Summary and recommendation
Checkmarx user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Checkmarx One manages users through its portal at https://ast.checkmarx.net under Settings → User Management. There is no native SCIM provisioning, so the automated lifecycle management you rely on for other apps in your stack will need a workaround here: either SAML JIT provisioning or manual invite flows.
SSO configuration is a prerequisite for IdP-based federation, and only users with the Admin role can invite or modify other users.
Quick facts
| Item | Detail |
|---|---|
| Admin console path | Checkmarx One portal → Settings → User Management |
| Admin console URL | https://ast.checkmarx.net |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Full platform access: manage users, roles, groups, projects, scans, integrations, and tenant settings. | | All plans | Counts as a named user seat | Only users with the Admin role can invite new users or modify role assignments. |
| AST Admin | Manage application security testing configurations, projects, and scan results across the tenant. | Cannot manage tenant-level identity/SSO settings; that requires the Admin role. | All plans | Counts as a named user seat | |
| Scan Manager | Create and manage scans, view results, manage projects assigned to them. | Cannot manage users or tenant-level settings. | All plans | Counts as a named user seat | |
| Reviewer | View scan results and reports; can triage and comment on findings. | Cannot initiate scans or modify project configurations. | All plans | Counts as a named user seat | Read-only access to results; cannot remediate or re-scan. |
| Developer | View scan results for assigned projects; access IDE plugins and API tokens. | Cannot manage users, projects, or tenant settings. | All plans | Counts as a named user seat | Access is scoped to projects explicitly assigned to the user or their group. |
Permission model
- Model type: role-based
- Description: Checkmarx One uses predefined roles assigned at the tenant level. Access to projects and scan results can be further scoped via groups. Custom roles are not supported in the standard UI; permissions are tied to the predefined role set.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level (tenant-wide) with project/group-level scoping for result visibility.
How to add users
- Log in to the Checkmarx One portal (https://ast.checkmarx.net) as an Admin.
- Navigate to Settings → User Management.
- Click 'Invite User'.
- Enter the user's email address.
- Select one or more roles to assign.
- Optionally assign the user to one or more groups.
- Click 'Send Invitation'. The user receives an email to set up their account.
Required fields: Email address, Role assignment
Watch out for:
- Users must accept the email invitation before they can log in; pending invitations occupy a seat.
- If SSO is enforced, users must authenticate via the configured IdP; local password login may be disabled.
- Group assignment is optional at invite time but required for project-scoped access control.
- There is no documented self-service user registration; all users must be invited by an Admin.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (requires SSO configuration; SCIM is not natively supported - provisioning relies on SAML/OIDC JIT or manual invite) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Checkmarx One allows admins to delete users from the tenant via Settings → User Management. Deletion removes the user's access immediately. There is also a deactivation/disable option that revokes access without removing the account record.
- Log in to the Checkmarx One portal as an Admin.
- Navigate to Settings → User Management.
- Locate the user in the list.
- Select the user and choose 'Disable' to revoke access while retaining the account, or 'Delete' to remove the account entirely.
- Confirm the action.
| Data impact | Behavior |
|---|---|
| Owned records | Scan results, projects, and findings created by the user remain in the platform and are not deleted when the user is removed. |
| Shared content | Shared reports and project configurations remain accessible to other users with appropriate permissions. |
| Integrations | API keys and tokens associated with the deleted user are invalidated upon deletion; any CI/CD pipelines using those tokens will break. |
| License freed | Deleting or disabling a user frees the associated named-user seat, making it available for reassignment. |
Watch out for:
- API tokens tied to a deleted user are immediately invalidated; dependent integrations must be updated before removal.
- If the deleted user was the sole admin, tenant administration access may be lost - ensure at least one other Admin exists.
- Disabling a user (vs. deleting) retains audit trail and account history but still frees the seat.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User Seat | Access to Checkmarx One platform features based on assigned role; includes SAST, SCA, Secrets, IaC, and ASPM modules depending on purchased package. | Custom enterprise pricing; typically bundled into per-application, per-developer, or lines-of-code-based contracts. |
- Where to check usage: Checkmarx One portal → Settings → User Management (shows active and pending users); license consumption details typically reviewed with Checkmarx account team or via tenant usage reports.
- How to identify unused seats: Admins can review the User Management list for users with no recent login activity. There is no built-in 'last login' filter exposed in the standard UI per public documentation; unused seat identification may require exporting user data or contacting Checkmarx support.
- Billing notes: Checkmarx One is priced on custom enterprise contracts based on number of applications, lines of code scanned, or number of developers. Pricing is not publicly listed. Sample enterprise contracts have been reported in the $67K–$70K/year range. On-premises (CxSAST) and cloud (Checkmarx One) are separate SKUs. Seat counts are negotiated at contract time; overages may require contract amendment.
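Because the portal exposes no last-login filter and deletion invalidates a user's API tokens immediately, the practical workflow is to export the user list and run the checks described under "How to remove or deactivate users" and "How to identify unused seats" offline before touching anything. The script below is an added example, not Checkmarx code: the export columns (`email`, `roles`, `status`, `last_login`, `api_tokens`), the sample rows and the HR roster are all constructed assumptions, since the page does not document the export schema. It reports seats consumed (pending invites count), users with stale or missing logins, users absent from the HR roster, and for each removal candidate the two blocking conditions the page warns about: being the sole active Admin, and holding API tokens that dependent integrations still use.

```python
"""Offboarding pre-flight and seat reconciliation over a Checkmarx One user export.

Added example. The CSV layout below is an assumption for illustration; adapt
load_users() to whatever your tenant's export actually contains.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (assumed columns, not the real Checkmarx schema).
SAMPLE_EXPORT = """email,roles,status,last_login,api_tokens
alice@example.com,Admin,active,2024-05-20,2
bob@example.com,Developer;Reviewer,active,2024-01-03,1
carol@example.com,Scan Manager,pending,,0
dave@example.com,Admin,disabled,2024-04-01,0
erin@example.com,Developer,active,2024-05-28,0
"""

# Constructed HR roster: people who should still have access.
HR_ROSTER = {"alice@example.com", "carol@example.com", "erin@example.com"}


def load_users(text):
    """Parse the export into dicts with typed roles, last_login and token count."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = [r for r in row["roles"].split(";") if r]
        row["last_login"] = (date.fromisoformat(row["last_login"])
                             if row["last_login"] else None)
        row["api_tokens"] = int(row["api_tokens"])
        users.append(row)
    return users


def seat_report(users, today, stale_days=90):
    """Seats in use plus the two reclaim candidates: pending invites and stale logins.

    Pending invitations occupy a seat, so they count toward seats_in_use.
    """
    consuming = [u for u in users if u["status"] in ("active", "pending")]
    pending = [u["email"] for u in consuming if u["status"] == "pending"]
    cutoff = today - timedelta(days=stale_days)
    stale = [u["email"] for u in consuming
             if u["status"] == "active"
             and (u["last_login"] is None or u["last_login"] < cutoff)]
    return {"seats_in_use": len(consuming), "pending": pending, "stale": stale}


def offboarding_candidates(users, roster):
    """Users still enabled in the tenant but no longer in the HR roster."""
    return [u for u in users
            if u["status"] != "disabled" and u["email"] not in roster]


def preflight(user, users):
    """Blocking issues to resolve before disabling or deleting `user`."""
    issues = []
    other_admins = [u for u in users
                    if u["email"] != user["email"]
                    and "Admin" in u["roles"] and u["status"] == "active"]
    if "Admin" in user["roles"] and not other_admins:
        issues.append("sole active Admin: assign another Admin first")
    if user["api_tokens"] > 0:
        issues.append(f"{user['api_tokens']} API token(s) will be invalidated: "
                      "rotate dependent integrations first")
    return issues


if __name__ == "__main__":
    users = load_users(SAMPLE_EXPORT)
    today = date(2024, 6, 1)  # fixed for reproducibility
    print(seat_report(users, today))
    for u in offboarding_candidates(users, HR_ROSTER):
        print(u["email"], preflight(u, users) or ["ok to disable"])
```

Disabling rather than deleting still frees the seat (see the data-impact table above), so `preflight` applies equally to both actions; the admin check deliberately ignores disabled Admins, because a disabled account cannot rescue a locked-out tenant.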
The cost of manual management
Every app without automated provisioning creates recurring admin overhead, and Checkmarx One is no exception. Admins must individually invite each user, assign roles, and optionally assign groups - with no self-service registration path.
Pending invitations occupy a seat even before the user logs in, and there is no built-in last-login filter in the standard UI, so identifying unused seats requires exporting user data or engaging the Checkmarx account team.
API tokens are tied to individual user accounts, meaning offboarding a user without updating dependent integrations first will break those connections immediately.
What IT admins are saying
Practitioners consistently flag three friction points with Checkmarx One user management: the absence of native SCIM, opaque seat utilization reporting, and SSO migration complexity when moving from legacy CxSAST to Checkmarx One. The API-token-per-user model is a recurring offboarding risk noted in community discussions.
Licensing is custom and requires direct sales engagement, which makes it difficult to forecast seat costs without a contract in hand.
Common complaints:
- No native SCIM provisioning support; user lifecycle management requires manual invite or SAML JIT workarounds.
- Complex SSO configuration, especially when migrating from legacy CxSAST to Checkmarx One.
- Expensive and opaque licensing model; pricing requires direct sales engagement.
- Slow scan times reported for large codebases.
- Limited visibility into seat utilization within the admin UI; no built-in last-login reporting.
- API tokens are tied to individual users, creating fragility when users are offboarded.
- Role granularity is limited to predefined roles; no custom role creation available.
The decision
Checkmarx One is an Enterprise-tier product with custom pricing; there is no self-serve or lower-tier path that unlocks meaningful user management automation. If your team manages a large developer population, the manual invite model and lack of SCIM will create sustained operational load.
Groups provide project-scoped access control, but custom roles are not supported - permissions are tied to five predefined roles (Admin, AST Admin, Scan Manager, Reviewer, Developer). Evaluate whether your IdP can handle JIT provisioning via SAML before committing to a purely manual workflow.
Bottom line
Checkmarx One delivers strong application security testing capabilities but ships with a user management model that requires hands-on admin effort at every stage of the user lifecycle.
Every app in a mature security program eventually needs reliable provisioning and deprovisioning; without SCIM and with no built-in seat utilization reporting, Checkmarx One places that burden squarely on your admin team.
Teams running large developer populations or frequent contractor rotations should plan for the operational cost of manual invite management and proactive API token hygiene before offboarding any user.
Automate Checkmarx workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.