Roles and Permissions
Overview
Users and teams in Cortex can be assigned to a role which permits or limits the ability to perform specific actions within Cortex. These actions range from creating API keys and adding integrations to editing Scorecards and creating entities. Roles allow you to ensure that only authorized individuals can make high-level changes to your workspace. You can use the default roles or you can create custom roles.
If a user is assigned to more than one role, they will retain the permissions of the least restricted assigned role. For example, if a user is assigned a Manager role and they are a member of a team assigned the Admin role, then they will have admin permissions throughout Cortex. Using custom roles may introduce other permissions that supersede default roles.
If a user does not have permission to perform an action, the option will not appear for them.
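The resolution rule above (a user keeps the least restricted of their direct and team-assigned roles) can be applied during an access review to find users whose effective role comes from team membership. The following is an added example, not Cortex code or a Cortex API: the role ordering is taken from the default roles described on this page, and the function names and sample assignments are constructed.

```python
# Added example: access-review helper for the "least restricted role wins" rule.
# Names and sample data are constructed; nothing here calls a Cortex API.

# Default roles ordered from most to least restricted.
ROLE_RANK = {"Viewer": 0, "User": 1, "Manager": 2, "Admin": 3}


def effective_role(direct_roles, team_memberships, team_roles):
    """Return (role, source) for the least restricted role a user holds.

    team_roles maps a team name to the role assigned to that team.
    """
    candidates = [(r, "direct") for r in direct_roles]
    candidates += [(team_roles[t], f"team:{t}")
                   for t in team_memberships if t in team_roles]
    if not candidates:
        return None, None
    unknown = sorted({r for r, _ in candidates if r not in ROLE_RANK})
    if unknown:
        # Custom roles are not strictly ordered, so review them by hand.
        raise ValueError(f"cannot rank custom roles: {unknown}")
    # max() keeps the first maximum, so a direct assignment wins ties.
    return max(candidates, key=lambda c: ROLE_RANK[c[0]])


def team_granted_access(users, team_roles):
    """List (user, role, source) where a team role exceeds every direct role."""
    findings = []
    for name, info in sorted(users.items()):
        role, source = effective_role(info["roles"], info["teams"], team_roles)
        direct_best = max((ROLE_RANK[r] for r in info["roles"]), default=-1)
        if role is not None and ROLE_RANK[role] > direct_best:
            findings.append((name, role, source))
    return findings


# Constructed sample assignments.
TEAM_ROLES = {"platform": "Admin", "docs": "Viewer"}
USERS = {
    "alice": {"roles": ["Manager"], "teams": ["platform"]},
    "bob": {"roles": ["User"], "teams": ["docs"]},
    "carol": {"roles": [], "teams": ["docs"]},
}

if __name__ == "__main__":
    for finding in team_granted_access(USERS, TEAM_ROLES):
        print(finding)
```
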
Roles in Cortex
Default roles
When you first access your Cortex account, the following roles are available by default:
- Admins: Admins are the owners of the workspace. They have global access to everything within Cortex: settings, Scorecards, and entities.
- Managers: Managers have most of the same abilities as admins, but cannot modify permissions or other settings. Managers can create and edit Scorecards, entities, and teams.
- Users: Users cannot modify settings, nor can they edit or create Scorecards. Users can edit and create entities and teams.
- Viewers: Viewers cannot create or edit anything within the workspace. This is a read-only role.
Permission | Viewer | User | Manager | Admin |
---|---|---|---|---|
View audit logs | ✓ | ✓ | ✓ | ✓ |
View CQL reports | ✓ | ✓ | ✓ | ✓ |
View initiatives | ✓ | ✓ | ✓ | ✓ |
View onboarding management | ✓ | ✓ | ✓ | ✓ |
View Scorecards | ✓ | ✓ | ✓ | ✓ |
View catalogs | ✓ | ✓ | ✓ | ✓ |
Edit and create entities | | ✓ | ✓ | ✓ |
Archive and delete entities | | ✓ | ✓ | ✓ |
Edit and create entity types | | ✓ | ✓ | ✓ |
Edit CQL reports | | ✓ | ✓ | ✓ |
Edit initiatives | | ✓ | ✓ | ✓ |
Configure Scaffolder templates | | ✓ | ✓ | ✓ |
Run the Scaffolder | | ✓ | ✓ | ✓ |
Run query builder | | ✓ | ✓ | ✓ |
View GitOps logs | | ✓ | ✓ | ✓ |
View Workflows | | ✓ | ✓ | ✓ |
View Workflow runs | | ✓ | ✓ | ✓ |
Execute Workflow runs | | ✓ | ✓ | ✓ |
View Scorecard exemptions | | ✓ | ✓ | ✓ |
View Eng Intelligence | | | ✓ | ✓ |
Configure Eng Intelligence custom metrics | | | ✓ | ✓ |
Configure Eng Intelligence | | | ✓ | ✓ |
Configure identity mappings | | | ✓ | ✓ |
Edit and create Scorecards | | | ✓ | ✓ |
Edit, create, and delete catalogs | | | ✓ | ✓ |
Edit Eng Intelligence custom metric data | | | ✓ | ✓ |
Edit Workflows | | | ✓ | ✓ |
Run re-evaluation of Scorecards | | | ✓ | ✓ |
View breaking API changes | | | | ✓ |
View notification logs | | | | ✓ |
View roles | | | | ✓ |
Configure actions | | | | ✓ |
Configure appearance | | | | ✓ |
Configure catalog | | | | ✓ |
Configure custom metrics | | | | ✓ |
Configure discovery audit events | | | | ✓ |
Configure entity verification periods | | | | ✓ |
Configure integrations | | | | ✓ |
Configure notifications | | | | ✓ |
Configure plugin appearance | | | | ✓ |
Configure Scorecard exemptions | | | | ✓ |
Edit, create, and delete API keys | | | | ✓ |
Edit CQL reports | | | | ✓ |
Edit custom metric data | | | | ✓ |
Edit initiatives | | | | ✓ |
Edit plugins | | | | ✓ |
Edit plugin proxies | | | | ✓ |
Edit, create, and delete secrets | | | | ✓ |
Enable entity dependency discovery | | | | ✓ |
Enable onboarding management | | | | ✓ |
Execute notification logs | | | | ✓ |
Configure IP allowlist | | | | ✓ |
Configure OpenID Connector and SCIM | | | | ✓ |
Configure roles | | | | ✓ |
Configure settings | | | | ✓ |
Run query builder with third-party integrations | | | | ✓ |
Custom roles
Cortex gives you the ability to create custom roles with granular permissions so users have the access they need. Learn more in the Custom Roles documentation.
Permissioning in Workflows
In addition to the granular permissions listed on this page that apply to Workflows, it is also possible to:
- Configure specific users, teams, or roles who are allowed to run a Workflow
- Require a user to be an Owner or Editor of an entity in order to run a workflow
These configurations are described in more detail in the Workflow documentation under "Step 2: Configure your Workflow settings."
Viewing and assigning roles
View roles
In Settings > Roles and permissions in Cortex, users with the Admin role can view a list of all users in the workspace and their assigned roles. On this page, you can also assign roles and create custom roles.
Filter the list
To filter the list by role, click None next to "Filter by" in the upper right corner of the user list.
To filter the list by user, start typing a name into the search bar above the user list.
Assign role to a user
To change an existing role or add a role to a user:
- On the Roles and permissions page, locate the user in the User permissions list.
- Click the dropdown next to the user.
- Search for and select the desired role from the dropdown list.
- Next to the dropdown, click Save.
Assign role to a team
Team roles allow you to assign the team permissions to a set of users all at once. When you add a new member to a team, Cortex will automatically assign the team role to them.
To set team roles:
- On the Roles and permissions page, click the Team permissions tab.
- Click Add new team.
- In the "Team" dropdown menu, select a team.
  - The teams listed here are populated from your team source (e.g., Okta, GitHub teams, Slack).
- In the "Roles" dropdown menu, select a role to assign to all members of the team.
- Click Save.
Adding and removing Cortex users
Set a default role for new users
To set a default role for all new users provisioned for your workspace:
- At the top of the Roles and permissions settings page, under "Default roles," click the dropdown menu.
- Select the desired role.
- Click Save.
Add a user
To add a new user to the platform, first direct the user to attempt to log in to your organization's Cortex account. If the user has the appropriate email domain, they will be added automatically upon login.
If the user sees an "access denied" error, this indicates that the user is not authorized to access the app via your SSO tool.
Add a secondary domain
Cloud customers who need to add a secondary email domain should contact help@cortex.io for assistance. This restriction does not apply to self-hosted customers.
Remove a user
To delete a user:
- In the list of User permissions, locate the user you need to delete.
- Click the trash icon for that user.
- In the confirmation modal, click Delete.
When a user is deleted, all data created by the user (such as Scorecards) will remain in Cortex. However, any personal access tokens created by the user will be removed.
If you worked with Cortex to configure domain restriction and users retain access to their identity provider account, such as Okta or Google, these deleted individuals will be able to regain access to Cortex by logging back in to Cortex via SSO. If an individual leaves your organization and is no longer a user in your identity provider, they will not be able to regain access to your organization's Cortex account.