Gremlin Docs Logo
Go to app
Quick Start Guides
AWS Quick Start Guide
Reliability Management (RM) Quick Start Guide
Getting Started
Compatibility
Installing the Gremlin Agent
Authenticating the Gremlin Agent
Configuring the Gremlin Agent
Enabling DNS collection
Platform
Managing the Gremlin Agent
Updating Gremlin
Managing Users and Teams
Configuring Role Based Access Control (RBAC)
User Authentication via SAML and Okta
Integrations
Health Checks
Notifications
Restricting Testing Times
Command Line Interface
Reports
Reliability Management
Services and Dependencies
Detected Risks
Test Suites
Reliability Tests
Reliability Score
Fault Injection
Targets
Experiments
Scenarios
GameDays
Failure Flags
Deploying Failure Flags on AWS Lambda
Deploying Failure Flags on AWS ECS
Deploying Failure Flags on Kubernetes
Deploying Failure Flags on the Istio service mesh via Envoy
Installing the Failure Flags SDK
Running Failure Flags experiments
API Reference
Classes, methods, & attributes
API Keys
Examples
Security
Container security
Release Notes
General
Linux
Integration Agent for Linux
Windows
Chao
Helm
Failure Flags: Lambda Extension
Failure Flags: Sidecar
Resources
Gremlin User Community SlackBlogTutorialsGlossary
Start your 30 day free trial.
START FOR FREE
Docs Home
Platform
Configuring Role Based Access Control (RBAC)

Configuring Role Based Access Control (RBAC)

No items found.
Privilege Description
COMPANY_USERS_READAllows reading all user information within the company
COMPANY_USERS_WRITEAllows adding or removing of users to Company
ROLES_WRITEAllows editing roles within a company
TEAMS_READAllows viewing of all Teams
TEAMS_WRITEAllows modification of a given Team
USERS_READAllows reading all user information within the team
USERS_WRITEAllows for adding and editing of users on team
Note
Throughout the Gremlin docs, you'll see tables similar to the one shown above. This lists the relevant role-based access control (RBAC) privileges for the feature(s) described on the page. Clicking on any of the tables will return you to this page.

Gremlin provides role-based access control (RBAC) functionality that grants specific privileges to a role. These roles can then be assigned to users to apply the privileges to them. Any action taken in the Gremlin UI or API requires a specific privilege granted by a role. These privileges cannot be assigned independently of roles, although individual users can be assigned to more than one role at a time.

To view or edit users and roles, go to your company settings.

Roles

Roles are split into two categories: company roles, and team roles.

  • Team roles grant privileges for actions performed within a Gremlin team, such as starting an experiment, adding a client, or revoking a team API key.
  • Company roles grant privileges for actions performed outside the team, such as changing single sign-on (SSO) settings, creating new teams, or removing users from the company.

Though it is possible to create a role from scratch, we suggest that you instead pick an appropriate out-of-the-box role and clone that into new Team and Company Roles in order to add or remove privileges as desired.

Default roles

Gremlin provides the ability to set a Default Role for Companies and Teams. These provide privileges to a user automatically, based on their presence on the company or team.

Default Roles are pointers to out-of-the-box or custom roles which all users of that scope will receive automatically. A Default Team Role can be set at the company level, impacting all teams, and can be overridden on a per-team basis using the Initial Team Role.

The Initial Team Role will be granted to all users of a team, regardless of when they joined, but will override the Default Team Role set at the company level.

Note
Privilege assignment is always additive. Providing the user with a privilege in one role they hold, and not providing it for them in another they hold, will result in them receiving that privilege.

Company roles

The following table describes the privileges that are available for company roles, including the default roles.

Privilege Description Company Owner Company Sec Admin Company Manager Company Coordinator Company User
API_KEYS_READ Allows viewing users API keys ✔️ ✔️ ✔️ ✔️ ✔️
API_KEYS_WRITE Allows creating and managing users API keys ✔️ ✔️ ✔️ ✔️ ✔️
ALL_API_KEYS_READ Allows viewing all users API keys ✔️ ✔️
COMPANIES_READ Allows reading company properties and clients ✔️ ✔️ ✔️ ✔️ ✔️
COMPANIES_WRITE Allows creating and deleting teams ✔️ ✔️ ✔️
COMPANY_PREFERENCES_WRITE Allows modification of Company preferences ✔️ ✔️
COMPANY_SECURITY_WRITE Allows modification of Company security preferences ✔️ ✔️
COMPANY_USERS_READ Allows reading all user information within the company ✔️ ✔️
COMPANY_USERS_WRITE Allows adding or removing of users to Company ✔️ ✔️ ✔️
COMPANY_INTEGRATIONS_READ Allows reading all company integrations ✔️ ✔️ ✔️ ✔️ ✔️
COMPANY_INTEGRATIONS_WRITE Allows updating all company integrations ✔️ ✔️ ✔️ ✔️
RELIABILITY_REPORTS_READ Allows reading of Reliability Management (scores and risks) for Company ✔️ ✔️ ✔️ ✔️ ✔️
REPORTS_READ Allows reading all reports within the team ✔️ ✔️ ✔️ ✔️
ROLES_WRITE Allows editing roles within a company ✔️ ✔️
SECURITY_REPORTS_READ Allows read access to security logs ✔️ ✔️
TEAMS_READ Allows viewing of all Teams ✔️ ✔️ ✔️ ✔️ ✔️
TEST_SUITES_READ Allows reading of all test suits for a company ✔️ ✔️ ✔️ ✔️ ✔️
TEST_SUITES_WRITE Allows editing of all test suits for a company ✔️ ✔️ ✔️

Team roles

The following table describes the privileges that are available for team roles, including the default roles.

Privilege Description Company Owner Team Manager Team Credential Manager Team User Team Viewer
CLIENTS_READ Allows reading all client information within the team ✔️ ✔️ ✔️ ✔️
CLIENTS_WRITE Allows editing all client information within the team ✔️ ✔️ ✔️
EXPERIMENTS_READ Allows reading all experiment information within a team ✔️ ✔️ ✔️ ✔️
EXPERIMENTS_RUN Allows running an experiment within a team ✔️ ✔️ ✔️
EXPERIMENTS_WRITE Allows creating or updating an experiment for a team ✔️ ✔️ ✔️
FAULT_BLACKHOLE Allows performing blackhole experiments ✔️ ✔️ ✔️
FAULT_COLLECT_CERTS Allows performing certificate experiments ✔️ ✔️ ✔️
FAULT_CPU Allows performing CPU experiments ✔️ ✔️ ✔️
FAULT_DISK Allows performing disk experiments ✔️ ✔️ ✔️
FAULT_DNS Allows performing DNS experiments ✔️ ✔️ ✔️
FAULT_IO Allows performing I/O experiments ✔️ ✔️ ✔️
FAULT_LATENCY Allows performing latency experiments ✔️ ✔️ ✔️
FAULT_MEMORY Allows performing memory experiments ✔️ ✔️ ✔️
FAULT_PACKET_LOSS Allows performing packet loss experiments ✔️ ✔️ ✔️
FAULT_PROCESS_EXHAUSTION Allows performing process exhaustion experiments ✔️ ✔️ ✔️
FAULT_PROCESS_KILLER Allows performing process killer experiments ✔️ ✔️ ✔️
FAULT_SHUTDOWN Allows performing shutdown experiments ✔️ ✔️ ✔️
FAULT_TIME_TRAVEL Allows performing time travel experiments ✔️ ✔️ ✔️
HALT_WRITE Allows halting a specific experiment ✔️ ✔️ ✔️
IMAGES_READ Allows reading of images ✔️ ✔️ ✔️
IMAGES_WRITE Allows writing of images ✔️ ✔️ ✔️
INTEGRATIONS_READ Allows reading all team integrations ✔️ ✔️ ✔️ ✔️
INTEGRATIONS_WRITE Allows updating all team integrations ✔️ ✔️ ✔️
MINIMUM_TEAM_PRIVILEGES Allows access to Gremlin attacks, templates, schedules, API keys ✔️ ✔️ ✔️
REPORTS_READ Allows reading all reports for a Team ✔️ ✔️ ✔️
RELIABILITY_MANAGEMENT_READ Allows reading all RM services ✔️ ✔️ ✔️
RELIABILITY_MANAGEMENT_RUN Allows running of an RM test for a Team ✔️ ✔️ ✔️
SCHEDULES_READ Allows viewing a Schedule for a Team ✔️ ✔️ ✔️
SCHEDULES_WRITE Allows adding and updating a Schedule for a Team ✔️ ✔️ ✔️
SCENARIO_SHARE_WRITE Allows sharing scenarios with other teams within the company ✔️ ✔️ ✔️
SCENARIOS_READ Allows reading all scenario information within a team ✔️ ✔️ ✔️ ✔️
SCENARIOS_RUN Allows running scenarios within a team ✔️ ✔️ ✔️
SCENARIOS_WRITE Allows creating new scenarios within a team ✔️ ✔️ ✔️
SERVICES_READ Allows reading information about services and reliability management ✔️ ✔️ ✔️
SERVICES_WRITE Allows writing to manage services and reliability management ✔️ ✔️ ✔️
TEAM_SECURITY_READ Allows reading of team related credential information ✔️ ✔️ ✔️
TEAM_SECURITY_WRITE Allows writing of tream related credential information ✔️ ✔️ ✔️
TEAMS_WRITE Allows modification of a given Team ✔️ ✔️
USERS_READ Allows reading all user information within the team ✔️ ✔️ ✔️ ✔️
USERS_WRITE Allows for adding and editing of users on team ✔️ ✔️
WEBHOOKS_READ Allows reading of Team webhooks ✔️ ✔️ ✔️
WEBHOOKS_WRITE Allows editing of Team webhooks ✔️ ✔️ ✔️

Note
An asterisk(*) next to the role name means the role is hidden in the UI. It can only be set via an API call.

FAQs

Is a user required to have both team and company roles?

No. All roles are granted independently of each other.

Do I have to have a team role to run experiments?

Yes. To run experiments for a team, you need user privileges or higher for that team.

User Authentication via SAML and Okta
Previous
Previous
Integrations
Next
Next
On this page
Back to top