TABLE OF CONTENTS
- Permission set components: access selector and permissions
- Defining and managing permission sets
Each role is associated with a single permission set. A permission set specifies a set of Aqua operations that can be performed on the resources by users with the associated role(s).
- The resources are grouped into 4 categories: policies, assets, compliance, and system.
- Approximately 25 types of resources are predefined in Aqua, to provide system administrators with highly granular control. The resources are grouped into categories: Policies, Assets, Compliance, and System.
- The permission set specifies, for each of the resources, one of the following: Edit permission, View Only permission, or no permission at all. Editing includes the creation, modification, and deletion of the item in question.
Permission set components: access selector and permissions
A permission set consists of an access selector and a detailed set of permissions.
The access selector defines whether the permission set includes access to functionality in:
- Both the UI and the API
- Only the API
Checking the option Full Permission grants the permission set Edit permission on all Aqua Enterprise functionality, in both the UI and the API.
If Full Permission is not granted, permissions are granted to individual items arranged in these categories: Policies, Assets, Compliance, and System. Each item is assigned any of these permissions:
- Edit: Generally includes the viewing, listing, creation, modification, and deletion of the item in question (either in the UI or via relevant APIs). The meaning of "Edit" is slightly different in some cases, and "Edit" does not apply to every item.
- View Only: Includes viewing only of the item in question
- Not Set: No permissions; the item will not even appear in the UI (default)
|Assurance Policies||Create, modify, and delete Assurance Policies (e.g., Image Assurance Policies)||View existing Assurance Policies|
Create, modify, and delete Image Profiles
|View existing Image Profiles|
|Firewall Policies||Create, modify, and delete Firewall Policies||View existing Firewall Policies|
|Runtime Policies||Create, modify, and delete Runtime Policies (e.g., Container Runtime Policies)||View existing Runtime Policies|
|User Access Control Policies||Create, modify, and delete User Access Control Policies||View existing User Access Control Policies|
|Dashboard||Configure the dashboard||View the dashboard|
|Risk Explorer||N/A||View the Risk Explorer|
|Images||Add (register) images to Aqua; remove images; profile containers||View images already registered to Aqua|
|Host images||Add (register) host images to Aqua; remove host images||View unregistered host images in the Images screen (Host Images tab); view host images under Compliance / Host Images|
|Functions||Add (register) functions to Aqua||View functions|
|Enforcers||Add, modify, and remove Enforcer groups and Enforcers||View existing Enforcer groups and Enforcers|
|Containers||N/A||View containers and running workloads|
|Services||Add, modify, and remove Aqua services||View existing Aqua services|
|Infrastructure||View Infrastructure and run discovery of clusters and hosts||View Infrastructure (clusters and hosts)|
|Vulnerabilities||View and acknowledge vulnerabilities discovered during scanning||View vulnerabilities discovered during scanning|
|CIS Benchmarks||View and trigger CIS benchmark scans||View CIS benchmark scans in the UI|
|Audit Events||N/A||View audit events|
|Secrets||Create, modify, and delete secrets||View existing secrets|
|Settings||View and modify settings, as well as Gateway, Access Management, and Application Scopes|
View the Settings UI screen
|Integrations||View and modify Integrations||View the Administration > Integrations UI screen|
|Scanner CLI||N/A||The permissions required by the Aqua Scanner on the Aqua Server|
|Gateways||Edit Gateway parameters; delete (clean up) disconnected gateways||View the Aqua Gateways UI screen|
|Consoles||N/A||View the Aqua Consoles UI screen|
|Webhook authorization API||N/A||Permission to use the Webhook authorization API|