Role-Based Access Control (RBAC)

Note

For more information about managing users, see User Management.

RBAC Overview

Role-based access control (RBAC) allows administrators to restrict read and write access to key parts of Fugue. This includes:

• Viewing or configuring environments

• Accessing compliance, drift, enforcement, or baseline data

• Accessing the visualizer

• Managing users, groups, custom rules, and API clients

• Managing notifications

• Running scans

RBAC promotes the principle of least privilege. It’s a security best practice to only give admin access to users who need it, and to limit other users from having unnecessary access to environments and actions.

You can manage RBAC from the Groups page:

For more details, see The Groups Page.

Note

RBAC is a Fugue Team and Fugue Enterprise feature.

Groups, Policies, Users

Note

If an admin creates a new environment, they need to assign the environment to a group so users in that group can access it. See How to Edit Groups.

Three key concepts in RBAC are groups, policies, and users.

A group represents a set of environments that users can access. Each group is associated with a single policy, which defines the actions that users can take in Fugue. Each user belongs to a single group and inherits the policy of that group.

You can view RBAC groups on the Groups page and users on the Users page.

By default, each organization starts with one group and one user – the Admin group and account owner. The user who created the organization is the account owner.

Users in the Admin group can create other groups, invite users, and assign/reassign users to groups on an individual basis.

Currently, Fugue supports three types of policies:

• Admin

• Editor

• Read Only

The Admin group has the Admin policy, which cannot be changed. All other groups may be given any policy. To learn more about each policy, see Policy Permissions.

Admin Policy

An Admin policy grants a user all access to all environments. It’s associated with the Admin group, the default group in Fugue. No other group can use the Admin policy.

Administrators can create groups and grant permissions to that group determine the actions, pages, and environments that users can view, access, or edit within Fugue.

The Admin policy cannot be modified, but users in the Admin group can be moved to another group – except the account owner, who cannot be reassigned. To change the account owner, contact support@fugue.co.

See Policy Permissions for a detailed list of Admin permissions.

Editor Policy

An Editor policy grants a user certain read and write permissions that allow them to edit environments, among other actions.

The Editor policy grants all the permissions in the Read Only policy and some of the permissions in the Admin policy. Editors cannot create or delete environments, configure custom rules, manage users, or configure API clients. They can, however, take actions such as changing environment settings, running scans, and configuring notifications and reports.

Editors can’t view or edit notifications associated with environments they don’t have access to. For example, if an Editor user has access to environments A and B, and an Admin user creates a notification for environments B and C, the Editor cannot see it.

See Policy Permissions for a detailed list of Editor permissions.

Read Only Policy

A Read Only policy grants a user read-only access to a group’s environments. Users cannot view environments their group doesn’t grant access to, and they can’t perform write actions on any environment.

For example, Alice Admin creates a group called Staging. The group is associated with the Read Only policy and enables access to two environments, Web Us-east-1 and Web Us-west-2. Alice assigns the user Bob to Staging, which allows Bob to view only those two environments. Bob cannot edit environment settings, enable/disable enforcement, manage users, and so on; he can only view the environments.

See Policy Permissions for a detailed list of Read Only permissions.

Policy Permissions

Feature	Read	Editor	Admin
UI Pages
View accessible environments on Environments Page	X	X	X
View compliance data	X	X	X
View drift and enforcement events	X	X	X
View baseline	X	X	X
View visualization	X	X	X
View environment configuration settings	X	X	X
Environment-Level Settings
Configure environment settings		X	X
Enable/disable drift and/or enforcement		X	X
Run scans (UI, API) or change scan interval (API only)		X	X
Create or delete environments			X
Organization-Level Settings
Configure notifications and reports		X	X
Configure custom rules			X
Create/update/delete users with respective groups			X
Configure API clients			X

Getting Started with RBAC

The admin should create one or more groups with the Read Only or Editor policy to limit what actions users can take and what environment(s) they can view within Fugue.

Here are the basics of RBAC with Fugue:

• Create a group to enable access to one or more environments.

• Assign existing users or new users to a group.

• Optionally, edit a group by changing the environments associated with it.

• Delete a group if needed.

Note

The Fugue API does not currently support RBAC or user management.

The Groups Page

The Groups page lists the name, policy, and environment(s) associated with each group:

You can hover over the i symbol next to the number of environments in a group to see the environment names:

You can also select the ellipsis ... to edit a group.

How to Create a Group

There are two steps to creating a group:

1. Define the group name and policy.

2. Select environments the group can access.

Step 1: Definition

1. Navigate to Organization > Groups.

2. Click the Create New Group button.

3. Enter a name for your group.

4. In the Policy drop-down, select the policy to be associated with the group.

Step 2: Environments

1. Select the environments this group can access.

2. Click Create Group.

Note

If you create new environments, you will need to update this group to include those environments if you want this group to access them.

Additionally, if you do not create any groups, all users will belong to the Admin group and they will have global access to everything within Fugue.

How to Assign Existing Users to a Group

1. Navigate to Organization > Users.

2. In the user row, select the ellipsis icon ... and choose Edit User.

3. From the Group drop-down, select the group you want the user to belong to.

4. Click Update User.

How to Invite and Assign New Users to a Group

1. Navigate to Organization > Users.

2. Click the Invite New User button.

3. From the Group drop-down, select the group you want the user to belong to.

4. Click Send Invitation Email.

See User Management for more information on inviting and managing users.

How to Edit Existing Groups

1. Navigate to Organization > Groups.

2. In the group row, select the ellipsis icon ... and choose Edit Group.

3. Select the environments this group can access.

4. Click Update Group.

Note

If you create new environments, you will need to update this group to include those environments if you want this group to access them.

How to Delete Groups

1. Navigate to Organization > Groups.

2. In the group row, select the ellipsis icon ... and choose Delete Group.

3. Select Delete Group.

Note

A group cannot be deleted if one or more users belong to it. You must first move each user to a different group. Otherwise, you’ll see an “Unable to Delete Group” error:

Unable to Delete Group

Please reassign {user name} to a different group to delete this group. Go to Users

More About User Management

For more information about managing users, see User Management.