Welcome
Administration
Define users, applications, policies, and configure DevOps integrations.
Users
User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
Functional users
A functional user is a non-human service account designed to facilitate automated tasks and system-to-system integrations. Unlike standard users, functional users are not tied to a specific individual or email address, ensuring that automated workflows remain uninterrupted even when team members change or leave the organization.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
- Users
  User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
  - Manage users
    Examine your users and decide who needs access to which applications and asset groups. Consider grouping users by business unit or geography.
  - Functional users
    A functional user is a non-human service account designed to facilitate automated tasks and system-to-system integrations. Unlike standard users, functional users are not tied to a specific individual or email address, ensuring that automated workflows remain uninterrupted even when team members change or leave the organization.
  - Roles
    A user's permission is determined by their role. There are five pre-defined roles: Administrator, Manager, Application Manager, Tester, and Reporting Viewer that cannot be modified or deleted. An administrator assigns users to asset groups. Administrators have the ability to change the default user role to any role (except Administrator), including a custom role. Users who have the permission to manage and invite other users cannot assign them a role that is higher than their own role. For example, a Manager cannot invite a user and assign them an Administrator role. Additionally, a user cannot invite someone to a role that has privileges that the inviting user does not have.
  - Asset groups
    Asset groups represent abstract components of your organization, like "Finance" or "Engineering." Administrators can restrict access to specific applications by assigning them to an asset group and limiting the users who belong in the group.
- Applications
  An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to asses risk, identify trends, and make sure that your project is compliant with industry and organization policies.
- DevOps
  Tools for incorporating ASoC in your software development lifecycle.
- Personal scans
  A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
- Scan status
- Audit trail
  The audit trail (Organization > Audit trail) logs user activity.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Functional users

A functional user is a non-human service account designed to facilitate automated tasks and system-to-system integrations. Unlike standard users, functional users are not tied to a specific individual or email address, ensuring that automated workflows remain uninterrupted even when team members change or leave the organization.

Creating functional users

For security, only an Administrator can create functional users, and only via the API.

Use the /api/v4/User/CreateFunctionalUser API endpoint to create a functional user. At minimum, include the following parameters:

firstName: A descriptive account name (for example, "Jira_Automation_Service").
role: The permission set to assign to the user.

Tip:

An active email address is optional, but you can assign one if needed.
If the user is not an Administrator, associate the user with asset groups. You can add this later, but it is essential for the user to perform tasks in application-related contexts.

After a successful POST request, the response includes the API key.

Important: The API key is shown only once. Copy and store it in a secure location (such as a secrets manager) immediately. It will not be visible in the UI or accessible via subsequent API calls.

Managing functional users in the UI

After you create them via the API, functional users appear in the User Management table alongside all other users and are treated as standard users. For available actions, see the User management page.

API key rotation

You can rotate API keys when needed.

Process: Perform key rotation through the API.
Immediate expiration: When you generate a new API key, the previous key expires immediately. Update your automation scripts and integrations right away to prevent downtime.
One-time view: As with initial creation, the new key is returned only once in the API response and must be saved locally.