Roles with SSO enabled
Roles
This page applies only to SSO-enabled organisations; for organisations without SSO, please refer to Roles.
The system allows organisations to set two categories of roles:
- Global roles
- Application roles
Global Roles
Global roles are assigned to users and represent the permissions those users have on every object in the organisation.
There are 6 global roles assignable to a user:
| Role name | Role access | Typical use case |
|---|---|---|
| Global Admin | Can access all platform components and can change anything | Platform owners |
| Controls Admin | Can access all organisation controls and can change them | Security team |
| Access Admin | Can access all organisation groups and can change its members | Project leaders, application engineers, project managers |
| Application Admin | Can access all organisation applications and can change them | Application owners, team leaders, tech leaders and solution architects |
| Billing Admin | Can access all organisation details and can change billing related information | Finance users, contract owners |
| Auditor | Can access all platform components but can not change them | Managers, external consultants, auditors and risk analysts |
| User | Can log in to the platform, has no other permissions | Software engineers, Platform engineers, Cloud engineers, DevOps, consultants and analysts |
Each role grants write (change object) or read (read object) access on all objects belonging to the organisation.
These permissions are assigned to the guest organisation via JWT tokens. The token is retrieved upon successful login from our IDP.
When changing permissions for a user, the user must log out and log in again to retrieve the updated permissions.
Role permissions per component
| Component | Global Admin | Controls admin | Access Admin | Application Admin | Billing Admin | Auditor | User |
|---|---|---|---|---|---|---|---|
| Organisation | W | R | R | - | W (partial)* | R | - |
| Org associations | W | - | W | - | - | R | - |
| Org level controls | W | W | - | R | - | R | - |
| Applications | W | W | R | W | - | R | - |
| Groups | W | R | W | R | - | R | - |
Legend:
W = Write permissions
R = Read permissions
- = No permissions
* - Can only modify billing related information
How are roles represented in the JWT access token
Global roles are added to the JWT token element named ssoOrg.
The format is as follows:
```
"ssoOrg": "[org UUID]:[permission_code]"
```
The permission_code is a short name representing the global role assigned to the guest organisation by the host organisation.
For example, a token containing the following:
```
"ssoOrg": "772631da-aa3b-11ec-8ccb-0ba239b17f28:ga"
```
refers to the organisation 772631da-aa3b-11ec-8ccb-0ba239b17f28 and carries the permission code ga, i.e. the Global admin role.
The complete mapping is below:
| Role complete name | Role short Name |
|---|---|
| Global admin | ga |
| Controls admin | con |
| Access admin | acc |
| Application admin | app |
| Auditor | aud |
| Billing admin | ba |
| User | u |
Assign a global role with SAML
In order to assign a global role to a user, the role must be passed as a claim in the SAML assertion (please follow your IDP documentation to understand how).
The name of the claim must be role and the value can be one of the following:
- Global_Admin
- Controls_Admin
- Access_Admin
- Application_Admin
- Billing_Admin
- Auditor
- User
For example, to provide a user the Controls Admin role, the SAML claim should look like this:
```
"role": "Controls_Admin"
```
Our system will read the value sent in the claims and dynamically set the role in the access token.
If the role claim is not passed via the SAML assertion, the system will default to the User role.
Change a global role with SAML
To change a role already assigned to a user, change the value of the SAML claim role to the new role you wish to assign.
For example, if the user is currently Controls Admin and you want to change its role to Application_Admin, change the claim value as follows:
From:
```
"role": "Controls_Admin"
```
To:
```
"role": "Application_Admin"
```
In order for the permissions to be updated, the user must log out and log in again.
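The two claim formats described above (the SAML role claim that an IDP sends, and the ssoOrg claim that ends up in the access token) are easy to get subtly wrong when integrating an IDP, so here is an added example, written for this page and not the platform's own code, that maps a SAML role claim to its permission code (defaulting to User when the claim is absent and rejecting unknown values), builds and parses an ssoOrg claim, and answers a read/write question from the per-component permission table above. The claim payloads and the function names are constructed for the example; the organisation UUID is the one from the page.

```python
"""Added example (not the platform's own code): resolve a SAML ``role`` claim
to the permission code used in the ``ssoOrg`` JWT claim, build and parse that
claim, and check a user's access to a component from the page's permission
table. The claim payloads below are constructed sample data."""
import uuid

# SAML claim values -> permission codes, from the page's mapping tables.
SAML_ROLE_TO_CODE = {
    "Global_Admin": "ga",
    "Controls_Admin": "con",
    "Access_Admin": "acc",
    "Application_Admin": "app",
    "Billing_Admin": "ba",
    "Auditor": "aud",
    "User": "u",
}
DEFAULT_CODE = SAML_ROLE_TO_CODE["User"]  # no role claim -> User role

# Role permissions per component, transcribed from the page's table.
# "ba" on Organisation is W only for billing-related fields; that restriction
# is not modelled here (assumption: treated as plain W for this example).
PERMISSIONS = {
    "Organisation":       {"ga": "W", "con": "R", "acc": "R", "app": "-", "ba": "W", "aud": "R", "u": "-"},
    "Org associations":   {"ga": "W", "con": "-", "acc": "W", "app": "-", "ba": "-", "aud": "R", "u": "-"},
    "Org level controls": {"ga": "W", "con": "W", "acc": "-", "app": "R", "ba": "-", "aud": "R", "u": "-"},
    "Applications":       {"ga": "W", "con": "W", "acc": "R", "app": "W", "ba": "-", "aud": "R", "u": "-"},
    "Groups":             {"ga": "W", "con": "R", "acc": "W", "app": "R", "ba": "-", "aud": "R", "u": "-"},
}


def code_from_saml_claims(claims: dict) -> str:
    """Map the SAML 'role' claim to a permission code.

    A missing claim defaults to User, as the page states. An unrecognised
    value is rejected instead of being silently downgraded, so a misspelt
    claim in the IDP configuration surfaces as an error rather than as a
    user with unexpected permissions.
    """
    value = claims.get("role")
    if value is None:
        return DEFAULT_CODE
    try:
        return SAML_ROLE_TO_CODE[value]
    except KeyError:
        raise ValueError(f"unknown role claim value: {value!r}") from None


def build_sso_org(org_id: str, code: str) -> str:
    """Serialise the ssoOrg claim as '<org UUID>:<permission_code>'."""
    uuid.UUID(org_id)  # raises ValueError if org_id is not a UUID
    if code not in SAML_ROLE_TO_CODE.values():
        raise ValueError(f"unknown permission code: {code!r}")
    return f"{org_id}:{code}"


def parse_sso_org(value: str) -> tuple:
    """Split an ssoOrg claim into (org UUID, permission code), validating both."""
    org_id, sep, code = value.rpartition(":")
    if not sep:
        raise ValueError("ssoOrg claim is not of the form '<org UUID>:<code>'")
    uuid.UUID(org_id)  # reject malformed organisation ids
    if code not in SAML_ROLE_TO_CODE.values():
        raise ValueError(f"unknown permission code in ssoOrg claim: {code!r}")
    return org_id, code


def can(jwt_payload: dict, org_id: str, component: str, action: str) -> bool:
    """Decide read/write access to a component for the organisation in scope.

    The claim is only honoured for the organisation it names: a token issued
    for one organisation grants nothing in another. Write permission implies
    read, matching the W/R legend of the table.
    """
    token_org, code = parse_sso_org(jwt_payload["ssoOrg"])
    if token_org.lower() != org_id.lower():
        return False
    level = PERMISSIONS[component][code]
    if action == "write":
        return level == "W"
    if action == "read":
        return level in ("W", "R")
    raise ValueError(f"unknown action: {action!r}")


if __name__ == "__main__":
    org = "772631da-aa3b-11ec-8ccb-0ba239b17f28"  # org UUID from the page's example
    # Constructed sample: a SAML assertion carrying Controls_Admin, the
    # resulting token claim, and a few access checks against the table.
    code = code_from_saml_claims({"role": "Controls_Admin"})
    token = {"ssoOrg": build_sso_org(org, code)}
    print(token["ssoOrg"])                                   # 772631da-...:con
    print(can(token, org, "Org level controls", "write"))   # True
    print(can(token, org, "Organisation", "write"))         # False
    print(can(token, org, "Organisation", "read"))          # True
```

The organisation check in `can` is the part worth keeping in mind when consuming these tokens: because the role code is bound to an org UUID inside the same claim, a consumer should compare that UUID against the organisation being accessed rather than trusting the code on its own.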
Application Roles
Application roles are applied to groups associated with applications and used to define what actions the members of the group are allowed to do on that specific application.
If a user has been assigned both a global role and an application role, only the global role permissions apply.
There are 3 application roles assignable to a user:
| Role name | Role access | Typical use case |
|---|---|---|
| Manage | Can read application details, change groups associations, change controls | Application owner |
| Controls | Can read application details, change controls | Developer |
| Read | Can read application details, read controls | Analyst |
Assign an application role
Please refer to Applications