Roles and permissions

Overview

Users and teams in Cortex can be assigned to a role which permits or limits the ability to perform specific actions within Cortex. These actions range from creating API keys and adding integrations to editing Scorecards and creating entities. Roles allow you to ensure that only authorized individuals can make high-level changes to your workspace. You can use the default roles or you can create custom roles.

If a user is assigned to more than one role, they will retain the permissions of the least restricted assigned role. For example, if a user is assigned a Manager role and they are a member of a team assigned the Admin role, then they will have admin permissions throughout Cortex. Using custom roles may introduce other permissions that supersede default roles.

If a user does not have permission to perform an action, the option will not appear for them.
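The role-resolution rule described above can be checked offline when reviewing who holds elevated access. The following is an added example, not Cortex code or a Cortex export format: it assumes the four default roles rank Viewer < User < Manager < Admin (per their descriptions on this page), that each team carries one role, and it uses constructed user, team, and custom-role names. Custom roles are reported for manual review rather than ranked, since they may carry permissions that supersede the defaults.

```python
# Added example: audit effective roles under the "least restricted role wins" rule.
# Data shapes and all names are constructed for illustration, not a Cortex export.

# Default roles from most to least restricted (assumed from this page's descriptions).
DEFAULT_ROLE_RANK = {"Viewer": 0, "User": 1, "Manager": 2, "Admin": 3}


def effective_role(direct_roles, team_roles):
    """Return (role, via_team, unranked) for one user.

    role     -- least restricted default role among direct and team-inherited roles
    via_team -- True when a team role grants more than any direct role
    unranked -- custom roles, which cannot be ordered against the defaults
    """
    all_roles = list(direct_roles) + list(team_roles)
    unranked = sorted({r for r in all_roles if r not in DEFAULT_ROLE_RANK})
    ranked_direct = [r for r in direct_roles if r in DEFAULT_ROLE_RANK]
    ranked_team = [r for r in team_roles if r in DEFAULT_ROLE_RANK]
    ranked = ranked_direct + ranked_team
    if not ranked:
        return None, False, unranked
    best = max(ranked, key=DEFAULT_ROLE_RANK.get)
    best_direct = max((DEFAULT_ROLE_RANK[r] for r in ranked_direct), default=-1)
    return best, DEFAULT_ROLE_RANK[best] > best_direct, unranked


def audit(users, team_roles, memberships):
    """Map each user to their effective role and how it was obtained."""
    report = {}
    for user, direct in users.items():
        inherited = [team_roles[t] for t in memberships.get(user, []) if t in team_roles]
        role, via_team, unranked = effective_role(direct, inherited)
        report[user] = {"effective": role, "via_team": via_team, "review_custom": unranked}
    return report


# Constructed sample data.
USERS = {"alice": ["Manager"], "bob": ["Viewer"], "carol": ["Admin"],
         "dave": ["Viewer", "Release Approver"]}
TEAM_ROLES = {"platform": "Admin", "docs": "User"}
MEMBERSHIPS = {"alice": ["platform"], "bob": ["docs"], "dave": []}

if __name__ == "__main__":
    for user, row in audit(USERS, TEAM_ROLES, MEMBERSHIPS).items():
        print(user, row)
```

Rows with `via_team` set are the ones to review first: the user's elevated access comes from a team assignment and will not be visible from their direct role alone.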

Roles in Cortex

Default roles

When you first access your Cortex account, the following roles are available by default:

  • Admins: Admins are the owners of the workspace. They have global access to everything within Cortex: settings, Scorecards, and entities.

  • Managers: Managers have most of the same abilities as admins, but cannot modify permissions or other settings. Managers can create and edit Scorecards, entities, and teams.

  • Users: Users cannot modify settings, nor can they edit or create Scorecards. Users can edit and create entities and teams.

  • Viewers: Viewers cannot create or edit anything within the workspace. This is a read-only role.

Permission
Viewer
User
Manager
Admin

View CQL reports

View initiatives

View onboarding management

View Scorecards

View catalogs

Edit and create entities

Archive and delete entities

Edit and create entity types

Edit CQL reports

Edit initiatives

Configure Scaffolder templates

Run the Scaffolder

Run query builder

View GitOps logs

View Workflows

View Workflow runs

Execute Workflow runs

View Scorecard exemptions

View Eng Intelligence

Configure Eng Intelligence custom metrics

Configure Eng Intelligence

Configure identity mappings

Edit and create Scorecards

Edit, create, and delete catalogs

Edit Eng Intelligence custom metric data

Edit Workflows

Run re-evaluation of Scorecards

View audit logs

View breaking API changes

View notification logs

View roles

Configure appearance

Configure catalog

Configure custom metrics

Configure discovery audit events

Configure entity verification periods

Configure integrations

Configure notifications

Configure plugin appearance

Configure Scorecard exemptions

Edit, create, and delete API keys

Edit CQL reports

Edit custom metric data

Edit initiatives

Edit plugins

Edit plugin proxies

Edit, create, and delete secrets

Enable entity dependency discovery

Enable onboarding management

Execute notification logs

Configure IP allowlist

Configure OpenID Connector and SCIM

Configure roles

Configure settings

Run query builder with third-party integrations

Custom roles

Cortex gives you the ability to create custom roles with granular permissions so users have the access they need. Learn more in the Custom Roles documentation.

Permissioning in Workflows

In addition to the granular permissions listed on this page that apply to Workflows, it is also possible to:

  • Configure specific users, teams, or roles who are allowed to run a Workflow

  • Require a user to be an Owner or Editor of an entity in order to run a workflow

These configurations are described in more detail in the Workflow documentation under "Step 2: Configure your Workflow settings."

Viewing and assigning roles

View roles

In Settings > Roles and permissions in Cortex, users with the Admin role can view a list of all users in the workspace and their assigned roles. On this page, you can also assign roles and create custom roles.

Filter the list

  • To filter the list by role, click Filter in the upper right corner of the user list, then select and apply filters.

  • To filter the list by user, click the magnifying glass icon in the upper right corner of the list, then type in a name.

Assign role to a user

To change an existing role or add a role to a user:

  1. On the Roles and permissions page, locate the user in the Users list.

  2. Click into the Roles column for that user.

  3. Search for and select the desired role from the dropdown list.

  4. To remove a role, click the X within the role name for that user.

Assign role to a team

Team roles allow you to assign the team permissions to a set of users all at once. When you add a new member to a team, Cortex will automatically assign the team role to them.

To set team roles:

  1. Navigate to Settings > Roles and permissions, then click the Teams tab.

  2. Click Add team with custom roles.

  3. In the side panel, select a team and a team role.

    • The teams listed here are populated from your team source (e.g., Okta, GitHub teams, Slack)

  4. At the bottom of the side panel, click Set roles.

Adding and removing Cortex users

Review users

At the top of the Roles and permissions settings page, you can see the total number of seats, the number of users who have logged in to your instance, the number of users who have only received notifications but have not logged in, and the number of available seats remaining. You can also view this information in the About page under Workspace settings.

Set a default role for new users

To set a default role for all new users provisioned for your workspace:

  1. At the top of the Roles and permissions settings page, click into the field under "Default roles."

  2. Select the desired role.

Add a user

To add a new user to the platform, first direct the user to attempt to log in to your organization's Cortex account. If the user has the appropriate email domain, they will be added automatically upon login.

If the user sees an "access denied" error, this indicates that the user is not authorized to access the app via your SSO tool.

Add a secondary domain

Cloud customers who need to add a secondary email domain should contact [email protected] for assistance. This restriction does not apply to self-hosted customers.

Remove a user

To delete a user:

  1. In the list of User permissions, locate the user you need to delete.

  2. Click the trash icon for the user.

  3. In the confirmation modal, click Delete.

When a user is deleted, all data created by the user (such as Scorecards) will remain in Cortex. However, any personal access tokens created by the user will be removed.

If you worked with Cortex to configure domain restriction and users retain access to their identity provider account, such as Okta or Google, these deleted individuals will be able to regain access to Cortex by logging back in to Cortex via SSO. If an individual leaves your organization and is no longer a user in your identity provider, they will not be able to regain access to your organization's Cortex account.
