user's next action; no re-login is required.


Custom Roles

Info: Creating custom roles requires Admin permissions.

Build custom roles by assigning granular permissions across Plexicus features.

Create a Custom Role

  1. Navigate to Settings → Organization → Roles.
  2. Click Create New Role.
  3. Enter:
    • Role Name — Unique identifier (e.g., security-lead, scan-manager)
    • Description — Human-readable summary
  4. Select permissions:
    • Finding Management — View, create remediation, manage false positives
    • Scanning — Run scans, configure scanners, manage tool parameters
    • Integrations — Connect repositories, configure cloud providers
    • Policies — Create and edit security policies
    • Audit & Compliance — View audit logs, export reports
    • Team & Organization — Invite members, manage roles, billing
  5. Click Create.

Permission Categories

Category              Actions
Findings              Read, write, delete findings; mark false positives; approve remediations
Scanning              Create/run scans; configure scan parameters; manage tool selections
Integrations          Add/remove repository and cloud provider connections
Policies              Create and edit security policies; assign policies to apps
Audit & Compliance    Read audit logs; export reports; view compliance dashboards
Organization          Manage team members; invite users; assign/modify roles
Billing (SaaS only)   Modify subscription; manage payment methods; download invoices

Edit a Custom Role

  1. Navigate to Settings → Organization → Roles.
  2. Find the role and click Edit.
  3. Modify permissions as needed.
  4. Click Save.

Warning: Built-in roles (Developer, Cyberoper, Admin) cannot be renamed or deleted, but their permission sets can be edited.

Delete a Custom Role

  1. Navigate to Settings → Organization → Roles.
  2. Find the custom role and click Delete.
  3. Reassign any users in that role to a different role.
  4. Confirm the deletion.

SSO Group-Based Role Assignment

If your organization uses SSO with group support, you can automatically assign roles based on IdP groups.

For full SSO configuration details, see SSO Setup Guide.

Configure Group-to-Role Mapping

  1. Navigate to Settings → Authentication → SSO.
  2. Click Advanced Settings.
  3. Add a Group Role Mapping:
    • IdP Group — e.g., security-team, devops-engineers
    • Plexicus Role — e.g., Cyberoper, Developer, or a custom role
  4. Click Save.

Example Scenario

Your Okta organization has groups:

  • security-team → Cyberoper role (can manage policies and integrations)
  • developers → Developer role (can view findings and create remediations)

When a user logs in via SAML for the first time:

  1. Plexicus checks their IdP groups.
  2. If they're in security-team, they're assigned Cyberoper.
  3. If they're in developers, they're assigned Developer.

This eliminates manual role assignment during onboarding.

Note: Group-based role assignment applies only to newly provisioned users (first login). Existing users keep their manually assigned roles. Update existing users' roles manually if needed.
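The first-login evaluation described above, modelled as an added example (not Plexicus code). It assumes the IdP assertion is available as a dict of claims, that the groups claim name is configurable (the Attribute Mapping from the Troubleshooting section), that group names must match the mapping exactly, and that users in several mapped groups are resolved in claim order (an assumption; the page defines no precedence).

```python
"""Model of first-login SSO group-to-role assignment (added example, not
Plexicus code). Assumptions: claims arrive as a dict, the groups claim name is
configurable, group names match exactly, and existing users keep their role."""

# Constructed mapping mirroring the Okta scenario on this page.
GROUP_ROLE_MAPPING = {
    "security-team": "Cyberoper",
    "developers": "Developer",
}

# Constructed records of already-provisioned users: they keep their manually
# assigned role, because mapping applies only on first login.
EXISTING_USERS = {"alice@example.com": "Admin"}


def resolve_role(email, claims, groups_claim="groups",
                 mapping=GROUP_ROLE_MAPPING, existing=EXISTING_USERS):
    """Return (role, reason) for a user logging in via SSO.

    role is None when no role can be assigned; reason states why, so each
    troubleshooting step on this page can be checked directly.
    """
    if email in existing:
        return existing[email], "existing user: manual role kept"
    if groups_claim not in claims:
        # The IdP did not return the groups claim, or Attribute Mapping names
        # a different claim than the one the IdP actually sends.
        return None, f"claim '{groups_claim}' missing from assertion"
    groups = claims[groups_claim]
    if isinstance(groups, str):  # some IdPs send a single group as a string
        groups = [groups]
    # Exact, case-sensitive match only: 'Security-Team' != 'security-team'.
    matched = [g for g in groups if g in mapping]
    if not matched:
        return None, "no group matches Group Role Mapping exactly"
    if len({mapping[g] for g in matched}) > 1:
        # Assumption: take claim order and flag the ambiguity for review.
        return mapping[matched[0]], "multiple mapped groups: review assignment"
    return mapping[matched[0]], f"mapped from IdP group '{matched[0]}'"
```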


Audit & Monitoring

View Role Changes

  1. Navigate to Settings → Organization → Audit Log.
  2. Filter by event type: role_assignment_change, role_created, role_deleted.
  3. Review who made changes, when, and what changed.

Each audit log entry includes:

  • User — Who made the change
  • Action — What happened (e.g., role_assignment_change)
  • Timestamp — When it happened
  • Details — Before/after state (for modifications)

Export Audit Logs

  1. Navigate to Settings → Organization → Audit Log.
  2. Click Export (CSV or JSON).
  3. Save the file for compliance or records.

Best Practices

  1. Principle of Least Privilege:

    • Assign the minimum role needed for the job.
    • Prefer built-in roles over custom roles for simpler governance.
    • Regularly review team member roles.
  2. Use Groups with SSO:

    • Configure group-to-role mapping in your IdP for consistent role assignment.
    • Avoid manually assigning roles if using SSO.
  3. Monitor Privilege Escalation:

    • Check audit logs monthly for unexpected role changes.
    • Alert when someone is promoted to Admin.
  4. Custom Role Naming:

    • Use clear, descriptive names: security-engineer, platform-owner, compliance-reviewer.
    • Avoid vague names like member2 or temp-access.
  5. Regular Cleanup:

    • Remove inactive team members quarterly.
    • Delete unused custom roles to simplify governance.
  6. Incident Response:

    • If a team member leaves, immediately revoke access via Settings → Organization → Team → Remove.
    • Audit their recent actions in Audit Logs.
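One way to act on the "Monitor Privilege Escalation" practice with the exported audit log (JSON) described under Audit & Monitoring, as an added example that is not Plexicus code. The export's field names (user, action, timestamp, details with before/after and a target user) are assumed from the entry description on this page, and the sample export is constructed.

```python
"""Scan an exported audit log (JSON) for promotions to Admin and for users who
changed their own role. Added example, not Plexicus code; field names are
assumed from the entry description on this page."""

import json

# Constructed sample export in the assumed format.
SAMPLE_EXPORT = json.dumps([
    {"user": "admin@example.com", "action": "role_assignment_change",
     "timestamp": "2024-05-01T09:12:00Z",
     "details": {"target": "bob@example.com", "before": "Developer", "after": "Cyberoper"}},
    {"user": "lead@example.com", "action": "role_created",
     "timestamp": "2024-05-02T10:00:00Z", "details": {"role": "compliance-reviewer"}},
    {"user": "admin@example.com", "action": "role_assignment_change",
     "timestamp": "2024-05-02T18:40:00Z",
     "details": {"target": "eve@example.com", "before": "Developer", "after": "Admin"}},
    {"user": "eve@example.com", "action": "role_assignment_change",
     "timestamp": "2024-05-03T11:00:00Z",
     "details": {"target": "eve@example.com", "before": "Admin", "after": "Admin"}},
])

# The event types this page lists for role changes.
ROLE_EVENTS = {"role_assignment_change", "role_created", "role_deleted"}


def load_role_events(raw):
    """Parse the export and keep only the role-related event types."""
    return [e for e in json.loads(raw) if e.get("action") in ROLE_EVENTS]


def admin_promotions(events):
    """Changes that move a user to Admin from a lower role."""
    return [e for e in events
            if e["action"] == "role_assignment_change"
            and e["details"].get("after") == "Admin"
            and e["details"].get("before") != "Admin"]


def self_assignments(events):
    """Role changes where the actor is also the target; worth a review even
    when before and after are the same role."""
    return [e for e in events
            if e["action"] == "role_assignment_change"
            and e["details"].get("target") == e["user"]]


def report(raw):
    """Return (promotions, self_changes) for a raw export, for a monthly review."""
    events = load_role_events(raw)
    return admin_promotions(events), self_assignments(events)
```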

SaaS vs Self-Hosted

Feature                    SaaS                              Self-Hosted
Built-in roles             ✅ Developer, Cyberoper, Admin    ✅ Same
Custom roles               ✅ Yes                            ✅ Yes
SSO group-based roles      ✅ Yes                            ✅ Yes
Audit logging              ✅ Unlimited                      ✅ Unlimited
SCIM user provisioning     Scale+ plan                       Included
Break-glass Admin access   ❌ (self-hosted only)             ✅ (via admin secret)

Troubleshooting

"Permission denied" error

  • Verify your role is assigned the required permission.
  • Contact an Admin to review your role's permissions.
  • Check Settings → Organization → Team to confirm your role.

Users not getting SSO-assigned roles

  • Ensure the IdP group name matches exactly in Group Role Mapping.
  • Verify the IdP returns the groups claim in SAML/OIDC responses.
  • Check the configured Attribute Mapping for the groups claim name.
  • Have the user log out and log in again to trigger role re-evaluation.

Cannot delete a role I created

  • Ensure the role is custom, not built-in.
  • Check that no team members are still assigned to that role.
  • Reassign those members to another role, then retry deletion.
