This article provides a detailed breakdown of the high-level permissions within Snyk API & Web, explaining what actions each permission grants. Permissions are then grouped into roles (either built-in or custom) and, along with a scope, dictate the actions a user can perform.

Role/Scope Structure

Roles can be applied at three levels, dictating the scope of the actions a user can perform:

Account: actions apply across the entire account.
Team: actions apply only to the selected team.
Target: actions apply only to the selected target.

To learn more about roles, check out How do Roles and Permissions Work.

Detailed Permission Breakdown

The following table lists the Name, ID, and a detailed description of the actions allowed for each high-level permission:

Permission	Allowed Actions
Name: Account Settings ID: account_settings	Manage Integrations: Create, view, change, and delete third-party account integrations (e.g. Akamai, Azure DevOps, Jira Cloud, etc.) Manage Labels: Create, view, change, delete, and list Finding Labels, Target Labels, and User Labels Manage Automation: Create, view, change, delete, and list Webhooks
Name: Audit Log ID: audit_log	Review History: Obtain the Audit Log entries
Name: Billing ID: billing	Manage & View Billing: Manage billing and payment information List and download invoices
Name: Change Finding ID: change_finding	Modify Findings: List and view findings Perform bulk operations on findings List and assign users to a finding Add notes to findings Manually synchronize findings with integrations already configured (e.g. Azure DevOps, Jira Cloud, Shortcut) View Target Labels
Name: Change Finding State ID: change_finding_state	Modify Findings State: Change finding state (Accept risk, Mark as invalid, Reset) Change finding review status (Approved, Rejected)
Name: Change risk ID: change_risk	Modify Risk Level: Change the risk rating associated with a finding
Name: Change Target Settings ID: change_target_settings	Manage Target Configuration: Manage (add, change, delete, and view) Login/Logout configuration, Navigation Sequences, Partial Scans, Scanning Agents, Extra hosts, Seeds/Reject Lists, Custom Headers/Cookies, Blackout Period, Report types, Coverage details, and Technologies Manage (add, change, delete, view) Scan Profiles, and assign them to the target Configure API Schema files Manage target-specific integrations (Azure DevOps, DefectDojo, Jira Cloud/Server, Shortcut, Slack) Manage Domains: Manage (add, change, list, view, and verify) Domains Manage Labels: Create, change, delete, and list Finding Labels and Target Labels Manage Webhooks: Configure Scope Webhooks
Name: Correlation Admin ID: correlation_admin	Manage SAST/DAST Integration: View and manage Snyk Code integration View and assign/remove Snyk Code projects to/from targets View correlation data in the finding details Provide correlation feedback. Register correlation matches (thumbs up/thumbs down)
Name: Correlation Viewer ID: correlation_viewer	View SAST/DAST Integration: View Snyk Code projects assigned to targets View correlation data in the finding details Provide correlation feedback Register correlation matches (thumbs up/thumbs down) Disable and delete Snyk Code integration
Name: Create Target ID: create_target	Add Targets: Add, change, list, view, and verify Domains Add Targets (including uploading and downloading target files) View and list available Scanning Agents
Name: Delete Target ID: delete_target	Remove Targets: Delete Targets Delete Domains Delete Webhooks
Name: Discovery ID: discovery	Manage Discovery: List, and view Discovery Assets View Discovery Scans View Discovery Asset Logs Change Discovery Assets (Mark as new/not new, Hide / Show, Rename, Manage Target Labels, Add Notes)
Name: Discovery Read-Only ID: discovery_read_only	View Discovery Data: List and view Discovery Assets View Discovery Asset Logs View Discovery Scans
Name: Manage Credentials ID: manage_credentials	This permission allows you to create, view, update, and delete credentials created by other users, depending on your assigned scope: Team Scope: You can only manage credentials within the specific teams where you have been granted "Manage Credentials" permissions. Account Scope: Additionally, you can assign a credential to any team within the entire account.
Name: Password Login Override ID: password_login_override	Authentication: Override SSO configuration (i.e., log in with username and password when SSO is configured)
Name: Role Assignment ID: role_assignment	Manage User Roles: List high-level permissions List built-in roles Add, change, delete, list, and view custom-roles View User details Add, change, delete, list and view User Labels
Name: Scanning Agent Management ID: scanning_agent_management	Manage Scanning Agents: Add, change, delete, list, and view
Name: Start re-test ID: start_retest	Trigger Re-tests: Initiate a re-test for a finding
Name: Start Scan ID: start_scan	Manage Scans: Initiate a manual Scan on a Target Cancel, pause, and resume ongoing Scans Add, change, delete, list, and view Scheduled Scans
Name: Team Management ID: team_management	Manage Teams: Add, change, delete, and view teams Move targets between teams
Name: User Management ID: user_management	Manage Users & Roles (Account Level): View User Roles, High-Level Permissions, and available Roles Add, change, list, enable/disable Users and API Keys Manage Users and API Keys’ roles (list, view, assign, and remove role from User/API Key) Manage User Labels
Name: View Target ID: view_target	View Target Data and Reports: List and view Target, Target Settings (including integration-specific settings), Scans, Scheduled Scans, and Findings View integration-specific links View Target Labels View User details Manage Reports: Download Scan Reports Add, change, delete, list, and view Stored/Managed Reports

Understanding Permissions at Snyk API & Web

Role/Scope Structure

Detailed Permission Breakdown