Admin roles

Admin roles let you define exactly what each administrator can do in Strivacity. By combining global permissions and tag-based permissions, you can implement a least-privilege model that fits your organization's security and operational needs.

Strivacity offers two complementary ways to manage access rights:

  • Global permissions: Grant rights that apply across the entire instance.
  • Tag-based permissions: Apply only to resources with specific tags.

For each permission category, you can configure four permission types:

  • Use: allows selecting or referencing resources without viewing details or making changes.
  • Read: allows viewing detailed configuration and data.
  • Write: allows creating and updating resources.
  • Delete: allows removing resources.

Roles can combine any of these permissions to create precisely scoped access that supports least-privilege administration.

Default roles

Strivacity provides preconfigured roles you can use out of the box:

| Role | Description | Access rights |
| --- | --- | --- |
| Admin | Full administrative access to all features and resources. | All permissions (use, read, write, delete). |
| Auditor | Read-only access to all dashboards and settings. | All permissions (read only). |
| Helpdesk | Manage customer accounts and groups. | A combination of permissions focused on account management. |

Note: The permissions in the preconfigured Admin role can't be changed or extended with tag-based access. However, you can modify the Auditor and Helpdesk roles or create additional custom roles as needed.

Creating a role

To create a custom admin role:

  1. In the Admin Console, go to Instance configuration > Admin roles.
  2. Select Create.
  3. Enter a Role name and Description.

Assign permissions

Roles can include both global and tag-based permissions. Use the tabs to configure each:

Global permissions

Global permissions apply to all resources in the instance.

The interface organizes them into categories, such as:

  • Account management
  • Administration
  • Policy configuration

For each category, you can set Use, Read, Write, and Delete permissions.

Note: The Grant all checkbox applies full permissions to all permission scope categories at once.

Note: When you hover over a Suggested permissions warning, a helper popover appears showing recommended permissions you may want to add. For example, it can highlight that related access (such as Use or Read) is required for complete functionality. You can quickly grant all recommended permissions directly from the popover.

Warning: If new permission scopes are introduced in Strivacity later, they will be unselected by default in existing roles to avoid unintended access.

Tag-based permissions

Tag-based permissions give you flexibility to control access to resources marked with specific tags. This is useful when you need to segment access by business unit, environment, or purpose.

To configure tag-based permissions:

  1. Open the role you want to configure (either a pre-configured role—except for Admin—or a custom role), then in the Access rights tab, select Extend.
  2. In the dialog, choose one or more tags you want to include (for example, support or quality_assurance).
  3. For each tag, select the desired Use, Read, Write, and Delete permissions across the available categories.

Admin users with this role will only be able to exercise these permissions on resources assigned the corresponding tag(s).

Example usage

A role with Use, Read, and Write access to the tag "contractors" can modify resources like policies or applications that carry the "contractors" tag, while having no access to untagged resources or those with other tags.
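The access decision described above, modelled as an added example for reviewing a role design before building it in the Admin Console. This is not Strivacity code or its API: the `Role` and `Resource` shapes, the `is_allowed` and `access_matrix` functions, the category labels and the sample data are assumptions, as is treating the four permission types as independent of one another.

```python
from dataclasses import dataclass, field

PERMS = {"use", "read", "write", "delete"}  # the four permission types on this page

@dataclass
class Role:
    name: str
    # category -> permission types that apply to every resource in the instance
    global_perms: dict = field(default_factory=dict)
    # tag -> category -> permission types that apply only to resources with that tag
    tag_perms: dict = field(default_factory=dict)

@dataclass
class Resource:
    name: str
    category: str                      # hypothetical category label
    tags: frozenset = frozenset()

def is_allowed(role, perm, res):
    """Return (decision, reason). Default deny; no permission type implies
    another (assumption made for this model)."""
    if perm not in PERMS:
        raise ValueError(f"unknown permission type: {perm}")
    if perm in role.global_perms.get(res.category, ()):
        return True, "global"
    for tag in sorted(res.tags):
        if perm in role.tag_perms.get(tag, {}).get(res.category, ()):
            return True, f"tag:{tag}"
    return False, "no matching grant"

def access_matrix(role, resources):
    """Decision for every permission type on every resource, for role review."""
    return {(r.name, p): is_allowed(role, p, r)[0]
            for r in resources for p in sorted(PERMS)}

# Constructed sample data mirroring the "contractors" example above.
contractor_admin = Role(
    name="contractor-admin",
    tag_perms={"contractors": {"policy": {"use", "read", "write"},
                               "application": {"use", "read", "write"}}},
)
resources = [
    Resource("contractor-mfa-policy", "policy", frozenset({"contractors"})),
    Resource("default-policy", "policy"),                      # untagged
    Resource("qa-portal", "application", frozenset({"quality_assurance"})),
]

if __name__ == "__main__":
    for (name, perm), ok in access_matrix(contractor_admin, resources).items():
        print(f"{name:24} {perm:7} {'ALLOW' if ok else 'deny'}")
```

Only the three granted types on the contractors-tagged policy come back as allowed; Delete on that policy, and everything on the untagged and differently tagged resources, is denied.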

Viewing all permissions

While editing a role, you can quickly review all granted permissions by selecting the arrow icon next to a permission group. This opens a popover that displays:

  • All global or tag-based permissions included in that section.
  • Which Use, Read, Write, and Delete permissions are granted.
  • A clear overview of the permissions assigned to that role.

This view helps confirm that the role aligns with your intended access model.

Assigning a role to admins

After you create or edit a role, assign it to admin accounts:

  1. From Admin roles, select the role you want to assign.
  2. Open the Assignees tab.
  3. Select Assign accounts.
  4. Choose the admin users to assign the role by checking the box next to their names.
  5. Select + Assign and confirm the assignment in the dialog that pops up.

Admins immediately receive access as defined by the role.

Tips for managing roles

  • Keep it least-privilege: Assign only the minimum permissions needed.
  • Use "Use" permissions strategically: Use this permission when an admin needs to select or assign resources but should not see or edit their configuration.
  • Review regularly: Periodically audit role assignments to ensure compliance and security.
  • Be aware of defaults: Newly added permission scopes are unassigned by default, so review your roles when new features are introduced.