Role Assignment
Overview
ASCEND implements a comprehensive Role-Based Access Control (RBAC) system with five primary roles and a six-level access hierarchy. This dual-layer approach provides both familiar role names and granular permission control, enabling precise access management for enterprise security requirements.
Prerequisites
- Admin or Super_Admin role to manage roles
- Understanding of your organization's access requirements
- Knowledge of compliance requirements (SOC 2, HIPAA, PCI-DSS)
Role Definitions
Primary Roles
ASCEND provides five predefined roles, each with specific capabilities:
| Role | Value | Description | Access Level |
|---|---|---|---|
| Viewer | viewer | Read-only access to dashboards | 1 (Basic) |
| Analyst | analyst | Create rules and view alerts | 2 (Power) |
| Admin | admin | Full access except billing | 4 (Admin) |
| Super_Admin | super_admin | Executive-level privileges | 5 (Executive) |
| Org_Admin | org_admin | Full administrative access | 5 (Executive) |
Access Level Hierarchy
The RBAC system uses six access levels (0-5) for fine-grained control:
| Level | Name | Description |
|---|---|---|
| 0 | Restricted | Suspended/probationary users |
| 1 | Basic | Standard users - dashboard only |
| 2 | Power | Power users - analytics + alerts |
| 3 | Manager | Managers - authorization capabilities |
| 4 | Administrator | Full system access |
| 5 | Executive | All privileges + reporting |
Step-by-Step Guide
Changing a User's Role
- Navigate to Admin Console > Users tab
- Locate the user in the table
- Find the "Role" column with dropdown selector
- Select the new role from dropdown
- Confirm the change (automatic save)
- Success toast appears
Granting Organization Admin
- Open user's action menu (three-dot icon)
- Select "Edit Profile"
- Toggle "Organization Admin" checkbox
- Click "Save Changes"
- User gains the is_org_admin flag
Bulk Role Changes
- Select multiple users using checkboxes
- Click "Change Role" in bulk action bar
- Select new role from dropdown
- Provide reason for audit trail
- Click "Confirm Role Change"
Permission Matrix
Feature Access by Role
| Feature | Viewer | Analyst | Admin | Super_Admin | Org_Admin |
|---|---|---|---|---|---|
| Dashboard (View) | Yes | Yes | Yes | Yes | Yes |
| Analytics (View) | Yes | Yes | Yes | Yes | Yes |
| Analytics (Export) | No | Yes | Yes | Yes | Yes |
| Alerts (View) | Yes | Yes | Yes | Yes | Yes |
| Alerts (Acknowledge) | No | Yes | Yes | Yes | Yes |
| Alerts (Dismiss) | No | No | Yes | Yes | Yes |
| Rules (View) | No | Yes | Yes | Yes | Yes |
| Rules (Create) | No | Yes | Yes | Yes | Yes |
| Rules (Modify) | No | Yes | Yes | Yes | Yes |
| Rules (Delete) | No | No | Yes | Yes | Yes |
| Authorization Center | No | No | Yes | Yes | No |
| AI Rule Engine | No | No | Yes | Yes | No |
| Settings | No | No | Yes | Yes | No |
| Admin Console | No | No | No | Yes | Yes |
| User Management | No | No | No | Yes | Yes |
| Billing | No | No | No | Yes | Yes |
| API Key Management | No | No | Yes | Yes | No |
Authorization Approval by Level
| Approval Type | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Low Risk | No | No | No | Yes | Yes |
| Medium Risk | No | No | Yes | Yes | Yes |
| High Risk | No | No | No | Yes | Yes |
| Critical Risk | No | No | No | No | Yes |
| Emergency Override | No | No | No | No | Yes |
Role Descriptions
Viewer (Level 1)
The Viewer role provides read-only access for stakeholders who need visibility without modification capabilities.
Typical Users:
- Executive sponsors
- Auditors
- Compliance officers
- External consultants
Capabilities:
- View dashboard metrics
- View analytics reports
- View alert summaries
- No modification permissions
Limitations:
- Cannot acknowledge or dismiss alerts
- Cannot create or modify rules
- Cannot approve actions
- Cannot access admin functions
Analyst (Level 2)
The Analyst role enables security team members to actively work with alerts and rules.
Typical Users:
- Security analysts
- SOC team members
- DevSecOps engineers
- Security researchers
Capabilities:
- All Viewer permissions
- Acknowledge alerts
- Create and modify rules
- Export analytics data
- View authorization queue
Limitations:
- Cannot dismiss alerts
- Cannot delete rules
- Cannot approve actions
- Cannot manage users
Admin (Level 4)
The Admin role provides full operational control for security managers and team leads.
Typical Users:
- Security managers
- Team leads
- Senior analysts
- Security architects
Capabilities:
- All Analyst permissions
- Dismiss alerts
- Delete rules
- Approve low/medium/high risk actions
- Manage API keys
- Configure settings
Limitations:
- Cannot approve critical actions
- Cannot use emergency override
- Cannot manage billing
- Cannot manage other admins
Super_Admin (Level 5)
The Super_Admin role provides executive-level access with complete platform control.
Typical Users:
- CISOs
- Security directors
- IT executives
- Platform owners
Capabilities:
- All Admin permissions
- Approve critical actions
- Emergency override capability
- Full user management
- Billing management
- All audit access
Special Powers:
- Can approve any action regardless of risk level
- Can override policies in emergencies
- Can delete audit logs (where permitted)
- Can manage all users including other admins
Org_Admin (Level 5)
The Org_Admin role focuses on organizational administration rather than security operations.
Typical Users:
- Organization owners
- Account managers
- Administrative staff
Capabilities:
- Admin Console access
- User management
- Organization settings
- Billing management
Note: Org_Admin does not automatically grant access to security operations features like the Authorization Center or AI Rule Engine.
Configuration Options
| Option | Description | Default |
|---|---|---|
| role | Primary role name | viewer |
| is_org_admin | Organization admin flag | false |
| approval_level | RBAC access level (0-5) | Derived from role |
| is_emergency_approver | Can use emergency override | false |
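The tables above (Primary Roles, Access Level Hierarchy, Feature Access by Role, Authorization Approval by Level) and the configuration options can be read as one policy. The following is an added example written for this page, not ASCEND's own code: it encodes those tables verbatim and evaluates feature access and approval rights for a user, including the documented defaults (approval_level derived from role, is_emergency_approver false). The Principal class, the function names, the deny-by-default handling of level 0 (which has no column in the approval table) and the treatment of is_org_admin as adding the Org_Admin column's rights on top of the primary role are assumptions made for the example.

```python
"""Added example (not ASCEND's own code): a policy evaluator that encodes this
page's Primary Roles table, Feature Access by Role matrix, Authorization
Approval by Level table and the role / is_org_admin / approval_level /
is_emergency_approver options. Class and function names are assumptions."""

from dataclasses import dataclass
from typing import Optional

# Primary Roles table: role value -> access level.
ROLE_LEVELS = {"viewer": 1, "analyst": 2, "admin": 4, "super_admin": 5, "org_admin": 5}

# Column order of the Feature Access by Role matrix.
ROLE_COLUMNS = ("viewer", "analyst", "admin", "super_admin", "org_admin")

# One row per feature, Y/N per column in ROLE_COLUMNS order (copied from the matrix).
FEATURE_MATRIX = {
    "Dashboard (View)": "YYYYY",
    "Analytics (View)": "YYYYY",
    "Analytics (Export)": "NYYYY",
    "Alerts (View)": "YYYYY",
    "Alerts (Acknowledge)": "NYYYY",
    "Alerts (Dismiss)": "NNYYY",
    "Rules (View)": "NYYYY",
    "Rules (Create)": "NYYYY",
    "Rules (Modify)": "NYYYY",
    "Rules (Delete)": "NNYYY",
    "Authorization Center": "NNYYN",
    "AI Rule Engine": "NNYYN",
    "Settings": "NNYYN",
    "Admin Console": "NNNYY",
    "User Management": "NNNYY",
    "Billing": "NNNYY",
    "API Key Management": "NNYYN",
}

# Authorization Approval by Level: columns are levels 1..5 (level 0 has no column).
LEVEL_COLUMNS = (1, 2, 3, 4, 5)
APPROVAL_MATRIX = {
    "Low Risk": "NNNYY",
    "Medium Risk": "NNYYY",
    "High Risk": "NNNYY",
    "Critical Risk": "NNNNY",
    "Emergency Override": "NNNNY",
}


@dataclass(frozen=True)
class Principal:
    role: str
    access_level: Optional[int] = None  # the approval_level option; None = derived from role
    is_org_admin: bool = False
    is_emergency_approver: bool = False


def effective_level(p: Principal) -> int:
    """Access level in effect: the explicit option if set, else the role's derived level."""
    if p.role not in ROLE_LEVELS:
        raise ValueError(f"unknown role: {p.role!r}")
    return ROLE_LEVELS[p.role] if p.access_level is None else p.access_level


def role_level_mismatch(p: Principal) -> bool:
    """True when an explicit access level differs from the role's derived level
    (the "Partial access" cause in the troubleshooting table)."""
    return p.access_level is not None and p.access_level != ROLE_LEVELS[p.role]


def can_use_feature(p: Principal, feature: str) -> bool:
    """Feature matrix lookup; unknown features and roles are denied by default.
    Assumption: is_org_admin adds the Org_Admin column's rights on top of the
    primary role, because the page grants that flag separately from the role."""
    row = FEATURE_MATRIX.get(feature)
    if row is None or p.role not in ROLE_COLUMNS:
        return False
    if row[ROLE_COLUMNS.index(p.role)] == "Y":
        return True
    return p.is_org_admin and row[ROLE_COLUMNS.index("org_admin")] == "Y"


def can_approve(p: Principal, approval_type: str) -> bool:
    """Approval table lookup by effective level. Level 0 (Restricted) is denied
    because the table has no column for it. Emergency Override additionally
    requires the is_emergency_approver option, which defaults to false."""
    row = APPROVAL_MATRIX.get(approval_type)
    level = effective_level(p)
    if row is None or level not in LEVEL_COLUMNS:
        return False
    if approval_type == "Emergency Override" and not p.is_emergency_approver:
        return False
    return row[LEVEL_COLUMNS.index(level)] == "Y"
```

Reading the tables through code surfaces the details a reviewer should confirm with the product owner before relying on them: an Analyst whose approval_level was raised to 3 can approve Medium Risk but not Low Risk actions, exactly as the approval table is printed, and a Super_Admin cannot use Emergency Override until is_emergency_approver is set.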
Best Practices
- Follow Least Privilege
  - Start users with Viewer role
  - Upgrade only when business need is demonstrated
  - Document justification for elevated roles
- Separate Duties
  - Use different roles for rule creation vs. approval
  - Avoid combining Org_Admin with operational roles
  - Require multiple approvers for critical actions
- Regular Reviews
  - Audit role assignments quarterly
  - Review elevated privileges monthly
  - Remove unnecessary admin access promptly
- Document Role Decisions
  - Record why each user has their role
  - Track role change requests
  - Maintain approval records
- Emergency Access Management
  - Limit emergency approvers to 2-3 users
  - Review emergency override usage
  - Require post-incident justification
API Reference
Update User Role
PATCH /api/admin/users/{user_id}/role
Authorization: Bearer <token>
X-CSRF-Token: <csrf_token>
Content-Type: application/json
{
"role": "admin",
"is_org_admin": false,
"access_level": 4
}
Response:
{
"success": true,
"message": "User role updated"
}
Update Access Level Only
PATCH /api/admin/users/{user_id}/access-level
Authorization: Bearer <token>
X-CSRF-Token: <csrf_token>
Content-Type: application/json
{
"access_level": 3,
"reason": "Promoted to team lead"
}
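The role endpoint above is where the rules scattered across this page (Admin or Super_Admin required to manage roles, owner role cannot be changed, self-demotion blocked, Admin cannot manage other admins, CSRF token on every request) have to be enforced server-side. The following is an added example, not ASCEND's own implementation, of a guard for PATCH /api/admin/users/{user_id}/role that returns the documented 403 for each of those cases and the documented success body otherwise. The User class, handle_role_update, the session_csrf argument, the 400 responses for malformed bodies and the exact error messages are assumptions for the example.

```python
"""Added example (not ASCEND's own code): server-side authorization guard for
PATCH /api/admin/users/{user_id}/role, enforcing the rules stated on this page.
Names (User, handle_role_update, session_csrf, error messages) are assumptions."""

from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

VALID_ROLES = ("viewer", "analyst", "admin", "super_admin", "org_admin")
ROLE_LEVELS = {"viewer": 1, "analyst": 2, "admin": 4, "super_admin": 5, "org_admin": 5}
ADMIN_ROLES = ("admin", "super_admin")  # roles allowed to manage roles (Prerequisites)

Response = Tuple[int, Dict[str, Any]]


@dataclass
class User:
    user_id: str
    role: str
    is_org_admin: bool = False
    is_owner: bool = False              # organization owner (troubleshooting table)
    access_level: Optional[int] = None  # None = derived from role


def _deny(message: str) -> Response:
    return 403, {"success": False, "message": message}


def _bad_request(message: str) -> Response:
    return 400, {"success": False, "message": message}


def handle_role_update(caller: User, target: User, body: Dict[str, Any],
                       headers: Dict[str, str], session_csrf: str) -> Response:
    """Validate and apply a role change. Returns (HTTP status, JSON body)."""
    # The documented request carries X-CSRF-Token; it must match the session's token.
    if headers.get("X-CSRF-Token") != session_csrf:
        return _deny("Missing or invalid CSRF token")
    # "403 Error: Only admins can change roles"
    if caller.role not in ADMIN_ROLES:
        return _deny("Only admins can change roles")
    # "Dropdown disabled: Owner role cannot be changed"
    if target.is_owner:
        return _deny("Owner role cannot be changed")

    # Body validation: role must be one of the five values, access_level 0-5.
    new_role = body.get("role")
    if new_role not in VALID_ROLES:
        return _bad_request("Unknown role")
    level = body.get("access_level", ROLE_LEVELS[new_role])  # default: derived from role
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 5:
        return _bad_request("access_level must be an integer 0-5")
    is_org_admin = body.get("is_org_admin", target.is_org_admin)
    if not isinstance(is_org_admin, bool):
        return _bad_request("is_org_admin must be a boolean")

    # "Cannot demote self: another admin must change your role"
    if caller.user_id == target.user_id and ROLE_LEVELS[new_role] < ROLE_LEVELS[caller.role]:
        return _deny("Self-demotion blocked: another admin must change your role")
    # Admin limitation "Cannot manage other admins": an Admin may neither change an
    # existing admin nor grant an admin-class role (which also blocks self-escalation).
    if caller.role == "admin" and (target.role in ADMIN_ROLES or new_role in ADMIN_ROLES):
        return _deny("Admin cannot manage other admins")

    target.role = new_role
    target.access_level = level
    target.is_org_admin = is_org_admin
    return 200, {"success": True, "message": "User role updated"}
```

Ordering matters: the self-demotion and admin-on-admin checks run only after the body is validated, so a malformed request is rejected as 400 rather than being reasoned about, and the CSRF check runs first so that a forged cross-site request never reaches the role logic at all.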
Compliance Mapping
| Requirement | Standard | Role Implementation |
|---|---|---|
| Access control | SOC 2 CC6.1 | Five distinct roles |
| Segregation of duties | SOC 2 CC6.3 | Role separation |
| Unique identification | HIPAA 164.312(a)(2)(i) | Per-user role assignment |
| Access authorization | PCI-DSS 7.1 | Role-based permissions |
| Least privilege | NIST AC-6 | Graduated access levels |
| Account management | NIST AC-2 | Role lifecycle management |
Troubleshooting
Cannot Change User Role
| Issue | Cause | Solution |
|---|---|---|
| Dropdown disabled | User is organization owner | Owner role cannot be changed |
| 403 Error | Insufficient privileges | Only admins can change roles |
| Cannot demote self | Self-demotion blocked | Another admin must change your role |
Access Not Working After Role Change
| Issue | Cause | Solution |
|---|---|---|
| Old permissions active | Browser cache | Clear cache and refresh |
| New permissions missing | Token not refreshed | User should log out and back in |
| Partial access | Role/level mismatch | Verify both role and access_level |
Related
- User Management Overview - User lifecycle
- Inviting Users - Role assignment during invite
- Admin Console - Role-restricted access