RBAC roles in ColorTokens Spectrum
Role-based Access Control (RBAC) controls which users can access the organizations and the instances of the ColorTokens apps from the ColorTokens Spectrum portal. A Spectrum user account is linked to the email address of the user. Users are invited to the organizations and the app instances by email.
RBAC roles
You can assign one of the following roles to a Spectrum user account. See RBAC role privileges for more details about the privileges assigned to these roles.
| Role name | Description |
| --- | --- |
| SaaS Admin | a ColorTokens representative with the 'super admin' privileges to all or selected organizations and their instances, and the user management and authentication features in Spectrum |
| Org Admin | a user with administrative privileges to an organization and all its instances, and the user management and authentication features in Spectrum |
| Admin | a user with administrative privileges to all the instances, and to create all types of users |
| Instance Manager | an instance-specific user with administrative, scoped, or read-only privileges to the instances (across one or more organizations) to which they are added |
| User Manager | an instance-specific user with privileges to only the user management features |
| Tech Support User | a ColorTokens or ColorTokens-certified, third-party Technical Support representative with administrative privileges to the instances (across one or more organizations) to which they are added |
| Read Only | a user with read-only privileges for all the instances (across one or more organizations) to which they are added |
Types of roles
Broadly, the roles in Spectrum can be categorized into App management roles and User management roles.
App management roles
Org Admin, Admin, Instance Manager, Read Only users, and Tech Support User are App management roles. By design, Org Admins and Admins are the administrators for all the instances in an Organization. Instance Managers and Tech Support Users are added at the level of an Xshield or Xprotect instance in the organization. See RBAC role privileges for more details.
The Instance Manager role can be further customized into the following four sub-roles: Instance Admin (Full Access), Instance Observer (Read Only), Policy Manager, and Asset Manager. For the complete list of app-specific privileges assigned to the Instance Manager sub-roles in Xshield and Xprotect, see RBAC roles in Xshield and RBAC roles in Xprotect.
User management roles
User Manager is a User management role. User Managers are added at the level of an instance, and they can add all types of users to the instance to which they are added.
Roles and users
You can add users with the following RBAC roles: Org Admin, Admin, Instance Manager, User Manager, Read Only, and Tech Support User. SaaS Admins are added and managed by ColorTokens.
RBAC role privileges
See the following table for the privileges assigned to the RBAC roles in Spectrum.
| | SaaS Admin | Org Admin | Admin | Instance Manager | User Manager | Read Only | Tech Support User |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Organizations | Add, Edit, Delete, Switch | Switch | Switch | Switch | Switch | Switch | Switch |
| Org Admins | Add, Remove | Add | X | X | X | X | X |
| Admins | X | Add, Remove | Add, Remove | X | Add, Remove | X | Add, Remove |
| Instances | Add | Launch | Launch | Launch | X | Launch | Launch |
| Licenses | X | See | See | See | X | See | See |
| Instance Managers | X | Add, Remove | Add, Remove | X | Add, Remove | X | Add, Remove |
| Read Only Users | X | Add, Remove | Add, Remove | X | Add, Remove | X | Add, Remove |
| Tech Support Users | Add, Remove | Add, Remove | Add, Remove | X | Add, Remove | X | Add, Remove |
| User Managers | X | Add, Remove | Add, Remove | X | Add, Remove | X | X |
| SAML | Enable, Disable | Enable, Disable | X | X | X | X | X |
| MFA | Enable, Disable | Enable, Disable | X | X | X | X | X |
| Activity log | See | See | See | See | See | See | See |
| Cloud status | Monitor | Monitor | Monitor | Monitor | X | Monitor | Monitor |
| Cluster | Add, Edit, Delete | X | X | X | X | X | X |
| Agent status | Monitor | X | X | X | X | X | Monitor |
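
An access-review sketch built on the table above (an added example, not ColorTokens code): it reads the six user-management rows as a grant graph and computes which roles each role can reach through a chain of additions, and whether any chain reaches a role that can enable or disable SAML or MFA. It assumes "Add" means the role can create a user holding that role and ignores organization and instance scoping, so the result is an upper bound; the function names are hypothetical.

```python
# Added example: grant graph transcribed from the privilege table on this page.
# Assumption: "Add" in a row means the column's role can create a user holding
# the row's role. Org/instance scoping is ignored, so results are an upper bound.
# Function and constant names are hypothetical.

# Roles below Org Admin that appear as rows in the table.
BELOW_ORG_ADMIN = {"Admin", "Instance Manager", "Read Only",
                   "Tech Support User", "User Manager"}

# granter -> roles it can add (rows Org Admins, Admins, Instance Managers,
# Read Only Users, Tech Support Users, User Managers).
CAN_ADD = {
    "SaaS Admin": {"Org Admin", "Tech Support User"},
    "Org Admin": {"Org Admin"} | BELOW_ORG_ADMIN,
    "Admin": set(BELOW_ORG_ADMIN),
    "Instance Manager": set(),
    "User Manager": set(BELOW_ORG_ADMIN),
    "Read Only": set(),
    "Tech Support User": BELOW_ORG_ADMIN - {"User Manager"},
}

# SAML and MFA rows: only these roles have Enable/Disable.
AUTH_SETTINGS = {"SaaS Admin", "Org Admin"}


def reachable_roles(start):
    """Every role obtainable from `start` by following Add grants transitively."""
    seen, stack = {start}, [start]
    while stack:
        for role in CAN_ADD[stack.pop()]:
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def indirect_grants(start):
    """Roles `start` cannot add directly but can reach via an intermediate role."""
    return reachable_roles(start) - CAN_ADD[start] - {start}


def can_reach_auth_settings(start):
    """True if some grant chain from `start` ends in a role that controls SAML/MFA."""
    return bool(reachable_roles(start) & AUTH_SETTINGS)


if __name__ == "__main__":
    for role in CAN_ADD:
        print(f"{role:18} indirect={sorted(indirect_grants(role))} "
              f"auth_settings={can_reach_auth_settings(role)}")
```

Under these assumptions the only indirect grant below SaaS Admin is Tech Support User reaching User Manager through Admin, and no role below Org Admin reaches the SAML or MFA settings.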