Role Based Access Control

Overview

Purpose: Document how Role-Based Access Control (RBAC) governs permissions and access within AlertOps.

Audience: Account Owners, Administrators, and users responsible for managing users, roles, and permissions.

Prerequisites: Users managing RBAC must have SecurityAdministration_Global_Access.

Scope: This article serves as the canonical reference for RBAC entitlements available in AlertOps.

Outcome: Readers can confidently assign roles and entitlements without ambiguity or mismatch with the application.

Feature Explanation

Role-Based Access Control (RBAC) in AlertOps determines what actions a user can perform based on the roles assigned to them. Each role is composed of one or more entitlements, where each entitlement grants permission to perform a specific action or access a specific area of the platform.

RBAC enables organizations to:

Enforce least-privilege access

Delegate administration safely

Maintain auditability and security controls

Scale user management without over-permissioning

Configuration Guide

How RBAC Works

Entitlements define individual permissions (for example, viewing alerts or managing users).

Roles are collections of entitlements.

Users are assigned one or more roles.

A user’s effective permissions are the combined set of entitlements from all assigned roles.

Expected Result

Users can only view or perform actions explicitly allowed by their assigned entitlements.

How to Verify

Confirm that visible menus, actions, and modules align with the assigned entitlements.

Troubleshooting

If a user cannot access a feature, verify the required entitlement exists in at least one assigned role.

Ensure role changes were saved and the user has logged out and back in.

Use Cases

Use Case: Delegated Team Administration

Goal: Allow team leads to manage their own groups without global admin access.

Setup: Assign group-scoped entitlements such as Groups_Update_GroupAccess.

Result: Team leads can manage their groups without affecting others.

Use Case: Read-Only Oversight

Goal: Allow management stakeholders to monitor activity without making changes.

Setup: Assign view-only entitlements such as Messages_View_GlobalAccess and Reports_GlobalAccess.

Result: Visibility without risk of configuration changes.

Best Practices

Do treat the AlertOps Admin UI as the source of truth for RBAC enforcement.

Do use this article as the canonical reference for entitlement meaning and usage.

Do apply the principle of least privilege when designing roles.

Do Not broadly assign high-risk entitlements such as SecurityAdministration_Global_Access or BillingAdministrationn_Global_Access.

Do review roles and entitlements after product updates.

Do escalate any UI–documentation mismatch for correction.

User Types Overview

User Roles

Import and Export Users

Role Entitlements Reference

Note: The entitlements below are listed exactly as they exist in the AlertOps Admin UI. Spelling, casing, and naming (including known typos) are intentionally preserved.

Category	Entitlement	Definition	Practical Use
App Administration	Bridge_Maintenance	Permission to Add, Update, and Delete bridges configured within the system.	Required when managing bridges used for incident coordination.
App Administration	Message_Rule_Update	Permission to Add and Update existing Escalation Rules within your environment.	Used when modifying alert escalation logic.
App Administration	Message_Rule_View	Permission to View existing Escalation Rules within your environment.	Allows review of escalation logic without edit access.
App Administration	Subscription_Update	Permission to update users subscribed to a service in service status.	Used to manage recipients of service status notifications.
App Administration	Template_Maintenance	Permission to Update and Modify Message Templates within your environment.	Used specifically to manage Service Status message templates.
App Administration	Topics_Maintenance	Permission to Create, Update, and Modify Topic Message Templates along with their associated recipient groups.	Used for configuring topic-based notifications.
App Administration	UserAttribute_Maintenance	Permission to Create, Update, and Delete User Attributes available for users within your environment.	Required when managing custom user attributes.
App Administration	Workflows_Update	Permission to Create, Update, and Delete Workflows within your environment.	Used when building or modifying workflows.
App Administration	Workflows_View	Permission to View existing Workflows within your environment.	Allows inspection of workflows without modification rights.
Audit Trail	AuditTrail_View	Permission to View Audit Trail as far as changes made to the environment.	Required for audits and change tracking.
Billing Administration	BillingAdministrationn_Global_Access	Permission to Administer Billing for the Account and make any Billing Related modifications provided the account is billed via Credit Card and not Invoice.	Used by account owners or finance teams to manage billing.
Export Users and Groups	Export_GlobalAccess	Permission to Export bulk spreadsheets of Users and Groups from your environment.	Used for audits and access reviews.
Groups Administration	Groups_Add_GlobalAccess	Permission to Create Groups within the environment.	Used when onboarding new teams.
Groups Administration	Groups_Update_GlobalAccess	Permission to Update and Delete all Groups within the environment.	Full administrative group control.
Groups Administration	Groups_Update_GroupAccess	Permission to Update and Delete Groups of which individual user is already a member.	Enables delegated group management.
Groups Administration	Groups_View_GlobalAccess	Permission to View All Groups within the Environment.	Organization-wide group visibility.
Groups Administration	Groups_View_GroupAccess	Permission to View Groups and its members.	Visibility limited to owned groups.
Import Users and Groups	Import_GlobalAccess	Permission to Bulk Import Users and Groups via Spreadsheet in your environment.	Used during large-scale onboarding.
Integrations Administration	InboundIntegrations_GlobalAccess	Permission to Create, Update, and Delete Inbound E-mail, API, and Chat Integration templates in your environment.	Used to configure inbound integrations.
Integrations Administration	OutboundIntegrations_GlobalAccess	Permission to Create, Update, and Delete Outbound API Integrations and methods in your environment.	Used to configure outbound integrations.
Messages	Messages_Recieve	Permission to receive notifications.	Required for users who receive alerts.
Messages	Messages_Send_GlobalAccess	Permission to User "Create Alert" module to Create and Send Manual Alerts from your environment.	Used to manually trigger alerts.
Messages	Messages_View_GlobalAccess	Permission to View all existing Alerts in your environment.	Global alert visibility.
Messages	Messages_View_GroupAccess	Permission to View all Alerts created and routed to a group of which a user is a member.	Team-level alert visibility.
Messages	Messages_View_UserAccess	Permission to View just Alerts created and routed to that user themselves.	Individual alert visibility.
Postmortem	Postmortem_Add	Permission to Create Post-mortem Reports for an Alert once the alert has been closed.	Used to document incidents.
Postmortem	Postmortem_Edit	Permission to Edit any pre-existing Post-mortem Reports for an alert that has been closed.	Used to update postmortem records.
Postmortem	Postmortem_View	Permission to View Post-Mortem reports for an Alert.	Used for learning and review.
Postmortem	PostmortemFields_Maintenance	Permission to Create, Update, and Delete Post-mortem Fields and Template from an Administration perspective.	Used to manage postmortem templates.
Reports	Reports_GlobalAccess	Permission to View and Export any Reports within your environment.	Used for operational and executive reporting.
Security Administration	SecurityAdministration_Global_Access	Permission to Create, Update, and Delete any Roles configured within your environment with respect to RBAC (Role-Based Access Control).	Reserved for RBAC administrators.
Services	Services_Maintenance	Permission to Create, Update, and Delete Services, Incidents, or Maintenance with respect to the "Service Status" or Internal Status Page / Subscriber module.	Used to manage service status and maintenance.
Services	Services_Subscribe	Permission for a User to subscribe themselves to a particular service for "Service Status" notifications.	Allows users to opt into service updates.
UserAPIKey	UserAPIKey_Add	Permission for a User to add an API Key at the User level to access the AlertOps API for their environment.	Used for API access and integrations.
Users Administration	Users_Add_GlobalAccess	Global Permission to Add New Users to an AlertOps environment or to a particular Group.	Used during user onboarding.
Users Administration	Users_Add_Group_Access	Permission to Add Users to a Group of which a User is a member.	Delegated group management.
Users Administration	Users_Update_GroupAccess	Permission for a User to Update and Delete members of a Group of which the User is a member.	Manage group membership.
Users Administration	User_Update_UserAccess	Permission for a User to Update and Edit their own Profile attributes.	Self-service profile updates.
Users Administration	User_View_GlobalAccess	Permission for a User to View all Users within an environment.	Administrative visibility.
Users Administration	User_View_GroupAccess	Permission for a User to View all Users for Groups of which that User is a member.	Group-scoped visibility.
Users Administration	User_View_UserAccess	Permission for a User to View their own User Profile.	Personal profile access.