Platform and Product Roles

When creating a new user or editing an existing user from the User Management page of the Insight Platform, you can assign them the Platform Admin role as well as 1 of 3 product roles.

Roles by organization

If your company uses the concept of organizations, note that product user roles only apply to the organizations the user is assigned to.

Platform Admin role

Platform Admin is a global, or platform-wide, user role. A Platform Admin has full administrative access to the Insight Platform and can perform all of the tasks outlined in the Platform Overview, including organization-wide operations.

Product access for Platform Admins

Platform Admins don’t have product access by default and can’t complete product-specific tasks unless assigned to a product.

If you want a user to have administrative capabilities on the platform as well as within each product they’re assigned, give them both the Platform Admin and product Admin user roles.

Product roles

An Insight Platform user’s product role determines what they are able to see and do in each of the Insight products they’re assigned. Here’s how product roles are defined at the Platform level.

| Product Role | Capabilities |
| --- | --- |
| (Product) Admin | A product admin can view all data, perform all functions, and manage all settings for any products they’re assigned. Product admins can create, edit, and delete users for any products they’re assigned, though they can’t create Platform Admin users. |
| Read Write | Users with Read Write access can view and edit all data within the product they’re assigned. Read Write users cannot perform any administrative actions or change any settings. |
| Read Only | Read Only users can view all data within any products they’re assigned, but they can’t edit or manage it in any way. |

Product roles sometimes vary

Many Insight products use these standard product user roles. This means that the way roles are defined at the Platform level, where they’re assigned, is how they are defined and implemented at the product level. However, some products interpret or apply these product user roles a little differently based on specific product use cases.

InsightAppSec

| Product Role | Capabilities |
| --- | --- |
| (Product) Admin | Product admin users can view all data for all apps. |
| Read Write | Read Write users can view and manage data for all apps they’ve been given access to. |
| Read Only | Read Only users can only view data for apps they’ve been given access to. |

InsightConnect

InsightConnect uses standard Admin, Read Write, and Read Only product roles.

InsightIDR

| Product Role | Capabilities |
| --- | --- |
| (Product) Admin | This role is required to access the Agent Management page. If an account does not have the Collector or Insight Agent, a product admin is the only user that can initially download them. |
| Read Write | A user with read write access can conduct investigations within InsightIDR. The user also has permissions to create, edit, and delete their own InsightIDR dashboards, though they can't edit or delete dashboards created by others. |
| Read Only | A read only role allows for a non-expiring session. |

Use a Read Only user for dashboard display

Because the InsightIDR Read Only user role provides non-expiring sessions, you can create a generic Read Only user and use them to display one of your organization’s dashboards 24/7.

InsightOps

| Product Role | Capabilities |
| --- | --- |
| (Product) Admin | This role is required to access the Agent Management page. If an account does not have the Collector or Insight Agent, a product admin is the only user that can initially download them. Additionally, this role can configure settings, such as plan information, API Keys, user roles, S3 archiving, and collector credentials. |
| Read Write | A user with read write access can add data, view and edit their dashboards, manage and create alerts, and access Analytics Packs. This user cannot edit dashboards created by others. If a product admin already installed an initial Collector or Insight Agent, a read write user can download additional ones. |
| Read Only | This user can access Log Search and Dashboards and can generate reports and view alerts. This user cannot add data. |

InsightVM

Product roles assigned to InsightVM users at the Platform level are ignored in favor of the more detailed and specialized InsightVM user roles, which are assigned to users by a product admin in InsightVM. That means that Platform users who are also InsightVM users are given InsightVM permissions associated with whatever role they’re assigned in InsightVM. Platform users who are not also InsightVM users are treated as global administrators.

Rapid7 Services

| Product Role | Capabilities |
| --- | --- |
| (Product) Admin | A Product Admin has access to all functions within their assigned products and services. These actions include: uploading and removing documents and reports; commenting on forms and reports; completing all onboarding actions for any Managed/Consulting services on the Insight platform; viewing all assigned and unassigned services; adding existing platform users and managing users within the same product that they administrate. |
| Read Write | A user with read write access can complete any onboarding actions for the team to which they are assigned, such as completing forms, uploading documents, and removing any owned documents. This user cannot add or manage users. |
| Read Only | A user with read only access can view the status of the onboarding process, as well as documents or reports from any assigned product or service. This user cannot modify any data, such as filling out forms or uploading documents. |

Want a user who can only see reports?

Create a user with a Read Only user role without admin privileges if you only want to provide viewing access to reports.

tCell

| Product Role | Capabilities |
| --- | --- |
| (Product) Admin | Product Admin users have all of the same permissions as Read Write users, but they can also add, remove, and edit other users, as well as create and delete tCell apps. |
| Read Write | Read Write users can view information across all apps and make changes to app policies. Users with this role can also modify collected data and requests, and specify which client IP addresses to block. However, they can’t create or delete tCell Apps, or modify other users. |
| Read Only | Read Only users can view information across all apps in tCell. Users with this role can see all app data such as events, package version information, and agents installed. Users in this role cannot modify the configuration of any apps such as changing policies or setting up alerts. |

tCell application roles

In addition to these product roles, tCell also has the concept of application roles. With application roles, user permissions can be scoped to a specific tCell application. These roles don’t restrict access to the app, only increase it.