Role-Based Access Control (RBAC)

Comprehensive role and permission management for secure, granular access control across your organization.

Default Role Hierarchy

Overwatch provides five predefined roles with progressively increasing permissions:

Owner

Complete organizational control

User management and role assignment
Billing and subscription management
Integration configuration and management
All incident and procedure permissions
Organization settings and policies

Admin

Full administrative access (except billing)

User management within organization
Integration configuration
All incident and procedure permissions
Analytics and audit log access
Cannot modify billing settings

Manager

Team leadership and oversight

Team member management (view only)
Full incident and procedure management
Procedure creation and approval
Team analytics and reporting
User activity monitoring

Engineer

Standard operational access

Incident creation and management
Procedure execution and basic creation
Personal analytics and activity history
Team collaboration features
Limited administrative visibility

Viewer

Read-only access

Read-only access to incidents and procedures
Personal activity history
Basic analytics dashboard
No creation or modification permissions
Limited collaboration features

Permission Model

Permission Structure

Permissions are organized by resource, action, and scope:

{
  "incidents": {
    "actions": ["read", "create", "update", "delete", "assign"],
    "scopes": ["own", "team", "organization"]
  },
  "procedures": {
    "actions": ["read", "create", "update", "delete", "execute", "approve"],
    "scopes": ["own", "team", "organization"]
  },
  "analytics": {
    "actions": ["read", "export"],
    "scopes": ["personal", "team", "organization"]
  },
  "settings": {
    "actions": ["read", "update"],
    "scopes": ["personal", "organization"]
  },
  "users": {
    "actions": ["read", "create", "update", "delete", "manage"],
    "scopes": ["team", "organization"]
  }
}

Permission Scopes

Scope Levels:

Scope	Description	Example
Own	Only resources created by the user	User can view/edit own incidents only
Team	Resources for users in same team	Manager can view team incidents
Organization	All resources in organization	Admin can view all incidents
Personal	User’s own profile and settings	User can edit own profile

Default Role Permissions

Role	Read	Create	Update	Delete	Assign	Scope
Owner	✅	✅	✅	✅	✅	Org
Admin	✅	✅	✅	✅	✅	Org
Manager	✅	✅	✅	✅	✅	Team
Engineer	✅	✅	✅	❌	❌	Own
Viewer	✅	❌	❌	❌	❌	Org

Role	Read	Create	Update	Delete	Execute	Approve	Scope
Owner	✅	✅	✅	✅	✅	✅	Org
Admin	✅	✅	✅	✅	✅	✅	Org
Manager	✅	✅	✅	✅	✅	✅	Team
Engineer	✅	✅	✅	❌	✅	❌	Own
Viewer	✅	❌	❌	❌	❌	❌	Org

Role	Read	Create	Update	Delete	Manage	Scope
Owner	✅	✅	✅	✅	✅	Org
Admin	✅	✅	✅	✅	✅	Org
Manager	✅	❌	❌	❌	❌	Team
Engineer	✅	❌	❌	❌	❌	Team
Viewer	❌	❌	❌	❌	❌	-

Role	Read	Update	Billing	Integrations	API Keys
Owner	✅	✅	✅	✅	✅
Admin	✅	✅	❌	✅	✅
Manager	✅	❌	❌	❌	❌
Engineer	✅	❌	❌	❌	❌
Viewer	❌	❌	❌	❌	❌

Custom Role Configuration

Creating Custom Roles

Access role configuration:

Dashboard → Organization → Settings → Roles & Permissions

Define Role
- Enter role name and description
- Select base role for inheritance (optional)
- Set role priority and hierarchy level
Configure Permissions
- Select resource types (incidents, procedures, etc.)
- Choose allowed actions for each resource
- Define scope limitations (own, team, organization)
- Add conditional permissions (optional)
Test Role
- Assign role to test user
- Verify permissions work as expected
- Adjust permissions as needed
Deploy Role
- Activate custom role
- Assign to target users
- Monitor usage and access patterns

Custom Role Example

DevOps Lead Role (custom role between Manager and Admin):

{
  "role_name": "devops_lead",
  "display_name": "DevOps Lead",
  "description": "DevOps team lead with infrastructure permissions",
  "inherits_from": "manager",
  "permissions": {
    "incidents": {
      "actions": ["read", "create", "update", "delete", "assign"],
      "scope": "team"
    },
    "procedures": {
      "actions": ["read", "create", "update", "delete", "execute", "approve"],
      "scope": "organization"
    },
    "integrations": {
      "actions": ["read", "update"],
      "scope": "organization"
    },
    "analytics": {
      "actions": ["read", "export"],
      "scope": "organization"
    }
  },
  "conditions": {
    "time_based": false,
    "location_based": false,
    "approval_required": ["procedure.delete"]
  }
}

Permission Inheritance

Custom roles can inherit from base roles:

Owner (all permissions)
  ↓ inherits
Admin (all except billing)
  ↓ inherits
Manager (team management)
  ↓ inherits
DevOps Lead (custom)
  ↓ inherits
Engineer (standard operations)
  ↓ inherits
Viewer (read-only)

Inheritance Rules:

Child roles inherit all parent permissions
Child roles can add additional permissions
Child roles can restrict scope (not expand)
Permission overrides apply to inherited permissions

Advanced RBAC Features

Conditional Permissions

Apply permissions based on context:

Time-Based Access:

{
  "permission": "incidents.delete",
  "condition": {
    "type": "time_based",
    "allowed_hours": {
      "start": "09:00",
      "end": "17:00",
      "timezone": "America/New_York",
      "days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
    }
  }
}

Location-Based Restrictions:

{
  "permission": "settings.update",
  "condition": {
    "type": "ip_whitelist",
    "allowed_ips": ["10.0.0.0/8", "172.16.0.0/12"]
  }
}

Device-Based Limitations:

{
  "permission": "api_keys.create",
  "condition": {
    "type": "device_based",
    "require_mfa": true,
    "allowed_devices": "registered_only"
  }
}

Approval Workflows

Configure multi-step approval for sensitive actions:

Dashboard → Organization → Settings → Approval Workflows

Workflow Configuration:

{
  "workflows": [
    {
      "name": "Procedure Approval",
      "trigger": "procedure.execute",
      "conditions": {
        "severity": ["critical", "high"],
        "production": true
      },
      "approvers": [
        {
          "role": "manager",
          "required": 1
        },
        {
          "role": "owner",
          "required": 1,
          "when": "severity == 'critical'"
        }
      ],
      "timeout_hours": 24,
      "escalation": {
        "enabled": true,
        "escalate_after_hours": 4,
        "escalate_to": "owner"
      }
    }
  ]
}

Approval Process:

User initiates action requiring approval
System identifies required approvers
Approval requests sent via email and dashboard notification
Approvers review and approve/reject
Action executed upon approval or rejected with reason
Audit log records complete approval chain

Temporary Permissions

Grant temporary elevated permissions:

Dashboard → Organization → Team → [User] → Temporary Access

Use Cases:

On-call engineer needs temporary admin access
Contractor needs limited access for project duration
Team member covering for manager on vacation

Configuration:

{
  "user_id": "uuid",
  "temporary_role": "admin",
  "start_time": "2025-10-15T00:00:00Z",
  "end_time": "2025-10-22T00:00:00Z",
  "reason": "On-call rotation coverage",
  "auto_revoke": true,
  "notification": {
    "on_grant": true,
    "on_revoke": true,
    "daily_reminder": true
  }
}

Audit and Compliance

Permission Change Logging

All permission changes are automatically logged:

Dashboard → Organization → Audit → Permission Changes

Logged Events:

Role assignments and removals
Custom role creation and modification
Permission grants and revocations
Temporary access grants
Approval workflow executions

Audit Log Format:

{
  "timestamp": "2025-10-15T10:30:00Z",
  "event_type": "role.assigned",
  "actor": {
    "user_id": "admin-uuid",
    "email": "admin@company.com"
  },
  "target": {
    "user_id": "user-uuid",
    "email": "user@company.com"
  },
  "details": {
    "previous_role": "engineer",
    "new_role": "manager",
    "reason": "Promotion to team lead"
  }
}

Access Attempt Monitoring

Monitor unauthorized access attempts:

Dashboard → Organization → Security → Access Attempts

Monitored Events:

Failed permission checks
Unauthorized API access attempts
Privilege escalation attempts
Suspicious activity patterns

Alert Configuration:

{
  "alerts": [
    {
      "name": "Multiple Failed Permission Checks",
      "threshold": 5,
      "window_minutes": 10,
      "severity": "high",
      "action": "notify_security_team"
    },
    {
      "name": "Privilege Escalation Attempt",
      "threshold": 1,
      "severity": "critical",
      "action": "suspend_account"
    }
  ]
}

Compliance Reporting

Generate compliance reports for audits:

Dashboard → Organization → Compliance → Generate Report

Available Reports:

User access summary (all users and their permissions)
Permission change history (date range)
Segregation of duties verification
Role assignment compliance
Access review certification

Report Formats: PDF, CSV, JSON

Best Practices

RBAC Guidelines

Principle of Least Privilege: Grant minimum necessary permissions
Regular Reviews: Conduct quarterly permission audits
Role Consolidation: Avoid role proliferation with too many custom roles
Clear Documentation: Document custom roles and their purpose
Testing: Test new roles thoroughly before production deployment

Security Recommendations

Enable approval workflows for sensitive actions
Monitor permission change logs regularly
Implement time-based access for temporary needs
Use team-level permissions over organization-wide when possible
Regular access reviews and recertification

Common Pitfalls to Avoid

Next Steps

User Management

Apply roles to users and manage access.

Manage Users →

Security Policies

Configure additional security controls.

Configure Security →

Audit Logging

Monitor and review access logs.

View Audit Logs →

Need Help?

If you have questions about RBAC configuration, contact support@overwatch-observability.com.

Related Documentation: