Permissions
Configure role-based permissions to control what administrators can do in your Containment.AI organization.
Permission Levels
View
Can view but not modify:
- See dashboard and reports
- View alerts (read-only)
- Browse policies
- View client list
Manage
Can view and modify:
- Create, edit, delete items
- Change settings
- Take actions
Admin
Full control:
- All manage permissions
- User management
- Settings access
- Integration configuration
Built-in Roles
Owner
- Full access to everything
- Cannot be removed
- Can transfer ownership
- One per organization
Administrator
- All permissions except:
- Billing management
- Owner transfer
- Organization deletion
Analyst
- Alert management
- Report generation
- View policies
- View clients
Viewer
- Read-only access
- View dashboard
- View alerts
- View reports
Custom Roles
EnterpriseCreate roles tailored to your organization:
Creating a Custom Role
- Go to Settings > Permissions
- Click Create Role
- Enter role name and description
- Select permissions
- Save
Permission Categories
| Category | Permissions |
|---|---|
| Dashboard | View overview, metrics |
| Alerts | View, acknowledge, resolve |
| Policies | View, create, edit, delete |
| Clients | View, invite, manage |
| Activity | View logs, export |
| Integrations | View, configure |
| Settings | View, edit various settings |
| Admins | View, invite, manage |
| Billing | View, manage |
Granular Permissions
Each category has specific permissions:
Alerts Permissions
alerts.view- See alert listalerts.acknowledge- Mark as seenalerts.resolve- Close alertsalerts.dismiss- Mark as non-issuealerts.export- Download data
Policies Permissions
policies.view- See policy listpolicies.create- Create new policiespolicies.edit- Modify policiespolicies.delete- Remove policiespolicies.enable- Toggle on/off
Example Custom Roles
Security Analyst
Name: Security Analyst
Permissions:
- alerts.view
- alerts.acknowledge
- alerts.resolve
- activity.view
- activity.export
- policies.view
- clients.view
Policy Admin
Name: Policy Admin
Permissions:
- policies.* # All policy permissions
- alerts.view
- clients.view
- integrations.view
Assigning Roles
When Inviting
- Click Invite Admin
- Enter email
- Select role from dropdown
- Send invitation
Changing Roles
- Go to Settings > Admins
- Click admin to edit
- Change role assignment
- Save changes
Team-Based Permissions
EnterpriseScope permissions to specific teams:
Team Scoping
- View only their team's data
- Manage only their team's users
- See only team-related alerts
Configuration
- Create team in Clients > Teams
- Assign admin to team
- Enable team scoping on role
- Admin sees only team data
Permission Inheritance
Role Hierarchy
Owner
└── Administrator
└── Analyst
└── Viewer
Higher roles include all permissions of lower roles.
Override Permissions
Custom roles can override inheritance:
- Grant specific permissions
- Deny inherited permissions
- Create unique combinations
Auditing Permissions
View Permission Changes
- Go to Activity
- Filter:
event_type:permission - See all permission changes
Audit Information
Each change records:
- Who made the change
- What changed
- When it changed
- Previous state
Best Practices
Least Privilege
- Grant minimum necessary permissions
- Review permissions regularly
- Remove unused access
Role Design
- Create roles for job functions
- Avoid too many custom roles
- Document role purposes
Regular Review
- Quarterly access reviews
- Check for permission creep
- Remove stale access
Troubleshooting
Permission Denied
- Check assigned role
- Verify required permission
- Check team scoping
- Contact admin for access
Can't Assign Role
- Verify you have admin permissions
- Check role exists
- Confirm user is active
- Try refreshing page
Custom Role Issues
- Review permission list
- Check for conflicts
- Verify role is saved
- Test with test user
Related Topics
- Admin Management - Manage admins
- Audit Logs - Track permission changes
- SCIM - Automated user management