Allow-rules

Allow-rules are fine-grained permissions that gate specific actions, going beyond the coarse role a member has. Roles set the broad strokes; allow-rules let you tune access precisely.

A role like Editor grants a baseline of access. Allow-rules sit on top, deciding who can perform particular sensitive actions. When a member doesn’t have the rule needed for an action, the corresponding controls simply don’t appear for them — they won’t see buttons or panels they can’t use.

Owners and admins generally bypass these gates, so they retain access to the controls regardless of individual rules.

Allow-rules cover targeted, higher-impact actions, for example:

  • Managing remediation — triggering, approving, or rejecting fixes in the Remediation Queue.
  • Changing guardrail and auto-merge policy — the rules that decide whether an approved fix is also merged automatically.
  • Managing integrations — connecting or disconnecting version control, Jira, SonarQube, and SSO. See Integrations.
  • Managing test users — the credentials used to authenticate scans.
  • Managing the white-label theme — your organization’s logo and brand colors. See White-label theming.
  • Managing API tokens — credentials for programmatic access.

Rules can be grouped and then assigned, which makes it practical to apply a consistent set of permissions to several members or teams at once instead of configuring each person individually.
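The following Python is an added model of the evaluation described above, not the product's own code: a role gives the baseline, owners and admins bypass the gate, any other member needs the action's allow-rule either directly or through an assigned rule group, and the UI renders only the controls that pass the check. The action identifiers, rule names and group names are assumptions chosen for illustration.

```python
# Hypothetical model of allow-rule evaluation. Identifiers are assumptions
# for illustration, not the product's API or storage format.
from dataclasses import dataclass, field

# Higher-impact actions and the allow-rule each requires (from the page's list).
REQUIRED_RULE = {
    "remediation.trigger": "manage_remediation",
    "remediation.approve": "manage_remediation",
    "remediation.reject": "manage_remediation",
    "policy.edit_guardrails": "manage_policy",
    "integrations.connect": "manage_integrations",
    "integrations.disconnect": "manage_integrations",
    "test_users.edit": "manage_test_users",
    "theme.edit": "manage_theme",
    "api_tokens.manage": "manage_api_tokens",
}

# Rule groups: a named bundle of allow-rules assigned to members as one unit.
RULE_GROUPS = {
    "remediation-leads": {"manage_remediation", "manage_policy"},
    "platform-admins": {"manage_integrations", "manage_test_users", "manage_api_tokens"},
}

# Roles that bypass allow-rule gates entirely.
BYPASS_ROLES = {"owner", "admin"}


@dataclass
class Member:
    name: str
    role: str
    rules: set = field(default_factory=set)   # rules granted directly
    groups: set = field(default_factory=set)  # rule groups assigned


def effective_rules(member: Member) -> set:
    """Rules held directly plus those inherited from every assigned group."""
    inherited = set().union(*(RULE_GROUPS.get(g, set()) for g in member.groups))
    return member.rules | inherited


def can(member: Member, action: str) -> bool:
    """Owners/admins pass; others need the action's rule. Unknown actions fail closed."""
    if member.role in BYPASS_ROLES:
        return True
    rule = REQUIRED_RULE.get(action)
    return rule is not None and rule in effective_rules(member)


def visible_controls(member: Member) -> list:
    """Controls the UI should render: only actions the member may perform."""
    return sorted(action for action in REQUIRED_RULE if can(member, action))
```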