Role Based Access Control
Enhanced RBAC is in Early Access
Enhanced RBAC functionality is only available for InsightIDR, InsightAppSec, and InsightOps customers who are participating in our Early Access program. Participants with multi-product access can utilize our enhanced RBAC capabilities in InsightIDR, InsightAppSec, or InsightOps, but not while managing users in InsightVM or their other Insight product. For more information, see Experience for Multi-Product Customers.
The User Management area of the Insight Platform is your central location to create and manage users who need access to Rapid7 Insight products. It’s powered by a role-based access control system (RBAC), which allows you to restrict or grant user access and permissions according to an employee’s role within your organization.
How RBAC works in InsightIDR
Within InsightIDR, RBAC provides the ability to apply granular permissions to Log Data. Administrators can choose which logs or log sets a user or a group of users can see, including logs that are added at a later date. These controls cascade to Custom Alerts, Saved Queries and Dashboard Cards. Data access refers to the specific resources you can give a user access to within various Insight products. Data access functionality allows you to control user access at an even more granular level.
Rapid7 Managed Roles in InsightIDR
Rapid7 Managed Roles are available to users in InsightIDR who currently have access to enhanced role-based access control functionality. These roles are defined and maintained by Rapid7 and vary across Insight products to align with product-specific workflows and contexts.
Role | Permissions |
---|---|
InsightIDR Admin | * All product access. * Allows a user to view and change all parts of the product. * Allows a user to view and manage collectors, and data collection |
InsightIDR Analyst | * Allows a user to view and change most parts of the product, other than collector & data management |
InsightIDR Viewer | * Allows a user to view most parts of the product |
Platform Admin | Platform Admins are the owners of an Insight Platform account and have complete control over administration including: * Adding, deleting, and managing users * Approving access requests, including New User Requests, Free Trial Requests, Product Access Requests, External / R7 Access Requests * Managing Authentication Settings (e.g. Password Policy, MFA Settings, External IDP config) * Managing preferences such as Session Timeout Settings, Platform Assistance links, Organization Names |
Log Search Roles
Independently manage what your users see in log search using the following roles. With these roles, you can choose how a user experiences log search in InsightIDR.
Role | Permissions |
---|---|
Log Search Admin | User Role with view & change privileges on Log Search features |
Log Search View & Change | User Role with view & change privileges on Log Search features |
Log Search View Only | * User Role with view only privileges on Log Search features * Cannot save queries, create alerts, create dashboards, or use S3 archiving |
Roles shared by InsightIDR and InsightOps
InsightIDR and InsightOps share functionality such as log search and the collector. Log Search roles are shared by both the InsightIDR and InsightOps products.
User Groups
User Groups are collections of users that are assigned the same product/s, role/s, and data access.
When you want to share a collection of Logs with a number of employees in your company, you can create a User Group that contains the data and then add all employees that require access to that User Group.
If a user has two roles and each of those roles has access to the same feature but with different permission levels, the user will be assigned the lower permission level. In addition, a Platform Administrator will be notified of the conflicts and prompted to resolve them.
Manage data access
You can grant or restrict users access to entire groups of logs, called log sets, or individual logs within a set. If you restrict access to a log set, every log within the set is automatically restricted, as are any logs that are added to the set in future. Users are only given access to the logs you select within a log set. When you select some and not all of the logs within a particular log set, users will not have access to additional logs that are added to the set in the future.
If you select a log set, but restrict access to at least one log within the set, the user is only given access to the selected logs, even if additional logs are added to the set in the future.
Grant access to log sets
- From the left menu, select User Management.
- In the Users tab, select the user whose permissions you want to update.
- Click Add Individual Permissions > Data Access.
- To grant access to an entire log set, either select the checkbox next to the name of the log set or select every log within the log set. If you give a user access to an entire log set, they’ll be given automatic access to any logs added to that log set in the future.
Restrict Log Access
- From the left menu, select User Management.
- Find the user whose permissions you want to restrict.
- Click Individual Permissions > Data Access, and select the Restrict icon next to any log you want to hide from them. When you restrict data access for a user who belongs to a group, InsightIDR overrides any log access the user inherited from the group.
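The rules above (whole log set versus individual logs, logs added later, an individual Restrict overriding group access, and the lower level winning a role conflict) can be modelled in a few lines to check what a given assignment will expose. This is an added illustration, not Rapid7 code or an Insight Platform API; the class, function, level, and log names are hypothetical, and it assumes an individual Restrict hides only the restricted log.

```python
from dataclasses import dataclass, field

# Constructed permission ordering, lowest first (an assumption for this model).
LEVELS = ["view_only", "view_and_change", "admin"]

def effective_level(role_levels):
    """Two roles on the same feature resolve to the lower permission level."""
    return min(role_levels, key=LEVELS.index)

@dataclass
class Grant:
    whole_sets: set = field(default_factory=set)  # sets selected in full (future logs included)
    logs: set = field(default_factory=set)        # (log_set, log) pairs selected one by one
    restricted: set = field(default_factory=set)  # (log_set, log) pairs marked Restrict

    def select_set(self, log_set, current_logs, restrict=()):
        if not restrict:
            self.whole_sets.add(log_set)
            return
        # Restricting even one log turns the grant into a fixed list of logs.
        self.logs |= {(log_set, name) for name in current_logs if name not in restrict}
        self.restricted |= {(log_set, name) for name in restrict}

    def allows(self, log_set, log):
        if (log_set, log) in self.restricted:
            return False
        return log_set in self.whole_sets or (log_set, log) in self.logs

def can_see(log_set, log, individual, groups=()):
    # A Restrict set on the user overrides access inherited from a group.
    # Assumption: the override applies to the restricted log only.
    if (log_set, log) in individual.restricted:
        return False
    return individual.allows(log_set, log) or any(g.allows(log_set, log) for g in groups)

def demo():
    """Constructed data: 'fw-new' and 'dns-new' are added after the grants are made."""
    soc_group = Grant()
    soc_group.select_set("Firewall", ["fw-edge", "fw-core"])
    alice = Grant()
    alice.select_set("DNS", ["dns-a", "dns-b"], restrict=["dns-b"])
    alice.restricted.add(("Firewall", "fw-core"))
    checks = [("Firewall", "fw-edge"), ("Firewall", "fw-core"), ("Firewall", "fw-new"),
              ("DNS", "dns-a"), ("DNS", "dns-b"), ("DNS", "dns-new")]
    return {c: can_see(*c, alice, [soc_group]) for c in checks}
```

In the demo, the later log reaches the user through the group's whole-set grant on "Firewall" but not through the partial grant on "DNS", which is the difference to check when reviewing who will see newly onboarded log sources.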

Manage Role Conflicts
Enhanced RBAC functionality makes user management more flexible, but the freedom to assign multiple roles to users and leverage user groups may occasionally result in conflicts in permissions. Platform Admins can resolve permission conflicts by reviewing the cause of the conflict and adjusting permissions as needed by editing the individual user’s permissions, a user role, or the groups a user is assigned to. For more information, view Resolve Permission Conflicts on the Insight Cloud Help site.