Access Control Overview
Access control lets you grant granular access to specific users, service accounts, and resources while preventing unwanted access to other accounts and resources. Access covers the types of actions users can perform (read, create, and delete) and the features those actions apply to. It also extends to resources detected by Lacework: by excluding resource group access for a particular user group, you prevent users in that group from viewing or working with the resources in that group in any way.
Role-based access control (RBAC) governs user groups and their access to resources based on a defined role, assigned at either the account level or the organization level.
Organization Roles
At organization level, Lacework supports two roles: Administrator and User.
The following table describes each role and its permissions.

User type | Description |
---|---|
Org admin | Users with the organization administrator role have full access to all organization-level settings. They also have administrator role access to all underlying accounts within the organization. See Create Users for an Organization. |
Org user | Users with the organization user role have Read permission to all organization-level settings. They also have user role access to all underlying accounts within the organization. See Create Users for an Organization. |
Account Roles
At account level, Lacework supports three roles: Admin, Power user, and Read-only user.
The permissions for the Admin, Power user, and Read-only user roles are shown as a matrix over the following pages and settings (the per-role marks for each row are not reproduced here):

Pages: Alerts, Compliance, Vulnerabilities, Code security, Resources, Policies, Reports, Subscription, Identities¹, Attack path

Settings: Alert channels, Alert rules, Cloud accounts, Container registries, Resource groups², API keys, Agents, Report rules, Data export, AI assistants, General, License, Audit logs, Access control
¹ The write and delete permissions for identities allow exception and Jira ticket creation.
² For caveats and usage notes related to permissions for resource groups, see Resource Groups.
Service Users
Lacework supports service users to provide programmatic access to the Lacework API without allowing logins to the Lacework Console. Service users have three roles: Admin, Power user, and Read-only user.
The following table describes each role and its permissions.

User type | User group | Description |
---|---|---|
Service user | Account admin | Users with the account administrator role have full access to all Lacework API endpoints. |
Service user | Account power user | Users with the power-user role have full access to the following API endpoints: |
Service user | Account read-only user | Users with the read-only role have access to the following GET API endpoints: |
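The access model described on this page (organization roles cascading to accounts, the three account roles, blanket deny through resource group exclusion, and service users that reach the API but never the Console) can be captured in a small policy evaluator. The following is an added example, not Lacework code; the `Principal` and `Account` types, the `power_user_features` subset, the mapping of the organization user role to read-only inside each account, the rule that no role is exempt from a resource group exclusion, and the sample accounts and users are all assumptions made for illustration.

```python
"""Toy evaluator for the RBAC model described on this page (example, not Lacework code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    READ = "read"
    CREATE = "create"
    DELETE = "delete"


ALL_ACTIONS = frozenset(Action)

# Account roles named on the page, mapped to the actions each may perform.
# Power users get full access to a subset of features; that subset is not
# listed on the page, so it is carried on the Account (assumption).
ROLE_ACTIONS = {
    "admin": ALL_ACTIONS,
    "power_user": ALL_ACTIONS,
    "read_only": frozenset({Action.READ}),
}

# Assumption: the organization "user" role behaves as read-only inside each account.
ORG_TO_ACCOUNT_ROLE = {"admin": "admin", "user": "read_only"}


@dataclass
class Principal:
    name: str
    is_service_user: bool = False            # API-only identity, no Console login
    org_role: Optional[str] = None           # "admin", "user", or None
    account_roles: dict = field(default_factory=dict)   # account name -> role
    user_groups: frozenset = frozenset()


@dataclass
class Account:
    name: str
    power_user_features: frozenset = frozenset()          # hypothetical subset
    # user group -> resource groups that group is excluded from
    excluded_resource_groups: dict = field(default_factory=dict)


def effective_role(p: Principal, account: Account) -> Optional[str]:
    """An explicit account role wins; otherwise the organization role cascades down."""
    if account.name in p.account_roles:
        return p.account_roles[account.name]
    return ORG_TO_ACCOUNT_ROLE.get(p.org_role)


def is_allowed(p: Principal, account: Account, action: Action, feature: str,
               resource_group: Optional[str] = None, via_console: bool = False) -> bool:
    # Service users may call the API but never log in to the Console.
    if via_console and p.is_service_user:
        return False
    # Resource group exclusion is a blanket deny evaluated before the role
    # (assumption: no role is exempt from an exclusion).
    if resource_group is not None:
        for group in p.user_groups:
            if resource_group in account.excluded_resource_groups.get(group, frozenset()):
                return False
    role = effective_role(p, account)
    if role is None:
        return False
    if role == "power_user" and feature not in account.power_user_features:
        return action is Action.READ   # assumption: read-only outside their subset
    return action in ROLE_ACTIONS[role]


def demo() -> dict:
    """Constructed sample account and principals; returns each access decision by name."""
    prod = Account(
        "prod",
        power_user_features=frozenset({"alerts", "alert_rules"}),
        excluded_resource_groups={"contractors": frozenset({"payment-db"})},
    )
    org_admin = Principal("alice", org_role="admin")
    org_user = Principal("bob", org_role="user")
    contractor = Principal("carol", account_roles={"prod": "power_user"},
                           user_groups=frozenset({"contractors"}))
    svc = Principal("ci-bot", is_service_user=True, account_roles={"prod": "read_only"})
    return {
        "org_admin_deletes_policy": is_allowed(org_admin, prod, Action.DELETE, "policies"),
        "org_user_reads_alerts": is_allowed(org_user, prod, Action.READ, "alerts"),
        "org_user_creates_alert_rule": is_allowed(org_user, prod, Action.CREATE, "alert_rules"),
        "power_user_creates_alert_rule": is_allowed(contractor, prod, Action.CREATE, "alert_rules"),
        "power_user_deletes_policy": is_allowed(contractor, prod, Action.DELETE, "policies"),
        "contractor_reads_excluded_rg": is_allowed(contractor, prod, Action.READ, "resources",
                                                   resource_group="payment-db"),
        "contractor_reads_other_rg": is_allowed(contractor, prod, Action.READ, "resources",
                                                resource_group="web-tier"),
        "service_user_api_read": is_allowed(svc, prod, Action.READ, "alerts"),
        "service_user_console_read": is_allowed(svc, prod, Action.READ, "alerts", via_console=True),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The order of checks is the point worth noticing: the Console-login and resource group exclusion checks are evaluated before any role is consulted, so an exclusion cannot be undone by a generous role, and a service user's role never translates into an interactive session.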