Team and roles - RBAC
  • 08 Mar 2024
  • 4 Minutes to read

RBAC stands for Role-Based Access Control, a method of regulating access to computer systems or network resources based on the roles of individual users within an enterprise. RBAC defines and enforces access policies that specify which users are authorized to perform which actions, such as accessing or modifying data, executing specific applications, or managing system configurations.

You can add your team members to Traceable's SaaS platform. When you add a team member to Traceable, you assign them one or more of the following roles. Assigning the correct role to each user supports separation of duties. Traceable also provides role-based access control per environment, so the same user can hold different roles in different environments, giving you granular control over their access.

  • Account owner — An account owner manages the Traceable account, including managing users, assigning privileges, licensing, and so on. There can be more than one account owner.
  • Security admin — A security admin is typically a person who configures the security policies, investigates the attack information, monitors security events, and so on.
  • Security analyst — A security analyst is typically a person who looks for security events and threats in the applications. They are typically part of the Security Operations Center (SOC) teams or part of product security teams and need to be aware of any security events as soon as they occur. Security analysts can, for example, work with events and vulnerabilities, configure notifications, and so on.
  • Developer — A person who wants to view the risks associated with the APIs that they have developed.
  • Global Reader — A person who is responsible for understanding API risk and posture, threat activity, and incidents from runtime protection, and who understands how application security testing maps to the vulnerabilities found in pre-production. Global Reader is a read-only role that allows users to view and access the product while minimizing inadvertent actions. They can then prioritize the vulnerabilities that need to be addressed based on overall exposure. Executives who are only interested in viewing the product and not in operational tasks can also use this role.

The account owner role is the highest in the hierarchy of roles and has complete control over all other users and their actions. The developer role has the least privileges. You can add a user with the same role as yours or a lower privilege role. For example, an account owner can add, edit, or delete another account owner, security admin, and developer. A security admin can add, edit, or delete another security admin or a developer. The developer has a read-only privilege. The account owner and security admin can edit all configurations, such as creating rules, notifications, etc. For more information, see Roles and privileges. 

Environment-based RBAC

Navigate to Administration -> Team to add a new user to your account. Click on Invite User and assign a role to the user. Complete the following steps:

  1. Click on Invite User in the Users tab.
  2. Add the email of the user that you wish to invite. 
  3. Assign the role and scope to the user. Note the following points regarding role and scope:
    • Account Owner and Security Admin — The account owner and security admin roles are available across all environments. This means that you cannot currently assign these two roles to a specific environment.
    • Security Analyst and Developer — You can assign these two roles to a specific environment. For example, John can be a security analyst in environments 1 and 2 and a developer across all environments.

As an Account Owner or Security Admin, you can also change the roles of existing users. Click on the three dots, as shown in the screenshot below. Click on Edit to change role assignments or to apply specific roles in specific environments. This is helpful as the number of deployments increases, because you can restrict users to specific environments. For instance, Jane may be a security analyst for a production environment behind a Kong Gateway while having no access to another production environment behind an F5 load balancer, as that is outside her purview.
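The following Python is an added illustration, not Traceable's own code: it models the environment-scoped role assignments described above (John as security analyst in two environments and developer everywhere) together with the rule that a user may only add, edit or delete users of the same or lower privilege. The user e-mail, environment names and the placement of Global Reader at the lowest rank are assumptions; the privilege rows are copied from the table in the Roles and privileges section.

```python
from dataclasses import dataclass, field
from typing import List, Optional, FrozenSet

# Role hierarchy as the page states it: Account Owner highest, Developer lowest.
# Global Reader is not ranked on the page; placing it at the lowest tier is an assumption.
RANK = {"Account Owner": 4, "Security Admin": 3, "Security Analyst": 2,
        "Developer": 1, "Global Reader": 1}
# Roles the page says apply across all environments and cannot be scoped.
GLOBAL_ONLY = {"Account Owner", "Security Admin"}
# A slice of the page's privilege matrix: feature -> roles allowed to access it.
PRIVILEGES = {
    "API Endpoints": {"Account Owner", "Security Admin", "Security Analyst",
                      "Developer", "Global Reader"},
    "Events": {"Account Owner", "Security Admin", "Security Analyst", "Global Reader"},
    "Settings > Detection Policy": {"Account Owner", "Security Admin"},
}

@dataclass
class Assignment:
    role: str
    environments: Optional[FrozenSet[str]]  # None means every environment

@dataclass
class User:
    email: str
    assignments: List[Assignment] = field(default_factory=list)

def assign(user: User, role: str, environments=None) -> None:
    """Attach a role to a user; environment scoping is refused for global-only roles."""
    if role in GLOBAL_ONLY and environments is not None:
        raise ValueError(f"{role} is tenant-wide and cannot be scoped to environments")
    scope = None if environments is None else frozenset(environments)
    user.assignments.append(Assignment(role, scope))

def roles_in(user: User, env: str) -> set:
    """Roles the user holds within one environment (global assignments always count)."""
    return {a.role for a in user.assignments
            if a.environments is None or env in a.environments}

def is_permitted(user: User, feature: str, env: str) -> bool:
    """Grant if any role effective in `env` is allowed the feature in the matrix."""
    return bool(roles_in(user, env) & PRIVILEGES.get(feature, set()))

def can_manage(actor_role: str, target_role: str) -> bool:
    """Page rule: a user may add, edit or delete users of the same or lower privilege."""
    return RANK[actor_role] >= RANK[target_role]

# Constructed user mirroring the page's John: analyst in env-1 and env-2, developer everywhere.
john = User("john@example.com")
assign(john, "Security Analyst", ["env-1", "env-2"])
assign(john, "Developer")
```

Because an assignment is evaluated per environment, John can open Events in env-1 but not in env-3, where only his developer role applies.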

Roles and privileges

The following table provides high-level information about privileges related to each role that Traceable supports.

| Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
|---|---|---|---|---|---|---|
| API Catalog | API Activity | Yes | Yes | Yes | Yes | Yes |
| API Catalog | API Endpoints | Yes | Yes | Yes | Yes | Yes |
| API Catalog | Application Flow | Yes | Yes | Yes | Yes | Yes |
| API Catalog | Domains | Yes | Yes | Yes | Yes | Yes |
| API Catalog | Services | Yes | Yes | Yes | Yes | Yes |
| API Catalog | Backends | Yes | Yes | Yes | Yes | Yes |
| API Catalog | API Risk > Security Posture | Yes | Yes | Yes | Yes | Yes |
| API Catalog | API Risk > Vulnerabilities | Yes | Yes | Yes | Yes | Yes |
| API Catalog | API Risk > Sensitive Data | Yes | Yes | Yes | Yes | Yes |
| API Catalog | API Risk > Conformance Analysis | Yes | Yes | Yes | Yes | Yes |
| API Protection | Protection Dashboard | Yes | Yes | Yes | No | Yes |
| API Protection | Threat Actors | Yes | Yes | Yes | No | Yes |
| API Protection | APIs under Threats | Yes | Yes | Yes | No | Yes |
| API Protection | Threat Activity | Yes | Yes | Yes | No | Yes |
| API Protection | Events | Yes | Yes | Yes | No | Yes |
| API Protection | User Behavior | Yes | Yes | Yes | No | Yes |
| API Protection | Data Exfiltration | Yes | Yes | Yes | No | Yes |
| API Protection | Settings > Detection Policy | Yes | Yes | No | No | No |
| API Protection | Settings > Threat Scoring | Yes | Yes | No | No | No |
| API Protection | Settings > Custom Policy | Yes | Yes | No | No | No |
| API Protection | Settings > API Overuse | Yes | Yes | No | No | No |
| API Analytics | Traces | Yes | Yes | Yes | Yes | Yes |
| API Security Testing (AST) | Dashboards | Yes | Yes | Yes | Yes | Yes |
| API Security Testing (AST) | Reports | Yes | Yes | Yes | Yes | Yes |
| API Security Testing (AST) | Create Scan Policy | Yes | Yes | Yes | No | No |
| API Security Testing (AST) | Update Scan Policy | Yes | Yes | Yes | No | No |
| API Security Testing (AST) | Delete Scan Policy | Yes | Yes | Yes | No | No |
| API Security Testing (AST) | Delete Scan | Yes | Yes | Yes | No | No |
| API Security Testing (AST) | Get Scan Policy | Yes | Yes | Yes | Yes | Yes |
| API Security Testing (AST) | Update Vulnerability | Yes | Yes | Yes | No | No |
| API Security Testing (AST) | Abort Scan | Yes | Yes | Yes | No | No |
| API Security Testing (AST) | View Scan Results | Yes | Yes | Yes | Yes | Yes |
| Administration | Onboarding / Self service | Yes | Yes | No | No | No |
| Administration | Configuration > Team > Users | Yes | Yes | No | No | No |
| Administration | Configuration > Team > SAML Config | Yes | No | No | No | No |
| Administration | Configuration > Team > Settings | Yes | No | No | No | No |
| Administration | Configuration > Data Collection | Yes | Yes | No | No | No |
| Administration | Configuration > Data Collection > Environment | Yes | Yes | No | No | No |
| Administration | Configuration > Notifications | Yes | Yes | No | No | No |
| Administration | Configuration > Integrations > Jira | Yes | Yes | No | No | No |
| Administration | Configuration > Integrations > External WAF | Yes | Yes | No | No | No |
| Administration | Configuration > Reports | Yes | Yes | No | No | No |
| Administration | API Catalog > API Discovery | Yes | Yes | No | No | No |
| Administration | API Catalog > Data Classification | Yes | Yes | No | No | No |
| Administration | API Catalog > User Attribution | Yes | Yes | No | No | No |
| Administration | API Catalog > Label Management | Yes | Yes | No | No | No |
| Administration | API Catalog > Risk Scoring | Yes | Yes | No | No | No |
| Administration | License | Yes | No | No | No | No |
| Administration | Access Token | Yes | Yes | No | No | No |
| Administration | Action Log | Yes | Yes | No | No | No |
| My Preference | - | Yes | Yes | Yes | Yes | Yes |

Following is a list of actions and the corresponding roles and access:

| Action | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
|---|---|---|---|---|---|
| Apply rate limit | Yes | Yes | Yes | No | No |
| Mark parameters as sensitive or not sensitive | Yes | Yes | No | No | No |
| Change threat actor status | Yes | Yes | Yes | No | No |
| Exclude an event | Yes | Yes | Yes | No | No |
| Change vulnerability status | Yes | Yes | Yes | No | No |
| Change data type of a sensitive parameter | Yes | Yes | Yes | No | No |
| Apply or remove tags | Yes | Yes | Yes | No | No |
| Create Jira issue | Yes | Yes | Yes | No | No |
| Create label rule | Yes | Yes | Yes | No | No |
| Submit spec for conformance | Yes | Yes | Yes | No | No |
