Role-Based Access Control

This section describes how to manage user roles for your organization. For user management topics, see User Management. For more information on roles, see My Roles.

Add Roles

To add or remove user scopes and roles, navigate to Access > Users and click the user entry in question. A user detail panel opens.

  1. Click Add Role> Add Unscoped Role. (Scoped roles are not applicable to CloudSecure.)
  2. Select one or more of the roles listed below and click Grant Access.

The following roles are available for CloudSecure:

  • Multi-product Roles

    The user has these roles available for CloudSecure and other Illumio products on the Illumio Console:

    • Owner: All read and write permissions.
    • Viewer: Read permissions only.

  • CloudSecure-specific Roles

    The user has these roles available for CloudSecure only:

    • Cloud Security Onboarding Administrator: Grants permissions to add and delete cloud integrations and flow log access, and is used by AWS Lambda and Azure PowerShell callbacks.
    • Cloud Security Policy Author: Allows policy creation for all the workloads and applications in all the accounts that have been onboarded. This role includes permissions to view applications, labels, maps, inventory, and traffic.
    • Cloud Security Label Administrator: Access to Tag-Label Mapping only. This governance is useful when authoring policies based on CloudSecure labels.
    • Cloud Security Auditor: Grants read-only permissions to view Cloud Map, Inventory, Traffic, and Policies (Organization and Application).
    • Cloud Security Incident Responder: View access to Traffic, Inventory, and Cloud Map functions only.
    • etc.

Once a role is assigned to a user, you can click on the Role entry and see the detail page for that role. It lists all users with that role. You can then add or remove users to and from that role.

To view all available roles, browse to Access > Roles. This lists all the roles. Click on one of the roles to see all users assigned to it.

Remove Roles

To add or remove user scopes and roles, navigate to Access > Users and click the user entry in question. A user detail panel opens.

  1. Select a user and click Remove.
  2. In the dialog that appears, click Remove.

If a user has only one role, and you remove their access to that sole role, this removes the user account entirely. If the user has more than one role, removing a given role will not remove the user account.