Role-Based Access Controls (RBAC)

User roles in FireHydrant

User roles in FireHydrant

FireHydrant offers user roles to help restrict and define access to parts of the platform, enabling you to create a secure and scalable incident management process.

Users, Roles, and Definitions

Licensed and Unlicensed users

  • Licensed users - Users with FireHydrant accounts and login access, split into 4 access roles (see next section)
  • Unlicensed users - Everyone else. Users who cannot log in and perform the vast majority of actions with one exception.

Any user in Slack, including unlicensed, can join an incident channel, keep tabs on an open incident, and participate in conversations. However, unlicensed users can't take any actions that change the incident state, such as running most commands, posting updates, assigning/completing tasks, being assigned roles, etc.

Predefined Access Roles

FireHydrant offers four access roles out-of-box.

  • Owner: Full access to the full platform, including user administration, integrations, API Keys, and other organization settings
  • Member: Full access to update incident management processes, Runbooks, Settings, Teams, and Alert configurations
  • Collaborator: Basic incident response access but cannot update settings or Runbooks. Same as Viewer for creating and responding to alerts if assigned
  • Viewer: Read-only access to incidents and analytics in the FireHydrant web app. Ability to create and respond to alerts if they're assigned

Alerting Permissions

ActionOwnerMemberCollaboratorViewer
Create Alerts and Send Pages
Read Alerts
Respond to Alerts
Read Alert Grouping
Read Alert Rules/Triggers
Read Call Routes
Read Escalation Policies
Read Event Sources
Read On-Call Schedules & Shifts
Request Coverage, Claim Shifts
Read Webhook Targets
Manage Personal Notification Preferences
Manage On-Call Shifts/Shift Overrides
Manage Alert Grouping
Manage Alert Rules/Triggers
Manage Call Routes
Manage Escalation Policies
Manage Event Sources
Manage On-Call Schedules
Manage Team Support Hours
Manage Webhook Targets

Analytics Permissions

ActionOwnerMemberCollaboratorViewer
Read Analytics

Incident Management Permissions

ActionOwnerMemberCollaboratorViewer
Create Incidents (manually or from Alerts)
Invited to Slack incident channels
Read Incidents
Read Incident Settings
Read Status Templates
Run General Slack Commands
View Internal and External Status Pages
Manage Incidents
↳ Assigned Incident Roles
↳ Assigned Tasks and Follow-Ups
↳ Attach/Execute Runbooks
↳ Manage Incidents in the Web App
↳ Participate in Retrospectives
↳ Post Incident Updates
↳ Run Slack or MS Teams Chatbot Commands
↳ Star Events or Other Incident Timeline Actions
Manage Incident Settings
Conduct and Access Private Incidents**
Manage Status Templates

📘

**Note

Users without private incident access (all-encompassing) can be added to individual private incidents on an ad-hoc basis by people who do have access. See Private Incidents for more information.

Integration Management Permissions

ActionOwnerMemberCollaboratorViewer
Read Integrations
Read Webhooks Integrations
Read Organization Secrets
Manage Integrations
Manage Organization Secrets
Manage Webhooks Integrations

Resource Management Permissions

ActionOwnerMemberCollaboratorViewer
Read Audiences
Read Change Events
Read Conversations
Read Organization Settings
Read Runbooks
Read Service Catalog
Read Teams
Manage Audiences
Manage Change Events
Manage Conversations
Manage Runbooks
Manage Service Catalog
Manage Teams
Manage Organization Settings
Read Audit Logs

User Access Control Permissions

ActionOwnerMemberCollaboratorViewer
Read Roles & Permissions
Read Users
Read API Keys
Manage API Keys
Manage Roles & Permissions
Manage Users

Commonly-asked questions

Can an unlicensed user access incident retrospectives?

FireHydrant's incidents and retrospectives are a part of the web application and require a license to access. Retrospectives can be exported as PDF or supported integrations like Confluence and Google Docs to be shared broadly.

For more information, visit Preview & Export Retrospectives.

Can a Viewer or non-licensed user “star” events to be included in the export timeline?

Starring events is considered a state-altering action, and subsequently is not available for the default Viewer role or anyone without Manage Incidents permission.

If a Viewer or unlicensed user posts chat messages into the incident Slack or Microsoft Teams channel, will those still be recorded by FireHydrant into the timeline

Yes, all messages in incident channels are recorded in the incident timeline regardless of who they're from.

Can a Viewer or non-licensed user be assigned action-items?

Users must at least have Manage Incidents permissions or be Collaborator+ (of the out-of-box roles).

Can a non-licensed user view the status page?

Yes. You do not need to be a licensed user on FireHydrant to view a status page.