Custom roles
Overview
In Cortex, there are four default roles: Viewer, User, Manager, and Admin.
While each of these provides access to different Cortex features, you can also create custom roles to give users more granular permissions.
Creating custom roles
How to create a custom role
- In Cortex, go to the Roles and permissions settings page.
  - Click your avatar in the lower left corner, then click Settings.
  - Under "Authentication and access," click Roles and permissions.
- Click the "Custom roles" tab. On the right side, click Create custom role.
- In the "Create custom role" modal, fill in the basic information:
  - Role name: Enter a name for the role.
  - Tag: This field is automatically populated based on the role name. It is a unique identifier for the role, made of letters, digits, and hyphens.
  - Description: Optionally, add a description of the role.
  - Permissions: Expand each of the Permission sections to view and toggle on/off a permission setting for the role. All permissions are toggled off by default.
- Click Create.
Assign a custom role
You can assign a custom role to a team or user the same way you would assign a default role. See Assign role to a user for instructions.
It is possible to assign multiple roles to an individual user or team. When multiple roles are assigned, the resulting permissions are the maximum permissions associated with the assigned roles, that is, the combined set of permissions from every role. For example, if an individual is assigned two roles with distinct sets of permissions, all of those permissions will be applied to that user.
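Because permissions combine across roles, a least-privilege review has to look at each user's effective set rather than at roles one at a time. The sketch below is an added example, not Cortex code or a Cortex export format: the role names, users, teams, the `SENSITIVE` and `SENSITIVE_COMBOS` lists, and the assumption that team members inherit their team's roles are all hypothetical, while the permission names are taken from the table of available permissions on this page.

```python
# Added example. Role and assignment data are constructed samples, not a Cortex export.
ROLES = {
    "scorecard-editor": {"Scorecards view", "Scorecards edit"},
    "plugin-maintainer": {"Plugins edit", "Plugin proxies edit"},
    "secrets-operator": {"Create secrets edit"},
    "access-reviewer": {"Roles view", "Audit logs view"},
}
TEAM_ROLES = {"platform": ["plugin-maintainer"]}
USERS = {
    "alice": {"roles": ["scorecard-editor"], "teams": []},
    "bob": {"roles": ["secrets-operator"], "teams": ["platform"]},
    "carol": {"roles": ["access-reviewer"], "teams": []},
}
# Assumption: the reviewer's own choice of permissions that warrant sign-off.
SENSITIVE = {"Roles configure", "Create API keys edit", "Create secrets edit",
             "IP allowlist configure", "OpenID Connector & SCIM configure"}
# Assumption: pairs that are more powerful together than apart.
SENSITIVE_COMBOS = [frozenset({"Plugin proxies edit", "Create secrets edit"})]


def assigned_roles(user):
    """Direct roles plus roles inherited from the user's teams (assumed)."""
    entry = USERS[user]
    names = list(entry["roles"])
    for team in entry["teams"]:
        names.extend(TEAM_ROLES.get(team, []))
    return names


def effective_permissions(user):
    """Union of the permissions of every assigned role."""
    perms = set()
    for name in assigned_roles(user):
        perms |= ROLES[name]
    return perms


def review(user):
    """Sensitive permissions held, and combos that only role stacking produces."""
    perms, roles = effective_permissions(user), assigned_roles(user)
    stacked = [sorted(c) for c in SENSITIVE_COMBOS
               if c <= perms and not any(c <= ROLES[r] for r in roles)]
    return {"sensitive": sorted(perms & SENSITIVE), "stacked": stacked}


if __name__ == "__main__":
    for user in USERS:
        print(user, review(user))
```

In this sample, `bob` holds no single role that grants both plugin proxy editing and secret management, yet the combination of a direct role and a team role gives him both, which is the case a per-role review misses.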
Set a custom role as default for new users
For information on creating or deleting users and setting a default role for new users, see Adding and removing Cortex users.
Delete a custom role
To delete a custom role:
- On the Roles and permissions settings page, click the Custom Roles tab.
- Click a custom role name.
- In the modal, scroll to the bottom and click Delete.
Note that you cannot delete a custom role if it is associated with a plugin.
Available permissions for custom roles
The table below describes the permission options you can add to a custom role.
Category | Permission | Description |
---|---|---|
Catalogs | Catalogs view | View catalogs and entities |
Catalogs | Entity types edit | Create, edit, and delete entity types |
Catalogs | Catalogs edit | Create, edit, and delete catalogs |
Catalogs | Entities edit | Create, edit, and delete entities |
Catalogs | Entities archive | Archive entities |
Catalogs | Entities delete | Delete entities |
Catalogs | Entity dependency discovery enable | Sync dependencies directly when on the dependency graph feature |
Catalogs | Entity verification period configure | Create and edit periods for verifying Cortex entities |
Scorecards & Initiatives | Scorecards view | View scorecards |
Scorecards & Initiatives | Scorecards edit | Create, edit, and delete scorecards |
Scorecards & Initiatives | Scorecards re-evaluation execute | Manually trigger a scorecard's evaluation via the UI |
Scorecards & Initiatives | Scorecard exemptions view | View scorecard exemptions |
Scorecards & Initiatives | Scorecard exemptions configure | Approve or revoke scorecard exemptions |
Scorecards & Initiatives | Initiatives view | View initiatives |
Scorecards & Initiatives | Initiatives edit | Create, edit, and delete initiatives |
Reporting | Scorecard report view | View scorecard reports |
Reporting | CQL report view | Ability to view CQL reports |
Reporting | CQL report edit | Create, edit, and delete CQL reports |
Eng Intelligence | Eng Intelligence view | View the Eng Intelligence metrics across all teams, users, groups, and entities |
Eng Intelligence | Eng Intelligence configure | Configure Eng Intelligence settings |
Eng Intelligence | Custom Metrics configure | Create, edit, and delete Eng Intelligence custom metrics |
Eng Intelligence | Custom Metric data edit | Create, edit, and delete Eng Intelligence custom metrics data points via API |
Workflows & Actions | Workflows edit | Create, edit, and delete workflows |
Workflows & Actions | Workflows view | View workflows |
Workflows & Actions | Workflow runs view | View workflow runs |
Workflows & Actions | Workflow runs execute | Ability to run workflows |
Workflows & Actions | Actions configure | Configure CRUD library of actions |
Plugins | Plugins edit | Create, edit, and delete plugins |
Plugins | Plugin proxies edit | Create, edit, and delete plugin proxies |
Plugins | Plugin appearance configure | Manage appearance of plugins |
Tools | Relationship graph enable | View onboarding management |
Tools | Onboarding management view | View onboarding management |
Tools | Onboarding management enable | Trigger onboarding management notifications |
Tools | Discovery audit events configure | Ignore or import entities found in the discovery audit tool |
Tools | Scaffolder templates configure | Create, edit, and delete Scaffolder templates |
Tools | Scaffolder execute | Run the Scaffolder |
Tools | Query builder (basic) enable | Access to query builder tool that allows CQL queries to be created and run ad hoc |
Tools | Query builder (with 3rd party integrations) enable | Access to query builder tool that allows CQL queries to be created and run ad hoc, including queries of 3rd party integration data |
Notifications | Workspace notification settings configure | Enable or disable workspace notification settings |
Notifications | Notification logs view | View notification logs |
Notifications | Notification logs execute | Resend a notification |
Settings | Settings configure | Edit workspace settings, identity mappings, and integration configurations |
Settings | Appearance settings configure | Edit workspace appearance settings, including logo upload, plugin placement throughout the app, entity overview tabs and navigation order, and catalog sort order |
Settings | IP allowlist configure | Configure restriction for Cortex app and public API access to specified IPs |
Settings | GitOps logs view | View GitOps logs |
Settings | OpenID Connector & SCIM configure | Manage OpenID application details and SCIM for Auth0, Azure, Google, and Okta |
Settings | Roles view | View workspace role definitions and user role assignments |
Settings | Roles configure | Manage workspace role definitions and user role assignments |
Settings | Breaking API changes view | View breaking API changes |
Settings | Create API keys edit | Create, edit, and delete Cortex API keys |
Settings | Identity mappings configure | Review how team members defined in the team catalog are matched to external accounts (e.g. GitHub, Jira, PagerDuty, ClickUp, or Slack). |
Settings | Integrations configure | Install, uninstall, and configure integrations |
Access Management | Create secrets edit | Create, edit, and delete secret keys used in plugin proxies, secure access to 3rd party APIs, etc. |
Access Management | Audit logs view | View audit logs |