Role-based Access Control

Control who can see, modify and export data in EntraGuard with granular role-based access control.

Built-in roles

Admin

Full access to all features: tenant management, user management, settings, audit scans, findings, reports, API keys, LDAP config, webhooks, risk acceptance, exports. Can manage RBAC roles and assignments.

Auditor

Can run scans, view findings, generate reports, accept risks and export data. Cannot modify system settings, manage users or tenants, or create API keys.

Viewer

Read-only access to dashboards, findings and reports. Cannot run scans, modify settings or export data. Suitable for stakeholders who need visibility without action capability.

Custom roles (Enterprise)

Define custom roles with granular permissions. Mix and match capabilities: allow report generation but deny scan execution, allow findings view but deny risk acceptance.

Permissions

scan:run — Start audit scans
scan:view — View scan history
findings:view — View findings
findings:accept — Accept risk
reports:generate — Generate reports
reports:export — Export data
settings:manage — Modify settings
users:manage — Manage users/roles
tenants:manage — Manage tenants
apikeys:manage — Create API keys

Multi-tenant scoping

In multi-tenant deployments (Enterprise), roles can be scoped to specific tenants. An auditor may have full access to Tenant A but only viewer access to Tenant B. Scoping is configured in Settings → Users → Role Assignments.
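The permission model above (built-in roles as permission sets, a custom role that allows report generation but denies scan execution, and per-tenant role scoping) as an added worked example, not EntraGuard's own code. User and tenant names are constructed sample data, and the viewer role's exact permission set is an assumption noted in the comments.

```python
from datetime import datetime, timezone

# Built-in roles -> permission sets, derived from the role descriptions on this page.
# The page lists no separate "reports:view" permission, so the viewer role here is
# assumed to hold only the two *:view permissions (an assumption, not EntraGuard's table).
BUILTIN_ROLES = {
    "admin": {"scan:run", "scan:view", "findings:view", "findings:accept",
              "reports:generate", "reports:export", "settings:manage",
              "users:manage", "tenants:manage", "apikeys:manage"},
    "auditor": {"scan:run", "scan:view", "findings:view", "findings:accept",
                "reports:generate", "reports:export"},
    "viewer": {"scan:view", "findings:view"},
}

# A custom (Enterprise) role built the way the page describes: report generation
# allowed but scan execution denied, findings view allowed but risk acceptance denied.
CUSTOM_ROLES = {"report-writer": {"scan:view", "findings:view", "reports:generate"}}
ROLES = {**BUILTIN_ROLES, **CUSTOM_ROLES}

# Tenant-scoped assignments (constructed sample data): one user can hold different
# roles in different tenants, like the "auditor on A, viewer on B" case above.
ASSIGNMENTS = {
    ("alice", "tenant-a"): "auditor",
    ("alice", "tenant-b"): "viewer",
    ("bob", "tenant-a"): "report-writer",
}


def permissions_for(user: str, tenant: str) -> set:
    """Resolve the user's permissions in one tenant; no assignment there means none."""
    role = ASSIGNMENTS.get((user, tenant))
    return set(ROLES.get(role, set())) if role else set()


def check(user: str, tenant: str, action: str) -> tuple:
    """Decide the request and return the audit record written either way.

    A denied check carries the user, action and timestamp that the Audit section
    says are logged for permission-denied events.
    """
    allowed = action in permissions_for(user, tenant)
    event = {
        "user": user, "tenant": tenant, "action": action,
        "result": "allowed" if allowed else "denied",
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    return allowed, event
```

With these assignments, alice can start a scan in tenant-a but not in tenant-b, and bob can generate reports in tenant-a but neither run scans nor accept risk there.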

Configuration

  1. Navigate to Settings → Users — View all users and their current role assignments.
  2. Assign roles — Click a user and select their role. For Enterprise, also select the tenant scope.
  3. Create custom roles (Enterprise) — Navigate to Settings → Roles, create a new role and select the permissions to include.
  4. IdP group mapping (Enterprise) — Map Entra ID security groups to EntraGuard roles for automatic role assignment on login.

Audit

  • All role assignments and changes are logged in the WORM (write-once, read-many) audit trail
  • Permission denied events are logged with the user, action and timestamp
  • Admin actions (user management, role changes) require MFA confirmation

Need help with RBAC? Contact [email protected]. For Enterprise features, reach out to [email protected].