
Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a cornerstone of modern access management, ensuring users have the exact permissions they need—no more, no less. Escape's RBAC features allow organizations to define roles and permissions with precision, ensuring robust security and streamlined operations.

Escape's RBAC is accessible under the Organization Settings and Application Settings.

Managing User Access

Role Configuration

[Screenshot: rbac-role-create]

Access user and role settings through your organization's name in the sidebar. Configure user roles in the "Roles" tab.

Here you can create new roles using the "Create a new role" feature.

Role Global Permissions

[Screenshot: rbac-role-edit-overview]

In the "Overview" side panel corresponding to the custom-created role:

  • You can modify global permissions.
  • You can add and remove users.

Feature          | Administrator                            | Editor                                             | Viewer                              | None
-----------------|------------------------------------------|----------------------------------------------------|-------------------------------------|----------
All Applications | Full control over applications and scans | Browse results, start scans, update configurations | Browse scan results                 | No access
Inventory        | Full control over inventory operations   | Browse inventory, update endpoints, set labels     | Browse inventory and view endpoints | No access
Integrations     | Full CRUD access                         | N/A                                                | N/A                                 | No access
Reporting        | Full CRUD access                         | N/A                                                | N/A                                 | No access
Workflows        | Full workflow control                    | Create, update, and delete workflows               | View workflows                      | No access
Labels           | Allow users to edit labels               | N/A                                                | Allow users to view labels          | No access

Role-Specific Permissions

[Screenshot: rbac-role-specific-permission]

In the "Permission" side panel corresponding to the custom-created role:

  • You can create and delete application permissions. These permissions allow you to assign specific application access levels to the role. Check the Application Management documentation for more information.
  • You can create and delete label permissions. These permissions allow you to assign specific label access levels to the role. Check the Label Management documentation for more information.

Permissions are additive, not subtractive

Permissions are additive, not subtractive. This means that if a user has both an application permission and a label permission, they will receive the most permissive access level from either one, in addition to any global permissions.

User Management

[Screenshot: rbac-user-invite]

  1. Navigate to the "Team" tab
  2. Access the user management panel
  3. Invite users by email and assign specific roles

Role Assignment

[Screenshot: rbac-user-edit]

To modify a user's role, use the "EDIT" button next to their name in the user table.

Roles and Permissions

Core Features

Escape defines roles through a mapping between features and CRUD permissions. Core features include:

  • Applications: Scan configurations and results for discovered endpoints
  • Inventory: Discovered endpoints from integrations and crawling
  • Integrations: Configuration for endpoint discovery and context enrichment
  • Reporting: Organizational dashboard for security posture visualization
  • Notifications: Notification workflow configuration and history
  • Workflows: Workflow configuration and execution history
  • Labels: Label configuration and assignment

Specific Level Permissions

Beyond core roles, Escape enables granular permissions at both the application and label levels. This ensures that users or business units can be restricted to specific applications and labels, following the principle of least privilege.

Application-Level Permissions

Configure permissions for each application by selecting the appropriate role in the application permission settings.

[Screenshot: rbac-application]

You can also manage application permissions for a specific role by navigating to the "Permissions" side panel from the "Roles" page. See the Role Management documentation for more information.

Label-Level Permissions

Label-level permissions allow you to assign specific access levels to any resource tagged with a particular label. For example, if you add a label to a resource such as an application, and want to grant access to that resource for a specific role, you can do so by creating a label permission using the same label.

This is a powerful feature that lets you quickly and easily manage access to multiple resources by grouping them under a shared label.

Only application resources are currently affected by labels

Currently, only application resources are affected by labels. Other resources such as workflows, integrations, etc., are not impacted by label-based permissions.

You can also manage label permissions for a specific role by navigating to the "Permissions" side panel from the "Roles" page. See the Role Management documentation for more information.
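The following model illustrates the two rules stated on this page: effective access to an application is the most permissive of the role's global permission, its application permission and any matching label permission ("additive, not subtractive"), and label permissions only affect application resources. It is an added example written for this page, not Escape's own code; the role names, application IDs and labels are constructed sample data.

```python
"""Illustrative model of the permission-resolution rules documented above (not Escape's code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Access levels ordered from least to most permissive, matching the table above."""
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    ADMINISTRATOR = 3


@dataclass
class Role:
    name: str
    global_levels: dict[str, Level]                                   # feature -> global level
    app_permissions: dict[str, Level] = field(default_factory=dict)   # application id -> level
    label_permissions: dict[str, Level] = field(default_factory=dict) # label -> level


@dataclass
class Resource:
    kind: str                          # "applications", "workflows", ...
    resource_id: str
    labels: frozenset[str] = frozenset()


def effective_level(role: Role, res: Resource) -> Level:
    """Return the most permissive grant; label grants are consulted only for applications."""
    grants = [role.global_levels.get(res.kind, Level.NONE)]
    if res.kind == "applications":
        grants.append(role.app_permissions.get(res.resource_id, Level.NONE))
        grants.extend(role.label_permissions.get(label, Level.NONE) for label in res.labels)
    return max(grants)


# Constructed sample data (hypothetical names, not taken from the page).
PAYMENTS_ANALYST = Role("payments-analyst",
                        global_levels={"applications": Level.NONE, "workflows": Level.VIEWER},
                        app_permissions={"app-billing": Level.EDITOR},
                        label_permissions={"team:payments": Level.VIEWER})
ORG_EDITOR = Role("org-editor", global_levels={"applications": Level.EDITOR},
                  label_permissions={"team:payments": Level.VIEWER})  # cannot narrow the global grant
BILLING = Resource("applications", "app-billing", frozenset({"team:payments"}))
CHECKOUT = Resource("applications", "app-checkout", frozenset({"team:payments"}))
HR = Resource("applications", "app-hr")
DEPLOY_WF = Resource("workflows", "wf-deploy", frozenset({"team:payments"}))

if __name__ == "__main__":
    for role in (PAYMENTS_ANALYST, ORG_EDITOR):
        for res in (BILLING, CHECKOUT, HR, DEPLOY_WF):
            print(f"{role.name:16} {res.resource_id:13} -> {effective_level(role, res).name}")
```

Note that ORG_EDITOR keeps Editor access to the labelled applications even though its label permission says Viewer: a label grant can widen access but never restrict it, so restricting a role means lowering its global permission to None and granting only the specific applications or labels it needs.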