# Roles & Permissions
NOB.center uses module-scoped roles. Each user is assigned a predefined role independently for each module they have access to. A user might be a Viewer in CT-Log and an Editor in DNS Monitoring.
## How permissions work
Permissions have two parts:

| Part | Example | Meaning |
|---|---|---|
| Module scope | ct-log | The module where the permission applies |
| Resource permission | update_alert_rules | The operation allowed inside that module |
API token scopes combine both parts, for example ct-log:update_alert_rules or dns-watcher:view_monitoring. In application code, the same rule is enforced as user.has_permission(module_name, permission_name).
> **Note:** The signup user of an organization automatically receives Administrator access and Editor access to all monitoring modules. This cannot be revoked.
## Monitoring module roles
Each monitoring module has two roles:
| Role | Included permissions |
|---|---|
| Viewer | view_monitoring, view_alerts, view_alert_rules, view_alert_templates |
| Editor | All Viewer permissions + create_monitoring, update_monitoring, delete_monitoring, create_alert_rules, update_alert_rules, delete_alert_rules, create_alert_templates, update_alert_templates, delete_alert_templates |
This role model applies to:

| Module scope | Module |
|---|---|
| ct-log | Certificate Transparency monitoring |
| dns-watcher | DNS Monitoring |
| rdap | RDAP / WHOIS monitoring |
| cert-watcher | Certificate Deployment monitoring |
Alert rules and templates are shared infrastructure, but their permissions are still checked against the owning module. For example, ct-log:update_alert_rules cannot edit DNS alert rules; DNS rules require dns-watcher:update_alert_rules.
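The module-scoped check described above, as an added example written for this page (not NOB.center's own code): the Viewer and Editor permission sets are taken from the table, the User class and parse_scope/invalid_scopes/scopes_grant helpers are assumptions, and the model covers only the four monitoring modules. It shows why an Editor in ct-log who is only a Viewer in dns-watcher cannot update DNS alert rules, and why a ct-log:update_alert_rules token scope never covers dns-watcher.

```python
# Added example (not NOB.center's own code): a minimal model of the
# module-scoped role and permission checks this page describes.
from dataclasses import dataclass, field

MONITORING_MODULES = {"ct-log", "dns-watcher", "rdap", "cert-watcher"}
VIEWER = frozenset({"view_monitoring", "view_alerts",
                    "view_alert_rules", "view_alert_templates"})
EDITOR = VIEWER | {
    "create_monitoring", "update_monitoring", "delete_monitoring",
    "create_alert_rules", "update_alert_rules", "delete_alert_rules",
    "create_alert_templates", "update_alert_templates", "delete_alert_templates",
}
# Role name -> permissions it includes (Editor is a superset of Viewer).
MONITORING_ROLES = {"Viewer": VIEWER, "Editor": EDITOR}


@dataclass
class User:
    # Module scope -> role name; roles are assigned independently per module.
    roles: dict = field(default_factory=dict)

    def has_permission(self, module_name: str, permission_name: str) -> bool:
        """Look up the role in *this* module only; a role elsewhere never counts."""
        role = self.roles.get(module_name)
        if role is None:  # no role in the module: the module is hidden entirely
            return False
        return permission_name in MONITORING_ROLES[role]


def parse_scope(scope: str) -> tuple:
    """Split a token scope such as 'ct-log:update_alert_rules' into its two parts."""
    module, sep, permission = scope.partition(":")
    if not sep or module not in MONITORING_MODULES or permission not in EDITOR:
        raise ValueError(f"malformed or unknown scope: {scope!r}")
    return module, permission


def invalid_scopes(scopes: set) -> set:
    """Return the scopes that do not name a known module and permission."""
    bad = set()
    for scope in scopes:
        try:
            parse_scope(scope)
        except ValueError:
            bad.add(scope)
    return bad


def scopes_grant(scopes: set, module: str, permission: str) -> bool:
    """Token scopes are module-bound: a scope grants only its own module."""
    granted = {parse_scope(s) for s in scopes - invalid_scopes(scopes)}
    return (module, permission) in granted
```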
## Administration roles
| Role | Included permissions |
|---|---|
| Member | view_users |
| Billing Manager | view_subscription, manage_subscription |
| Administrator | view_users, manage_users, manage_permissions, view_audit_logs, view_subscription, manage_subscription |
Administration scopes use the admin module prefix, such as admin:view_users or admin:manage_subscription.
## API Token roles
| Role | Included permissions |
|---|---|
| Token Manager | view_own_tokens, create_tokens, delete_tokens |
| Token Admin | All Token Manager permissions + view_all_tokens, revoke_all_tokens |
API token management scopes use the api-tokens module prefix, such as api-tokens:create_tokens.
## Permission reference

### Monitoring permissions

| Permission | What it allows |
|---|---|
| view_monitoring | View monitored resources, details, history, and snapshots for the module |
| create_monitoring | Add monitored resources for the module |
| update_monitoring | Edit, enable, or disable monitored resources for the module |
| delete_monitoring | Remove monitored resources from the module |
For CT-Log, monitored resources are filters and certificate matches. For DNS, monitored resources include domains and records. For RDAP, monitored resources are domain monitors. For Certificate Watcher, monitored resources include certificate monitors and targets.
### Alert permissions

| Permission | What it allows |
|---|---|
| view_alerts | View alert history for the module |
| view_alert_rules | View alert rules for the module |
| create_alert_rules | Create alert rules for the module |
| update_alert_rules | Edit, enable, or disable alert rules for the module |
| delete_alert_rules | Delete alert rules for the module |
| view_alert_templates | View alert templates for the module |
| create_alert_templates | Create alert templates for the module |
| update_alert_templates | Edit, enable, or disable alert templates for the module |
| delete_alert_templates | Delete alert templates for the module |
### Administration permissions

| Permission | What it allows |
|---|---|
| view_users | See the list of users in the organization |
| manage_users | Invite, edit, and remove users |
| view_audit_logs | Access the audit log |
| manage_permissions | Change user role assignments |
### Billing permissions

| Permission | What it allows |
|---|---|
| view_subscription | View current subscription status and tier |
| manage_subscription | Upgrade, downgrade, or cancel subscription |
### API Token permissions

| Permission | What it allows |
|---|---|
| view_own_tokens | List your own API tokens |
| create_tokens | Generate new API tokens |
| delete_tokens | Revoke your own tokens |
| view_all_tokens | View all tokens in the organization |
| revoke_all_tokens | Revoke any token in the organization |
## Module access
A user must be assigned at least one role in a module to see that module's navigation entry. If no role is granted for a module, it is hidden entirely in the sidebar.
Roles are assigned at invite time and can be changed by an Administrator from Administration → Users.