Role Based Access Control
Gremlin provides role-based access control: permissions are bundled into roles, and one or more roles are assigned to each user. Any action taken in the Gremlin UI or API requires a role that grants the user permission for that action. Permissions cannot be assigned to a user directly, only through roles.
Roles
Roles are split into two categories: company roles and team roles.
Team roles grant a user permissions for work within a specific team. They control which actions the user can take on behalf of that team, such as starting an attack on the team's clients or revoking the team's API key.
Permissions for work outside of a team are granted through company-level roles. These control actions a user can take on behalf of the company, such as changing single sign-on settings, creating a new team, or removing a user from the company.
To view or edit users and roles, go to your company settings.
Company roles
The following table describes the permissions that are available for each company role.
Permission | Owner | Admin | Manager | Coordinator* | User |
---|---|---|---|---|---|
Authentication Management | |||||
SSO | ✔️ | ✔️ | |||
MFA | ✔️ | ✔️ | |||
Personal Account Management | |||||
Enable MFA | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Reset Password | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
User Management | |||||
Invite users to company | ✔️ | ✔️ | ✔️ | ||
Update user roles | ✔️ | ✔️ | ✔️ | ||
Add/remove users from teams | ✔️ | ✔️ | ✔️ | ||
Revoke users from company | ✔️ | ✔️ | |||
Reactivate revoked user | ✔️ | ✔️ | |||
Assign Company Owner role | ✔️ | ||||
Assign/remove Company/Team Manager roles | ✔️ | ✔️ | |||
Team Management | |||||
Create/delete teams | ✔️ | ✔️ | ✔️ | ||
List teams | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Reset team secrets | ✔️ | ✔️ | |||
Certificate Management | ✔️ | ✔️ | |||
Client Management | |||||
Reactivate any client | ✔️ | ||||
Access Logs | |||||
View user, team, company security logs | ✔️ | ✔️ | |||
Integration Management | |||||
Configure external integrations with Gremlin | ✔️ | ✔️ | |||
Scenario Management | |||||
Share or unshare Scenarios | ✔️ | ✔️ | | | |
Team roles
The following table describes the permissions that are available for each team role.
Permission | Team Manager | Team Credential Manager* | Team User | Team Viewer |
---|---|---|---|---|
Attacks | ||||
Create, start, halt, schedule | ✔️ | ✔️ | ||
List attacks, schedules and scenarios | ✔️ | ✔️ | ✔️ | |
User Management | ||||
List users | ✔️ | ✔️ | ✔️ | |
Invite new users to the company | ✔️ | |||
Invite/remove users to their team | ✔️ | |||
Client Management | ||||
List clients | ✔️ | ✔️ | ✔️ | |
Deactivate team clients | ✔️ | ✔️ | ||
Reactivate team clients | ✔️ | |||
API Key Management | ||||
Create, view, revoke API key | ✔️ | ✔️ | ||
Reactivate revoked API key | ✔️ | |||
Secrets/Certificates Management | ||||
Rollover, delete, create team certificate | ✔️ | ✔️ | ||
Reset team secret | ✔️ | ✔️ | ||
Notifications | ||||
Scheduled Status Checks | ✔️ | |||
Scenario Management | ||||
Share or unshare Scenarios | ✔️ | | | |
Free vs. Enterprise users
All company and team roles are available to Enterprise customers. Free users can be assigned only the Company Owner or User role.
An asterisk (*) next to a role name means the role is hidden in the UI and can only be assigned through an API call.
FAQs
Is a user required to have both team and company roles?
No. Company roles and team roles are granted independently of each other.
Do I have to have a team role to run attacks?
Yes. To run attacks on behalf of a team, you need the Team User role or higher for that team; a company role alone does not grant it.
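As an added illustration of the model described above (this is example code, not Gremlin's own implementation or API), the following Python models company-scoped and team-scoped roles and answers the two FAQ questions with a permission check. The role names come from the tables on this page; the permission sets are an abbreviated, assumed subset of those tables, and the function names, data structures and sample users are assumptions made for the example.

```python
"""Illustrative RBAC model: company roles are company-wide, team roles are
scoped to one team, and permissions are only ever reached through a role.
Added example; not Gremlin's code. Role names are from the page, the
permission subsets and all names below are assumptions for illustration."""
from dataclasses import dataclass, field

# Company roles -> illustrative subset of the company-table permissions.
COMPANY_ROLE_PERMISSIONS = {
    "Owner": {"invite_users", "update_user_roles", "assign_owner_role",
              "create_delete_teams", "list_teams", "view_security_logs"},
    "Admin": {"invite_users", "update_user_roles",
              "create_delete_teams", "list_teams", "view_security_logs"},
    "Manager": {"invite_users", "update_user_roles",
                "create_delete_teams", "list_teams"},
    "Coordinator": {"list_teams"},
    "User": {"list_teams"},
}

# Team roles -> illustrative subset of team-scoped permissions.
TEAM_ROLE_PERMISSIONS = {
    "Team Manager": {"run_attacks", "list_attacks",
                     "manage_api_keys", "reactivate_api_key"},
    "Team Credential Manager": {"manage_api_keys", "manage_certificates"},
    "Team User": {"run_attacks", "list_attacks"},
    "Team Viewer": {"list_attacks"},
}


@dataclass
class User:
    name: str
    company_roles: set = field(default_factory=set)
    # team name -> set of team roles held in that team (assumed structure)
    team_roles: dict = field(default_factory=dict)


def grant_company_role(user, role):
    """The only way to obtain company permissions is via a known role."""
    if role not in COMPANY_ROLE_PERMISSIONS:
        raise ValueError(f"unknown company role: {role}")
    user.company_roles.add(role)


def grant_team_role(user, team, role):
    """Team roles are granted per team; a role in one team says nothing
    about another team."""
    if role not in TEAM_ROLE_PERMISSIONS:
        raise ValueError(f"unknown team role: {role}")
    user.team_roles.setdefault(team, set()).add(role)


def company_permissions(user):
    """Union of the permissions of every company role the user holds."""
    perms = set()
    for role in user.company_roles:
        perms |= COMPANY_ROLE_PERMISSIONS[role]
    return perms


def team_permissions(user, team):
    """Union of the permissions of the roles held in that specific team."""
    perms = set()
    for role in user.team_roles.get(team, set()):
        perms |= TEAM_ROLE_PERMISSIONS[role]
    return perms


def can(user, action, team=None):
    """Company actions are checked against company roles only; team actions
    against the roles held in the named team only. The two never mix."""
    if team is None:
        return action in company_permissions(user)
    return action in team_permissions(user, team)


def assign_company_role(actor, target, role):
    """Per the company table, assigning Owner is an Owner-only action;
    other company roles need the 'update user roles' permission."""
    needed = "assign_owner_role" if role == "Owner" else "update_user_roles"
    if not can(actor, needed):
        raise PermissionError(f"{actor.name} may not assign {role}")
    grant_company_role(target, role)


def demo():
    # Constructed sample users for the example.
    owner = User("olivia", {"Owner"})
    admin = User("alice", {"Admin"})
    dev = User("dave", {"User"}, {"payments": {"Team User"}})
    results = {
        # Company Admin with no team role cannot run attacks (second FAQ).
        "admin_runs_attack": can(admin, "run_attacks", team="payments"),
        # Team User may run attacks only in the team where the role is held.
        "dev_runs_own_team": can(dev, "run_attacks", team="payments"),
        "dev_runs_other_team": can(dev, "run_attacks", team="search"),
        # A team role grants nothing at company scope (first FAQ).
        "dev_creates_team": can(dev, "create_delete_teams"),
    }
    try:
        assign_company_role(admin, dev, "Owner")  # Admin cannot assign Owner
        results["admin_assigns_owner"] = True
    except PermissionError:
        results["admin_assigns_owner"] = False
    assign_company_role(owner, dev, "Manager")  # Owner may assign Manager
    results["dev_now_manager"] = can(dev, "create_delete_teams")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two scopes are deliberately kept in separate lookups: a check for a team action with `team=None`, or a company action passed with a team name, always fails, which is the behaviour the FAQ answers describe.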