Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a cornerstone of modern access management, ensuring users have the exact permissions they need—no more, no less. Escape's RBAC features allow organizations to define roles and permissions with precision, ensuring robust security and streamlined operations.
Escape's RBAC is accessible under the Organization Settings and Application Settings.
Managing User Access
Role Configuration
Access user and role settings through your organization's name in the sidebar. Configure user roles in the "Roles" tab.
Here you can create new roles using the "Create a new role" feature.
Role Global Permissions
In the "Overview" side panel corresponding to the custom-created role:
- You can modify global permissions.
- You can add and remove users.
| Feature | Administrator | Editor | Viewer | None |
|---|---|---|---|---|
| All Applications | Full control over applications and scans | Browse results, start scans, update configurations | Browse scan results | No access |
| Inventory | Full control over inventory operations | Browse inventory, update endpoints, set labels | Browse inventory and view endpoints | No access |
| Integrations | Full CRUD access | N/A | N/A | No access |
| Reporting | Full CRUD access | N/A | N/A | No access |
| Workflows | Full workflow control | Create, update, and delete workflows | View workflows | No access |
| Labels | Allow users to edit labels | N/A | Allow users to view labels | No access |
Role-Specific Permissions
In the "Permission" side panel corresponding to the custom-created role:
- You can create and delete application permissions. These permissions allow you to assign specific application access levels to the role. Check the Application Management documentation for more information.
- You can create and delete label permissions. These permissions allow you to assign specific label access levels to the role. Check the Label Management documentation for more information.
Permissions are additive, not subtractive. This means that if a user has both an application permission and a label permission, they will receive the most permissive access level from either one, in addition to any global permissions.
User Management
- Navigate to the "Team" tab
- Access the user management panel
- Invite users by email and assign specific roles
Role Assignment
To modify a user's role, use the "EDIT" button next to their name in the user table.
Roles and Permissions
Core Features
Escape defines roles through a mapping between features and CRUD permissions. Core features include:
- Applications: Scan configurations and results for discovered endpoints
- Inventory: Discovered endpoints from integrations and crawling
- Integrations: Configuration for endpoint discovery and context enrichment
- Reporting: Organizational dashboard for security posture visualization
- Notifications: Notification workflow configuration and history
- Workflows: Workflow configuration and execution history
- Labels: Label configuration and assignment
Specific Level Permissions
Beyond core roles, Escape enables granular permissions at both the application and label levels. This ensures that users or business units can be restricted to specific applications and labels, following the principle of least privilege.
Application-Level Permissions
Configure permissions for each application by selecting the appropriate role in the application permission settings.
You can also manage application permissions for a specific role by navigating to the "Permissions" side panel from the "Roles" page. See the Role Management documentation for more information.
Label-Level Permissions
Label-level permissions allow you to assign specific access levels to any resource tagged with a particular label. For example, if you add a label to a resource such as an application, and want to grant access to that resource for a specific role, you can do so by creating a label permission using the same label.
This is a powerful feature that lets you quickly and easily manage access to multiple resources by grouping them under a shared label.
Currently, only application resources are affected by labels. Other resources such as workflows, integrations, etc., are not impacted by label-based permissions.
You can also manage label permissions for a specific role by navigating to the "Permissions" side panel from the "Roles" page. See the Role Management documentation for more information.
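The additive rule and the application-only scope of labels described above, modeled as an added example (not Escape's code or API): the dict layout, the resource names, and the ordering None < Viewer < Editor < Administrator are assumptions made for illustration. The `raised_above_global` check is useful when reviewing a role, since an application or label grant can raise access above the global level but never lower it.

```python
from enum import IntEnum

class Level(IntEnum):
    # Assumed ordering, least to most permissive, taken from the table columns.
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    ADMINISTRATOR = 3

# Constructed sample role; the dict layout is hypothetical, not Escape's data model.
ROLE = {
    "global": {"All Applications": Level.EDITOR, "Workflows": Level.VIEWER},
    "applications": {"payments-api": Level.VIEWER},
    "labels": {"pci": Level.ADMINISTRATOR},
}

# Constructed sample resources: (feature, name, labels).
RESOURCES = [
    ("All Applications", "payments-api", []),
    ("All Applications", "card-vault", ["pci"]),
    ("Workflows", "nightly-scan", ["pci"]),
]

def effective_level(role, feature, name, labels):
    """Most permissive level across global, application and label grants."""
    grants = [role["global"].get(feature, Level.NONE)]
    # Application and label permissions only apply to application resources.
    if feature == "All Applications":
        grants.append(role["applications"].get(name, Level.NONE))
        grants.extend(role["labels"].get(label, Level.NONE) for label in labels)
    return max(grants)

def raised_above_global(role, resources):
    """Names of resources where a specific grant exceeds the global level."""
    return [
        name for feature, name, labels in resources
        if effective_level(role, feature, name, labels)
        > role["global"].get(feature, Level.NONE)
    ]

if __name__ == "__main__":
    for feature, name, labels in RESOURCES:
        print(name, effective_level(ROLE, feature, name, labels).name)
    print("raised above global:", raised_above_global(ROLE, RESOURCES))
```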