Team and roles - RBAC
- Updated on 08 Dec 2023
RBAC stands for Role-Based Access Control, a method of regulating access to computer systems or network resources based on the roles of individual users within an enterprise. RBAC defines and enforces access policies that specify which users are authorized to perform which actions, such as accessing or modifying data, executing specific applications, or managing system configurations.
You can add your team members to Traceable's SaaS platform. When you add a team member to Traceable, you can assign one or more of the following roles to them. Defining the correct role for a user helps enforce separation of duties. Traceable also provides role-based access control per environment, so the same user can hold different roles in different environments, giving you granular control over their access.
- Account owner – An account owner is a person who manages the Traceable account. For example, managing users, assigning privileges, licensing, and so on. There can be more than one account owner.
- Security admin – A security admin is typically a person who configures the security policies, investigates the attack information, monitors security events, and so on.
- Security Analyst – A security analyst is typically a person who looks for security events and threats in the applications. They are typically part of Security Operations Center (SOC) teams or product security teams and need to be aware of any security events as soon as they occur. A security analyst can, for example, work with events and vulnerabilities, configure notifications, and so on.
- Developer – A person who wants to view the risks associated with the APIs that they have developed.
- Global Reader – A person who is responsible for understanding API risk and posture, threat activity, and incidents from runtime protection and understands how the Application security testing maps to the vulnerabilities found in pre-production. Global Reader is a read-only role for view access into the product to minimize inadvertent actions. They will then be able to prioritize vulnerabilities that need to be addressed based on overall exposure. Executives who are only interested in viewing the product and not getting into operational tasks can also leverage this role.
The account owner role is the highest in the hierarchy of roles and has complete control over all other users and their actions. The developer role has the fewest privileges. You can add a user with the same role as yours or a lower-privilege role. For example, an account owner can add, edit, or delete another account owner, a security admin, or a developer. A security admin can add, edit, or delete another security admin or a developer. The developer has read-only privileges. The account owner and security admin can edit all configurations, for example, creating rules, notifications, and so on. For more information, see Roles and privileges.
Environment based RBAC
Navigate to Administration > Team to add a new user to your account. Click on Invite User and assign a role to the user. Complete the following steps:
- Click on Invite User in the Users tab.
- Add the email of the user that you wish to invite.
- Assign the role and scope to the user. Note the following points regarding role and scope:
  - Account owner and Security Admin – The account owner and security admin roles are available across all the environments. This means that you cannot assign a specific environment to these two roles currently.
  - Security analyst and Developer – You can assign these two roles to a specific environment. For example, John can be a security analyst in environment 1 and 2. He can also be a developer across all the environments.
As an Account Owner or Security Admin, you can also change the roles of existing users. Click on the three dots as shown in the screenshot below. Click on Edit to change role assignments or apply specific roles in specific environments. This is helpful as the number of deployments increases, because you can restrict users' access to specific environments. For instance, Jane may be a security analyst for a production environment behind a Kong Gateway, while having no access to another production environment behind an F5 load balancer, as that is outside her purview.
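The two rules above (account owner and security admin are global-only, while security analyst and developer can be scoped per environment) together with the "same role or lower" rule for managing users can be modelled as a small authorization check. The following is an added example written for this page; it is not Traceable's implementation or API. Role names, the rank numbers, and the placement of Global Reader at the same read-only tier as Developer are assumptions made here for illustration, as are the sample users John and Jane.

```python
"""Illustrative model of environment-scoped RBAC (added example, not Traceable's code)."""
from dataclasses import dataclass, field
from typing import Optional

# Hierarchy from the page: account owner > security admin > security analyst > developer.
# Assumption: Global Reader is read-only and is placed at the developer tier; the page
# does not rank it explicitly.
ROLE_RANK = {
    "account_owner": 4,
    "security_admin": 3,
    "security_analyst": 2,
    "developer": 1,
    "global_reader": 1,
}
# Roles that always apply across all environments and cannot be scoped.
GLOBAL_ONLY_ROLES = {"account_owner", "security_admin"}
# Only these roles may invite, edit, or delete users (Administration > Team > Users).
USER_MANAGEMENT_ROLES = {"account_owner", "security_admin"}


@dataclass(frozen=True)
class Assignment:
    role: str
    environments: Optional[frozenset] = None  # None means "all environments"


@dataclass
class User:
    email: str
    assignments: list = field(default_factory=list)


def assign_role(user: User, role: str, environments=None) -> None:
    """Attach a role to a user, rejecting environment scoping for global-only roles."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role: {role}")
    if role in GLOBAL_ONLY_ROLES and environments is not None:
        raise ValueError(f"{role} cannot be restricted to specific environments")
    scope = None if environments is None else frozenset(environments)
    user.assignments.append(Assignment(role, scope))


def roles_in(user: User, environment: str) -> set:
    """Roles effective for the user in one environment (global assignments always match)."""
    return {
        a.role
        for a in user.assignments
        if a.environments is None or environment in a.environments
    }


def highest_rank(user: User, environment: str) -> int:
    """Highest privilege tier the user holds in the environment; 0 means no access."""
    return max((ROLE_RANK[r] for r in roles_in(user, environment)), default=0)


def has_access(user: User, environment: str) -> bool:
    return bool(roles_in(user, environment))


def can_manage(actor: User, target_role: str) -> bool:
    """'Same role or lower' rule: only owner/admin manage users, and never a higher tier.

    Management roles are global-only, so no environment argument is needed here.
    """
    actor_roles = {a.role for a in actor.assignments}
    if not actor_roles & USER_MANAGEMENT_ROLES:
        return False
    actor_rank = max(ROLE_RANK[r] for r in actor_roles)
    return actor_rank >= ROLE_RANK[target_role]


if __name__ == "__main__":
    # Constructed sample users mirroring the page's John and Jane scenarios.
    john = User("john@example.com")
    assign_role(john, "security_analyst", ["env-1", "env-2"])
    assign_role(john, "developer")  # developer across all environments
    jane = User("jane@example.com")
    assign_role(jane, "security_analyst", ["prod-kong"])
    admin = User("admin@example.com")
    assign_role(admin, "security_admin")

    print("john in env-1:", sorted(roles_in(john, "env-1")))
    print("john in env-3:", sorted(roles_in(john, "env-3")))
    print("jane prod-f5 access:", has_access(jane, "prod-f5"))
    print("admin can add owner:", can_manage(admin, "account_owner"))
```

The check that matters most for least privilege is the one in `can_manage`: a security admin may create another security admin or anyone below, but can never escalate by creating an account owner, and a security analyst or developer cannot manage users at all, which matches the Users row of the privilege table.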
Roles and privileges
The following table provides high-level information about privileges related to each role that Traceable supports.
| Feature Category | Subcategory | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
|---|---|---|---|---|---|---|
| API Catalog | API Activity | Yes | Yes | Yes | Yes | Yes |
| | API Endpoints | Yes | Yes | Yes | Yes | Yes |
| | Application Flow | Yes | Yes | Yes | Yes | Yes |
| | Domains | Yes | Yes | Yes | Yes | Yes |
| | Services | Yes | Yes | Yes | Yes | Yes |
| | Backends | Yes | Yes | Yes | Yes | Yes |
| | API Risk > Security Posture | Yes | Yes | Yes | Yes | Yes |
| | API Risk > Vulnerabilities | Yes | Yes | Yes | Yes | Yes |
| | API Risk > Sensitive Data | Yes | Yes | Yes | Yes | Yes |
| | API Risk > Conformance Analysis | Yes | Yes | Yes | Yes | Yes |
| API Protection | Protection Dashboard | Yes | Yes | Yes | No | Yes |
| | Threat Actors | Yes | Yes | Yes | No | Yes |
| | APIs under Threats | Yes | Yes | Yes | No | Yes |
| | Threat Activity | Yes | Yes | Yes | No | Yes |
| | Events | Yes | Yes | Yes | No | Yes |
| | User Behavior | Yes | Yes | Yes | No | Yes |
| | Data Exfiltration | Yes | Yes | Yes | No | Yes |
| | Settings > Detection Policy | Yes | Yes | No | No | No |
| | Settings > Threat Scoring | Yes | Yes | No | No | No |
| | Settings > Custom Policy | Yes | Yes | No | No | No |
| | Settings > API Overuse | Yes | Yes | No | No | No |
| API Analytics | Traces | Yes | Yes | Yes | Yes | Yes |
| API Security Testing (AST) | Dashboards | Yes | Yes | Yes | Yes | Yes |
| | Reports | Yes | Yes | Yes | Yes | Yes |
| | Create Scan Policy | Yes | Yes | Yes | No | No |
| | Update Scan Policy | Yes | Yes | Yes | No | No |
| | Delete Scan Policy | Yes | Yes | Yes | No | No |
| | Delete Scan | Yes | Yes | Yes | No | No |
| | Get Scan Policy | Yes | Yes | Yes | Yes | Yes |
| | Update vulnerability | Yes | Yes | Yes | No | No |
| | Abort scan | Yes | Yes | Yes | No | No |
| | View Scan Results | Yes | Yes | Yes | Yes | Yes |
| Administration | Onboarding / Self service | Yes | Yes | No | No | No |
| | Configuration > Team > Users | Yes | Yes | No | No | No |
| | Configuration > Team > SAML Config | Yes | No | No | No | No |
| | Configuration > Team > Settings | Yes | No | No | No | No |
| | Configuration > Data Collection | Yes | Yes | No | No | No |
| | Configuration > Data Collection > Environment | Yes | Yes | No | No | No |
| | Configuration > Notifications | Yes | Yes | No | No | No |
| | Configuration > Integrations > Jira | Yes | Yes | No | No | No |
| | Configuration > Integrations > External WAF | Yes | Yes | No | No | No |
| | Configuration > Reports | Yes | Yes | No | No | No |
| | API Catalog > API Discovery | Yes | Yes | No | No | No |
| | API Catalog > Data Classification | Yes | Yes | No | No | No |
| | API Catalog > User Attribution | Yes | Yes | No | No | No |
| | API Catalog > Label management | Yes | Yes | No | No | No |
| | API Catalog > Risk Scoring | Yes | Yes | No | No | No |
| | License | Yes | No | No | No | No |
| | Access Token | Yes | Yes | No | No | No |
| | Action Log | Yes | Yes | No | No | No |
| My Preference | - | Yes | Yes | Yes | Yes | Yes |
The following table lists actions and the roles that are allowed to perform them:
| Action | Account Owner | Security Admin | Security Analyst | Developer | Global Reader |
|---|---|---|---|---|---|
| Apply rate limit | Yes | Yes | Yes | No | No |
| Marking parameters as sensitive or not sensitive | Yes | Yes | No | No | No |
| Threat actor status change | Yes | Yes | Yes | No | No |
| Exclude an event | Yes | Yes | Yes | No | No |
| Vulnerability status change | Yes | Yes | Yes | No | No |
| Changing data type for sensitive parameter | Yes | Yes | Yes | No | No |
| Apply or remove tags | Yes | Yes | Yes | No | No |
| Create JIRA | Yes | Yes | Yes | No | No |
| Create label rule | Yes | Yes | Yes | No | No |
| Submit spec for conformance | Yes | Yes | Yes | No | No |