Role-Based Access Controls (RBAC)
User roles in FireHydrant
FireHydrant offers user roles to help restrict and define access to parts of the platform, enabling you to create a secure and scalable incident management process.
Users, Roles, and Definitions
Licensed and Unlicensed users
- Licensed users - Users with FireHydrant accounts and login access, split into 4 access roles (see next section)
- Unlicensed users - Everyone else. Users who cannot log in and perform the vast majority of actions with one exception.
Because we believe in helping teams build cultures with open Incident Management processes, any users, including unlicensed users** can declare a new incident within your Slack workspace:
/fh new # Command aliases include /firehydrant and /incident
Additionally, any user in Slack, including unlicensed, can join an incident channel, keep tabs on an open incident, and participate in conversations. However, unlicensed users can't take any actions that change the incident state, such as running most commands, posting updates, assigning/completing tasks, etc.
**Note:
You can disable allowing non-licensed users from opening incidents in your Slack integration settings.
Licensed user roles
For any users who need to respond to alerts and incidents or generally access the FireHydrant platform, you will want to create a licensed user account and assign them a role. We offer four access roles:
- Viewer: Read-only access to incidents and analytics in the FireHydrant web app. Ability to create and respond to alerts they're assigned to
- Collaborator: Basic incident response access but cannot update settings or Runbooks. Same as Viewer for creating and responding to alerts
- Member: Full access to update incident management processes, Runbooks, Settings, Teams, and Alert configurations
- Owner: Full access to the full platform, including user administration, integrations, API Keys, and other organization settings
Permissions for Alerting
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Send Alerts/Page Others | ✅ | ✅ | ✅ | ✅ |
| Respond to Alerts | ✅ | ✅ | ✅ | ✅ |
| Request Coverage and Claim Shifts | ✅ | ✅ | ✅ | ✅ |
| Manage Personal Notification Preferences | ✅ | ✅ | ✅ | ✅ |
| Override Shifts | ✅ | ✅ | ||
| Configure Event Sources | ✅ | ✅ | ||
| Manage On-Call Schedules | ✅ | ✅ | ||
| Manage Escalation Policies | ✅ | ✅ | ||
| Manage Alert Rules/Triggers | ✅ | ✅ |
Permissions for IM and Platform
Below is a table denoting the complete list of actions and whether each role/user type can perform it.
| Action | Owner | Member | Collaborator | Viewer |
|---|---|---|---|---|
| Declare Incidents or Escalate Incidents from Alerts | ✅ | ✅ | ✅ | ✅ |
| Invited to Slack incident channels | ✅ | ✅ | ✅ | ✅ |
| Access UI & view Analytics | ✅ | ✅ | ✅ | ✅ |
| Slack General Commands | ✅ | ✅ | ✅ | ✅ |
| Respond to Incidents | ✅ | ✅ | ✅ | |
| ↳ Slack Incident Commands | ✅ | ✅ | ✅ | |
| ↳ Manage Incident in the UI | ✅ | ✅ | ✅ | |
| ↳ Assigned Incident Roles | ✅ | ✅ | ✅ | |
| ↳ Assigned Tasks and Follow-Ups | ✅ | ✅ | ✅ | |
| ↳ Participate in Retrospectives | ✅ | ✅ | ✅ | |
| Manage Incident Settings | ✅ | ✅ | ||
| Manage Runbooks | ✅ | ✅ | ||
| Manage Service Catalog | ✅ | ✅ | ||
| Manage Teams | ✅ | ✅ | ||
| Manage API Keys | ✅ | |||
| Manage Integrations, including Webhooks | ✅ | |||
| Manage Status Templates | ✅ | |||
| Manage Users | ✅ |
Configuring Roles
Any Owner can navigate to the User settings page in FireHydrant and update another user's role.
Additionally, you can update user roles using our SCIM API and your IDP (Okta, Active Directory, etc.). Read our SSO with SCIM docs to learn about provisioning users and roles.
Commonly-asked questions
-
Can a non-licensed user access the retrospective?
A non-responding user can only access a retrospective after the PDF is published and exported. The options to access a retrospective before completion also requires being a FireHydrant user with at least Viewer permissions. -
Can a Viewer or non-licensed user “star” events to be included in the starred incident timeline?
This option is only currently available for users with at least Collaborator level permissions. -
Can a Viewer or non-licensed user’s chat messages on Slack still be recorded within the incident timeline?
Yes. Any Slack users are still able to join the channel and have their messages recorded within the incident timeline. -
Can a Viewer or non-licensed user be assigned action-items?
No. You must be a user with at least Collaborator level permissions in order to be assigned an action item. -
Can a non-licensed user view the status page?
Yes. You do not need to be a licensed user on FireHydrant in order to view a status page. However, if you have an authenticated status page, a Viewer license will be required.
Updated 2 months ago