Permissioning

Individuals can be assigned a set of roles which permit or limit the ability to perform specific actions within Cortex. These actions range from creating API keys and adding integrations to editing Scorecards and creating entities. The default roles available are:

  • Admins: Admins are the owners of the workspace. They have global access to everything within Cortex: settings, Scorecards, and entities.
  • Managers: Managers have most of the same abilities as admins, but cannot modify permissions or other settings. Managers can create and edit Scorecards, entities, and teams.
  • Users: Users cannot modify settings, nor can they edit or create Scorecards. Users can edit and create entities and teams.
  • Viewers: Viewers cannot create or edit anything within the workspace. This is a read-only role.
Permission | Viewer | User | Manager | Admin
View reports
Run query builder
Configure Scorecards
Manage discovery audit events
Refresh Scorecards
View Eng Intelligence
Configure actions
Configure appearance
Configure catalog
Configure plugins
Configure proxies
Configure secrets
Configure settings
Discover dependencies
Run query builder with external request

You can adjust permissions by navigating to Roles and permissions within Settings.

Note

Only admins have access to this page.

From the Permissions page, you can view a list of all individuals who exist within your workspace, as well as the roles assigned to each individual. You can search this list or filter it by role.

Adding a new user to Cortex

To add a new user to the platform, first direct the user to attempt to log in and authenticate. If the user has an email address at the appropriate @domain.xyz domain, they will be added automatically. If the user sees an access denied error, this indicates that the user is not authorized to log in and access the app via your SSO tool.

For cloud customers looking to add a secondary @domain.xyz domain, please reach out to help@cortex.io to have this facilitated for you. This restriction does not apply to self-hosted customers.

Modifying permissions and removing users

From this page, you can also directly edit an individual’s roles. Click the dropdown next to their name to update their roles. Once you've selected the appropriate roles and pressed "Save," Cortex will automatically update the individual’s permissions.

You also have the ability to remove an individual from your workspace. Select the trash can icon to remove a user. You’ll be asked to confirm this action so you don’t accidentally remove users.

If you’re using a domain restriction and users retain access to their Okta or Google accounts, these deleted individuals will be reinstated in Cortex when they log back in through the SSO. If an individual leaves your organization and no longer has access to those accounts, however, removing them ensures that they can no longer access information within Cortex.

Default roles for new users

A default role can be set on the Roles and permissions settings page. This is the role assigned to all new users who are provisioned for your workspace.

Team permissions

Team permissions allow you to assign the same role to a set of users all at once. To set team permissions, select Add new team.

When you select a Team, a dropdown menu will populate with all options from your team source (e.g. Okta, GitHub teams). Choose the Role that will apply to all members of the team.

Once you’ve selected the appropriate team and assigned a role, click Save. You’ll then see that team appear within the list of team permissions. From here, you can easily modify the roles assigned to each team by clicking the dropdown, just like with user permissions.

Cortex will automatically update individuals’ roles when they join or change teams, making this a particularly efficient way to set permissions.

Permissions in practice

Each role in Cortex is composed of a set of permissions, and a user's permissions are the union of all permissions associated with all of their roles.

Individuals will retain the maximum role they’ve been given. For example, if an individual is assigned a manager role, but they’re part of a team with admin permissions, they will have admin permissions throughout Cortex. Note that this example is using the default role set; custom roles may introduce additional/other permissions that supersede default roles.
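
The union rule described above, worked through as an added example that is not Cortex code. The role names follow this page; the permission labels, the scorecard_editor custom role, and the user and team assignments are constructed for illustration. It computes each user's effective permissions and lists the cases where a team assignment grants more than the user's direct roles.

```python
# Constructed role definitions paraphrasing this page's default-role
# descriptions. Permission names are hypothetical labels, not Cortex identifiers.
ROLE_PERMISSIONS = {
    "viewer": {"view"},
    "user": {"view", "edit_entities", "edit_teams"},
    "manager": {"view", "edit_entities", "edit_teams", "edit_scorecards"},
    "admin": {"view", "edit_entities", "edit_teams", "edit_scorecards",
              "modify_settings"},
    # Hypothetical custom role, to show that the result is a union and not
    # simply the "highest" default role.
    "scorecard_editor": {"view", "edit_scorecards"},
}

# Constructed sample assignments (not exported from any real workspace).
DIRECT_ROLES = {"alice": {"manager"}, "bob": {"viewer"}, "carol": {"user"}}
TEAM_ROLES = {"platform": "admin", "docs": "viewer", "quality": "scorecard_editor"}
TEAM_MEMBERS = {"platform": {"alice"}, "docs": {"bob", "carol"}, "quality": {"carol"}}


def permissions_of(roles):
    """Union of the permission sets of every role in `roles`."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def effective_permissions(user):
    """Direct roles plus the role of every team the user belongs to."""
    roles = set(DIRECT_ROLES.get(user, set()))
    roles |= {TEAM_ROLES[t] for t, members in TEAM_MEMBERS.items() if user in members}
    return permissions_of(roles)


def team_escalations():
    """List (user, team, role, extra) where a team role grants permissions
    the user's direct roles do not."""
    findings = []
    for team, members in sorted(TEAM_MEMBERS.items()):
        granted = ROLE_PERMISSIONS[TEAM_ROLES[team]]
        for user in sorted(members):
            extra = granted - permissions_of(DIRECT_ROLES.get(user, set()))
            if extra:
                findings.append((user, team, TEAM_ROLES[team], sorted(extra)))
    return findings


if __name__ == "__main__":
    for finding in team_escalations():
        print(finding)
```

Reviewing this kind of list before saving a team permission shows who gains access indirectly, such as a manager who becomes an admin through team membership.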

If an individual doesn’t have the permission to perform a certain action, the option simply will not appear. Typically, admins and managers can perform functions that rely on third party integrations, while users and viewers are limited to data within Cortex.

Permissioning allows you to make sure that only authorized individuals can make high-level changes to the workspace, while ensuring that team members can access the valuable information within Cortex.

Custom roles

While these roles are available to you by default, Cortex also gives users the ability to create custom roles with granular permissions so users have the access they need. You can learn more about custom roles in this article.