From ead25b892a2a12c36a9dc19dfefb5eac739825fc Mon Sep 17 00:00:00 2001 From: damians-filigran Date: Tue, 3 Mar 2026 13:45:19 +1100 Subject: [PATCH] Expand capabilities section in users and RBAC documentation Added a detailed list of capabilities in OpenAEV with hierarchical organization and examples of roles. --- docs/administration/users-and-rbac.md | 64 ++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 6 deletions(-) diff --git a/docs/administration/users-and-rbac.md b/docs/administration/users-and-rbac.md index 6ae47e2d..b78366a6 100644 --- a/docs/administration/users-and-rbac.md +++ b/docs/administration/users-and-rbac.md 
@@ -55,13 +55,63 @@ To create a new role in OpenAEV: 1. Go to **Settings → Security → Roles**. 2. Click on **Create role**. Enter a **name** and an optional **description** for the role -3. Select the **capabilities** that should be included in this role, such as: - - Access assets - - Manage dashboards - - Delete documents - - ... +3. Select the **capabilities** that should be included in this role. 4. Save the role. +### Capabilities + +Capabilities in OpenAEV are organized hierarchically. A parent capability (e.g. `Access assessment`) must be granted before its children (e.g. `Manage assessment`, `Delete assessment`) can be assigned. Indentation below reflects this hierarchy. + +Below is a full list of capabilities in OpenAEV + +| Capability | Description | +|:-----------|:------------| +| `Bypass (user has all rights)` | Grants unconditional access to all platform features, bypassing every individual capability check and any data segregation enforcement. | +| **Assessments: Scenarios, simulations and atomic testings** | | +| `Access assessment` | Read-only access to assessments, including scenarios, simulations and atomic tests. | +|   `Manage assessment` | Create and update assessments (scenarios, simulations, atomic tests). Requires *Access assessment*. | +|     `Delete assessment` | Permanently delete assessments. Requires *Manage assessment*. | +|   `Launch assessment` | Execute / run an assessment against defined targets. Requires *Access assessment*. | +| **Targets** | | +| `Access teams & players` | Read-only access to teams and player definitions used as assessment targets. | +|   `Manage teams & players` | Create and update teams and players. Requires *Access teams & players*. | +|     `Delete teams & players` | Permanently delete teams and players. Requires *Manage teams & players*. | +| `Access assets` | Read-only access to asset inventory (hosts, endpoints, and other infrastructure targets). 
| +|   `Manage assets` | Create and update assets in the inventory. Requires *Access assets*. | +|     `Delete assets` | Permanently delete assets from the inventory. Requires *Manage assets*. | +| `Access security platforms` | Read-only access to integrated security platform configurations (e.g. SIEM, EDR, firewall connectors). | +|   `Manage security platforms` | Create and update security platform integrations. Requires *Access security platforms*. | +|     `Delete security platforms` | Permanently delete security platform integrations. Requires *Manage security platforms*. | +| **Payloads** | | +| `Access payloads` | Read-only access to the payload library (attack scripts, tools, and techniques used in simulations). | +|   `Manage payloads` | Create and update payloads in the library. Requires *Access payloads*. | +|     `Delete payloads` | Permanently delete payloads from the library. Requires *Manage payloads*. | +| **Dashboards** | | +| `Access dashboards` | Read-only access to platform dashboards and their visualizations. | +|   `Manage dashboards` | Create, update, and configure dashboards. Requires *Access dashboards*. | +|     `Delete dashboards` | Permanently delete dashboards. Requires *Manage dashboards*. | +| **Findings** | | +| `Access findings` | Read-only access to assessment findings and results generated from simulations and atomic tests. | +| **Content** | | +| `Access documents` | Read-only access to documents stored in the platform (reports, attachments, playbooks). | +|   `Manage documents` | Upload, create, and update documents. Requires *Access documents*. | +|     `Delete documents` | Permanently delete documents. Requires *Manage documents*. | +| `Access channels` | Read-only access to communication channels used to deliver exercise injects to players. | +|   `Manage channels` | Create and update channels. Requires *Access channels*. | +|     `Delete channels` | Permanently delete channels. Requires *Manage channels*. 
| +| `Access challenges` | Read-only access to challenges (CTF-style tasks or objectives assigned to players during exercises). | +|   `Manage challenges` | Create and update challenges. Requires *Access challenges*. | +|     `Delete challenges` | Permanently delete challenges. Requires *Manage challenges*. | +| `Access lessons learned` | Read-only access to lessons learned records captured after assessments or exercises. | +|   `Manage lessons learned` | Create and update lessons learned entries. Requires *Access lessons learned*. | +|     `Delete lessons learned` | Permanently delete lessons learned entries. Requires *Manage lessons learned*. | +| **Platform Settings** | | +| `Access Platform Settings` | Read-only access to platform-wide configuration and administration settings. | +|   `Manage platform settings` | Modify platform-wide settings including security configuration, integrations, and system parameters. Requires *Access Platform Settings*. | + + + + !!! info "Hierarchical permissions" Permissions are organized hierarchically by indentation: selecting a permission further to the right (e.g., Delete) will automatically enable the less-indented ones that precede it (e.g., Manage and Access). @@ -78,7 +128,9 @@ To create a new role in OpenAEV: Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions. -### Example : Crisis content creator + + +## Example : Creating a Crisis content creator role > Role : Crisis content creator
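Review bot: in the `### Capabilities` block, the new hierarchy paragraph and the existing `!!! info "Hierarchical permissions"` admonition describe the dependency in opposite directions: the paragraph says a parent capability "must be granted before its children ... can be assigned", while the admonition says selecting a child "will automatically enable the less-indented ones that precede it". State one behaviour in both places (or drop the paragraph's sentence and point to the admonition), otherwise an administrator cannot tell whether the UI blocks the selection or silently widens the role. Two rows in the table also deserve an explicit sentence: `Launch assessment` sits at the same indentation as `Manage assessment` but only "Requires *Access assessment*", so a role with read-only access plus Launch can execute assessments without any Manage right, which is the one branch that breaks the Access → Manage → Delete pattern; and `Bypass (user has all rights)` is documented as bypassing "any data segregation enforcement" but comes with no guidance, so a `!!! warning` recommending it be limited to platform administrators would fit the page's admonition style. Minor: "Below is a full list of capabilities in OpenAEV" needs a trailing colon, `Access Platform Settings` versus `Manage platform settings` is inconsistently capitalised (confirm against the UI labels), the indentation is encoded with non-breaking spaces inside table cells, which is easy to lose on the next edit, and the three blank `+` lines before the admonition should be one.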
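Review bot: in the second hunk, promoting the example heading from `###` to `##` ("## Example : Creating a Crisis content creator role") moves it out from under the role-creation section while the new `### Capabilities` subsection stays at h3, so the example no longer reads as part of the same procedure; keep it at `###` unless the page's other examples are h2. Also drop the space before the colon in "Example :" (the original heading had the same issue) and collapse the two extra blank lines added before the heading to one.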