Understand roles
Last updated: Mar 30, 2026
Members on the Fluid Attacks platform have distinct roles with associated permissions. You can view your role within the organization or group you are navigating in the user menu, which is in the upper-right corner of your screen.
This page explains the different roles that are available on the platform, along with the permissions they grant.
Client roles
Organization Manager role
Members assigned the Organization Manager role are automatically granted the Group Manager role within all groups belonging to the organization.
Designed for technical leaders within their organization, this role provides access to basic privileges on the platform and enables them to handle credentials, billing, members, mailmaps, and policy settings.
Group Manager role
Designed for technical leaders within their group, this role allows them to perform all actions available in the group on the platform. It is designed for product leaders, granting relevant capabilities like generating reports, defining treatments for vulnerabilities (e.g., accepting vulnerabilities permanently, approving vulnerability deletion requests by their company), and managing group members.
User role
This is the role most members are given. It is typically assigned to the developers responsible for remediating vulnerabilities. Members with this role can access vulnerability information required for remediation and request reattacks when they believe they have successfully fixed the code.
Vulnerability Manager role
Intended for technical leaders, this role provides access to features like generating reports, viewing group members, and assigning fix work.
Client roles permissions
Below are the descriptions of the permissions available to clients on Fluid Attacks' platform. These permissions are categorized into two levels: the group and organization levels.
Group-level permissions
Agent
- Generate/update agent token: Generate and update the token to use for the CI Gate, an application that inspects builds for noncompliance with organization policies and prevents deployment if it finds any. Available at DevSecOps > Manage token > Generate/Reset.
- View agent token and its expiration date: View the current CI Gate token and when it expires. Available at DevSecOps > Manage token > Reveal token.
- View agent executions: Access to reports of executions of the CI Gate in your CI/CD. Available at DevSecOps.
Design Map
Add/remove threat model files: Upload or delete threat model files that are correlated with the vulnerabilities reported by Fluid Attacks. Available at Design Map > Files.
Events
- Request verification on events: Request verification that events have been resolved. Available at Events > Request verification.
- Export file in Events: Download event data as a CSV file. Available at Events > Export.
Files
- Add/download file: Upload or download any files you find helpful or necessary for performing security tests on the group. Available at Scope > Files > Add.
- Delete file: Eliminate files that are considered unnecessary in the analysis of the group. Available at Scope > Files.
Group
- Delete group: Delete an unnecessary group. Available at Scope > Delete this group.
- Update group information: Update group information. Available at Scope > Information.
- Unsubscribe from group: Leave group. Available at Scope > Unsubscribe.
- Use Help options: Access help options. Available at Help.
Members
- Add member: Invite members to access the group and have some or all vulnerability management functions. Available at Members > Invite a member.
- Delete member: Remove members from the group. Available at Members > Manage members > Delete.
- Update member: Update member permissions and information (role or responsibility). Available at Members > Manage members > Edit.
- View members: View the table of members in the group. Available at Members.
- Invite contributor: Send invitations to contributor developers to register on the platform. Available at Authors.
Notifications
- Receive notifications: Get notifications related to your group.
- Add/edit/remove hook: Add, edit, and remove webhooks, which notify of events happening in groups. Available at Integrations > Webhooks > Edit/Connect.
Portfolio
- Create portfolio: Add tags by which to sort groups within an organization. This is useful to get analytics involving specific groups. Available at Scope > Portfolio > Add.
- Remove portfolio: Delete a group from a specific portfolio. Available at Scope > Portfolio > Remove.
Reports
- Generate certificate: Generate a certificate of security testing with Fluid Attacks. Available at Vulnerabilities > Generate report > Security testing certificate.
- Generate report: Generate vulnerability reports varying in detail for a specific group. Available at Vulnerabilities > Generate report.
Repositories or roots
- Activate/deactivate repository: Deactivate and activate assets to test. Available at Scope > Git Repositories/IP Roots/URL Roots.
- Move repository: Move an asset with all its associated data to another group. Available at Scope > Git Repositories.
- Sync to Git repository: Clone the Git repository again after changes have been made; this way, Fluid Attacks can test the up-to-date version. Available at Scope.
- Add Git repository/IP root: Add Git repositories and IP addresses to the scope of security testing. Available at Scope > Git Repositories/IP Roots > Add new root.
- Edit Git/IP/URL root: Modify URLs and branches. Available at Scope.
- Add URL root/environment: Add URLs or environments to the scope of security testing. Available at Scope.
- Edit IP/URL root: Update root details. Available at Scope.
- Add exclusions: Exclude files or folders from security assessments. Available at Scope.
- Add secrets: Add secrets (usernames, passwords, email addresses, tokens, etc.) that give Fluid Attacks access to repositories to test. Available at Scope.
- View secrets: View secrets associated with a specific root. Available at Scope.
- Delete secrets: Remove unnecessary secrets. Available at Scope.
- Manage environment secrets: Add environment secrets and view, edit or remove environment secrets added by oneself. Available at Scope.
- Edit Git environment: Edit environments associated with source code repositories. Available at Scope.
- Delete Git environment: Delete environments associated with source code repositories. Available at Scope.
- Move Git environment: Move environments associated with source code repositories. Available at Scope.
Vulnerabilities
- Vulnerability assignment: Assign vulnerability remediation responsibilities to team members. Available at Vulnerabilities > [Type] > Locations > Edit.
- False positive request: Request deletion of a vulnerability, as it poses no threat according to the organization. Available at Vulnerabilities > [Type] > Locations > Edit.
- Request reattacks: Request retests by Fluid Attacks' tool to verify the effectiveness of remediation efforts. In the Advanced plan, reattacks may involve both Fluid Attacks' tool and pentesters.
- Approve treatment: Accept and reject requests to change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Treatment acceptance.
- Update treatment: Change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.
- Add/remove tag: Add and remove tags for vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.
- Comments: In the Advanced plan, communicate questions, requests, and suggestions regarding a specific vulnerability or event. In the Essential plan, view comments about reattack outcomes. Available at Vulnerabilities/Events > Comments.
Organization-level permissions
Analytics
- Download org analytics: Download the charts and figures of the Analytics sections. Available at Analytics > Download Analytics and Portfolios > Analytics > Download Analytics.
- Vulnerability report in Analytics: Download a CSV file of details of all the vulnerabilities reported to the organization. Available at Analytics > Vulnerabilities.
Compliance
Compliance report: Download a report of compliance with several international standards. Available at Compliance > Standards > Generate report.
Credentials
- Add credentials: Add credentials so Fluid Attacks has access to assets for testing. Available at Credentials > Add credential.
- Delete credentials: Remove credentials, resulting in Fluid Attacks losing access to them. Available at Credentials > Remove.
- Update credentials: Update credentials to maintain Fluid Attacks' access to assets. Available at Credentials > Edit.
- OAuth connection: Authorize Fluid Attacks to import source code repositories from GitLab, GitHub, Bitbucket, and Azure accounts via Open Authorization, which eliminates the need to provide the credentials for these accounts. Available at Credentials > Add credential.
Members
- Add members: Add members with access to the organization's Analytics and Policies sections. Available at Members > Invite a member.
- View member: View members in the organization. Available at Members.
- Update member: Update roles of members. Available at Members > Edit.
- Delete member: Delete members at the organization level. Available at Members > Remove.
Policies
- Update organization/group policies: Manage policies at the organization and group levels. Available at Policies.
- Submit vulnerability for temporary acceptance in Policies: Submit requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
- Submit vulnerability for permanent acceptance in Policies: Submit requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.
- Approve and reject vulnerability for temporary acceptance in Policies: Approve and reject requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
- Approve and reject vulnerability for permanent acceptance in Policies: Approve and reject requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.
Project
- Add repositories in Outside: Add repositories identified through OAuth access that are not yet part of any group. Available at Outside > Add new roots.
- Add group: Create groups dedicated to managing the vulnerabilities of systems separately. Available at Groups > New group.
- Add organization: Create another organization on the platform. Available on the left side of the top menu of the platform.
Roles permissions summary table
The following tables specify the permissions that apply to each role on the platform.
Within groups
| Feature group | Feature | User | Vulnerability Manager | Group Manager |
| Agent | Generate/update agent token | ✅ | ✅ | ✅ |
| Agent | View agent token | ✅ | ✅ | ✅ |
| Agent | View agent token expiration date | ✅ | ✅ | ✅ |
| Agent | View agent executions | ✅ | ✅ | ✅ |
| Design Map | Add/remove threat model files | ✅ | ✅ | ✅ |
| Events | Request verification on events | ✅ | ✅ | ✅ |
| Events | Export file in Events | ✅ | ✅ | ✅ |
| Files | Add file | ✅ | ✅ | ✅ |
| Files | Download file | ✅ | ✅ | ✅ |
| Files | Delete file | ✅ | ✅ | ✅ |
| Group | Delete group | ❌ | ❌ | ✅ |
| Group | Update group information | ❌ | ❌ | ✅ |
| Group | Unsubscribe from the group | ✅ | ✅ | ✅ |
| Group | Use help options (Talk to a Pentester, chat, email) | ✅ | ✅ | ✅ |
| Members | Add/update/delete members | ❌ | ❌ | ✅ |
| Members | View members | ❌ | ✅ | ✅ |
| Members | Invite contributors | ❌ | ❌ | ✅ |
| Notifications | Receive notifications | ✅ | ✅ | ✅ |
| Notifications | Add/edit/remove hook | ❌ | ❌ | ✅ |
| Portfolio | Create portfolio | ✅ | ✅ | ✅ |
| Portfolio | Remove portfolio | ✅ | ✅ | ✅ |
| Reports | Generate certificate | ❌ | ❌ | ✅ |
| Reports | Generate report | ❌ | ✅ | ✅ |
| Repositories or roots | Activate/deactivate repository/root | ❌ | ❌ | ✅ |
| Repositories or roots | Move repository/root | ❌ | ❌ | ✅ |
| Repositories or roots | Sync to Git repository | ✅ | ✅ | ✅ |
| Repositories or roots | Add Git repository | ✅ | ✅ | ✅ |
| Repositories or roots | Edit Git repository | ❌ | ❌ | ✅ |
| Repositories or roots | Add/edit IP root | ✅ | ✅ | ✅ |
| Repositories or roots | Add/edit URL root | ✅ | ✅ | ✅ |
| Repositories or roots | Add exclusions | ❌ | ❌ | ✅ |
| Repositories or roots | Add/view/delete root secrets | ✅ | ✅ | ✅ |
| Repositories or roots | Add/view Git environment | ✅ | ✅ | ✅ |
| Repositories or roots | Edit Git environment | ✅ | ✅ | ✅ |
| Repositories or roots | Delete Git environment | ❌ | ❌ | ✅ |
| Repositories or roots | Move Git environment | ❌ | ❌ | ✅ |
| Repositories or roots | Manage environment secrets | ✅ | ✅ | ✅ |
| Vulnerabilities | Vulnerability assignment | ❌ | ✅ | ✅ |
| Vulnerabilities | False positive request | ✅ | ✅ | ✅ |
| Vulnerabilities | Request reattack | ✅ | ✅ | ✅ |
| Vulnerabilities | Approve treatment | ❌ | ✅ | ✅ |
| Vulnerabilities | Update treatment | ✅ | ✅ | ✅ |
| Vulnerabilities | Add/remove tag | ✅ | ✅ | ✅ |
| Vulnerabilities | Comments section | ✅ | ✅ | ✅ |
At the organization level
| Feature group | Feature | User | Organization Manager |
| Analytics | Download organization analytics | ✅ | ✅ |
| Analytics | Vulnerability report in Analytics | ❌ | ✅ |
| Compliance | Compliance report | ✅ | ✅ |
| Credentials | View credentials | ✅ | ✅ |
| Credentials | Add/update/delete credentials | ❌ | ✅ |
| Credentials | OAuth connection | ❌ | ✅ |
| Members | Add/view/update/delete members | ❌ | ✅ |
| Policies | Update org/group policies | ❌ | ✅ |
| Policies | Submit vuln for temporary acceptance in Policies | ✅ | ✅ |
| Policies | Submit vuln for permanent acceptance in Policies | ✅ | ✅ |
| Policies | Approve and reject vuln for temporary acceptance in Policies | ❌ | ✅ |
| Policies | Approve and reject vuln for permanent acceptance in Policies | ❌ | ✅ |
| Project | Add repositories in Outside | ❌ | ✅ |
| Project | Add group | ❌ | ✅ |
| Project | Add organization | ✅ | ✅ |
Fluid Attacks staff roles
There are roles on the platform available only for Fluid Attacks staff to ensure they access only the information and functions pertinent to their assignments.
Pentester
Pentesters are the security analysts who identify, exploit, and report vulnerabilities in organizations' systems.
Reattacker
Reattackers are members that verify the effectiveness of fixes implemented by organizations.
Customer Manager
Members assigned the Customer Manager role are automatically granted the Customer Manager role within all groups belonging to the organization.
Customer Managers provide support to organizations' tasks, such as adding assets, deleting groups, requesting the deletion of vulnerabilities, and managing members.
Resourcer
Resourcers help maintain the assets provided by organizations, such as environment credentials and mailmap authors, up-to-date.
Reviewer
Reviewers mainly evaluate drafts for approval or disapproval and analyze vulnerability deletion requests.
Architect
Architects ensure that secure code review and penetration testing as a service deliverables are of high quality. Among their functions are deleting false positives or errors, including or deleting evidence, and providing help to the organizations over the help channels.
Closer
Closers are responsible for verifying whether a reattack to a vulnerability has been requested and setting the vulnerability status to "Safe" after a positive reattack outcome.
Admin
The Admin is the member who has the most privileges, lacking only the permission to change treatments.
Fluid Attacks staff roles summary table
The following table specifies the permissions that apply to each Fluid Attacks staff role on the platform.
| Feature | Pentester | Reattacker | Resourcer | Reviewer | Architect | Customer Manager | Admin |
| Add draft | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Add event | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Add root | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Approve draft | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ |
| Change treatment | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Confirm/reject false positive | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ |
| Deactivate/activate root | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Delete group | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Edit root | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Edit environment | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ |
| Generate a report | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Manage evidence | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Remove vulnerability | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Request reattack | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| False positive request | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Solve event | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Verify reattack | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Manage mailmap | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ |
| Upgrade/Downgrade group services | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Members
Efficiently manage organization and group members on the Fluid Attacks platform, including invitations, role assignments, and removals.
Group-level authors
Learn how to view, filter, and manage authors (contributing developers) on the Fluid Attacks platform to enhance collaboration quality and security.