Role-Based Access Controls (RBAC)
User roles in FireHydrant
FireHydrant offers user roles to help restrict and define access to parts of the platform, enabling you to create a secure and scalable incident management process.
Users, Roles, and Definitions
Licensed and Unlicensed users
- Licensed users - Users with FireHydrant accounts and login access, split into 4 access roles (see next section)
- Unlicensed users - Everyone else. Users who cannot log in and perform the vast majority of actions with one exception.
Any user in Slack, including unlicensed, can join an incident channel, keep tabs on an open incident, and participate in conversations. However, unlicensed users can't take any actions that change the incident state, such as running most commands, posting updates, assigning/completing tasks, being assigned roles, etc.
Predefined Access Roles
FireHydrant offers four access roles out-of-box.
- Owner: Full access to the full platform, including user administration, integrations, API Keys, and other organization settings
- Member: Full access to update incident management processes, Runbooks, Settings, Teams, and Alert configurations
- Collaborator: Basic incident response access but cannot update settings or Runbooks. Same as Viewer for creating and responding to alerts if assigned
- Viewer: Read-only access to incidents and analytics in the FireHydrant web app. Ability to create and respond to alerts if they're assigned
Alerting Permissions
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Create Alerts and Send Pages | ✅ | ✅ | ✅ | ✅ |
| Read Alerts | ✅ | ✅ | ✅ | ✅ |
| Respond to Alerts | ✅ | ✅ | ✅ | ✅ |
| Read Alert Grouping | ✅ | ✅ | ✅ | ✅ |
| Read Alert Rules/Triggers | ✅ | ✅ | ✅ | ✅ |
| Read Call Routes | ✅ | ✅ | ✅ | ✅ |
| Read Escalation Policies | ✅ | ✅ | ✅ | ✅ |
| Read Event Sources | ✅ | ✅ | ✅ | ✅ |
| Read On-Call Schedules & Shifts | ✅ | ✅ | ✅ | ✅ |
| Request Coverage, Claim Shifts | ✅ | ✅ | ✅ | ✅ |
| Read Webhook Targets | ✅ | ✅ | ✅ | ✅ |
| Manage Personal Notification Preferences | ✅ | ✅ | ✅ | ✅ |
| Manage On-Call Shifts/Shift Overrides | ✅ | ✅ | ✅ | |
| Manage Alert Grouping | ✅ | ✅ | ||
| Manage Alert Rules/Triggers | ✅ | ✅ | ||
| Manage Call Routes | ✅ | ✅ | ||
| Manage Escalation Policies | ✅ | ✅ | ||
| Manage Event Sources | ✅ | ✅ | ||
| Manage On-Call Schedules | ✅ | ✅ | ||
| Manage Team Support Hours | ✅ | ✅ | ||
| Manage Webhook Targets | ✅ | ✅ |
Analytics Permissions
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Read Analytics | ✅ | ✅ | ✅ | ✅ |
Incident Management Permissions
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Create Incidents (manually or from Alerts) | ✅ | ✅ | ✅ | ✅ |
| Invited to Slack incident channels | ✅ | ✅ | ✅ | ✅ |
| Read Incidents | ✅ | ✅ | ✅ | ✅ |
| Read Incident Settings | ✅ | ✅ | ✅ | ✅ |
| Read Status Templates | ✅ | ✅ | ✅ | ✅ |
| Run General Slack Commands | ✅ | ✅ | ✅ | ✅ |
| View Internal and External Status Pages | ✅ | ✅ | ✅ | ✅ |
| Manage Incidents | ✅ | ✅ | ✅ | |
| ↳ Assigned Incident Roles | ✅ | ✅ | ✅ | |
| ↳ Assigned Tasks and Follow-Ups | ✅ | ✅ | ✅ | |
| ↳ Attach/Execute Runbooks | ✅ | ✅ | ✅ | |
| ↳ Manage Incidents in the Web App | ✅ | ✅ | ✅ | |
| ↳ Participate in Retrospectives | ✅ | ✅ | ✅ | |
| ↳ Post Incident Updates | ✅ | ✅ | ✅ | |
| ↳ Run Slack or MS Teams Chatbot Commands | ✅ | ✅ | ✅ | |
| ↳ Star Events or Other Incident Timeline Actions | ✅ | ✅ | ✅ | |
| Manage Incident Settings | ✅ | ✅ | ||
| Conduct and Access Private Incidents** | ✅ | |||
| Manage Status Templates | ✅ |
**Note
Users without private incident access (all-encompassing) can be added to individual private incidents on an ad-hoc basis by people who do have access. See Private Incidents for more information.
Integration Management Permissions
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Read Integrations | ✅ | ✅ | ✅ | ✅ |
| Read Webhooks Integrations | ✅ | ✅ | ✅ | ✅ |
| Read Organization Secrets | ✅ | |||
| Manage Integrations | ✅ | |||
| Manage Organization Secrets | ✅ | |||
| Manage Webhooks Integrations | ✅ |
Resource Management Permissions
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Read Audiences | ✅ | ✅ | ✅ | ✅ |
| Read Change Events | ✅ | ✅ | ✅ | ✅ |
| Read Conversations | ✅ | ✅ | ✅ | ✅ |
| Read Organization Settings | ✅ | ✅ | ✅ | ✅ |
| Read Runbooks | ✅ | ✅ | ✅ | ✅ |
| Read Service Catalog | ✅ | ✅ | ✅ | ✅ |
| Read Teams | ✅ | ✅ | ✅ | ✅ |
| Manage Audiences | ✅ | ✅ | ||
| Manage Change Events | ✅ | ✅ | ||
| Manage Conversations | ✅ | ✅ | ||
| Manage Runbooks | ✅ | ✅ | ||
| Manage Service Catalog | ✅ | ✅ | ||
| Manage Teams | ✅ | ✅ | ||
| Manage Organization Settings | ✅ | |||
| Read Audit Logs | ✅ |
User Access Control Permissions
Commonly-asked questions
Can an unlicensed user access incident retrospectives?
FireHydrant's incidents and retrospectives are a part of the web application and require a license to access. Retrospectives can be exported as PDF or supported integrations like Confluence and Google Docs to be shared broadly.
For more information, visit Preview & Export Retrospectives.
Can a Viewer or non-licensed user “star” events to be included in the export timeline?
Starring events is considered a state-altering action, and subsequently is not available for the default Viewer role or anyone without Manage Incidents permission.
If a Viewer or unlicensed user posts chat messages into the incident Slack or Microsoft Teams channel, will those still be recorded by FireHydrant into the timeline
Yes, all messages in incident channels are recorded in the incident timeline regardless of who they're from.
Can a Viewer or non-licensed user be assigned action-items?
Users must at least have Manage Incidents permissions or be Collaborator+ (of the out-of-box roles).
Can a non-licensed user view the status page?
Yes. You do not need to be a licensed user on FireHydrant to view a status page.
Updated 8 days ago