Managing roles and permissions
We offer Identity and Access Management (IAM) control to allow you to manage user accounts by assigning roles.
When inviting new users (for example your team members) to join your organisation, you specify what roles to assign to them based on what tasks they are responsible for.
This is relevant to you if you are the Dashboard administrator. You can administer who has access to your accounts and organisations in the Signicat Dashboard and what permissions they have.
About roles and permissions
Roles are groups of permissions that you can assign to users or API/machine clients (we refer to these entities collectively as principals).
Permissions allow principals to perform specific actions on Signicat resources, such as the ability to access an API, view invoices or invite other users. To make permissions available to principals, you grant roles to the principals.
We divide roles into the following basic types:
Basic role | Request method | Action | Permissions |
---|---|---|---|
Viewer | GET | read | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
Writer | POST | Action tags | Permissions for write-only actions, but not read or update. An example for this is in Digital Evidence Management (DEM), where a service can create DEM records but not update, delete or read them. |
Editor | PUT/CREATE/DELETE | create update delete | All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. |
Admin | All + Invite users | * (all) | All Editor permissions, plus permission to invite, remove and grant access to users. |
A role contains one or more permissions, which offer a granular way of specifying rights. There can be multiple roles with the same permissions.
An Organisation Admin has all the permissions for the organisation, and all the accounts belonging to that organisation.
An Account Admin has all the permissions for a given account but not for the overlying organisation.
Some roles apply to a particular product or service, whereas the Organisation Admin role has access to all products in the Signicat Dashboard.
Grant access
You give access to use resources by assigning specific roles to your users and API/machine clients (collectively referred to as principals). You can also control the scope by deciding whether to assign a role at the organisation or account level.
You can assign roles to a principal, or remove them, in the Signicat Dashboard. To grant access to an existing principal, do the following:
- Go to Access Management > Permissions.
- Select Grant access in the top right.
- In the "Grant access" form, configure:
Attribute | Description |
---|---|
Scope | Required. The organisation or account that the role applies to. |
Principals | Required. The user, domain or API/machine client for which you want to change access rights. |
Roles | Required. Browse available roles in the "Recommended", "By category" or "All available" tabs. Select at least one role. |
- Click Save to apply the changes.
Users must log in again to view and use a new role.
Which roles to assign
You control users' access to resources with roles. The following table gives recommendations for common scenarios.
User type | Role | Details | Scope* |
---|---|---|---|
Business owner | Organisation Admin | Access to create/update/delete accounts and configurations. Can invite/edit/delete users on the Organisation and child accounts. Gives billing rights to purchase products on Signicat Marketplace. | Organisation level |
Technical owner | Organisation Admin | Same rights as Business owner. | Organisation level |
Financial owner | Usage Viewer | Access to view usage and invoices. | Organisation level |
Developer/Technical consultant | Account Admin | Access to update account and account configurations. Allowed to invite users and remove users not inherited from parent Organisation. | Account level |
Support roles | Support Editor | Access to create, update and view support tickets and comments, including sensitive data. | Organisation level |
* Lowest level where you can grant the role.
Usage guidelines
You can view, search and sort roles in Dashboard > Access Management > Roles.
To view the details and definition of a role, do the following:
- Go to Access Management > Roles.
- Here, select the role name, for example "Account Admin".
- In the "Account Admin" page, you can view the following fields:
  - Name: The name of the role.
  - Id: Identifier of the role.
  - Description: Additional information explaining the role function.
  - Category: The class a role belongs to.
  - Permissions: A list of all permissions associated with the role.
Remove access
To remove access for a principal:
- Go to Access Management > Permissions.
- Hover over the row of the principal you want to remove access for and click Edit.
- In the "Edit access" overview, click Remove access. On the confirmation dialog, approve the changes to remove all the roles assigned to the principal.
- To only remove access for specific roles, select the bin icon next to a role in the Roles section. Then, Save at the bottom of the "Edit access" overview.
Advanced information
Roles hierarchy
Assigning a role to a user for a specific account or organisation impacts the way a user can access resources at the account or organisation level.
Imagine you have configured the following in the Dashboard:
- Organisation 1
  - Account A
  - Account B
- Organisation 2
  - Account C
Scenario 1
If a user is assigned role X on Organisation 1, they will also receive the same role for any sub-level, such as Account A and Account B. The user will not receive any role on Organisation 2 or Account C.
Scenario 2
If a user is assigned role X on Account A, they will not receive the same role for Organisation 1 and Account B.
Granting access at the account level limits user access to the resources of the account.
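The two scenarios above, combined with the basic role types, as an added Python sketch for reviewing who can do what at each scope. It is not Signicat code and does not call any Signicat API; the principals, grants, function names and the "invite" action tag are constructed for illustration.

```python
# Added example: constructed model, not Signicat's API or data.
# Hierarchy from the page: account -> parent organisation.
PARENT = {
    "Account A": "Organisation 1",
    "Account B": "Organisation 1",
    "Account C": "Organisation 2",
}

# Basic role types from the table. The action tag "invite" is a hypothetical
# stand-in for the Admin-only right to invite, remove and grant access to users.
VIEWER = {"read"}
EDITOR = VIEWER | {"create", "update", "delete"}
ROLE_ACTIONS = {
    "Viewer": VIEWER,
    "Writer": {"create"},  # write-only: cannot read, update or delete
    "Editor": EDITOR,
    "Admin": EDITOR | {"invite"},
}

# Constructed grants: (principal, role, scope).
GRANTS = [
    ("alice@example.com", "Admin", "Organisation 1"),
    ("bob@example.com", "Editor", "Account A"),
    ("dem-client", "Writer", "Account B"),
]

def effective_roles(principal, scope, grants=GRANTS):
    """Roles held on scope: direct grants plus grants on its parent organisation."""
    scopes = {scope, PARENT.get(scope)}
    return {role for who, role, where in grants
            if who == principal and where in scopes}

def is_allowed(principal, scope, action, grants=GRANTS):
    """True if any effective role on scope carries the action."""
    roles = effective_roles(principal, scope, grants)
    return any(action in ROLE_ACTIONS[role] for role in roles)

def org_level_admins(grants=GRANTS):
    """Access review: Admin grants at organisation level and the accounts they reach."""
    orgs = set(PARENT.values())
    return {who: sorted(acct for acct, org in PARENT.items() if org == where)
            for who, role, where in grants
            if role == "Admin" and where in orgs}

if __name__ == "__main__":
    print(effective_roles("alice@example.com", "Account A"))  # inherited from Organisation 1
    print(effective_roles("bob@example.com", "Account B"))    # account grant does not spread
    print(is_allowed("dem-client", "Account B", "read"))      # Writer is write-only
    print(org_level_admins())
```

The `org_level_admins` result is the list to check first in an access review: each entry is a principal who could be scoped down to a single account if that is all they work on.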
Tutorial video
How to invite users and set permissions
This tutorial video shows you how to invite users, set roles and set permissions in the Signicat Dashboard.