Managing roles and permissions

We offer Identity and Access Management (IAM) control to allow you to manage user accounts by assigning roles.

When inviting new users (for example your team members) to join your organisation, you specify what roles to assign to them based on what tasks they are responsible for.

This is relevant to you if you are the Dashboard administrator. You can administer who has access to your accounts and organisations in the Signicat Dashboard and what permissions they have.

About roles and permissions

Roles are groups of permissions that you can assign to users or API/machine clients (we refer to these entities collectively as principals).

Permissions allow principals to perform specific actions on Signicat resources, such as the ability to access an API, view invoices or invite other users. To make permissions available to principals, you grant roles to the principals.

We divide roles into the following basic types:

| Basic role | Request method | Action | Permissions |
|---|---|---|---|
| Viewer | GET | read | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
| Writer | POST | Action tags | Permissions for write-only actions, but not read or update. An example for this is in Digital Evidence Management (DEM), where a service can create DEM records but not update, delete or read them. |
| Editor | PUT/CREATE/DELETE | create, update, delete | All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. |
| Admin | All + Invite users | * (all) | All Editor permissions, plus permission to invite, remove and grant access to users. |

A role contains one or more permissions, which offer a granular way of specifying rights. There can be multiple roles with the same permissions.

Organisation and Account Admin

An Organisation Admin has all the permissions for the organisation, and all the accounts belonging to that organisation.

An Account Admin has all the permissions for a given account but not for the overlying organisation.

Some roles apply to a particular product or service, whereas the Organisation Admin role has access to all products in the Signicat Dashboard.

Grant access

You give access to use resources by assigning specific roles to your users and API/machine clients (collectively referred to as principals). You can also control the scope by deciding whether to assign a role at the organisation or account level.

You can assign roles to, or remove roles from, a principal in the Signicat Dashboard. To grant access to an existing principal, do the following:

  1. Go to Access Management > Permissions.
  2. Select Grant access in the top right.
  3. In the "Grant access" form, configure:
    | Attribute | Description |
    |---|---|
    | Scope | Required. The organisation or account that the role applies to. |
    | Principals | Required. The user, domain or API/machine client for which you want to change access rights. |
    | Roles | Required. Browse available roles in the "Recommended", "By category" or "All available" tabs. Select at least one role. |
  4. Click Save to apply the changes.

Note

Users must log in again to view and use a new role.

Which roles to assign

You control users' access to resources with roles. In the following table, you can find some recommendations for common scenarios.

| User type | Role | Details | Scope* |
|---|---|---|---|
| Business owner | Organisation Admin | Access to create/update/delete accounts and configurations. Can invite/edit/delete users on the Organisation and child accounts. Gives billing rights to purchase products on Signicat Marketplace. | Organisation level |
| Technical owner | Organisation Admin | Same rights as Business owner. | Organisation level |
| Financial owner | Usage Viewer | Access to view usage and invoices. | Organisation level |
| Developer/Technical consultant | Account Admin | Access to update account and account configurations. Allowed to invite users and remove users not inherited from parent Organisation. | Account level |
| Support roles | Support Editor | Access to create, update and view support tickets and comments, including sensitive data. | Organisation level |

* Lowest level where you can grant the role.

Usage guidelines

You can view, search and sort roles in the Dashboard under Access Management > Roles.

To view the details and definition of a role, do the following:

  1. Go to Access Management > Roles.
  2. Here, select the role name, for example "Account Admin".
  3. In the "Account Admin" page, you can view the following fields:
    • Name: The name of the role
    • Id: Identifier of the role
    • Description: Additional information explaining the role function.
    • Category: The class a role belongs to.
    • Permissions: A list of all permissions associated with the role.

Remove access

To remove access for a principal:

  1. Go to Access Management > Permissions.
  2. Hover over the row of the principal you want to remove access for and click Edit.
  3. In the "Edit access" overview, click Remove access. On the confirmation dialog, approve the changes to remove all the roles assigned to the principal.
  4. To remove access for specific roles only, select the bin icon next to a role in the Roles section. Then select Save at the bottom of the "Edit access" overview.

Advanced information

Roles hierarchy

Assigning a role to a user for a specific account or organisation impacts the way a user can access resources at the account or organisation level.

Imagine you have configured the following in the Dashboard:

Example configuration
  • Organisation 1
    • Account A
    • Account B
  • Organisation 2
    • Account C

Scenario 1

If a user is assigned role X on Organisation 1, they will also receive the same role for any sub-level, such as Account A and Account B. The user will not receive any role on Organisation 2 or Account C.

Scenario 2

If a user is assigned role X on Account A, they will not receive the same role for Organisation 1 or Account B.

Granting access at the account level limits user access to the resources of the account.
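
The two scenarios above can be checked with a small local model of scope inheritance. This is an added example, not Signicat code or a Signicat API: the data structures, function names and principals (alice, bob, carol) are constructed for illustration, and it assumes only what this page states, that a role granted on an organisation also applies to its accounts and never flows upward or sideways.

```python
# Added illustration: a local model of scope inheritance, not Signicat's API.
from collections import defaultdict

# Example configuration from the page: organisation -> child accounts.
HIERARCHY = {
    "Organisation 1": ["Account A", "Account B"],
    "Organisation 2": ["Account C"],
}

# Constructed sample grants: (principal, role, scope the role was granted on).
GRANTS = [
    ("alice", "Organisation Admin", "Organisation 1"),  # Scenario 1
    ("bob", "Account Admin", "Account A"),              # Scenario 2
    ("carol", "Usage Viewer", "Organisation 2"),
]


def parent_of(scope):
    """Return the organisation that owns an account, or None for an organisation."""
    for org, accounts in HIERARCHY.items():
        if scope in accounts:
            return org
    return None


def effective_roles(principal, scope, grants=GRANTS):
    """Roles held on `scope`: granted there directly or inherited from its organisation."""
    applicable = {scope, parent_of(scope)}
    return sorted({role for who, role, where in grants
                   if who == principal and where in applicable})


def reach(grants=GRANTS):
    """Map each (principal, role) to every scope the grant covers, for access review."""
    covered = defaultdict(set)
    for who, role, where in grants:
        covered[(who, role)].add(where)
        covered[(who, role)].update(HIERARCHY.get(where, []))  # flows down only
    return {key: sorted(scopes) for key, scopes in covered.items()}


if __name__ == "__main__":
    for scope in ["Organisation 1", "Account A", "Account B", "Account C"]:
        print(scope, {p: effective_roles(p, scope) for p in ("alice", "bob", "carol")})
    for (who, role), scopes in reach().items():
        print(f"{who}: {role} -> {scopes}")
```

The `reach` output is the useful part for an access review: it shows how many scopes a single organisation-level grant covers compared with the same role granted on one account.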

Tutorial video

How to invite users and set permissions

This tutorial video shows you how to invite users, set roles and set permissions in the Signicat Dashboard.