Roles & Role-Based Access Control
Plexicus uses role-based access control (RBAC) to manage what each team member can do. Assign built-in roles or create custom roles tailored to your organization's structure.
Built-In Roles
Developer
Permissions:
- View findings from all applications
- Create and manage remediations
- Run scans
- Review audit logs (read-only)
Limitations:
- Cannot modify organization settings
- Cannot manage team members or roles
- Cannot access billing or plan information
- Cannot delete applications
Use Case: Team members who focus on finding remediation and code quality.
Cyberoper (Security Operations)
Permissions:
- All Developer permissions, plus:
- Manage security policies
- Configure integrations (SCM, cloud providers)
- Manage application inventory
- View organization-level analytics and dashboards
- Configure container registry connections
- Access compliance reports (Scale plan+)
Limitations:
- Cannot manage billing or subscription
- Cannot manage team members or roles
- Cannot access audit logs (no retroactive access)
Use Case: Security engineers and DevSecOps professionals who configure tools and policies.
Admin
Permissions:
- All Cyberoper permissions, plus:
- Manage team members (invite, remove, assign roles)
- Create and modify custom roles
- Configure authentication (SSO, SAML, OIDC)
- Manage billing and subscription (SaaS)
- Export and archive audit logs
- Access break-glass emergency recovery (self-hosted)
Limitations:
- None — Admins have full access.
Use Case: Team leads and organizational admins responsible for team and system management.
Permission Matrix
| Feature | Developer | Cyberoper | Admin |
|---|---|---|---|
| View findings | ✅ | ✅ | ✅ |
| Create remediations | ✅ | ✅ | ✅ |
| Run scans | ✅ | ✅ | ✅ |
| Manage integrations | ❌ | ✅ | ✅ |
| Manage policies | ❌ | ✅ | ✅ |
| Manage team members | ❌ | ❌ | ✅ |
| Create custom roles | ❌ | ❌ | ✅ |
| Configure SSO/SAML | ❌ | ❌ | ✅ |
| Manage billing | ❌ | ❌ | ✅ |
| Export audit logs | ❌ | ❌ | ✅ |
Managing Team Members
Add a Team Member
- Navigate to Settings → Organization → Team.
- Enter the new member's email address.
- Select their role:
  - Developer
  - Cyberoper
  - Or a custom role (if you've created one)
- Click Create.
- The team member receives an email invitation.
If SSO is enforced, new users must log in via your organization's identity provider. Ensure they're already provisioned in your IdP before sending the invitation.
Remove a Team Member
- Navigate to Settings → Organization → Team.
- Find the team member in the list.
- Click Remove.
- Confirm the action.
The user's access is immediately revoked. Their account is not deleted; the admin can re-invite them later.
Change a Team Member's Role
- Navigate to Settings → Organization → Team.
- Click on the team member's row or Edit.
- Select a new role.
- Click Save.
The user's permissions update immediately on their next action.
Custom Roles
Creating custom roles requires Admin permissions.
Build custom roles by assigning granular permissions across Plexicus features.
Create a Custom Role
- Navigate to Settings → Organization → Roles.
- Click Create New Role.
- Enter:
  - Role Name — Unique identifier (e.g., `security-lead`, `scan-manager`)
  - Description — Human-readable summary
- Select permissions:
  - Finding Management — View, create remediation, manage false positives
  - Scanning — Run scans, configure scanners, manage tool parameters
  - Integrations — Connect repositories, configure cloud providers
  - Policies — Create and edit security policies
  - Audit & Compliance — View audit logs, export reports
  - Team & Organization — Invite members, manage roles, billing
- Click Create.
Permission Categories
| Category | Actions |
|---|---|
| Findings | Read, write, delete findings; mark false positives; approve remediations |
| Scanning | Create/run scans; configure scan parameters; manage tool selections |
| Integrations | Add/remove repository and cloud provider connections |
| Policies | Create and edit security policies; assign policies to apps |
| Audit & Compliance | Read audit logs; export reports; view compliance dashboards |
| Organization | Manage team members; invite users; assign/modify roles |
| Billing (SaaS only) | Modify subscription; manage payment methods; download invoices |
Edit a Custom Role
- Navigate to Settings → Organization → Roles.
- Find the role and click Edit.
- Modify permissions as needed.
- Click Save.
Built-in roles (Developer, Cyberoper, Admin) cannot be renamed or deleted, but their permission sets can be edited.
Delete a Custom Role
- Navigate to Settings → Organization → Roles.
- Find the custom role and click Delete.
- Reassign any users in that role to a different role.
- Confirm the deletion.
SSO Group-Based Role Assignment
If your organization uses SSO with group support, you can automatically assign roles based on IdP groups.
For full SSO configuration details, see SSO Setup Guide.
Configure Group-to-Role Mapping
- Navigate to Settings → Authentication → SSO.
- Click Advanced Settings.
- Add a Group Role Mapping:
  - IdP Group — e.g., `security-team`, `devops-engineers`
  - Plexicus Role — e.g., `Cyberoper`, `Developer`, or a custom role
- Click Save.
Example Scenario
Your Okta organization has groups:
- `security-team` → Cyberoper role (can manage policies and integrations)
- `developers` → Developer role (can view findings and create remediations)
When a user logs in via SAML for the first time:
- Plexicus checks their IdP groups.
- If they're in `security-team`, they're assigned Cyberoper.
- If they're in `developers`, they're assigned Developer.
This eliminates manual role assignment during onboarding.
Group-based role assignment applies only to newly provisioned users (first login). Existing users keep their manually assigned roles. Update existing users' roles manually if needed.
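The first-login resolution described above, written out as an added example (not Plexicus code). It encodes the two rules the docs state, that the mapping applies only to newly provisioned users and that group names must match exactly, and adds a small diagnostic for the "users not getting SSO-assigned roles" case. The mapping structure, the precedence when a user is in several mapped groups, and the behaviour when no group matches are assumptions.

```python
"""Resolve a Plexicus role from IdP groups at first SSO login.

Added example, not Plexicus code. The mapping structure, the precedence
between several matching groups, and the behaviour when no group matches
are assumptions; the rules it does encode come from the docs: the mapping
applies only to newly provisioned users, and group names must match exactly.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed mapping, as entered under Settings → Authentication → SSO → Advanced Settings.
GROUP_ROLE_MAPPING: Dict[str, str] = {
    "security-team": "Cyberoper",
    "developers": "Developer",
}


@dataclass
class User:
    email: str
    idp_groups: List[str] = field(default_factory=list)
    # None models a newly provisioned user with no role yet (assumption).
    role: Optional[str] = None


def resolve_role(user: User, mapping: Dict[str, str]) -> Optional[str]:
    """Role the user should hold after login."""
    # Existing users keep their manually assigned role; the mapping is first-login only.
    if user.role is not None:
        return user.role
    # Exact string match, so "Security-Team" or a trailing space does not match.
    # Precedence when several groups match: first entry in mapping order (assumption).
    for group, role in mapping.items():
        if group in user.idp_groups:
            return role
    # No matching group: no role assigned; an Admin must assign one manually (assumption).
    return None


def near_misses(user: User, mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Groups that fail the exact match but would match after trimming whitespace
    and ignoring case. Handy when users are not getting SSO-assigned roles."""
    normalised = {g.strip().lower(): g for g in mapping}
    return [(g, normalised[g.strip().lower()])
            for g in user.idp_groups
            if g not in mapping and g.strip().lower() in normalised]


if __name__ == "__main__":
    newcomer = User("new@example.com", ["security-team", "developers"])
    print(resolve_role(newcomer, GROUP_ROLE_MAPPING))  # Cyberoper
    stale = User("old@example.com", ["Security-Team "])
    print(resolve_role(stale, GROUP_ROLE_MAPPING), near_misses(stale, GROUP_ROLE_MAPPING))
```

Because the match is exact, the diagnostic reports `("Security-Team ", "security-team")` for the second user, which is the kind of discrepancy to look for in the IdP group name or the Attribute Mapping before touching the role itself.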
Audit & Monitoring
View Role Changes
- Navigate to Settings → Organization → Audit Log.
- Filter by event type: `role_assignment_change`, `role_created`, `role_deleted`.
- Review who made changes, when, and what changed.
Each audit log entry includes:
- User — Who made the change
- Action — What happened (e.g., `role_assignment_change`)
- Timestamp — When it happened
- Details — Before/after state (for modifications)
Export Audit Logs
- Navigate to Settings → Organization → Audit Log.
- Click Export (CSV or JSON).
- Save the file for compliance or records.
Best Practices
- Principle of Least Privilege:
  - Assign the minimum role needed for the job.
  - Prefer built-in roles over custom roles for simpler governance.
  - Regularly review team member roles.
- Use Groups with SSO:
  - Configure group-to-role mapping in your IdP for consistent role assignment.
  - Avoid manually assigning roles if using SSO.
- Monitor Privilege Escalation:
  - Check audit logs monthly for unexpected role changes.
  - Alert when someone is promoted to Admin.
- Custom Role Naming:
  - Use clear, descriptive names: `security-engineer`, `platform-owner`, `compliance-reviewer`.
  - Avoid vague names like `member2` or `temp-access`.
- Regular Cleanup:
  - Remove inactive team members quarterly.
  - Delete unused custom roles to simplify governance.
- Incident Response:
  - If a team member leaves, immediately revoke access via Settings → Organization → Team → Remove.
  - Audit their recent actions in Audit Logs.
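The monthly review and Admin-promotion alert from the best practices above, as an added example run over a JSON export from Settings → Organization → Audit Log. This is not Plexicus code: the key names in the sample export are assumed from the entry fields the docs list (User, Action, Timestamp, Details with before/after state), the sample lines are constructed, and the `scan_started` event is a made-up non-role event included only to show the filter at work.

```python
"""Review role changes in an exported Plexicus audit log.

Added example, not Plexicus code. The JSON layout is an assumption modelled
on the entry fields the docs list (User, Action, Timestamp, Details with
before/after state); adjust the key names to match the real export.
"""
import json
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample export in JSON-lines form (not real data).
SAMPLE_EXPORT = """
{"user": "alice@example.com", "action": "role_assignment_change", "timestamp": "2024-05-01T09:12:00Z", "details": {"target": "bob@example.com", "before": "Developer", "after": "Cyberoper"}}
{"user": "alice@example.com", "action": "role_assignment_change", "timestamp": "2024-05-02T17:40:00Z", "details": {"target": "carol@example.com", "before": "Developer", "after": "Admin"}}
{"user": "dave@example.com", "action": "role_created", "timestamp": "2024-05-03T10:00:00Z", "details": {"role": "compliance-reviewer"}}
{"user": "erin@example.com", "action": "role_assignment_change", "timestamp": "2024-05-04T11:05:00Z", "details": {"target": "erin@example.com", "before": "Cyberoper", "after": "Admin"}}
{"user": "alice@example.com", "action": "scan_started", "timestamp": "2024-05-04T12:00:00Z", "details": {"application": "payments-api"}}
"""

# The event types the docs say to filter on when reviewing role changes.
ROLE_EVENTS = {"role_assignment_change", "role_created", "role_deleted"}


def _parse_ts(value: str) -> datetime:
    # Exports use ISO 8601; older Pythons' fromisoformat rejects the "Z" suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text: str) -> List[Dict]:
    """Parse a JSON-lines export into entries with a timezone-aware timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        entry["timestamp"] = _parse_ts(entry["timestamp"])
        entries.append(entry)
    return entries


def role_events(entries: List[Dict], since: Optional[str] = None) -> List[Dict]:
    """Role-related events, optionally limited to those at or after an ISO
    timestamp (e.g. the start of the monthly review window)."""
    cutoff = _parse_ts(since) if since else None
    return [e for e in entries
            if e["action"] in ROLE_EVENTS
            and (cutoff is None or e["timestamp"] >= cutoff)]


def admin_promotions(entries: List[Dict]) -> List[Dict]:
    """Assignments whose after-state is Admin and whose before-state was not."""
    return [e for e in entries
            if e["action"] == "role_assignment_change"
            and e["details"].get("after") == "Admin"
            and e["details"].get("before") != "Admin"]


def self_role_changes(entries: List[Dict]) -> List[Dict]:
    """Assignments where the actor changed their own role; always worth a second look."""
    return [e for e in entries
            if e["action"] == "role_assignment_change"
            and e["details"].get("target") == e["user"]]


def review(text: str, since: Optional[str] = None) -> List[str]:
    """Produce the alert lines a monthly review would raise for an export."""
    events = role_events(parse_export(text), since)
    alerts = []
    for e in admin_promotions(events):
        alerts.append(f"ADMIN PROMOTION: {e['details']['target']} by {e['user']} "
                      f"at {e['timestamp'].isoformat()}")
    for e in self_role_changes(events):
        alerts.append(f"SELF-ASSIGNED ROLE: {e['user']} -> {e['details']['after']} "
                      f"at {e['timestamp'].isoformat()}")
    return alerts


if __name__ == "__main__":
    for line in review(SAMPLE_EXPORT, since="2024-05-01T00:00:00Z"):
        print(line)
```

Run against a real export, the `since` argument marks the start of the review window and the two checks cover the cases the best practices call out: a promotion to Admin, and the narrower but more suspicious case of an account changing its own role.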
SaaS vs Self-Hosted
| Feature | SaaS | Self-Hosted |
|---|---|---|
| Built-in roles | ✅ Developer, Cyberoper, Admin | ✅ Same |
| Custom roles | ✅ Yes | ✅ Yes |
| SSO group-based roles | ✅ Yes | ✅ Yes |
| Audit logging | ✅ Unlimited | ✅ Unlimited |
| SCIM user provisioning | Scale+ plan | Included |
| Break-glass Admin access | ❌ | ✅ (via admin secret) |
Troubleshooting
"Permission denied" error
- Verify your role is assigned the required permission.
- Contact an Admin to review your role's permissions.
- Check Settings → Organization → Team to confirm your role.
Users not getting SSO-assigned roles
- Ensure the IdP group name matches exactly in Group Role Mapping.
- Verify the IdP returns the `groups` claim in SAML/OIDC responses.
- Check the configured Attribute Mapping for the groups claim name.
- Have the user log out and log in again to trigger role re-evaluation.
Cannot delete a role I created
- Ensure the role is custom, not built-in.
- Check that no team members are still assigned to that role.
- Reassign those members to another role, then retry deletion.