Team and roles - RBAC
- Updated on 13 Jun 2024
RBAC stands for Role-Based Access Control, a method of regulating access to computer systems or network resources based on the roles of individual users within an enterprise. RBAC defines and enforces access policies that specify which users are authorized to perform which actions, such as accessing or modifying data, executing specific applications, or managing system configurations.
You can add your team members to the Traceable platform. When you add a team member to Traceable, you assign them one or more of the following roles. Defining the correct role for each user supports separation of duties. Traceable also provides role-based access control per environment, so the same user can hold different roles in different environments, giving you granular control over their access.
- Account owner — An account owner manages the Traceable account, including managing users, assigning privileges, licensing, etc. There can be more than one account owner.
- Security admin — A security admin is typically someone who configures security policies, investigates attack information, monitors security events, etc.
- Security Analyst — A security analyst typically looks for security events and application threats. They are typically part of the Security operations center (SOC) teams or product security teams and need to be aware of any security events as soon as they occur. Security analysts can, for example, work with events and vulnerabilities, configure notifications, etc.
- Developer — A person who wants to view the risks associated with the APIs that they have developed.
- Global Reader — A person responsible for understanding API risk and posture, threat activity, and incidents from runtime protection, and for understanding how application security testing maps to the vulnerabilities found in pre-production. Global Reader is a read-only role that lets users view and access the product while minimizing inadvertent actions. Users with this role can prioritize the vulnerabilities that need to be addressed based on overall exposure. Executives who only want to view the product without performing operational tasks can also use this role.
The account owner role is the highest in the hierarchy and has complete control over all other users and their actions. The developer role has the least privileges. You can add a user with the same role as yours or a lower-privilege role. For example, an account owner can add, edit, or delete another account owner, a security admin, or a developer. A security admin can add, edit, or delete another security admin or a developer. The developer has read-only privileges. The account owner and security admin can edit all configurations, such as creating rules, notifications, etc. For more information, see Roles and privileges.
Environment-based RBAC
Navigate to Settings -> Team to add a new user to your account. Click Invite User and assign a role to the user. Complete the following steps:
- Click on Invite User in the Users tab.
- Add the email of the user that you wish to invite.
- Assign the role and scope to the user. Note the following points regarding role and scope:
  - Account Owner and Security Admin — The account owner and security admin roles are available across all environments. You cannot currently assign these two roles to a specific environment.
  - Security Analyst and Developer — You can assign these roles to a specific environment. For example, John can be a security analyst in environments 1 and 2 and a developer across all environments.
As an Account Owner or Security Admin, you can also change the roles of existing users. Click the three dots, as shown in the screenshot below, then click Edit to change role assignments or apply specific roles in specific environments. This is helpful as the number of deployments grows, because you can restrict a user's access to specific environments. For instance, Jane may be a security analyst for a production environment behind a Kong Gateway while having no access to another production environment behind an F5 load balancer, as that is outside her purview.
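The two rules above (a role may only be granted at or below the granter's own rank, and Account Owner and Security Admin cannot be scoped to a single environment) combine with per-environment assignments like John's. The following is an added example written for this page, not Traceable's own code: it models those rules and a small excerpt of the privilege table below so you can check what a given user can do in a given environment. Ranking Global Reader level with Developer is an assumption; the page does not place it in the hierarchy.

```python
from enum import Enum

class Role(Enum):
    ACCOUNT_OWNER = "Account Owner"
    SECURITY_ADMIN = "Security Admin"
    SECURITY_ANALYST = "Security Analyst"
    DEVELOPER = "Developer"
    GLOBAL_READER = "Global Reader"

# Hierarchy from the page: Account Owner highest, Developer lowest.
# Placing Global Reader at the Developer rank is an assumption.
RANK = {Role.ACCOUNT_OWNER: 4, Role.SECURITY_ADMIN: 3, Role.SECURITY_ANALYST: 2,
        Role.DEVELOPER: 1, Role.GLOBAL_READER: 1}
ALL_ENVS = "*"                                            # assignment covering every environment
GLOBAL_ONLY = {Role.ACCOUNT_OWNER, Role.SECURITY_ADMIN}  # cannot be scoped to one environment

# Excerpt of the privilege table on this page: feature -> roles that may use it.
PRIVILEGES = {
    "API Catalog > API Endpoints": set(Role),
    "API Protection > Events": {Role.ACCOUNT_OWNER, Role.SECURITY_ADMIN,
                                Role.SECURITY_ANALYST, Role.GLOBAL_READER},
    "AST > Create Scan Policy": {Role.ACCOUNT_OWNER, Role.SECURITY_ADMIN, Role.SECURITY_ANALYST},
    "Settings > Team > Users": {Role.ACCOUNT_OWNER, Role.SECURITY_ADMIN},
    "Settings > Team > SAML Config": {Role.ACCOUNT_OWNER},
}

def roles_in(assignments, env):
    """Roles that apply in `env`: global assignments plus those scoped to that environment."""
    return {role for role, scope in assignments if scope in (ALL_ENVS, env)}

def allowed(assignments, feature, env):
    """True if any role the user holds in `env` grants the feature."""
    return bool(roles_in(assignments, env) & PRIVILEGES[feature])

def valid_assignment(role, env):
    """Account Owner and Security Admin may only be assigned across all environments."""
    return env == ALL_ENVS or role not in GLOBAL_ONLY

def can_assign(actor_assignments, role):
    """Granter needs the Team > Users privilege and may only grant roles at or below its own rank."""
    if not allowed(actor_assignments, "Settings > Team > Users", ALL_ENVS):
        return False
    return max(RANK[r] for r in roles_in(actor_assignments, ALL_ENVS)) >= RANK[role]

# Constructed sample users: John as described on the page, plus a global Security Admin.
JOHN = [(Role.SECURITY_ANALYST, "env1"), (Role.SECURITY_ANALYST, "env2"),
        (Role.DEVELOPER, ALL_ENVS)]
ADMIN = [(Role.SECURITY_ADMIN, ALL_ENVS)]
```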
Roles and privileges
The following table provides high-level information about privileges related to each role that Traceable supports.
Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
---|---|---|---|---|---|---|
API Catalog | API Activity | Yes | Yes | Yes | Yes | Yes |
API Catalog | API Endpoints | Yes | Yes | Yes | Yes | Yes |
API Catalog | Application Flow | Yes | Yes | Yes | Yes | Yes |
API Catalog | Domains | Yes | Yes | Yes | Yes | Yes |
API Catalog | Services | Yes | Yes | Yes | Yes | Yes |
API Catalog | Backends | Yes | Yes | Yes | Yes | Yes |
API Catalog | API Risk > Security Posture | Yes | Yes | Yes | Yes | Yes |
API Catalog | API Risk > Vulnerabilities | Yes | Yes | Yes | Yes | Yes |
API Catalog | API Risk > Sensitive Data | Yes | Yes | Yes | Yes | Yes |
API Catalog | API Risk > Conformance Analysis | Yes | Yes | Yes | Yes | Yes |

Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
---|---|---|---|---|---|---|
API Protection | Protection Dashboard | Yes | Yes | Yes | No | Yes |
API Protection | Threat Actors | Yes | Yes | Yes | No | Yes |
API Protection | APIs under Threats | Yes | Yes | Yes | No | Yes |
API Protection | Threat Activity | Yes | Yes | Yes | No | Yes |
API Protection | Events | Yes | Yes | Yes | No | Yes |
API Protection | User Behavior | Yes | Yes | Yes | No | Yes |
API Protection | Data Exfiltration | Yes | Yes | Yes | No | Yes |
API Protection | Settings > Detection Policy | Yes | Yes | No | No | No |
API Protection | Settings > Threat Scoring | Yes | Yes | No | No | No |
API Protection | Settings > Custom Policy | Yes | Yes | No | No | No |
API Protection | Settings > API Overuse | Yes | Yes | No | No | No |

Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
---|---|---|---|---|---|---|
API Analytics | Traces | Yes | Yes | Yes | Yes | Yes |

Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
---|---|---|---|---|---|---|
API Security Testing (AST) | View Policies | Yes | Yes | Yes | Yes | Yes |
API Security Testing (AST) | Create Scan Policy | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Update Scan Policy | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Delete Scan Policy | Yes | Yes | Yes | No | No |
API Security Testing (AST) | View Suites | Yes | Yes | Yes | Yes | Yes |
API Security Testing (AST) | Create Suites | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Update Suites | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Delete Suites | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Run Quick Scan | Yes | Yes | Yes | No | No |
API Security Testing (AST) | View Reports | Yes | Yes | Yes | Yes | Yes |
API Security Testing (AST) | View Evaluation Criteria | Yes | Yes | Yes | Yes | Yes |
API Security Testing (AST) | Create Evaluation Criteria | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Update Evaluation Criteria | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Delete Evaluation Criteria | Yes | Yes | Yes | No | No |
API Security Testing (AST) | View Authentications | Yes | Yes | Yes | Yes | Yes |
API Security Testing (AST) | Create Authentications | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Update Authentications | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Delete Authentications | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Configure Runners | Yes | Yes | No | No | No |
API Security Testing (AST) | Environment Config | Yes | Yes | No | No | No |
API Security Testing (AST) | Update Vulnerability Types | Yes | Yes | No | No | No |
API Security Testing (AST) | Test Plugins | Yes | Yes | Yes | Yes | No |
API Security Testing (AST) | Update Vulnerability Status | Yes | Yes | Yes | No | No |
API Security Testing (AST) | View Scans | Yes | Yes | Yes | Yes | Yes |
API Security Testing (AST) | Abort Scans | Yes | Yes | Yes | No | No |
API Security Testing (AST) | Delete Scans | Yes | Yes | Yes | No | No |

Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
---|---|---|---|---|---|---|
Settings | Onboarding | Yes | Yes | No | No | No |
Settings | Configuration > Team > Users | Yes | Yes | No | No | No |
Settings | Configuration > Team > SAML Config | Yes | No | No | No | No |
Settings | Configuration > Team > Settings | Yes | No | No | No | No |
Settings | Configuration > Data Collection | Yes | Yes | No | No | No |
Settings | Configuration > Data Collection > Environment | Yes | Yes | No | No | No |
Settings | Configuration > Notifications | Yes | Yes | No | No | No |
Settings | Configuration > Integrations > Jira | Yes | Yes | No | No | No |
Settings | Configuration > Integrations > External WAF | Yes | Yes | No | No | No |
Settings | Configuration > Reports | Yes | Yes | No | No | No |
Settings | API Catalog > API Discovery | Yes | Yes | No | No | No |
Settings | API Catalog > Data Classification | Yes | Yes | No | No | No |
Settings | API Catalog > User Attribution | Yes | Yes | No | No | No |
Settings | API Catalog > Label management | Yes | Yes | No | No | No |
Settings | API Catalog > Risk Scoring | Yes | Yes | No | No | No |
Settings | License | Yes | No | No | No | No |
Settings | Access Token | Yes | Yes | No | No | No |
Settings | Action Log | Yes | Yes | No | No | No |
My Preference | - | Yes | Yes | Yes | Yes | Yes |
Following is a list of actions and the corresponding roles and access:
Action | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
---|---|---|---|---|---|
Apply rate limit | Yes | Yes | Yes | No | No |
Marking parameters as sensitive or not sensitive | Yes | Yes | No | No | No |
Threat actor status change | Yes | Yes | Yes | No | No |
Exclude an event | Yes | Yes | Yes | No | No |
Vulnerability status change | Yes | Yes | Yes | No | No |
Changing data type for sensitive parameter | Yes | Yes | Yes | No | No |
Apply or remove tags | Yes | Yes | Yes | No | No |
Create JIRA | Yes | Yes | Yes | No | No |
Create label rule | Yes | Yes | Yes | No | No |
Submit spec for conformance | Yes | Yes | Yes | No | No |