User Entitlements

Entitlements give Admins control over a Basic User Group's permissions to access the various components of the InsightCloudSec platform, e.g., Bot Factory, Access Explorer, Insights, and more. There are three types of entitlements: Viewer, Editor, and Admin -- permissions for each entitlement are detailed below. For information on the user types and InsightCloudSec application security features, review Users, Groups, and Roles (Identity Management). Some features and functionality of InsightCloudSec are not governed by Entitlements:

FeatureDetails
Change OrganizationBasic Users can only access one InsightCloudSec Organization (basic users are directly associated with their Organization). For information on InsightCloudSec Organizations, review Organizations.
ProfileAll users can update their own profile (username, name, email address, password, theme, etc.). Basic Users must be granted permission by an Admin to generate their own API Keys. Admins, see User Configuration for more information.
SummaryBasic Users can access this page, but they will not be able to see any data unless they've been granted explicit permission to a (or all) Cloud Account, Resource Group, or Badge (and thus, Resources). These permissions are governed by Basic User Roles. Admins, see Basic User Role Permissions for more information.
Cloud > Cloud AccountsListing
Basic Users can access this page, but they will not be able to interact with the page unless their Basic User Role scope includes a specific Cloud Account (or Accounts), whether explicitly or through Badges. Adding or Deleting a Cloud account requires explicit Basic User Role-based permissions. If a user has been granted access to a Cloud Account(s), they will be able to access the Cloud Account Details pages.

Organizations
Only Organization Admins and Domain Admins can interact with this page.

Summary
Basic Users can access this page, but they will not be able to interact with the page unless their Basic User Role scope includes a specific Cloud Account (or Accounts), whether explicitly or through Badges.

Badges
Basic Users can access this page, but they will not be able to interact with the page unless their Basic User Role scope includes a specific Cloud Account (or Accounts), whether explicitly or through Badges

Admins, see Basic User Role Permissions for more information on configuring Basic User Roles.
Inventory > ResourcesBasic Users can access this page, but they will not be able to interact with the page unless they have been granted explicit permissions to a specific Cloud Account (or Accounts), Resource Group, or Badge (and thus, Resources). These permissions are governed by Basic User Roles. Managing and/or Deleting resources can only be performed by the Editor and Admin roles respectively. Admins, see Basic User Role Permissions for more information.
Security > Access ExplorerBasic Users can access this page, but they will not be able to interact with the feature. Review the Access Explorer documentation for more information.
Security > Query FiltersAll users can browse the list of Query Filters.

Domain Admins and Organization Admins Details

Entitlements do not apply to Domain or Organization Admins. For more information on what Domain Admins and Organization Admins can do, review Definitions.


Viewer Permissions

Viewer Permissions

The following sections detail the access and functionality afforded to a Basic User with the Viewer role across InsightCloudSec. The sections are organized by InsightCloudSec navigation menu sections.

Cloud - Viewer Permissions

EntitlementDetails
Event-Driven Harvesting (Cloud Accounts)This entitlement regulates access to four tabs (accessed from the Cloud Accounts page): EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events

Viewers can:
  • Browse, search, and filter the EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events pages
Kubernetes ClustersThis feature also requires Global Scope

Viewers can:
  • Browse, search, and filter onboarded Kubernetes clusters
Data CollectionsViewers can:
  • Browse and search existing Data Collections

Inventory - Viewer Permissions

EntitlementDetails
Resource GroupsViewers can:
  • Browse and search the Resource Groups to which they have explicit access
  • Review Resources associated with the Group (Go to Resources in the Action column)
Resource Group permissions are governed by Basic User Roles; admins, see Basic User Role Permissions for more information.
ApplicationsViewers can:
  • Browse, search, and filter the Applications associated with the InsightCloudSec Organization to which they are a member
  • View Resources associated with an Application
  • Favorite an Application
Tag ExplorerViewers can:
  • Browse and search existing tags as they relate to the Cloud Accounts to which they have access

Security - Viewer Permissions

EntitlementDetails
Layered ContextViewers can:
  • Browse, search, and filter the entire feature set as it relates to the Cloud Accounts to which they have access
  • Download data
  • Use the items in the Action column
Identity AnalysisViewers can:
  • Browse, search, and filter the entire feature set as it relates to the Cloud Accounts to which they have access
  • Use the items in the Action column
Viewers cannot, however, review the Permission breakdown or Federated User context details.
Attack PathViewers can:
  • Browse, search, and filter the Attack Paths associated with the InsightCloudSec Organization to which they are a member
  • Download data
  • Review Attack Path graphs
Viewers cannot, however, access the resource properties of the nodes in an Attack Path graph
Threat FindingsViewers can:
  • Browse, search, and filter the Threat Findings associated with the InsightCloudSec Organization to which they are a member
  • Review Finding details
Compliance ScorecardViewers can:
  • Create a Compliance Scorecard for the Cloud Accounts/Kubernetes Clusters/Resource Groups/Applications to which they have access
  • Download data
  • Create subscriptions
  • Manage subscriptions they have created
Host Vulnerability Assessment / Vulnerability AssessmentThese entitlements regulate access to the Vulnerabilities feature.

Viewers can:
  • Browse, search, and filter the entire feature set as it relates to the Cloud Accounts to which they have access
  • Download data
  • Use the items in the Action column (except Reassess Resource)
Infrastructure as CodeViewers can:
InsightsViewers can:
  • Browse, search, and filter the entire feature set as it relates to the InsightCloudSec Organization to which they are a member
  • Review the Report Breakdown for Compliance Packs and Custom Packs
  • Create subscriptions for Compliance Packs and Custom Packs
  • Manage subscriptions they created for Compliance Packs and Custom Packs
ExemptionsViewers can:
  • Browse, search, and filter Exemptions as they relate to the Cloud Accounts to which they have access
  • Use the items in the Actions (vertical ellipsis) menu

Automation - Viewer Permissions

EntitlementDetails
BotFactoryViewers can:
Scheduled EventsViewers can:
  • Browse, search, and filter Scheduled Events as they relate to the Cloud Accounts to which they have access

Editor Permissions

Editor Permissions

The following sections detail the access and functionality afforded to a Basic User with the Editor role across InsightCloudSec. The sections are organized by InsightCloudSec navigation menu sections.

Editor Permissions Encompass Viewer Permissions

The Editor role provides permissions in addition to the permissions provided to a Viewer.

Cloud - Editor Permissions

EntitlementDetails
Event-Driven Harvesting (Cloud Accounts)This entitlement regulates access to four tabs (accessed from the Cloud Accounts page): EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events

Editors can:
  • Add an EDH Consumer Configuration
  • Add an EDH Producer
  • Use the items in the Action menu (except Delete-related actions)
Kubernetes ClustersThis feature also requires Global Scope

Editors can:
  • Manage scanning for onboarded Kubernetes clusters
Data CollectionsEditors can:
  • Create Data Collections
  • Modify existing Data Collections

Inventory - Editor Permissions

EntitlementDetails
Resource GroupsEditors can:
  • Create Resource Groups
  • Edit custom Resource Groups to which they have explicit access
Resource Group permissions are governed by Basic User Roles; admins, see Basic User Role Permissions for more information.
ApplicationsThe Editor role offers no additional permissions than the Viewer role.
Tag ExplorerEditors can:
  • Create a new Tag Configuration
  • Edit existing Tag Configurations

Security - Editor Permissions

EntitlementDetails
Layered ContextThe Editor role offers no additional permissions than the Viewer role.
Identity AnalysisThe Editor role offers no additional permissions than the Viewer role.
Attack PathThe Editor role offers no additional permissions than the Viewer role.
Threat FindingsThe Editor role offers no additional permissions than the Viewer role.
Compliance ScorecardThe Editor role offers no additional permissions than the Viewer role.
Host Vulnerability Assessment / Vulnerability AssessmentThese entitlements regulate access to the Vulnerabilities feature.

Editors can:
  • Trigger resource reassessment via the Action menu
Infrastructure as CodeEditors can:
  • Create and edit Configurations
  • Create and delete Run Task Integrations
InsightsEditors can:
  • Create a Bot from an Insight
  • Edit Insight Labels
  • Create a custom Insight pack
  • Edit custom Insight packs they have created
ExemptionsEditors can:
  • Create and edit Exemptions

Automation - Editor Permissions

EntitlementDetails
BotFactoryEditors can:
  • Use the items in the Actions menu (except Archive)
  • Create a Bot from a Template
Scheduled EventsThe Editor role offers no additional permissions than the Viewer role.

Admin Permissions

Admin Permissions

The following sections detail the access and functionality afforded to a Basic User with the Admin role across InsightCloudSec. The sections are organized by InsightCloudSec navigation menu sections.

Admin Permissions Encompass Viewer and Editor Permissions

The Admin role provides permissions in addition to the permissions provided to a Viewer and Editor.

Cloud - Admin Permissions

EntitlementDetails
Event-Driven Harvesting (Cloud Accounts)This entitlement regulates access to four tabs (accessed from the Cloud Accounts page): EDH Consumers, EDH Producers, EDH Events Summary, and EDH Events

Admins can:
  • Delete EDH Consumer Configurations
  • Delete EDH Producer Configurations
Kubernetes ClustersThis feature also requires Global Scope

Admins can:
  • Delete onboarded clusters
Data CollectionsAdmins can:
  • Delete Data Collections

Inventory - Admin Permissions

EntitlementDetails
Resource GroupsAdmins can:
  • Delete custom Resource Groups to which they have explicit access
Resource Group permissions are governed by Basic User Roles; admins, see Basic User Role Permissions for more information.
ApplicationsThe Admin role offers no additional permissions than the Viewer and Editor roles.
Tag ExplorerThe Admin role offers no additional permissions than the Viewer and Editor roles.

Security - Admin Permissions

EntitlementDetails
Layered ContextThe Admin role offers no additional permissions than the Viewer and Editor roles.
Identity AnalysisAdmins can:
  • View Federated User context details
Attack PathAdmins can:
  • View the resource properties of the nodes in an Attack Path Graph
Threat FindingsThe Admin role offers no additional permissions than the Viewer and Editor roles.
Compliance ScorecardThe Admin role offers no additional permissions than the Viewer and Editor roles.
Host Vulnerability Assessment / Vulnerability AssessmentThese entitlements regulate access to the Vulnerabilities feature.

The Admin role offers no additional permissions than the Viewer and Editor roles.
Vulnerability AssessmentThis entitlement regulates access to the Vulnerabilities feature.

The Admin role offers no additional permissions than the Viewer and Editor roles.
Infrastructure as CodeThe Admin role offers no additional permissions than the Viewer and Editor roles.
InsightsAdmins can:
  • Delete custom Insight packs
ExemptionsAdmins can:
  • Delete Exemptions

Automation - Admin Permissions

EntitlementDetails
BotFactoryAdmins can:
  • Archive Bots
Scheduled EventsThe Admin role offers no additional permissions than the Viewer and Editor roles.