# Roles

> **Note:** This capability is currently in Early Access (EA) and is not generally available. To request access, contact OX technical support.

Roles define what users can view and do in OX by combining page access and action permissions, so you can align platform access with organizational responsibilities.

OX provides [built-in immutable roles](#built-in-roles) and the ability to define [custom roles](#custom-roles) that match your organization’s structure.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-bfbe5322d191c0be4b2f43b0d4706e0dff99f583%2FRoles_main.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

## How permissions work

Permissions in OX are structured and interdependent.

Access is defined in two layers:

* Page permissions determine whether a page appears in navigation.
* Action permissions determine what can be done inside that page.

Actions only work when the related page permission is selected. If page access is not granted, the page is hidden, and its actions cannot be used. For example, if the View Issues permission is not selected, actions such as Fix issue, Open PR, or Create Tickets cannot be performed.

When creating a role, always select the required page permissions first, then enable the necessary actions.

## Built-in roles

OX includes predefined roles for common responsibilities.

| Role           | Intended use                              |
| -------------- | ----------------------------------------- |
| Admin          | Full access across the platform           |
| Policy Manager | Manage and enforce policies               |
| Developer      | Investigate and remediate issues          |
| Read Only      | View platform data without making changes |

## Custom roles

Custom roles allow you to enforce least-privilege access and clearly separate operational responsibilities across teams. By defining granular page and action permissions, you can restrict exposure to sensitive configuration areas while granting teams only the access required for their function.

You can define custom roles from scratch or by duplicating and editing existing roles.

**To duplicate an existing role:**

1. Go to **Settings > Roles**.
2. Click the three dots next to the role you want to duplicate and select **Duplicate**.\
   The **Edit Role** page appears with all the role settings defined for the role you selected.

<figure><img src="https://884876233-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdK3XMLdV8zRg847RmGmZ%2Fuploads%2Fgit-blob-15d2034fcffa738f845aca4c56daa02454ef7fa6%2FDuplicate_roles%20(2).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

3. [Edit the role settings](#permissions-reference) and select **Update Role**.

**To create a role from scratch:**

1. Go to **Settings > Roles**.
2. Select **Create Role**.
3. Enter a role name and optional description.
4. Select the required [page permissions and actions](#permissions-reference) you want to allow.
5. Select **Create Role**.

Review the role before saving to ensure all required page permissions are included.

**To assign users to a role:**

1. Go to **Settings > Users**.
2. Select a user.
3. Select **Edit user (role/scope)**.
4. Choose a role.
5. Select **Save**.

## Permissions reference

The following table reflects the current roles configuration model, including permission dependencies.

| Area                               | Permission                                                 | What it allows                                        | Prerequisite Permissions                |
| ---------------------------------- | ---------------------------------------------------------- | ----------------------------------------------------- | --------------------------------------- |
| General                            | Initiate scan                                              | Run regular scans                                     |                                         |
| Dashboard                          | View dashboard                                             | Allows viewing the Dashboard page                     | <p>View issues<br>View applications<br>View policies<br>View pipelines<br>View SBOM<br>View API BOM<br>View Artifact BOM<br>View Cloud BOM<br>View SaaS BOM<br>View SLA Settings</p> |
| Issues                             | View issues                                                | Access Issues page                                    |                                         |
|                                    | Export issues                                              | Export issue data                                     | View issues                             |
|                                    | Add/edit comments                                          | Modify comments                                       | View issues                             |
|                                    | Delete comments                                            | Remove comments                                       | View issues                             |
|                                    | Start ChatGPT                                              | Use AI assistance                                     | View issues                             |
|                                    | View code fix                                              | View remediation                                      | View issues                             |
|                                    | Fix issue                                                  | Mark issue as fixed                                   | View issues                             |
|                                    | Open PR                                                    | Create a pull request                                 | View issues                             |
|                                    | Exclude and snooze issue                                   | Exclude or temporarily hide issue; remove exclusions  | View issues                             |
|                                    | Report false positive                                      | Mark as false positive                                | View issues                             |
|                                    | Cancel Report False Positive                               | Cancel false positive status                          | View issues                             |
|                                    | Change severity                                            | Modify severity                                       | View issues                             |
|                                    | Edit SLA                                                   | Modify SLA                                            | View SLA settings                       |
|                                    | Import Issues                                              | Import issue data                                     | View Issues                             |
|                                    | Create tickets                                             | Create external tickets                               | View Issues                             |
|                                    | Link tickets                                               | Link issues to tickets                                | View issues                             |
|                                    | Unlink tickets                                             | Remove ticket link                                    | View issues                             |
|                                    | Triage issues                                              | Perform triage                                        | View issues                             |
|                                    | Send Issue to messenger                                    | Send issue to messaging integration                   | View issues                             |
| Filters                            | Edit public filter                                         | Modify shared filters                                 |                                         |
|                                    | Delete public filter                                       | Delete shared filters                                 |                                         |
| Applications                       | View applications                                          | Access Applications page                              |                                         |
|                                    | Scan single application                                    | Run targeted scan                                     | View issues                             |
|                                    | Edit configuration                                         | Modify configuration                                  | View applications                       |
|                                    | View tags                                                  | View tags                                             | View applications                       |
|                                    | Edit tags                                                  | Modify tags: add/delete tags, edit existing tags      | View applications                       |
|                                    | Read app owners                                            | View owners                                           | View applications                       |
|                                    | Assign/add app owner                                       | Assign owners                                         | View applications                       |
|                                    | Delete app owner                                           | Remove owners                                         | View applications                       |
|                                    | Make app irrelevant                                        | Mark irrelevant/relevant                              | View applications                       |
|                                    | Assign/reset containers                                    | Manage containers                                     | View applications                       |
|                                    | Set priority                                               | Set priority                                          | View applications                       |
|                                    | Export (application info, PBOM, SBOM)                      | Export data                                           | View applications                       |
| Connectors                         | View connectors                                            | Access Connectors page                                |                                         |
|                                    | Add/change connectors                                      | Add or modify connectors                              | View connectors                         |
|                                    | Delete connectors                                          | Remove connectors                                     | View connectors                         |
|                                    | Upload connector config                                    | Upload configuration                                  | View connectors                         |
|                                    | Download connector config                                  | Download configuration                                | View connectors                         |
| Pipeline                           | View pipelines                                             | Access pipelines                                      |                                         |
| Policies                           | View policies                                              | Access policies                                       |                                         |
|                                    | Edit policies                                              | Modify policies; enable/disable policies              | View policies                           |
| Exclusions                         | View exclusions                                            | Access exclusions                                     | View issues                             |
| BOM                                | View BOM overview page                                     | Access BOM overview                                   |                                         |
|                                    | View SBOM                                                  | Access SBOM                                           | View BOM Overview page                  |
|                                    | View API BOM                                               | Access API BOM                                        | View BOM Overview page                  |
|                                    | View Artifact BOM                                          | Access Artifact BOM                                   | View BOM Overview page                  |
|                                    | View SaaS BOM                                              | Access SaaS BOM                                       | View BOM Overview page                  |
|                                    | View Cloud BOM                                             | Access Cloud BOM                                      | View BOM Overview page                  |
| Agentic Pentest                    | Access Agentic Pentest                                     | Access DAST area                                      |                                         |
| Workflows                          | View workflows                                             | Access workflows                                      | <p>View issues<br>View connectors<br>View policies</p> |
|                                    | Edit workflows                                             | Manage workflows                                      | <p>View issues<br>View connectors<br>View policies<br>View users<br>View Code Fix</p> |
| Audit Logs                         | View audit logs                                            | Access logs                                           |                                         |
| Users                              | View users                                                 | Access Users page                                     |                                         |
|                                    | Edit/invite users                                          | Modify users                                          | View users                              |
|                                    | Remove user                                                | Remove users                                          | View users                              |
|                                    | View roles                                                 | View roles                                            | View users                              |
|                                    | Edit roles                                                 | Modify roles                                          | View roles                              |
|                                    | Delete roles                                               | Delete roles                                          | View roles                              |
| Organization                       | Delete organization                                        | Delete organization                                   | View organization info                  |
|                                    | View org units                                             | View org units                                        | View organization info                  |
|                                    | Edit org units                                             | Modify org units                                      | View Org Units                          |
|                                    | Delete org units                                           | Delete org units                                      | View Org Units                          |
| Settings                           | Edit organization settings                                 | Modify organization settings                          |                                         |
|                                    | Edit usability settings                                    | Modify usability                                      |                                         |
|                                    | Edit scan settings                                         | Modify scan behavior                                  |                                         |
|                                    | Edit application settings                                  | Modify application defaults                           |                                         |
|                                    | Edit AI settings                                           | Modify AI configuration                               |                                         |
|                                    | Edit notification settings                                 | Modify notification settings                          |                                         |
|                                    | Edit login settings                                        | Modify login settings                                 |                                         |
|                                    | Edit API key settings                                      | Manage API keys                                       |                                         |
|                                    | View API keys for all users                                | View user API keys                                    |                                         |
|                                    | Edit API keys for all users                                | Manage user API keys for all users                    |                                         |
|                                    | Edit CI/CD Integration API keys                            | Manage CI/CD keys                                     |                                         |
|                                    | Edit API Integration keys                                  | Manage API keys                                       |                                         |
|                                    | Edit API K8s Inspector/Runtime Sensor Integration API keys | Manage K8s integration keys                           |                                         |
|                                    | Edit IDE/CLI Integration API keys                          | Manage IDE/CLI keys                                   |                                         |
|                                    | Edit MCP Integration API keys                              | Manage MCP keys                                       |                                         |
|                                    | Edit Audit Logs Exporter settings                          | Modify audit exporter                                 |                                         |
|                                    | Edit Secrets                                               | Modify secret settings to meet specific requirements  |                                         |
|                                    | Edit Pipeline settings                                     | Modify pipeline configuration                         |                                         |
|                                    | View SLA settings                                          | Access SLA configuration                              |                                         |
|                                    | Edit SLA settings                                          | Modify SLA configuration                              | View SLA settings                       |
|                                    | Edit Ticketing and Messaging settings                      | Modify integrations related to ticketing and messaging |                                         |
|                                    | Edit view settings                                         | Modify view configuration                             |                                         |
|                                    | Edit Executive report settings                             | Modify executive report settings                      | <p>View executive reports<br>View application owners<br>View application tags<br>View org units<br>Edit org units<br>Delete org units</p> |
| Reports                            | View Reports page                                          | Access Reports page                                   | <p>View issues<br>View applications<br>View SBOM<br>View SLA settings<br>View users<br>View org units</p> |
|                                    | Edit Reports                                               | Modify reports                                        | <p>View issues<br>View applications<br>View SBOM<br>View users<br>View SLA settings<br>View org units</p> |
|                                    | View Executive reports                                     | View executive report                                 | <p>View issues<br>View applications<br>View application tags<br>View application owners<br>View SBOM<br>View users<br>View SLA settings<br>View org units</p> |
| OSC\&R                             | View OSC\&R                                                | Access OSC\&R report                                  |                                         |
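
The prerequisite column can be checked mechanically before a custom role is saved. The following is an added example, not OX code and not an OX API: `PREREQS` is a hand-copied subset of the table above, and the role contents and the permission name `Approve release` are constructed for illustration. It follows prerequisite chains (for example Edit roles → View roles → View users) and reports selections that would have no effect.

```python
# Added example: PREREQS is a hand-copied subset of the permissions reference
# table, not an OX export. The role contents used below are constructed.

# permission -> direct prerequisite permissions (capitalisation as in the table)
PREREQS = {
    "View issues": [],
    "Fix issue": ["View issues"],
    "Open PR": ["View issues"],
    "Create tickets": ["View Issues"],
    "View exclusions": ["View issues"],
    "View SLA settings": [],
    "Edit SLA": ["View SLA settings"],
    "View users": [],
    "View roles": ["View users"],
    "Edit roles": ["View roles"],
    "View BOM overview page": [],
    "View SBOM": ["View BOM Overview page"],
}


def norm(name):
    """Case- and whitespace-insensitive key; the table mixes
    'View Issues' and 'View issues'."""
    return " ".join(name.lower().split())


GRAPH = {norm(p): {norm(d) for d in deps} for p, deps in PREREQS.items()}
LABEL = {norm(p): p for p in PREREQS}


def prerequisites(permission):
    """Every direct and indirect prerequisite of one permission."""
    seen, stack = set(), list(GRAPH[norm(permission)])
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(GRAPH.get(cur, ()))
    return seen


def audit_role(selected):
    """Return (missing, unknown).

    missing: {permission: [prerequisites not selected]}; these selections
             would be ineffective because a required page is hidden.
    unknown: selected names that are not in the copied table subset.
    """
    chosen = {norm(p) for p in selected}
    unknown = sorted(p for p in selected if norm(p) not in GRAPH)
    missing = {}
    for key in sorted(chosen & GRAPH.keys()):
        gap = prerequisites(key) - chosen
        if gap:
            missing[LABEL[key]] = sorted(LABEL.get(g, g) for g in gap)
    return missing, unknown


def complete_role(selected):
    """Selected permissions plus every prerequisite they depend on."""
    chosen = {norm(p) for p in selected if norm(p) in GRAPH}
    for key in list(chosen):
        chosen |= prerequisites(key)
    return sorted(LABEL.get(k, k) for k in chosen)


if __name__ == "__main__":
    # Constructed draft role: actions chosen, page permissions forgotten.
    draft = ["Fix issue", "Open PR", "Edit roles", "View roles", "Approve release"]
    missing, unknown = audit_role(draft)
    for perm, gap in missing.items():
        print(f"{perm}: missing {', '.join(gap)}")
    print("Not in table subset:", unknown)
    print("Selections needed:", complete_role(draft))
```
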
