Role-Based Access Controls (RBAC)

User roles in FireHydrant

User roles in FireHydrant

FireHydrant offers user roles to help restrict and define access to parts of the platform, enabling you to create a secure and scalable incident management process.

Users, Roles, and Definitions

Licensed and Unlicensed users

  • Licensed users - Users with FireHydrant accounts and login access, split into 4 access roles (see next section)
  • Unlicensed users - Everyone else. Users who cannot log in and perform the vast majority of actions with one exception.

Because we believe in helping teams build cultures with open Incident Management processes, any users, including unlicensed users** can declare a new incident within your Slack workspace:

/fh new     # Command aliases include /firehydrant and /incident

Additionally, any user in Slack, including unlicensed, can join an incident channel, keep tabs on an open incident, and participate in conversations. However, unlicensed users can't take any actions that change the incident state, such as running most commands, posting updates, assigning/completing tasks, etc.

📘

**Note:

You can disable allowing non-licensed users from opening incidents in your Slack integration settings.

Licensed user roles

For any users who need to respond to alerts and incidents or generally access the FireHydrant platform, you will want to create a licensed user account and assign them a role. We offer four access roles:

  • Viewer: Read-only access to incidents and analytics in the FireHydrant web app. Ability to create and respond to alerts they're assigned to
  • Collaborator: Basic incident response access but cannot update settings or Runbooks. Same as Viewer for creating and responding to alerts
  • Member: Full access to update incident management processes, Runbooks, Settings, Teams, and Alert configurations
  • Owner: Full access to the full platform, including user administration, integrations, API Keys, and other organization settings

Permissions for Alerting

ActionOwnerMemberCollaboratorViewer
Send Alerts/Page Others
Respond to Alerts
Request Coverage and Claim Shifts
Manage Personal Notification Preferences
Mange Override Shifts
Configure Event Sources
Manage On-Call Schedules
Manage Escalation Policies
Manage Alert Rules/Triggers

Permissions for IM and Platform

Below is a table denoting the complete list of actions and whether each role/user type can perform it.

ActionOwnerMemberCollaboratorViewer
Declare Incidents or Escalate Incidents from Alerts
Invited to Slack incident channels
Access UI & view Analytics
Slack General Commands
Respond to Incidents
↳ Slack Incident Commands
↳ Manage Incident in the UI
↳ Assigned Incident Roles
↳ Assigned Tasks and Follow-Ups
↳ Participate in Retrospectives
Manage Incident Settings
Manage Runbooks
Manage Service Catalog
Manage Teams
Manage API Keys
Manage Integrations, including Webhooks
Manage Status Templates
Manage Users

Configuring Roles

Any Owner can navigate to the User settings page in FireHydrant and update another user's role.

Additionally, you can update user roles using our SCIM API and your IDP (Okta, Active Directory, etc.). Read our SSO with SCIM docs to learn about provisioning users and roles.

Commonly-asked questions

  • Can a non-licensed user access the retrospective?
    A non-responding user can only access a retrospective after the PDF is published and exported. The options to access a retrospective before completion also requires being a FireHydrant user with at least Viewer permissions.

  • Can a Viewer or non-licensed user “star” events to be included in the starred incident timeline?
    This option is only currently available for users with at least Collaborator level permissions.

  • Can a Viewer or non-licensed user’s chat messages on Slack still be recorded within the incident timeline?
    Yes. Any Slack users are still able to join the channel and have their messages recorded within the incident timeline.

  • Can a Viewer or non-licensed user be assigned action-items?
    No. You must be a user with at least Collaborator level permissions in order to be assigned an action item.

  • Can a non-licensed user view the status page?
    Yes. You do not need to be a licensed user on FireHydrant in order to view a status page. However, if you have an authenticated status page, a Viewer license will be required.