Policy Roles Overview

User Roles

Flexera provides many different roles for access control to the features in policies that should align well to the users in your organization:

  • Policy Manager (policy_manager) - This is one of the primary users of policy manager - a user who has control over which policies are applied to the scopes they have access to and how those policies behave. In many DevOps organization, many of the users in a team will be given this role in the accounts or projects that the team uses.
  • Policy Approver (policy_approver) - This user has the authority to approve remediation actions for policy incidents, but doesn't actually configure the policies themselves. In some teams there may be fewer policy managers that are configuring the policies, but more policy approvers who confirm that the proposed actions are valid in the given scope.
  • Policy Designer (policy_designer) - This user actually develops custom policies (or customizes pre-built policies) by writing Policy Template code. This user has the ability to design and develop their own templates and test them in the accounts they have access to. Once a template is deemed ready for the organization to use, this user works with the policy publisher to make the policy available in the Catalog.
  • Policy Publisher (policy_publisher) - This user has the ability to modify which policies are available in the Catalog, either by publishing policies built by policy designers, or by hiding policies that are pre-built from Flexera. This user role is only available at the organization level since the Catalog exists at that level.
  • Policy Viewer (policy_viewer) - This user is able to see all of the information about applied policies and related incidents, but has no ability to change anything in the system. This user can not apply, configure, or terminate policies, nor can they approve or deny incident actions.
  • Admin (admin) - This user has the ability to administer cloud accounts and access to external APIs. This user can add and edit credentials for use by the policy manager and designer roles.

Access Levels

For all policy roles except policy_publisher, the role can be granted to a user or group at either the organization or the account level. When a role is granted at the organization level, it effectively grants that role to every account that exists now and in the future in the organization. Another effect of organization-level roles is that those users will be able to use the Organization Summary view on many policy pages, which rolls up all information about policies and incidents into a single overview. For users with account-level access, they will only be able to see content on an account-by-account basis.

Granting Policy Roles

Role based access control is centrally managed by our Governance module. You can grant any roles to the desired user or group from that page. You will need enterprise_manager or admin roles to access Governance.


Detailed Feature to Role Mapping

RightScale policy management comes with granular access control to provide more flexibility based on the user type. You can grant users these roles using Governance.

The following table describes which roles are needed to use the various features of policy manager.

Page Features Roles that can use the feature
Catalog View Catalog policy_publisher, policy_designer, policy_manager
Publish a Policy Template policy_publisher
Un-publish a Policy Template policy_publisher
Delete custom Policy Template policy_publisher
Apply a Policy policy_manager, policy_designer
Dashboard View Dashboard policy_designer, policy_manager, policy_viewer
Organizational Summary Organization roles: enterprise_manager, policy_designer, policy_manager, policy_viewer
Applied Policies View Applied Policies policy_designer, policy_manager, policy_viewer
Update a policy policy_designer, policy_manager
Terminate a policy policy_designer, policy_manager
Apply a similar policy policy_designer, policy_manager
Incidents View Incidents policy_designer, policy_manager, policy_viewer
Approve or Deny an Action policy_approver
Templates View Templates policy_publisher, policy_designer
Upload a custom policy policy_designer
Apply a policy policy_designer
Delete a custom policy template policy_designer
Publish a Policy Template policy_publisher
Credentials Create/Edit/Delete Credentials admin
List/Use Credentials policy_designer, policy_manager

Policy-specific Permissions

The policy roles described above grant users access to the policy manager product and its features, but policies themselves have the ability to interact with any API which, in many cases, require permissions on that target API. The user that applies the policy must have the underlying privileges to access the resources needed by the policy. Each policy provided by Flexera documents its required permissions.