Manage Rapid7 users with role-based access control (RBAC)

The Rapid7 Command Platform’s web interface provides a central location to create and manage users who need access to your Rapid7 products. This user management system is powered by a role-based access control (RBAC) framework, which allows you to tune users’ access to applications and data privileges according to their role within your organization.

RBAC encourages the principle of least privilege, which helps prevent users from accessing sensitive data or information irrelevant to their roles.

The Rapid7 Command Platform’s implementation of RBAC provides these benefits:

Granular control: Control access to capabilities and resources at a granular level. For example:
- InsightIDR and InsightOps customers can control access to logs and their related dashboards and reports.
- InsightAppSec customers can control access to applications and features.
Reduced administrative burden: Manage access for many users at once by altering the privileges associated with roles and user groups.
Reduced complexity and errors: Create and maintain user accounts with ease by granting access based on user roles within your company.

Objects of the Rapid7 Command Platform RBAC system

The Command Platform’s implementation of RBAC defines these objects that you can use to configure access privileges for users:

Product roles - You can assign multiple roles to a user to provide the level of access that is appropriate for their job duties. For example, a user may have an Administrator role in InsightAppSec and an Analyst role in InsightIDR at the same time.
Product-specific Rapid7 Managed roles - These roles can vary by Rapid7 product, and are based on common use cases and scenarios.
Custom roles - InsightIDR, InsightAppSec & InsightOps customers can create custom roles or copy and customize Rapid7 Managed roles to suit your needs.
User groups - Create user groups to easily manage product access, role assignment, and data access for many users at once.
Data access - Configure specific data access rules by specifying the resources a user or user group should have access to.

How to create and manage user groups

User groups are collections of users that are assigned the same products, roles, and data access. What users, products, roles, and data access you include in a user group is entirely up to you. You can also include users in many user groups, giving you flexibility to manage access in the way that works best for you.

Create a user group

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Click the User Groups tab.
Click the Create User Group button. The Create New Group panel appears.
Enter a Group Name and a Group Description to make it easy for you and others to find and identify this user group in the future.
In the Products tab, select what products you wish users within this group to have access to.
Click on the Roles tab to assign specific user roles to all users within the group.
Click on the Users tab to add users to the group.
Click on the Data Access tab to choose which resources the users within this group should have access to.
Click Save Group to finish creating the group.

Edit a user group

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Click the User Groups tab.
Find the user group you want to edit.
Click on the edit icon.
Edit the products, user roles, and resources assigned to the group as needed. You can also edit the group’s user membership at this time.
Click Save Group to save your changes.

Delete a user group

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Click the User Groups tab.
Find the user group you want to delete.
Click on the delete icon.
Click Yes, remove group to confirm.

User roles

RBAC allows you to restrict or grant user access and permissions according to an employee’s role within your organization. In this section, we describe what permissions are associated with each role so that you can decide how best to assign them.

Platform Administrator

A Platform Administrator user has full, administrative access to the Command Platform and can perform all of the tasks outlined in the Platform overview, including all aspects of User Management and Company Settings. You should appoint more than one Platform Administrator to ensure you have adequate administrative coverage.

The Platform Administrator role is distinct from other user roles and is treated as a binary state — a user can be a Platform Administrator, or not a Platform Administrator. When creating a new user, this will be the first data privilege decision you make.

⚠️

Product access for Platform Administrators

Platform Administrators do not have product access by default and can’t complete product-specific tasks unless assigned to a product. If you want a user to have full administrative capabilities on the Command Platform as well as within each product they’re assigned, ensure they are set as a Platform Administrator and are assigned the Admin user role for each product.

Rapid7 managed roles

Rapid7 managed roles are available to users of InsightIDR, InsightAppSec, and InsightOps. These roles are defined and maintained by Rapid7 and vary by Rapid7 product to align with product-specific workflows and contexts.

Shared managed roles

Role	Suitable for use with	Capabilities
Administrator (Shared)	InsightVM, InsightConnect, tCell, Rapid7 Services	An Administrator can view all data, perform all functions, and manage all settings for any products they’re assigned. Administrators can create, edit, and delete users for any products they’re assigned, though they can’t create Platform Administrator users.
View and Change (Shared)	InsightVM, InsightConnect tCell, Rapid7 Services	Users with View and Change access can view and edit all data within the product they’re assigned. View and Change users cannot perform any administrative actions or change any settings.
View Only (Shared)	InsightVM, InsightConnect tCell, Rapid7 Services	View Only users can view all data within any products they’re assigned, but they can’t edit or manage it in any way.

Note: users assigned InsightConnect recieve full access to the product regardless of the selected role. To restrict access to InsightConnect, deselect the InsightConnect product for that user.

InsightIDR managed roles

Feature reference

For more information on what each feature governs as well as the levels of access available to the feature, review the following table:

Feature	Permissions Options	Description
InsightIDR Core	View Only, View and Change, Administer	Determines access to all of the InsightIDR features that are not managed by another feature, including Assets and Endpoints, Automation, Alerts, Investigations, and Detection Rules View Only - This role will only be able to view (read) InsightIDR Core content View and Change - This role will only be able to view (read) and update InsightIDR Core content Administer - This role will be able to view (read), update, create, and delete InsightIDR Core content
Collector	View Only, Administer	Determines access to collectors and event sources View Only - This role will only be able to view (read) Event Sources and Collectors Administer - This role will be able to view (read), update, create, and delete Event Sources and Collectors
Log Search Dashboards	View Only, View and Change, Administer	Determines access to Dashboards and Reports View Only - This role will only be able to view (read) existing Dashboards and Reports View and Change - This role will only be able to view (read) and update existing Dashboards and Reports Administer - This role will be able to view (read), update, create, and delete Dashboards and Reports
Log Management and Querying	View Only, View and Change, Administer	Determines access to log management and query features View Only - This role will only be able to view (read) log management settings and existing log search queries View and Change - This role will only be able to view (read) and update log management settings and existing log search queries Administer - This role will be able to view (read), update, create, and delete log management settings and log search queries

Managed roles reference

For more information on what each InsightIDR managed role can access within the product, review the following drop-down sections:

InsightIDR Admin

The InsightIDR Admin role has full access to the product. The role allows for View and Change privileges on all product features and allows the user to view and manage collectors and other data collection objects. This role is suitable for use with the following products:

InsightIDR

Feature	Permission
InsightIDR Core	Administer
Collector	Administer
Detection and Response Dashboards	Administer

InsightIDR Analyst

The InsightIDR Analyst role has partial View and Change privileges and is able to edit most parts of the product except for collectors and data management in general. This role is suitable for use with the following products:

InsightIDR

Feature	Permission
InsightIDR Core	View and Change
Detection and Response Dashboards	View and Change

InsightIDR Viewer

The InsightIDR Viewer role allows for viewing most parts of the product. This role is suitable for use with the following products:

InsightIDR

Feature	Permission
InsightIDR Core	View Only
Detection and Response Dashboards	View Only

Log Search Admin

The Log Search Admin role has administrator privileges on Log Search features. This role is suitable for use with the following products:

InsightIDR
InsightOps

Feature	Permission
Log Management and Querying	Administer
InsightOps Log Archiving	Administer
InsightOps Log Usage	View Only

Log Search View and Change

The Log Search View and Change role has View and Change privileges on Log Search features. This role is suitable for use with the following products:

InsightIDR
InsightOps

Feature	Permission
Log Management and Querying	View and Change
InsightOps Log Archiving	View and Change
InsightOps Log Usage	View Only

Log Search View Only

The Log Search View Only role has View privileges on Log Search features. However, the user will be unable to save queries, create alerts, create dashboards, or manage S3 archiving. This role is suitable for use with the following products:

InsightIDR
InsightOps

Feature	Permission
Log Management and Querying	View Only
InsightOps Log Archiving	View Only
InsightOps Log Usage	View Only

InsightOps managed Roles

Role	Suitable for use with	Capabilities
InsightOps Admin	InsightOps	The InsightOps Admin role has full access to the product.
InsightOps View and Change	InsightOps	The InsightOps View and Change role has partial View and Change privileges throughout the product except for data management in general.
InsightOps View Only	InsightOps	The InsightOps View Only role has limited View access to the product.
Log Search Admin	InsightIDR and InsightOps	The Log Search Admin role has administrator privileges on Log Search features.
Log Search View and Change	InsightIDR and InsightOps	The Log Search View and Change role has View and Change privileges on Log Search features.
Log Search View Only	InsightIDR and InsightOps	The Log Search View Only role has View privileges on Log Search features. However, the user will be unable to save queries, create alerts, create dashboards, or manage S3 archiving.

InsightAppSec managed roles

Role	Suitable for use with	Capabilities
InsightAppSec Admin	InsightAppSec	The InsightAppSec Admin role has full access to the product.
InsightAppSec ReadWrite	InsightAppSec	The InsightAppSec ReadWrite role has partial View and Change privileges throughout the product.
InsightAppSec ReadOnly	InsightAppSec	The InsightAppSec ReadOnly role has limited View access to the product.
App Owner	InsightAppSec	The App Owner role can set up apps and configure settings within the app, but has lesser privileges to scan configurations and vulnerabilities.
Scan Manager	InsightAppSec	The Scan Manager role can create scan configurations and run scans, but can’t edit apps or view vulnerabilities.
Vulnerability Remediator	InsightAppSec	The Vulnerability Remediator role can fix, manage, and replay attacks on vulnerabilities within apps they can access, but can’t manage apps or scans.

Shared managed roles by product

ℹ️

Product roles sometimes vary

Many Rapid7 products use these shared user roles. However, some products interpret or apply these product user roles differently based on specific product use cases.

InsightVM

Product roles assigned to InsightVM users at the Platform level are ignored in favor of the more detailed and specialized InsightVM user roles, which are assigned to users by a Global Administrator in InsightVM. That means Platform users who are also InsightVM users are given InsightVM privileges associated with whatever role they’re assigned in InsightVM. Platform users who are not also InsightVM users are treated as Global Administrators.

InsightConnect

Due to the nature of using Automation, InsightConnect provides full access to all users who are assigned the InsightConnect product. The View and View and Change roles at the user level do not apply. To restrict access to InsightConnect, deselect the InsightConnect product for the given user.

tCell

Product role	Capabilities
Administrator (Shared)	tCell Administrator users have all of the same privileges as View and Change users, but they can also add, remove, and edit other users, as well as create and delete tCell apps.
View and Change (Shared)	View and Change users can view information across all apps and make changes to app policies. Users with this role can also modify collected data and requests, and specify which client IP addresses to block. However, they can’t create or delete tCell Apps, or modify other users.
View Only	View Only users can view information across all apps in tCell. Users with this role can see all app data such as events, package version information, and agents installed. Users in this role cannot modify the configuration of any apps such as changing policies or setting up alerts.

ℹ️

tCell application roles

In addition to these product roles, tCell also has the concept of application roles. With application roles, user permissions can be scoped to a specific tCell application. These roles don’t restrict access to the app, only increase it.

Rapid7 Services

Product role	Capabilities
Administrator (Shared)	A Rapid7 Services Administrator has access to all functions within their assigned products and services. These actions include uploading and removing documents and reports, commenting on forms and reports, completing all onboarding actions for any Managed/Consulting services on the Command Platform, viewing all assigned and unassigned services, adding existing Platform users, and managing users within the same product that they administer.
View and Change (Shared)	A user with View and Change access can complete any onboarding actions for the team to which they are assigned, such as completing forms, uploading documents, and removing any owned documents. This user cannot add or manage users.
View Only	A user with View Only access can view the status of the onboarding process, as well as documents or reports from any assigned product or service. This user cannot modify any data, such as filling out forms or uploading documents.

ℹ️

Want a user who can only see reports?

Create a user with a View Only user role without admin privileges if you only want to provide viewing access to reports.

ℹ️

Additional role information

Check out our Manage user groups and Manage users sections to learn more about how to assign these roles to groups as well as individual users.

Manage data access

The data access table, which is available when creating or editing a user or user group, displays the available resources you can assign to users depending on the Rapid7 products selected. Use the menu to the left of the table to switch between resource types, if applicable.

You can choose to view all available resource sets within an account or to view only the resource sets currently selected for the user. Use the check boxes to control which resources a user has access to.

Logs and log sets

Logs are available as assignable resources when there is an active InsightIDR or InsightOps product associated with your Rapid7 account.

Default log access

By default, InsightIDR and InsightOps users will be assigned access to all current and future logs and log sets. The ability to manage log access at a user or user group level will not be available within from this page unless this default behavior is turned off.

You can turn off this default setting from Data Access Controls tab so that all log access must be assigned to specific users or user groups by an Administrator in your account.

Restrict log access

As with other resources, use the check box next to each log to specify which user can access that particular log. Additionally, and unlike other resources, you have the option to restrict data access to individual logs by clicking the restricted icon in the log table.

If a user doesn’t belong to a user group, restricting log access amounts to the same thing as simply leaving the log unselected. However, if a user does belong to a user group, restricting log access allows you to override any log access the user inherited from the group.

To illustrate how restricting log access works in practice, here are a few common scenarios:

A user is individually given access to Log A, and Log B is left unchecked.
- Result: The user only has access to Log A.
A user is individually given access to Log A, and Log B is left unchecked. However, the user is also a part of a user group that has access to Log B.
- Result: The user has access to Log A and Log B.
A user is individually given access to Log A, and Log B is marked as restricted. But the user is also a part of a user group that has access to Log B.
- Result: The user only has access to Log A.

Log and log set selection

When you select which logs a user should have access to, you can select entire groups of logs, called log sets, by clicking the check box next to the name of the log set. Alternatively, you can select every log within the log set. Regardless of your assignment method, giving a user access to an entire log set automatically grants them access to any logs added to that log set in the future.

Similarly, if you restrict access to a log set, every log within the set is automatically restricted, as are any logs that are added to the set in the future.

You can also select, deselect, and restrict access to individual logs within a set.

If you select only some, and not all, of the logs within a particular log set, the user is only given access to the selected logs, even if additional logs are added to the set in the future.

Similarly, if you select a log set, but restrict access to at least one log within the set, the user is only given access to the selected logs, even if additional logs are added to the set in the future.

Manage users

In this section, we explain how to add, edit, and delete users, as well as how to view user access and troubleshoot some user account issues.

Add users

Platform Administrators can add a user to the Command Platform and grant them access to any product. Product Administrators can also add users, but can only grant access to products they themselves have access to.

To add a user:

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Click Create User. The Add User panel appears.
Enter user details:
- Email: This must be a valid email address associated with the user. You can use a distribution list as the user email address if you want, but if you do, make sure to assign read-only access to the associated user account and verify that the account does not have Administrator privileges.
- First name, last name, and time zone: These fields are editable after the account is created from the user’s Profile Settings.
Click Next to assign the new user access to products.
If there is an existing user group that is appropriate for the user to be added to, you can add them to it from the Manage User Groups tab.
If you don’t want to manage access at the user group level, click the Manage Individual Permissions tab to directly assign products, roles, and resources to the user.
After you have assigned products, roles, and resources, click Save to create the new user.

Edit and delete users

You may need to edit an existing user’s privileges, product access, or account details, or you may need to delete their account altogether. You can do all of this from the User Management area of the Command Platform.

Edit user access

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Find the user you want to make changes to.
Click the edit icon on the right. A panel appears similar to the one you used when creating the user.
To add or remove a user from user groups, click the Add to Group tab. From there, you can choose which groups the user should be a part of.
To edit the user’s product access, user roles, and resource access directly, click on Edit Individual Permissions and make changes as needed.
Click Save to apply your changes.

Edit user name and time zone

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Find the user you want to make changes to.
Click the edit icon on the right. A panel appears similar to the one you used when creating the user.
Click Edit in the User Details bar.
Adjust the user’s First Name, Last Name, and Time Zone as needed.
Click Save to apply your changes.

Delete a user

From the left menu of the Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Find the user you want to delete.
Click the delete icon.
Click Yes, remove user to confirm.

View user access

You can access individual user profiles to view all of the products, roles, groups, and resources a user is assigned. The user profile also highlights whether access was assigned directly or if it was inherited through a user group. This is helpful if you’re trying to troubleshoot issues with a specific user’s level of access.

Troubleshoot user account issues

If a user is having issues accessing their Rapid7 account, see the following common troubleshooting scenarios and the steps you can take to resolve the issue.

Account locked

If a user is having trouble signing in to the Rapid7 Command Platform, check the status of their account. If they are locked out, you can use the Reset Account button to send an email to the user, allowing them to reset their password, security question, and security question answer.

Account not activated

If a user’s account status shows that it is pending activation, you can use the Resend Activation Email button to send an email to the user, providing them with a new activation link.

If the user’s account is in a “Pending Approval” status, a Platform Administrator within the account must approve their access request.

Multi-factor authentication issue

If the user has issues with their multi-factor authentication (MFA) configuration or needs to register a new device for MFA, click the Reset MFA button and the user will receive an email letting them know how to reconfigure their MFA settings.

Resolve permission conflicts

The nature of RBAC assignments means that conflicts in privileges may sometimes arise. Platform Administrators can resolve conflicts by reviewing the cause of the conflict and adjusting privileges as needed.

Causes of privilege conflicts

You’re notified in a banner message on the User Management page if a user has conflicting privileges.

You can then take a look at the Conflicts tab to get more details about the type of conflict and a conflict description. There are 3 categories of conflicts: user conflicts, group conflicts, and conflicts associated with insufficient access.

In each conflict scenario, the Rapid7 Command Platform defaults to the principle of least privilege, meaning the user is given the lowest privilege assigned to them until the source of the conflict is resolved.

User conflicts

A user conflict can be caused by:

Directly assigning a user 2 roles that grant them access to the same feature but with different levels of privilege.
Directly assigning a user 1 role that has conflicting privileges with a role they inherited from a user group.
Inheriting roles with conflicting privileges from the same user group (affects all users in the group) or different user groups.

Group conflicts

A conflict can occur within a single user group when 2 or more roles within the group contain conflicting privileges. As always, the access level of all users within the group will be based on the principle of least privilege, meaning users will be granted the lowest privilege assigned to them.

Insufficient access conflicts

You’re notified of an insufficient access conflict when a user does not have the minimum required access for a product they are assigned. Minimum required access is what Rapid7 defines as the least access required for a user to be able to get value from the product they have access to. If these conflicts are not resolved, they impact a user’s ability to get valuable information from the product.

Resolve a privilege conflict

Privilege conflict resolution methods vary by conflict type.

To identify the type of conflict:

From the left menu of the Rapid7 Command Platform Home page, click the Administration link.
From the left menu of the Administration page, click User Management.
Click the Conflicts tab at the top of the panel.
You can then view conflicts by type by selecting either the User Conflicts, Group Conflicts, or Insufficient Access tabs.

To resolve user conflicts:

Edit the roles assigned to a user through individual privileges.
Edit the user groups a user is a member of.
Edit the roles assigned to a user group that the user is also a member of.

To resolve group conflicts:

Edit the roles assigned to a user group.

To resolve insufficient access conflicts:

Directly assign the appropriate role(s) to a user through individual privileges.
Edit the user groups a user is a member of so they inherit the appropriate role(s).
Edit the roles assigned to a user group that the user is also a member of so they inherit the appropriate role(s).