Role-Based Access Control

Role-Based Access Control Availability

Role-based access control (RBAC) is now available for some InsightIDR, InsightAppSec, and InsightOps customers. Customers with multi-product access can utilize RBAC capabilities in InsightIDR, InsightAppSec, or InsightOps, but not while managing users in InsightVM or their other Insight products. For more information, see Experience for Multi-Product Customers.

The User Management section of the Insight Platform is your central location to create and manage users who need access to Rapid7 Insight products. It’s powered by a Role-based access control solution, which allows you to restrict or grant user access and permissions according to an employee’s role within your organization. With the introduction of RBAC, it’s now even easier to manage users at scale.

Role-Based Access Control

RBAC allows you to configure user access across your Insight products and effectively manage your data and user base as they grow in size and complexity. From the Insight Platform, you can assign products, roles & resources so that users only have access to the information necessary for their roles. This encourages the principle of least privilege, which helps prevent users from accessing sensitive data or information irrelevant to their roles.

RBAC provides the following benefits:

  • Granular control: Control access to capabilities and resources at a more granular level.
    • InsightIDR and InsightOps customers can control log access at a more granular level if required, via Data Access.
    • InsightAppSec customers can control access to applications, via Data Access, and feature access, via Custom Roles.
  • Reduced administrative burden: Manage access for many employees at once by altering the permissions associated with a role and by utilizing user groups.
  • Reduced complexity: Create and maintain user accounts with ease by granting access based on their role within your company.
  • Reduced errors: Assign a predefined role or roles to a user so you are less likely to grant the incorrect level of access.

What's changed with User Management?

The following compares User Management without RBAC (InsightVM, InsightConnect, tCell) with User Management with RBAC (InsightIDR, InsightAppSec, InsightOps):

  • Role scope
    • Without RBAC: Organization Roles. A user is assigned one role per organization, and that role applies to all products the user has access to within that organization. For example, if a user has access to InsightIDR and InsightAppSec within the same organization, they must have the same role in both products.
    • With RBAC: Product Roles. A user can be assigned multiple roles to provide the level of access that is appropriate for their job duties. For example, a user may have an administrative role in InsightAppSec and an Analyst role in InsightIDR.
  • Rapid7 Managed Roles
    • Without RBAC: Platform-level Rapid7 Managed Roles. Three predefined roles are available (Admin, Read Write and Read Only) and are shared across Insight products.
    • With RBAC: Product-specific Rapid7 Managed Roles. Roles vary by Insight product and are based on common use cases and scenarios in each.
  • Custom Roles
    • Without RBAC: No equivalent.
    • With RBAC: Create custom roles, or clone and customize Rapid7 Managed Roles to suit your needs. Available in InsightAppSec only.
  • User Groups
    • Without RBAC: No equivalent.
    • With RBAC: Create groups of similar users to easily manage product access, role assignment and data access for many users at once.
  • Data Access
    • Without RBAC: No equivalent.
    • With RBAC: Get more granular with access control by specifying the resources a user or group of users has access to. For example, control which Log Sets and Logs a user has access to within InsightIDR/InsightOps, and which Applications a user has access to within InsightAppSec.

Experience for Multi-Product Customers

If you have multiple Insight products and one or more of these products offers RBAC capabilities but another does not, you will still see the RBAC experience but some capabilities (e.g. managing data access) may not be available for users depending on what products they have access to.

When creating or editing a user, you will be prompted to select which product(s) you want to manage access to. This selection determines whether the user can be assigned product-specific roles, data access and/or user groups.

Manage user groups

Limited availability of user groups

User group functionality is currently only available to customers using InsightAppSec, InsightIDR and InsightOps.

User groups are collections of users that are assigned the same products, roles, and data access. They reduce the manual work needed to manage individual user access when many users have similar needs. What users, products, roles, and data access you include in a user group is entirely up to you. You can also include users in many user groups, giving you flexibility to manage access in the way that works best for you. In this section, we explain how to create, edit, clone, and delete groups from the User Groups tab of the User Management page.

Create a user group

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Click the User Groups tab.
  3. Click the Create Group button. The Create Group panel appears.
  4. Enter a Group Name and a Group Description to make it easy for you and others to find and identify this user group in the future.
  5. Click on the Products tab to select what products you wish users within this group to have access to.
  6. Click on the User Roles tab to assign specific user roles to all users within the group.
  7. Click on the Users tab to add users to the group.
  8. Click on the Data Access tab to choose which resources the users within this group should have access to.
  9. Click the Save Group button to add the group.

Edit a user group

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Click the User Groups tab.
  3. Find the user group you want to edit.
  4. Click on the edit icon.
  5. Edit the products, user roles, and resources users within this group have access to as needed. You can also add users to the group or remove users from the group.
  6. Click on the Save Group button to save your changes.

Clone a user group

Cloning a user group is a great way to save time when you need to create a new user group. Instead of building the group from start to finish, you can clone a similar group and adjust as needed. For example, you may want to create a user group that has access to the same products and data as another group, but with a role that provides lower permissions.

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Click the User Groups tab.
  3. Find the user group you want to clone.
  4. Click on the clone icon.
  5. Enter a Group Name and a Group Description to make it easy for you and others to find and identify this user group in the future.
  6. The Products, User Roles, Users and Resource Sets assigned to the original group are automatically applied in the cloned group.
  7. Click on the Save Group button to save the group.

Delete a user group

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Click the User Groups tab.
  3. Find the user group you want to delete.
  4. Click on the trashcan icon.
  5. Click the Yes, remove group button to confirm.

User roles

RBAC allows you to restrict or grant user access and permissions according to an employee’s role within your organization. In this section, we describe what permissions are associated with each role so that you can decide how best to assign them.

Platform Admins

A Platform Admin user has full, administrative access to the Insight Platform and can perform all of the tasks outlined in the Platform Overview, including all aspects of User Management and Company Settings. You should appoint more than one Platform Administrator to ensure you have adequate administrative coverage.

Product access for Platform Admins

Platform Admins do not have product access by default and can’t complete product-specific tasks unless assigned to a product. If you want a user to have full administrative capabilities on the Insight Platform as well as within each product they’re assigned, ensure they are set as a Platform Admin and are assigned the Admin user role for each product.

Rapid7 Managed Roles

Rapid7 Managed Roles are available to users of InsightIDR, InsightAppSec and InsightOps who currently have access to RBAC functionality. These roles are defined and maintained by Rapid7 and vary by Insight product to align with product-specific workflows and contexts.

IDR Managed Roles

Each entry gives the role, the product(s) it is suitable for use with, and its capabilities:

  • InsightIDR Admin (InsightIDR): User role with full access to the product. Allows view and change privileges on all product features, and allows the user to view and manage collectors and data collection.
  • InsightIDR Analyst (InsightIDR): User role with partial view and change privileges. The user can view and change most parts of the product, excluding Collector and Data Management.
  • InsightIDR Viewer (InsightIDR): User role that allows viewing most parts of the product.
  • LogSearch Admin (InsightIDR and InsightOps): User role with view and change privileges on Log Search features.
  • LogSearch View and Change (InsightIDR and InsightOps): User role with view and change privileges on Log Search features.
  • LogSearch View Only (InsightIDR and InsightOps): User role with view-only privileges on Log Search features. The user cannot save queries, create alerts, create dashboards or set up S3 archiving.

InsightOps Managed Roles

Each entry gives the role, the product(s) it is suitable for use with, and its capabilities:

  • InsightOps Admin (InsightOps): Admin user of InsightOps.
  • InsightOps View and Change (InsightOps): View and Change user of InsightOps.
  • InsightOps View Only (InsightOps): View Only user of InsightOps.
  • LogSearch Admin (InsightIDR and InsightOps): User role with view and change privileges on Log Search features.
  • LogSearch View and Change (InsightIDR and InsightOps): User role with view and change privileges on Log Search features.
  • LogSearch View Only (InsightIDR and InsightOps): User role with view-only privileges on Log Search features. The user cannot save queries, create alerts, create dashboards or set up S3 archiving.

InsightAppSec Managed Roles

Each entry gives the role, the product(s) it is suitable for use with, and its capabilities:

  • InsightAppSec Admin (InsightAppSec): Admin user of InsightAppSec.
  • InsightAppSec ReadWrite (InsightAppSec): ReadWrite user of InsightAppSec.
  • InsightAppSec ReadOnly (InsightAppSec): ReadOnly user of InsightAppSec.
  • App Owner (InsightAppSec): Set up apps and configure settings within the app, but has lesser privileges over scan configurations and vulnerabilities.
  • Scan Manager (InsightAppSec): Create scan configs and run scans, but cannot view or change apps or vulnerabilities.
  • Vulnerability Remediator (InsightAppSec): Fix, manage, and replay attacks on vulnerabilities within apps they can access, but cannot manage apps or scans.

Additional role information

Check out our Manage user groups and Manage users sections to learn more about how to assign these roles to groups as well as individual users.

Manage data access

Data access functionality allows you to control the resources a user should or should not be able to access within Insight products.

The data access table, which is available when creating or editing a user or user group, displays the available resources depending on the Insight products selected. Use the menu to the left of the table to switch between resource types, if applicable.

You can choose to view all available resource sets within an account or to view only the resource sets currently selected for the user. Use the checkboxes to control which resources a user has access to.

Logs & LogSets

Logs are available as assignable resources when there is an active InsightIDR or InsightOps product associated with your Insight account.

Default Log Access

By default, InsightIDR and InsightOps users are assigned access to all current and future Logs & LogSets, and the ability to manage log access at a User or User Group level is not available within User Management. In other words, with the default in place every user who can search logs in those products can read every log, including logs added later.

You can disable this default setting within Data Access Controls so that all log access must be assigned to specific users or user groups by an Administrator in your account. Once the default is disabled, a user receives access only to the logs and log sets selected for them directly or through a user group.

Restrict log access

As with other resources, use the checkbox next to each log to specify whether a user can access that particular log. Additionally, and unlike other resources, you have the option to restrict data access to individual logs by clicking the restricted icon in the log table.

If a user doesn’t belong to a user group, restricting log access amounts to the same thing as simply leaving the log unselected. However, if a user does belong to a user group, restricting log access allows you to override any log access the user inherited from the group.

To illustrate how restricting log access plays out in real life, here are a few common scenarios:

  • A user is individually given access to Log A, and Log B is left unchecked.
    • Result: The user only has access to Log A.
  • A user is individually given access to Log A, and Log B is left unchecked. But the user is also a part of a user group that has access to Log B.
    • Result: The user has access to Log A and Log B.
  • A user is individually given access to Log A, and Log B is marked as restricted. But the user is also a part of a user group that has access to Log B.
    • Result: The user only has access to Log A.

Log and log set selection

When you select which logs a user should have access to, you can select entire groups of logs, called log sets, by clicking the checkbox next to the name of the log set. Alternatively, you can select every log within the log set. Regardless of how you do it, if you give a user access to an entire log set, they’ll be given automatic access to any logs added to that log set in the future.

Similarly, if you restrict access to a log set, every log within the set is automatically restricted, as are any logs that are added to the set in the future.

You can also select, deselect, and restrict access to individual logs within a set.

If you select only some, and not all of the logs within a particular log set, the user is only given access to the selected logs, even if additional logs are added to the set in the future.

Similarly, if you select a log set, but restrict access to at least one log within the set, the user is only given access to the selected logs, even if additional logs are added to the set in the future.

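The direct, group and restricted rules from the Restrict log access scenarios and the log set rules above are easy to misread once a user belongs to several groups. The following is an added worked model of those rules in Python; it is not Rapid7 code, and the class and function names, the log set catalogue and the sample selections are all constructed for the example. One point the page leaves open is whether a restriction set on a user group overrides access a member gets from another source; the model assumes a group's restrictions only trim that group's own contribution, and a user's own restrictions override everything inherited.

```python
from dataclasses import dataclass, field

ALLOW, RESTRICT = "allow", "restrict"

# Catalogue of log sets: set name -> logs currently in the set (constructed for the example).
Catalogue = dict[str, set[str]]


@dataclass
class DataAccess:
    """One Data Access selection on the log table, for a user or a user group.

    sets: log set name -> ALLOW (set checkbox ticked) or RESTRICT (set marked restricted)
    logs: log name -> ALLOW (ticked) or RESTRICT (restricted icon clicked)
    """
    sets: dict = field(default_factory=dict)
    logs: dict = field(default_factory=dict)

    def normalize(self, catalogue: Catalogue) -> "DataAccess":
        """Snapshot the selection the way the page says the table treats it (assumed
        to happen at save time):
        - every log of a set ticked individually counts as the whole set, so logs
          added to the set later are included;
        - the set ticked but one of its logs restricted counts as the remaining logs
          ticked individually, so logs added later are NOT included."""
        sets, logs = dict(self.sets), dict(self.logs)
        for name, members in catalogue.items():
            ticked = {l for l in members if logs.get(l) == ALLOW}
            restricted = {l for l in members if logs.get(l) == RESTRICT}
            if members and ticked == members and not restricted:
                sets[name] = ALLOW
                for l in members:
                    del logs[l]
            elif sets.get(name) == ALLOW and restricted:
                del sets[name]
                for l in members - restricted:
                    logs[l] = ALLOW
        return DataAccess(sets, logs)

    def restricted(self, catalogue: Catalogue) -> set:
        """Logs this selection blocks; a restricted set blocks its future logs too."""
        out = {l for l, v in self.logs.items() if v == RESTRICT}
        for name, members in catalogue.items():
            if self.sets.get(name) == RESTRICT:
                out |= members
        return out

    def allowed(self, catalogue: Catalogue) -> set:
        """Logs this selection grants, evaluated against the current catalogue."""
        out = {l for l, v in self.logs.items() if v == ALLOW}
        for name, members in catalogue.items():
            if self.sets.get(name) == ALLOW:
                out |= members  # includes logs added after the selection was saved
        return out - self.restricted(catalogue)


def effective_logs(catalogue: Catalogue, user: DataAccess, groups: list) -> set:
    """Logs the user can search: their own ticks plus everything inherited from their
    groups, minus anything their own row restricts (a direct restriction overrides
    inherited access).  Assumption: a group's restrictions only trim that group's
    own contribution."""
    inherited = set().union(*(g.allowed(catalogue) for g in groups))
    return (user.allowed(catalogue) | inherited) - user.restricted(catalogue)


def scenarios() -> dict:
    """The page's three scenarios plus the log set / future log cases, on a constructed catalogue."""
    cat: Catalogue = {"Firewall": {"Log A", "Log B"}, "Endpoint": {"Log C", "Log D"}}
    grants_b = DataAccess(logs={"Log B": ALLOW}).normalize(cat)  # a group that has Log B
    a_only = DataAccess(logs={"Log A": ALLOW}).normalize(cat)
    a_not_b = DataAccess(logs={"Log A": ALLOW, "Log B": RESTRICT}).normalize(cat)

    whole_set = DataAccess(logs={"Log C": ALLOW, "Log D": ALLOW}).normalize(cat)
    partial = DataAccess(logs={"Log C": ALLOW}).normalize(cat)
    set_minus_one = DataAccess(sets={"Endpoint": ALLOW}, logs={"Log D": RESTRICT}).normalize(cat)
    set_restricted = DataAccess(sets={"Endpoint": RESTRICT}, logs={"Log A": ALLOW}).normalize(cat)
    later = {**cat, "Endpoint": cat["Endpoint"] | {"Log E"}}  # Log E added to the set later

    return {
        "direct_only": effective_logs(cat, a_only, []),
        "group_adds_b": effective_logs(cat, a_only, [grants_b]),
        "restrict_overrides_group": effective_logs(cat, a_not_b, [grants_b]),
        "whole_set_gets_future_log": effective_logs(later, whole_set, []),
        "partial_selection_no_future_log": effective_logs(later, partial, []),
        "set_minus_one_no_future_log": effective_logs(later, set_minus_one, []),
        "restricted_set_blocks_future_log": effective_logs(later, set_restricted, []),
    }


if __name__ == "__main__":
    for name, logs in scenarios().items():
        print(f"{name:34s} -> {sorted(logs)}")
```

Run it and compare each printed scenario with the rules above. The two future-log cases show why ticking every log individually and ticking the set behave identically until one log in the set is restricted, at which point the selection silently becomes a fixed list that new logs will not join. That is the case to re-check after a collector starts shipping a new log into an existing set.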

Manage users

In this section, we explain how to add, edit, and delete users, as well as how to view user access and troubleshoot some user account issues.

Add users

Platform Administrators can add a user to the Insight Platform and can grant them access to any product. Product Administrators can also add users but can only grant access to products they themselves have access to.

To add a user:

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Click the Create User button. The Create User panel appears.
  3. If there are multiple products associated with your account, choose the products you want to add the user to, then click Continue.
  4. Enter user details:
    • Email: Valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign read-only access to the associated user account, and verify that the account does not have administrative privileges.
    • First and Last Name: User’s name. These fields are editable after account creation from the user’s Profile Settings.
    • Time Zone: User’s time zone. This field is editable after account creation from the user’s Profile Settings.
  5. Click Next.
  6. If there is an existing user group that is appropriate for the user to be added to, you can add them to it from the Add To Group tab.
  7. If you don’t want to manage access at the user group level, click on the Individual Permissions tab to directly assign Products, User Roles, and Resources to the user.
  8. After you have assigned Products, User Roles, and Resources, click the Add User button to create the new user.

Add or Edit Users (Multi-Product Customers)

RBAC provides the ability to control user access at a more granular level so depending on the products available within your account, the add and edit user experience may look a little different than it used to.

Within the Add or Edit User flow, if you have multiple Insight products you may be asked to select which product(s) you want to manage access to. This will determine whether user groups, product roles and data access are available when managing user access.

If you select a product that does not yet provide role-based access control you will have the option to assign one of three shared organization roles - Admin, Read Write or Read Only and to assign product access.

If you select a product that supports role-based access control you will have the option to add the user to existing user groups and/or to assign products, roles and data access directly to the user.

Edit and delete users

You may need to edit an existing user’s permissions, product access, or account details, or you may need to delete their account altogether. You can do all of this from the User Management area of the Insight Platform.

Edit user access

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Find the user you want to make changes to.
  3. Click the pencil icon on the right. A panel appears similar to the one you used when creating the user.
  4. To add or remove a user from user groups, click the Add to Group tab. From there you can choose which groups the user should be a part of.
  5. To edit the user’s product access, user roles, and resource access directly, click on Edit Individual Permissions and make changes as needed.
  6. Click the Save button to apply your changes.

Edit user name and time zone

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Find the user you want to make changes to.
  3. Click the pencil icon on the right. A panel appears similar to the one you used when creating the user.
  4. Click the Edit Button in the User Details bar.
  5. Adjust the user’s First Name, Last Name, and Timezone as needed.
  6. Click the Save button to apply your changes.

Delete a user

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Find the user you want to delete.
  3. Click the trashcan icon.
  4. Click the Yes, remove user button to confirm.

View user access

You can access individual User Profiles to view all of the products, roles, groups, and resources a user is assigned. The User Profile also highlights whether access was assigned directly or it was inherited through a user group. This is helpful if you’re trying to troubleshoot issues with a specific user's level of access.

Troubleshoot user account issues

If a user is having issues accessing their Insight Platform account, see the following common troubleshooting scenarios and the steps you can take to resolve the issue.

Account locked

If a user is having trouble logging in to the Insight Platform, check the status of their account. If they are locked out, you can use the Reset Account button to send an email to the user, allowing them to reset their password, security question, and security question answer.

Account not activated

If a user's account status shows that it is pending activation, you can use the Resend Activation Email button to send an email to the user, providing them with a new activation link.

If the user’s account is in a "Pending Approval" status, a Platform Administrator within the account must approve their access request.

Multi-factor authentication issue

If the user has issues with their multi-factor authentication (MFA) configuration or needs to register a new device for MFA, click the Reset MFA button and the user will receive an email letting them know how to reconfigure their MFA settings.

Resolve permission conflicts

RBAC makes user management more flexible, but the freedom to assign users multiple roles and leverage user groups means that conflicts in permissions may sometimes arise. Platform Admins can resolve permission conflicts by reviewing the cause of the conflict and adjusting permissions as needed by editing the individual user’s permissions, a user role, or the groups a user is assigned to.

Causes of permission conflicts

You’re notified in a banner message on the User Management page if a user has conflicting feature permissions.

You can then take a look at the Conflicts tab to get more details about the type of conflict and a conflict description. There are 3 types or categories of conflicts: user conflicts, group conflicts, and conflicts associated with insufficient access.

In each conflict scenario, the Insight Platform defaults to the principle of least privilege, meaning the user is given the lowest permission assigned to them until the source of the conflict is resolved.

User conflicts

A user conflict can be caused by:

  • Directly assigning a user 2 roles that grant access to the same feature but with different levels of permissions.
  • Directly assigning a user 1 role that has conflicting permissions with a role they inherited from a user group.
  • Inheriting roles with conflicting permissions from the same user group (affects all users in the group) or different user groups.

Group conflicts

A conflict can occur within a single user group when 2 or more roles within the group contain conflicting feature permissions. As always, the access level of all users within the group will be based on the principle of least privilege, meaning users will be granted the lowest permission assigned to them.

Insufficient access conflicts

You’re notified of an insufficient access conflict when a user does not have the minimum required access for a product they are assigned. Minimum required access is what Rapid7 defines as the least access required for a user to be able to get value from the product(s) they have access to. If these conflicts are not resolved, they impact a user’s ability to use and gain insight from the product.
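To make the least-privilege rule and the three conflict categories concrete, here is an added Python model. It is not Rapid7 code: the feature names, the numeric permission ordering, the role-to-feature mapping and the MIN_REQUIRED table are assumptions for the example, since the page names the roles but not the features behind them. It computes a user's effective permissions as the lowest level any of their roles grants, reports which features conflict and from which direct or inherited source, and flags an assigned product for which the user holds no qualifying role at all.

```python
from dataclasses import dataclass, field

# Assumed permission ordering; "lowest permission" on the page is taken to mean the minimum.
NONE, VIEW, CHANGE = 0, 1, 2
LEVEL_NAME = {NONE: "none", VIEW: "view", CHANGE: "view+change"}

# Constructed role definitions: role name -> feature -> level.  The feature names and
# levels are assumptions for the example; the page only names the roles.
ROLES = {
    "LogSearch View Only":       {"log_search": VIEW},
    "LogSearch View and Change": {"log_search": CHANGE},
    "InsightIDR Viewer":         {"log_search": VIEW, "investigations": VIEW},
    "InsightIDR Analyst":        {"log_search": CHANGE, "investigations": CHANGE},
}

# Assumed "minimum required access" per product, used for insufficient-access checks.
MIN_REQUIRED = {"InsightIDR": {"log_search": VIEW}}


@dataclass
class Group:
    name: str
    roles: list


@dataclass
class User:
    name: str
    products: list = field(default_factory=list)
    direct_roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def grants(user: User):
    """Yield (feature, level, source) for every role the user holds, directly or via a
    group; the source string is the 'direct' vs 'inherited' distinction the User Profile shows."""
    for role in user.direct_roles:
        for feature, level in ROLES[role].items():
            yield feature, level, f"direct:{role}"
    for group in user.groups:
        for role in group.roles:
            for feature, level in ROLES[role].items():
                yield feature, level, f"group:{group.name}:{role}"


def effective_permissions(user: User) -> dict:
    """Least privilege: where roles disagree on a feature, the lowest level wins."""
    effective = {}
    for feature, level, _ in grants(user):
        effective[feature] = min(effective.get(feature, level), level)
    return effective


def group_conflicts(group: Group) -> dict:
    """Features on which two or more roles inside one group disagree (a group conflict)."""
    levels = {}
    for role in group.roles:
        for feature, level in ROLES[role].items():
            levels.setdefault(feature, set()).add(level)
    return {f: lv for f, lv in levels.items() if len(lv) > 1}


def user_conflicts(user: User) -> dict:
    """Features on which the user's direct and inherited roles disagree, with every source,
    so an admin can see whether the clash is direct/direct, direct/group or group/group."""
    by_feature = {}
    for feature, level, source in grants(user):
        by_feature.setdefault(feature, []).append((source, level))
    return {f: s for f, s in by_feature.items() if len({lvl for _, lvl in s}) > 1}


def insufficient_access(user: User) -> dict:
    """Features whose effective level is below the assumed minimum for an assigned product."""
    effective = effective_permissions(user)
    short = {}
    for product in user.products:
        for feature, needed in MIN_REQUIRED.get(product, {}).items():
            if effective.get(feature, NONE) < needed:
                short[feature] = effective.get(feature, NONE)
    return short


def demo() -> dict:
    """Constructed users and groups that trigger each conflict type."""
    analysts = Group("SOC Analysts", ["InsightIDR Analyst"])
    mixed = Group("Mixed", ["LogSearch View Only", "LogSearch View and Change"])
    alice = User("alice", products=["InsightIDR"],
                 direct_roles=["LogSearch View Only"], groups=[analysts])
    bob = User("bob", products=["InsightIDR"])  # product assigned, no role anywhere
    return {
        "alice_effective": effective_permissions(alice),
        "alice_conflicts": user_conflicts(alice),
        "mixed_group_conflicts": group_conflicts(mixed),
        "bob_insufficient": insufficient_access(bob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the model makes visible: alice is an analyst through her group, but the direct LogSearch View Only role drags her log_search permission down to view-only until the conflict is cleared, which is exactly the behaviour an admin sees as a user conflict banner. The group "Mixed" is misconfigured on its own and affects every member; bob has a product but no role and therefore trips the insufficient-access check.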

Resolve a permission conflict

How to resolve a permission conflict depends on the type of the conflict, which you can determine from the Conflicts tab of the User Management page in the Insight Platform.

To identify the type of conflict:

  1. From the left menu of the Platform Home page, click the User Management icon.
  2. Click the Conflicts tab at the top of the panel.
  3. You can then view conflicts by type by selecting either the User Conflicts, Group Conflicts, or Insufficient Access tabs on the left hand side.

To resolve user conflicts, you can:

  • Edit the roles assigned to a user through individual permissions.
  • Edit the user groups a user is assigned to.
  • Edit the roles assigned to a user group that the user is also assigned to.

To resolve group conflicts, you can:

  • Edit the roles assigned to a user group.

To resolve insufficient access conflicts, you can:

  • Directly assign the appropriate role(s) to a user through individual permissions.
  • Edit the user groups a user is assigned to so they inherit the appropriate role(s).
  • Edit the roles assigned to a user group that the user is also assigned to, so they inherit the appropriate role(s).