User Roles & Permissions
Role-based access control and permissions in CodeWall.
CodeWall uses role-based access control (RBAC) to manage what team members can see and do. Every user in an organization is assigned exactly one role.
Roles
Owner
The organization owner has unrestricted access to all features, including billing management and the ability to delete the organization. There is exactly one owner per organization. Ownership can be transferred to another admin from the organization settings page.
Admin
Admins can manage all operational aspects of the organization — team members, targets, tests, integrations, and settings. They cannot access billing or delete the organization. Best suited for team leads and security managers who need to configure the platform.
Member
Members can create and run tests, view and triage findings, and export reports. They cannot manage team membership, configure targets, or change organization settings. This is the default role for new invitations and is suited for security engineers and analysts who perform day-to-day testing.
Viewer
Viewers have read-only access to tests, findings, and reports. They cannot create tests, triage findings, or modify any settings. Ideal for stakeholders, compliance officers, or executives who need visibility without the ability to make changes.
Permission matrix
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View tests and findings | Yes | Yes | Yes | Yes |
| Export reports (PDF, CSV) | Yes | Yes | Yes | Yes |
| Create tests | Yes | Yes | Yes | No |
| Manage test configuration | Yes | Yes | Yes | No |
| Mark findings (resolve, false positive) | Yes | Yes | Yes | No |
| Import scan results | Yes | Yes | Yes | No |
| Manage targets | Yes | Yes | No | No |
| Invite / remove team members | Yes | Yes | No | No |
| Manage integrations | Yes | Yes | No | No |
| Configure SSO / authentication | Yes | Yes | No | No |
| Manage webhooks and notifications | Yes | Yes | No | No |
| Configure SLA targets | Yes | Yes | No | No |
| View audit log | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
Default role
When inviting a new team member, the default role is Member. You can change this during the invitation flow.
SSO and role mapping
If your organization uses SSO (SAML or OIDC), you can map identity provider groups to CodeWall roles. This ensures team members are automatically assigned the correct role when they sign in. See Authentication Settings for SSO configuration.
When a user signs in via SSO with just-in-time (JIT) provisioning enabled, their role is determined by the group mapping. If no mapping matches, they are assigned the Member role by default. Because Member can create tests and triage findings, check which identity-provider users are entitled to the CodeWall application before enabling JIT provisioning; otherwise every user the identity provider authenticates receives that level of access, whether or not a group mapping covers them.
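The following is an added example, not CodeWall's code, showing how a role model like the one above is typically enforced: the permission matrix is strictly nested (Viewer within Member within Admin within Owner), so each action reduces to a minimum role, and SSO group claims resolve to one role before any check runs. The `Role`, `MIN_ROLE`, `can` and `resolve_role` names, the group names, and two rules are assumptions for illustration: when several mapped groups apply, the most privileged role wins, and group mapping never grants Owner (the page says there is exactly one owner, assigned by transfer). The unmapped-group fallthrough to Member follows the JIT behaviour described above.

```python
"""Illustrative RBAC resolution and authorization check (added example,
not CodeWall's implementation).

Assumptions, beyond what the page states:
  - roles are strictly hierarchical, so each action has a minimum role;
  - when several IdP groups map to different roles, the highest wins;
  - group mapping caps at Admin; Owner is only assigned by transfer.
"""
from enum import IntEnum


class Role(IntEnum):
    VIEWER = 0
    MEMBER = 1
    ADMIN = 2
    OWNER = 3


# Minimum role for each action, transcribed from the permission matrix.
MIN_ROLE = {
    "view_tests_and_findings": Role.VIEWER,
    "export_reports": Role.VIEWER,
    "create_tests": Role.MEMBER,
    "manage_test_configuration": Role.MEMBER,
    "mark_findings": Role.MEMBER,
    "import_scan_results": Role.MEMBER,
    "manage_targets": Role.ADMIN,
    "manage_team_members": Role.ADMIN,
    "manage_integrations": Role.ADMIN,
    "configure_sso": Role.ADMIN,
    "manage_webhooks": Role.ADMIN,
    "configure_sla_targets": Role.ADMIN,
    "view_audit_log": Role.ADMIN,
    "manage_billing": Role.OWNER,
    "delete_organization": Role.OWNER,
    "transfer_ownership": Role.OWNER,
}


def can(role: Role, action: str) -> bool:
    """Fail closed: unknown actions are denied, as is any role below the minimum."""
    required = MIN_ROLE.get(action)
    return required is not None and role >= required


def resolve_role(idp_groups, group_mapping, default=Role.MEMBER) -> Role:
    """Turn the group claims from a SAML/OIDC assertion into exactly one role.

    Groups absent from the mapping are ignored. With no match at all the
    JIT default applies (Member, per the page). The result is capped at
    Admin (assumption: Owner is never granted through mapping).
    """
    matched = [group_mapping[g] for g in idp_groups if g in group_mapping]
    if not matched:
        return default
    return min(max(matched), Role.ADMIN)


# Constructed mapping and group claims for the demo; not real identifiers.
GROUP_MAPPING = {
    "sec-leads": Role.ADMIN,
    "sec-eng": Role.MEMBER,
    "compliance": Role.VIEWER,
}


def demo():
    """Resolve three constructed sign-ins and check a representative action each."""
    lead = resolve_role(["sec-eng", "sec-leads"], GROUP_MAPPING)   # highest wins: Admin
    auditor = resolve_role(["compliance"], GROUP_MAPPING)          # Viewer
    # No mapped group: falls through to Member, which can already create
    # tests. If the IdP has a group that every user belongs to, mapping it
    # to Viewer makes that the effective floor instead (max() still lets
    # more specific groups raise the role).
    stranger = resolve_role(["unrelated-group"], GROUP_MAPPING)
    return {
        "lead": (lead, can(lead, "manage_targets"), can(lead, "manage_billing")),
        "auditor": (auditor, can(auditor, "export_reports"), can(auditor, "mark_findings")),
        "stranger": (stranger, can(stranger, "create_tests")),
    }


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(who, outcome)
```

The `default` parameter makes the JIT fallthrough explicit at the call site so a reviewer can see whether unmapped identities land on Member or something narrower; in the real product that choice is fixed by the behaviour documented above, and the lever you control is the set of identity-provider users entitled to the application.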
Changing roles
Owners and admins can change a member's role from Settings > Team. Role changes take effect immediately; the user does not need to sign out and back in. The Owner role is not assigned here: it changes only through ownership transfer on the organization settings page, which only the current owner can perform.
Removing members
Removing a member revokes their access immediately. Any tests they created or findings they triaged remain in the organization.

