Get Started

Getting Started

Deploy

Onboard and Manage Accounts

Amazon Web Services (AWS)

Google Cloud Platform (GCP)

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

Additional Providers

Collect and Integrate Data

Harvesting & Event-Driven Harvesting

Integrations

Understand Data

Visibility & Reporting

Inventory

Query Filters & Insights

Manage and Act on Data

Bots & Automation

Infrastructure as Code (IaC) Security

Cloud IAM Governance

Vulnerability Management

Workload Security

Manage System Settings

InsightCloudSec System Configuration

Developer Resources

APIs

Support

User Entitlements

Entitlements give Admins control over a Basic User Group's permissions to access the various components of the InsightCloudSec platform, e.g., Bot Factory, Access Explorer, Insights, and more. There are three types of entitlements: Viewer, Editor, and Admin -- permissions for each entitlement are detailed below. For information on the user types and InsightCloudSec application security features, review Users, Groups, and Roles (User Management). Some features and functionality of InsightCloudSec are not governed by Entitlements:

Feature	Details
Change Organization	Basic Users can only access one InsightCloudSec Organization (basic users are directly associated with their Organization). For information on InsightCloudSec Organizations, review Organizations.
Profile	All users can update their own profile (username, name, email address, password, theme, etc.). Basic Users must be granted permission by an Admin to generate their own API Keys. Admins, see User Configuration for more information.
Summary	Basic Users can access this page, but they will not be able to see any data unless they've been granted explicit permission to a (or all) Cloud Account, Resource Group, or Badge (and thus, Resources). These permissions are governed by Basic User Roles. Admins, see Basic User Role Permissions for more information.
Cloud > Cloud Accounts	Listing Basic Users can access this page, but they will not be able to interact with the page unless their Basic User Role scope includes a specific Cloud Account (or Accounts), whether explicitly or through Badges. Adding or Deleting a Cloud account requires explicit Basic User Role-based permissions. If a user has been granted access to a Cloud Account(s), they will be able to access the Cloud Account Details pages. Organizations Only Organization Admins and Domain Admins can interact with this page. Summary Basic Users can access this page, but they will not be able to interact with the page unless their Basic User Role scope includes a specific Cloud Account (or Accounts), whether explicitly or through Badges. Badges Basic Users can access this page, but they will not be able to interact with the page unless their Basic User Role scope includes a specific Cloud Account (or Accounts), whether explicitly or through Badges Admins, see Basic User Role Permissions for more information on configuring Basic User Roles.
Inventory > Resources	Basic Users can access this page, but they will not be able to interact with the page unless they have been granted explicit permissions to a specific Cloud Account (or Accounts), Resource Group, or Badge (and thus, Resources). These permissions are governed by Basic User Roles. Managing and/or Deleting resources can only be performed by the Editor and Admin roles respectively. Admins, see Basic User Role Permissions for more information.
Security > Access Explorer	Basic Users can access this page, but they will not be able to interact with the feature. Review the Access Explorer documentation for more information.
Security > Query Filters	All users can browse the list of Query Filters.

Domain Admins and Organization Admins Details

Entitlements do not apply to Domain or Organization Admins. For more information on what Domain Admins and Organization Admins can do, review Definitions.

Viewer Permissions

The following sections detail the access and functionality afforded to a Basic User with the Viewer role across InsightCloudSec. The sections are organized by InsightCloudSec navigation menu sections.

Cloud - Viewer Permissions

Entitlement	Details
Event-Driven Harvesting (Cloud Accounts)	This entitlement regulates access to four tabs (accessed from the Cloud Accounts page): EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events Viewers can: Browse, search, and filter the EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events pages
Kubernetes Clusters	This feature also requires Global Scope Viewers can: Browse, search, and filter onboarded Kubernetes clusters
Data Collections	Viewers can: Browse and search existing Data Collections

Inventory - Viewer Permissions

Entitlement	Details
Resource Groups	Viewers can: Browse and search the Resource Groups to which they have explicit access Review Resources associated with the Group (Go to Resources in the Action column) Resource Group permissions are governed by Basic User Roles; admins, see Basic User Role Permissions for more information.
Applications	Viewers can: Browse, search, and filter the Applications associated with the InsightCloudSec Organization to which they are a member View Resources associated with an Application Favorite an Application
Tag Explorer	Viewers can: Browse and search existing tags as they relate to the Cloud Accounts to which they have access

Security - Viewer Permissions

Entitlement	Details
Layered Context	Viewers can: Browse, search, and filter the entire feature set as it relates to the Cloud Accounts to which they have access Download data Use the items in the Action column
Identity Analysis	Viewers can: Browse, search, and filter the entire feature set as it relates to the Cloud Accounts to which they have access Use the items in the Action column Viewers cannot, however, review the Permission breakdown or Federated User context details.
Attack Path	Viewers can: Browse, search, and filter the Attack Paths associated with the InsightCloudSec Organization to which they are a member Download data Review Attack Path graphs Viewers cannot, however, access the resource properties of the nodes in an Attack Path graph
Threat Findings	Viewers can: Browse, search, and filter the Threat Findings associated with the InsightCloudSec Organization to which they are a member Review Finding details
Compliance Scorecard	Viewers can: Create a Compliance Scorecard for the Cloud Accounts/Kubernetes Clusters/Resource Groups/Applications to which they have access Download data Create subscriptions Manage subscriptions they have created
Host Vulnerability Assessment / Vulnerability Assessment	These entitlements regulate access to the Vulnerabilities feature. Viewers can: Browse, search, and filter the entire feature set as it relates to the Cloud Accounts to which they have access Download data Use the items in the Action column (except Reassess Resource)
Infrastructure as Code	Viewers can: Browse, search, and filter the entire feature set as it relates to the InsightCloudSec Organization to which they are a member
Insights	Viewers can: Browse, search, and filter the entire feature set as it relates to the InsightCloudSec Organization to which they are a member Review the Report Breakdown for Compliance Packs and Custom Packs Create subscriptions for Compliance Packs and Custom Packs Manage subscriptions they created for Compliance Packs and Custom Packs
Exemptions	Viewers can: Browse, search, and filter Exemptions as they relate to the Cloud Accounts to which they have access Use the items in the Actions (vertical ellipsis) menu

Automation - Viewer Permissions

Entitlement	Details
BotFactory	Viewers can: Browse, search, and filter the entire feature set as it relates to the InsightCloudSec Organization to which they are a member Download data
Scheduled Events	Viewers can: Browse, search, and filter Scheduled Events as they relate to the Cloud Accounts to which they have access

Editor Permissions

The following sections detail the access and functionality afforded to a Basic User with the Editor role across InsightCloudSec. The sections are organized by InsightCloudSec navigation menu sections.

Editor Permissions Encompass Viewer Permissions

The Editor role provides permissions in addition to the permissions provided to a Viewer.

Cloud - Editor Permissions

Entitlement	Details
Event-Driven Harvesting (Cloud Accounts)	This entitlement regulates access to four tabs (accessed from the Cloud Accounts page): EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events Editors can: Add an EDH Consumer Configuration Add an EDH Producer Use the items in the Action menu (except Delete-related actions)
Kubernetes Clusters	This feature also requires Global Scope Editors can: Manage scanning for onboarded Kubernetes clusters
Data Collections	Editors can: Create Data Collections Modify existing Data Collections

Inventory - Editor Permissions

Entitlement	Details
Resource Groups	Editors can: Create Resource Groups Edit custom Resource Groups to which they have explicit access Resource Group permissions are governed by Basic User Roles; admins, see Basic User Role Permissions for more information.
Applications	The Editor role offers no additional permissions than the Viewer role.
Tag Explorer	Editors can: Create a new Tag Configuration Edit existing Tag Configurations

Security - Editor Permissions

Entitlement	Details
Layered Context	The Editor role offers no additional permissions than the Viewer role.
Identity Analysis	The Editor role offers no additional permissions than the Viewer role.
Attack Path	The Editor role offers no additional permissions than the Viewer role.
Threat Findings	The Editor role offers no additional permissions than the Viewer role.
Compliance Scorecard	The Editor role offers no additional permissions than the Viewer role.
Host Vulnerability Assessment / Vulnerability Assessment	These entitlements regulate access to the Vulnerabilities feature. Editors can: Trigger resource reassessment via the Action menu
Infrastructure as Code	Editors can: Create and edit Configurations Create and delete Run Task Integrations
Insights	Editors can: Create a Bot from an Insight Edit Insight Labels Create a custom Insight pack Edit custom Insight packs they have created
Exemptions	Editors can: Create and edit Exemptions

Automation - Editor Permissions

Entitlement	Details
BotFactory	Editors can: Use the items in the Actions menu (except Archive) Create a Bot from a Template
Scheduled Events	The Editor role offers no additional permissions than the Viewer role.

Admin Permissions

The following sections detail the access and functionality afforded to a Basic User with the Admin role across InsightCloudSec. The sections are organized by InsightCloudSec navigation menu sections.

Admin Permissions Encompass Viewer and Editor Permissions

The Admin role provides permissions in addition to the permissions provided to a Viewer and Editor.

Cloud - Admin Permissions

Entitlement	Details
Event-Driven Harvesting (Cloud Accounts)	This entitlement regulates access to four tabs (accessed from the Cloud Accounts page): EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events Admins can: Delete EDH Consumer Configurations Delete EDH Producer Configurations
Kubernetes Clusters	This feature also requires Global Scope Admins can: Delete onboarded clusters
Data Collections	Admins can: Delete Data Collections

Inventory - Admin Permissions

Entitlement	Details
Resource Groups	Admins can: Delete custom Resource Groups to which they have explicit access Resource Group permissions are governed by Basic User Roles; admins, see Basic User Role Permissions for more information.
Applications	The Admin role offers no additional permissions than the Viewer and Editor roles.
Tag Explorer	The Admin role offers no additional permissions than the Viewer and Editor roles.

Security - Admin Permissions

Entitlement	Details
Layered Context	The Admin role offers no additional permissions than the Viewer and Editor roles.
Identity Analysis	Admins can: View Federated User context details
Attack Path	Admins can: View the resource properties of the nodes in an Attack Path Graph
Threat Findings	The Admin role offers no additional permissions than the Viewer and Editor roles.
Compliance Scorecard	The Admin role offers no additional permissions than the Viewer and Editor roles.
Host Vulnerability Assessment / Vulnerability Assessment	These entitlements regulate access to the Vulnerabilities feature. The Admin role offers no additional permissions than the Viewer and Editor roles.
Vulnerability Assessment	This entitlement regulates access to the Vulnerabilities feature. The Admin role offers no additional permissions than the Viewer and Editor roles.
Infrastructure as Code	The Admin role offers no additional permissions than the Viewer and Editor roles.
Insights	Admins can: Delete custom Insight packs
Exemptions	Admins can: Delete Exemptions

Automation - Admin Permissions

Entitlement	Details
BotFactory	Admins can: Archive Bots
Scheduled Events	The Admin role offers no additional permissions than the Viewer and Editor roles.

Did this page help you?

Identity, Access, & Permissions

Manage Groups, Roles, & Entitlements

Identity, Access, & Permissions

Manage Rapid7 Platform Login