Roles
This page does not apply to organisations with SSO enabled; for those, refer to Roles with SSO enabled.
The system allows organisations to set 2 categories of roles:
- Global roles
- Application roles
Global Roles
Global roles are assigned to a guest organisation and represent that organisation's permissions on every object in the host organisation.
There are 6 global roles assignable to a guest organisation:
| Role name | Role access | Typical use case |
|---|---|---|
| Global Admin | Can access all platform components and can change anything | Platform owners |
| Controls Admin | Can access all organisation controls and can change them | Security team |
| Access Admin | Can access all organisation groups and can change its members | Project leaders, application engineers, project managers |
| Application Admin | Can access all organisation applications and can change them | Application owners, team leaders, tech leaders and solution architects |
| Billing Admin | Can access all organisation details and can change billing related information | Finance users, contract owners |
| Auditor | Can access all platform components but can not change them | Managers, external consultants, auditors and risk analysts |
| User | Can log in to the platform, has no other permissions | Software engineers, Platform engineers, Cloud engineers, DevOps, consultants and analysts |
Each role allows the guest organisation to execute write (change object) or read (read object) actions on all objects belonging to the host organisation.
These permissions are conveyed to the guest organisation via the JWT access token, which is retrieved from our IDP upon successful login.
When the permissions of a guest organisation are changed, the guest organisation must log out and log in again to retrieve a token with the updated permissions.
Role permissions per component
| Component | Global Admin | Controls admin | Access Admin | Application Admin | Billing Admin | Auditor | User |
|---|---|---|---|---|---|---|---|
| Organisation | W | R | R | - | W (partial)* | R | - |
| Org associations | W | - | W | - | - | R | - |
| Org level controls | W | W | - | R | - | R | - |
| Applications | W | W | R | W | - | R | - |
| Groups | W | R | W | R | - | R | - |
Legend:
W = Write permissions
R = Read permissions
- = No permissions
* = Can only modify billing-related information
How are roles represented in the JWT access token
Global roles are added to the JWT access token in claims named `extension_org[n]`, one claim per host organisation.
The format of each claim is as follows:
`"extension_org[n]": "[host org UUID]:[permission_code]"`
The permission_code is a short name representing the global role assigned to the guest organisation by the host organisation.
For example, a token containing the claim
`"extension_org1": "772631da-aa3b-11ec-8ccb-0ba239b17f28:ga"`
states that the guest organisation holds the Global admin role (`ga`) on the host organisation with UUID `772631da-aa3b-11ec-8ccb-0ba239b17f28`.
The complete mapping is below:
| Role complete name | Role short name |
|---|---|
| Global admin | ga |
| Controls admin | con |
| Access admin | acc |
| Application admin | app |
| Auditor | aud |
| User | u |
Application Roles
Application roles are applied to groups associated with applications and used to define what actions the members of the group are allowed to do on that specific application.
If a guest organisation has been assigned both a global role and an application role, only the global role permissions are applied.
There are 3 application roles assignable to a guest organisation:
| Role name | Role access | Typical use case |
|---|---|---|
| Manage | Can read application details, change groups associations, change controls | Application owner |
| Controls | Can read application details, change controls | Developer |
| Read | Can read application details, read controls | Analyst |
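The following is an added example, not the platform's own code, showing how a service consuming the access token can interpret the `extension_org[n]` claims described above and answer authorisation questions from the "Role permissions per component" table, applying the rule that a global role takes precedence over an application role. It assumes the claims dictionary has already been signature-verified by whatever JWT library the service uses; the function names, the second organisation UUID, the sample claims and the mapping of the global "Applications" permission onto application-role actions are constructed for this example. Billing Admin has no short name in the mapping table on this page, so it is left out of the token parser.

```python
"""Added example (not the platform's own code): interpret extension_org[n]
claims and evaluate the permission matrix from this page.

Assumes `claims` is the payload of an already signature-verified JWT.
"""
import re
import uuid
from typing import Dict, FrozenSet, Optional

# Short names from the page's mapping table. Billing Admin has no short name
# on the page, so a token cannot carry it in this format and it is omitted.
ROLE_CODES: Dict[str, str] = {
    "ga": "Global Admin",
    "con": "Controls Admin",
    "acc": "Access Admin",
    "app": "Application Admin",
    "aud": "Auditor",
    "u": "User",
}

COMPONENTS = ("Organisation", "Org associations", "Org level controls",
              "Applications", "Groups")

# "Role permissions per component" table: W = write, R = read, None = none.
GLOBAL_MATRIX: Dict[str, Dict[str, Optional[str]]] = {
    "Global Admin":      dict(zip(COMPONENTS, ("W", "W", "W", "W", "W"))),
    "Controls Admin":    dict(zip(COMPONENTS, ("R", None, "W", "W", "R"))),
    "Access Admin":      dict(zip(COMPONENTS, ("R", "W", None, "R", "W"))),
    "Application Admin": dict(zip(COMPONENTS, (None, None, "R", "W", "R"))),
    "Auditor":           dict(zip(COMPONENTS, ("R", "R", "R", "R", "R"))),
    "User":              dict(zip(COMPONENTS, (None, None, None, None, None))),
}

# Application roles, exactly as the page lists their actions.
APP_ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "Manage":   frozenset({"read details", "change groups", "change controls"}),
    "Controls": frozenset({"read details", "change controls"}),
    "Read":     frozenset({"read details", "read controls"}),
}
ALL_APP_ACTIONS: FrozenSet[str] = frozenset().union(*APP_ROLE_ACTIONS.values())

_CLAIM_KEY = re.compile(r"extension_org\d+")


def parse_org_claims(claims: Dict[str, str]) -> Dict[str, str]:
    """Return {host org UUID: global role name} from the extension_org[n] claims.

    Fails closed: a malformed value, an unknown short name or two claims for the
    same host organisation raise instead of being silently ignored.
    """
    roles: Dict[str, str] = {}
    for key, value in claims.items():
        if not _CLAIM_KEY.fullmatch(key):
            continue
        host, sep, code = value.rpartition(":")
        if not sep:
            raise ValueError(f"{key}: expected '<host org UUID>:<permission_code>'")
        try:
            host_id = str(uuid.UUID(host))  # normalises case, rejects junk
        except ValueError as exc:
            raise ValueError(f"{key}: bad host org UUID {host!r}") from exc
        if code not in ROLE_CODES:
            raise ValueError(f"{key}: unknown permission_code {code!r}")
        if host_id in roles:
            raise ValueError(f"{key}: duplicate claim for host org {host_id}")
        roles[host_id] = ROLE_CODES[code]
    return roles


def allows(level: Optional[str], action: str) -> bool:
    """Does a matrix cell permit the action? Assumes W also covers reading
    (the page defines W as 'change object' and R as 'read object')."""
    if action == "write":
        return level == "W"
    if action == "read":
        return level in ("R", "W")
    raise ValueError(f"unknown action {action!r}")


def can(claims: Dict[str, str], host_org: str, component: str, action: str) -> bool:
    """Authorisation decision for a guest organisation's token on one host org.
    No claim for that host org means no access."""
    role = parse_org_claims(claims).get(str(uuid.UUID(host_org)))
    if role is None:
        return False
    return allows(GLOBAL_MATRIX[role][component], action)


def application_actions(global_role: Optional[str], app_role: Optional[str]) -> FrozenSet[str]:
    """Actions a group member may take on one application. Per the page, when a
    guest organisation holds both a global role and an application role only the
    global role applies; the mapping of the global 'Applications' level onto the
    application-role actions is an assumption of this example."""
    if global_role is not None:
        level = GLOBAL_MATRIX[global_role]["Applications"]
        if level == "W":
            return ALL_APP_ACTIONS
        if level == "R":
            return frozenset({"read details", "read controls"})
        return frozenset()
    if app_role is None:
        return frozenset()
    return APP_ROLE_ACTIONS[app_role]


HOST_ORG = "772631da-aa3b-11ec-8ccb-0ba239b17f28"   # UUID from the page's example
OTHER_ORG = "00000000-0000-4000-8000-000000000002"  # constructed placeholder
SAMPLE_CLAIMS = {  # constructed payload, as seen after signature verification
    "sub": "guest-org-user",
    "extension_org1": f"{HOST_ORG}:ga",
    "extension_org2": f"{OTHER_ORG}:aud",
}

if __name__ == "__main__":
    for org in (HOST_ORG, OTHER_ORG):
        print(org, parse_org_claims(SAMPLE_CLAIMS)[org],
              "write Groups:", can(SAMPLE_CLAIMS, org, "Groups", "write"))
```

The parser deliberately rejects anything it does not recognise rather than defaulting to a role: an unknown short name or a malformed claim should surface as an error in the consuming service, not quietly grant or drop access. Because a token only reflects the permissions at login time, a decision made from it after an administrator changes the guest organisation's role is stale until the guest logs in again, as the page notes.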