Roles and Permissions

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

Concept: organization

An organization is a top-level hierarchy of Shisho Cloud. It basically corresponds to a company, and it includes all the resources and users.

Roles

Roles	Description
organization/owner	An owner of the entire organization, able to perform all actions on the organization.
organization/member	A member of the organization with least permissions on the organization.
organization/auditor	An auditor of the organization, able to view all the resources and users in the organization but not able to make any changes.
organization/triager	A triager, able to view risk statistics and details of each finding and triage these findings.
organization/browser	A browser of the organization, able to view all resources in the organization without risk statistics
organization/user_browser	A user browser of the organization, able to view all users and teams in the organization
organization/assessor	An assessor of the organization, able to view all resources in the organization for assessment
organization/integration_manager	An integration manager of the organization, able to manage integrations
organization/takumi_manager	A takumi manager of the organization, able to manage takumi-related features
organization/takumi_user	A takumi user of the organization, able to use Takumi chat features but not manage settings or billing
organization/takumi_runner_user	A takumi runner user of the organization, able to use Takumi Runner features but not manage settings or billing
organization/takumi_guard_user	A Takumi Guard user of the organization, able to use Guard features
(download logs) but not manage tokens or billing.
organization/takumi_guard_token_issuer	A Takumi Guard token issuer, able to issue org user tokens for developer machines via MDM.
This is a least-privilege role for bots that only need to mint tgorg* tokens.
organization/sso_manager	An SSO manager of the organization, able to manage SSO configurations

Permissions

Permission	Description
bot.create_api_key	Create an API key for the bot
bot.create_trust_conditions	Create a trust condition
bot.delete	Delete the bot
bot.delete_trust_conditions	Delete a trust condition
bot.list_api_keys	List API keys of the bot
bot.list_trust_conditions	List trust conditions of the bot
bot.revoke_api_key	Revoke an API key
bot.update_api_key	Update an API key metadata (name, description)
bot.update_info	Update basic information of the bot
bot.view_info	View basic information of the bot
integration.delete	Delete the integration
integration.edit	Update the integration
integration.get_github_access_token	get a GitHub access token from resources
integration.view	View basic information of the integration
notification_group.delete	Delete the notification group
notification_group.edit	Update configuration of the notification group
notification_group.view	View configuration of the notification group
organization.add_scheduled_task	Add a scheduled task for Takumi to perform periodic security reviews or automated actions
organization.check_takumi_guard_token_status	Check the status of a single Takumi Guard org user token (active /

revoked, lastused_at). Granted to takumi_guard_token_issuer so the bot that minted a token can verify its current state without being able to enumerate or revoke other tokens. | | organization.correlate_resource | Correlate a resource with another resource in the security graph | | organization.create_bot | Create a bot | | organization.create_chat | Create a new chat session with Takumi AI assistant | | organization.create_integration | Create an integration | | organization.create_notification_group | Create a notification group | | organization.create_project | Create a Shisho Cloud project | | organization.create_sso | Add a SSO configuration | | organization.create_team | Create a team | | organization.create_webhooks | Create a webhook | | organization.create_workflow | Create a workflow | | organization.delete_address_from_email_allowlist | Delete an email address from the email allowlist | | organization.delete_assessments | Delete a Takumi assessment | | organization.delete_custom_decision_specification | Delete a custom decision specification | | organization.delete_organization | Delete an organization | | organization.delete_project | Delete a Shisho Cloud project | | organization.delete_scheduled_task | Delete a scheduled task from Takumi's task queue | | organization.delete_source_code_archive | Delete source code archives | | organization.delete_sso | Delete a SSO configuration | | organization.delete_team | Delete a team | | organization.delete_webhooks | Delete a webhook | | organization.describe_assessment | Describe Takumi assessment's info | | organization.describe_assessment_artifacts | List & Describe artifacts generated by Takumi assessment (report, etc.) | | organization.describe_decision_specification | Describe a decision specification | | organization.dispatch_assessment | Dispatch a new Takumi assessment | | organization.dispatch_workflow | List workflows | | organization.get_chat_history | Retrieve chat history from previous conversations with Takumi AI assistant | | organization.get_takumi_scope | View Takumi's access scope including allowed GitHub repositories and Slack channels | | organization.invite_user | Send a user invitation | | organization.invite_user_with_team | Send a user invitation with a specific team | | organization.issue_takumi_guard_token | Issue Takumi Guard org user tokens for developer machines via MDM. This permission allows a bot to mint per-user tg_org* tokens on behalf of the organization. | | organization.kick_user | Kick a user | | organization.list_assessments | List Takumi assessments | | organization.list_bots | List bots | | organization.list_chat_metadata | List metadata of all chat sessions with Takumi AI assistant | | organization.list_custom_decision_specification | List custom decision speficiations | | organization.list_events | List audit events in the organization | | organization.list_integration | List integrations | | organization.list_invitation | List invitations | | organization.list_latest_source_code_references | List latest source code references of the organization | | organization.list_notification_group | List notification groups | | organization.list_project | List Shisho Cloud projects | | organization.list_readable_repo | List readable GitHub repositories via integration content | | organization.list_scheduled_tasks | List all scheduled tasks configured for Takumi | | organization.list_source_code_archives | List source code archives of the organization | | organization.list_sso | List SSO configurations | | organization.list_team | List teams | | organization.list_user | List users, including the permissions | | organization.list_web_application | List web applications in the organization | | organization.list_workflow | Delete a user | | organization.list_workflow_run | List workflow runs | | organization.list_writable_repo | List writable GitHub repositories via integration content | | organization.manage_custom_decision_specification | Create and update a custom decision specification | | organization.manage_guard_notification_settings | Manage Guard breach notification settings (webhook, email) | | organization.manage_metered_subscription | Manage metered subscriptions including enabling and disabling Runner | | organization.manage_takumi_billing | Manage Takumi billing including purchasing credits, subscribing to plans, and updating payment methods | | organization.manage_takumi_settings | Manage Takumi settings including Active Takumi configuration, Slack integration, and feature preferences | | organization.query_real_data | Query a GraphQL API to get real data integrated to Shisho Cloud | | organization.register_address_to_email_allowlist | Add an email address to the email allowlist | | organization.register_web_application | Register a new web application in the organization | | organization.revoke_invitation | Revoke a user invitation | | organization.revoke_takumi_guard_token | Revoke a Takumi Guard org user token (single or all-by-issuer). Admins only — the takumi_guard_token_issuer bot role intentionally does NOT receive this permission; revocation belongs to humans on the admin side, not to the minting bot. | | organization.rotate_webhook_secrets | Rotate the signing secret of a webhook | | organization.scan_ports | Initiate port scanning to detect network exposures | | organization.send_chat_message | Send chat messages to Takumi AI assistant | | organization.send_confirmation_to_mail_owner | Send a confirmation email to the email address owner | | organization.stream_chat_message | Stream chat messages from Takumi AI assistant in real-time | | organization.triage_decision | Triage a finding | | organization.uncorrelate_resource | Uncorrelate a resource from another resource in the security graph | | organization.update_assessment_notifications | Update the notification target of a Takumi assessment | | organization.update_attack_surface_status | Update attack surface status (ignore, restore, etc.) | | organization.update_iam | Grant/revole roles or permissions to/from organization members | | organization.update_settings | Update organization settings | | organization.update_takumi_scope | Update Takumi's access scope to control which GitHub repositories and Slack channels Takumi can access | | organization.upload_source_code_archive | Upload source code archives | | organization.use_datasource_playground | Use a datasource playground | | organization.verify_notification_channel | Verify a notification channel is working | | organization.view_attack_surfaces | View attack surfaces detected by scanning | | organization.view_basic_info | View organization basic information | | organization.view_ciem_settings | View CIEM settings | | organization.view_dashboard | View a dashboard with risk statistics without any resource details | | organization.view_decision | View risk statistics and details of each finding with resource details | | organization.view_email_allowlist | View the email allowlist | | organization.view_exposure | View network exposures detected by port scanning | | organization.view_integrated_slack_channels | View slack channel details. This permission is isolated from the list_integration permission, for allowing users to view slack channel details without having the permission to get the details of source integrations. | | organization.view_metered_subscription | View metered subscription status including Runner subscription details | | organization.view_permission | List, describe and edit users in the organization | | organization.view_resource | List and describe resources integrated to Shisho Cloud with risk statistics | | organization.view_resource_analysis | View resource risk analysis | | organization.view_runner_job_execution_usage | View Runner job execution usage including job history and repository usage | | organization.view_runner_metrics | View Runner metrics including overview statistics and historical data | | organization.view_runner_trace | View Runner execution traces including timeline, network, and file details | | organization.view_settings | View organization settings | | organization.view_takumi_billing_info | View Takumi billing information including subscription status, credit balance, and usage history | | organization.view_takumi_guard_download_logs | View Takumi Guard download logs for packages installed via the Guard proxy. Used by the console download-log query feature (paid plan). | | organization.view_takumi_guard_token | View (list) Takumi Guard org user tokens for an organization. Admins only — the takumi_guard_token_issuer bot role intentionally does NOT receive this permission; it should be able to mint and check the status of its own tokens but not enumerate or revoke arbitrary tokens. | | organization.view_webhooks | View webhooks | | organization.view_workflow_run | View a workflow run | | takumi_workplace.delete | Delete the workplace | | takumi_workplace.edit | Update the workplace and its configuration | | takumi_workplace.view | View the workplace and its configuration | | trust_condition.delete | Delete the trust condition | | trust_condition.update | Update the trust condition | | trust_condition.view | View the trust condition | | web_application.delete | Delete the web application | | web_application.delete_endpoint | Delete an endpoint | | web_application.delete_precondition | Delete a precondition | | web_application.delete_scenario | Delete a scenario | | web_application.describe_authorization_policy | View the authorization policy configuration | | web_application.find_endpoints | Discover endpoints of the web application | | web_application.list_endpoint | List endpoints of the web application | | web_application.list_precondition | List preconditions of the web application | | web_application.list_scenario | List scenarios of the web application | | web_application.register_precondition | Register a new precondition for the application | | web_application.register_scenario | Register a new scenario | | web_application.scan | Execute security scans on the web application | | web_application.update | Update the web application's configuration and settings | | web_application.update_authorization_policy | Update the authorization policy configuration | | web_application.update_endpoint | Update an existing endpoint definition | | web_application.update_precondition | Update an existing precondition | | web_application.update_scenario | Update an existing scenario | | web_application.view | View the web application and its basic information | | web_application.view_find_job | View find job history | | workflow.delete | Delete the workflow | | workflow.dispatch | Run the workflow | | workflow.edit | Update the workflow | | workflow.view | View the workflow | | workflow_run.view | View the workflow run, including exit codes and the output of the run | | workflow_snapshot.view | View the workflow snapshot |

Roles and Permissions Matrix

Permission	organization/assessor	organization/auditor	organization/browser	organization/integration_manager	organization/member	organization/owner	organization/sso_manager	organization/takumi_guard_token_issuer	organization/takumi_guard_user	organization/takumi_manager	organization/takumi_runner_user	organization/takumi_user	organization/triager	organization/user_browser
bot.create_api_key	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.create_trust_conditions	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.delete	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.delete_trust_conditions	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.list_api_keys	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.list_trust_conditions	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.revoke_api_key	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.update_api_key	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.update_info	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
bot.view_info	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
integration.delete	❌	❌	❌	✅	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
integration.edit	❌	❌	❌	✅	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
integration.get_github_access_token	✅	❌	❌	❌	❌	❌	❌	❌	❌	❌	❌	❌	❌	❌
integration.view	❌	✅	❌	✅	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
notification_group.delete	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
notification_group.edit	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
notification_group.view	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.add_scheduled_task	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.check_takumi_guard_token_status	❌	❌	❌	❌	❌	✅	❌	✅	❌	✅	❌	❌	❌	❌
organization.correlate_resource	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.create_bot	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.create_chat	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.create_integration	❌	❌	❌	✅	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.create_notification_group	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.create_project	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.create_sso	❌	❌	❌	❌	❌	✅	✅	❌	❌	❌	❌	❌	❌	❌
organization.create_team	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.create_webhooks	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.create_workflow	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.delete_address_from_email_allowlist	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.delete_assessments	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.delete_custom_decision_specification	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.delete_organization	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.delete_project	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.delete_scheduled_task	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.delete_source_code_archive	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.delete_sso	❌	❌	❌	❌	❌	✅	✅	❌	❌	❌	❌	❌	❌	❌
organization.delete_team	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.delete_webhooks	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.describe_assessment	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.describe_assessment_artifacts	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.describe_decision_specification	❌	✅	✅	❌	✅	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.dispatch_assessment	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.dispatch_workflow	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.get_chat_history	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.get_takumi_scope	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.invite_user	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.invite_user_with_team	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.issue_takumi_guard_token	❌	❌	❌	❌	❌	✅	❌	✅	❌	✅	❌	❌	❌	❌
organization.kick_user	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.list_assessments	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.list_bots	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.list_chat_metadata	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.list_custom_decision_specification	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.list_events	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.list_integration	❌	✅	❌	✅	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.list_invitation	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.list_latest_source_code_references	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.list_notification_group	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	✅	❌
organization.list_project	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.list_readable_repo	❌	✅	❌	✅	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.list_scheduled_tasks	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.list_source_code_archives	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.list_sso	❌	✅	❌	❌	❌	✅	✅	❌	❌	❌	❌	❌	❌	❌
organization.list_team	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅
organization.list_user	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	✅	✅
organization.list_web_application	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.list_workflow	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.list_workflow_run	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.list_writable_repo	❌	✅	❌	✅	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.manage_custom_decision_specification	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.manage_guard_notification_settings	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.manage_metered_subscription	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.manage_takumi_billing	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.manage_takumi_settings	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.query_real_data	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.register_address_to_email_allowlist	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.register_web_application	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.revoke_invitation	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.revoke_takumi_guard_token	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.rotate_webhook_secrets	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.scan_ports	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.send_chat_message	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.send_confirmation_to_mail_owner	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.stream_chat_message	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.triage_decision	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.uncorrelate_resource	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.update_assessment_notifications	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.update_attack_surface_status	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.update_iam	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.update_settings	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.update_takumi_scope	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.upload_source_code_archive	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.use_datasource_playground	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.verify_notification_channel	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.view_attack_surfaces	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.view_basic_info	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅
organization.view_ciem_settings	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.view_dashboard	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.view_decision	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.view_email_allowlist	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.view_exposure	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.view_integrated_slack_channels	❌	✅	❌	✅	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.view_metered_subscription	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	✅	❌	❌	❌
organization.view_permission	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.view_resource	✅	✅	✅	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.view_resource_analysis	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
organization.view_runner_job_execution_usage	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	✅	❌	❌	❌
organization.view_runner_metrics	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	✅	❌	❌	❌
organization.view_runner_trace	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	✅	❌	❌	❌
organization.view_settings	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
organization.view_takumi_billing_info	❌	❌	❌	❌	❌	✅	❌	❌	✅	✅	✅	✅	❌	❌
organization.view_takumi_guard_download_logs	❌	❌	❌	❌	❌	✅	❌	❌	✅	✅	❌	❌	❌	❌
organization.view_takumi_guard_token	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
organization.view_webhooks	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
organization.view_workflow_run	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
takumi_workplace.delete	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
takumi_workplace.edit	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
takumi_workplace.view	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	✅	❌	❌
trust_condition.delete	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
trust_condition.update	❌	❌	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
trust_condition.view	❌	✅	❌	❌	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌
web_application.delete	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.delete_endpoint	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.delete_precondition	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.delete_scenario	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.describe_authorization_policy	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.find_endpoints	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.list_endpoint	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.list_precondition	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.list_scenario	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.register_precondition	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.register_scenario	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.scan	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.update	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.update_authorization_policy	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.update_endpoint	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.update_precondition	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.update_scenario	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
web_application.view	✅	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	✅	❌
web_application.view_find_job	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
workflow.delete	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
workflow.dispatch	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
workflow.edit	❌	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
workflow.view	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
workflow_run.view	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌
workflow_snapshot.view	❌	✅	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌

Concept: project

A project is the second level of hierarchy in Shisho Cloud, which is owned by an organization. It can aggregate resources, and it also defines some roles for Shisho Cloud principals to access the resources within the project.

An organization can have multiple projects, and the roles on the organization will be inherited to the projects. The role on a project will not affect other projects and the organization.

Roles

Roles	Description
project/owner	An owner of the project, able to perform all actions on the project
project/triager	A triager, able to view risk statistics and details of each finding and triage these findings
project/viewer	A viewer, able to view risk statistics and details of each finding

Permissions

Permission	Description
bot.create_api_key	Create an API key for the bot
bot.create_trust_conditions	Create a trust condition
bot.delete	Delete the bot
bot.delete_trust_conditions	Delete a trust condition
bot.list_api_keys	List API keys of the bot
bot.list_trust_conditions	List trust conditions of the bot
bot.revoke_api_key	Revoke an API key
bot.update_api_key	Update an API key metadata (name, description)
bot.update_info	Update basic information of the bot
bot.view_info	View basic information of the bot
project.add_permission	Add principal(s) to the project permission table
project.create_default_notification_channels	Create a project default notification channel
project.create_notification_configurations	Create a project notification configuration
project.delete	Deleete the project
project.delete_default_notification_channels	Delete a project default notification channel
project.delete_notification_configurations	Delete a project notification configuration
project.delete_permission	Remove principal(s) from the project permission table
project.describe_organization_email_allowlist_item	View the email allowlist entries that are registered to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide email allowlist.
project.describe_organization_integrated_slack_channel	View the details of slack channels that are integrated to the organization and tied to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide slack channel details.
project.describe_organization_notification_group	View the details of notification groups that are tied to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide slack channel details.
project.dispatch_workflow	Dispatch a workflow, allowing it to affect to the entire Shisho Cloud organization to cause new scan results. Note that a workflow is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide workflow dispatch.
project.link_resource	Add a resource to the project scope
project.list_bots	List and describe bots within the project scope
project.list_notification_configurations	List project notification configurations
project.list_scopable_entities	List scopable entities
project.triage_decision	Triage a finding. Note that the decision data is a shared resource with organization, and granting this permission may allow a principal to modify that shared data.
project.unlink_resource	Remove a resource from the project scope
project.update_default_notification_channels	Update a project default notification channel
project.update_iam	Grant/revole project-level permissions to/from principals
project.update_info	Update project basic information
project.update_notification_configurations	Update a project notification configuration
project.upsert_organization_email_allowlist	Upsert an email address to the email allowlist for project default notification. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide email allowlist.
project.view	View project basic information
project.view_dashboard	View a dashboard with risk statistics without any resource details
project.view_decision	View risk statistics and details of each finding with resource details. Note that the decision data is a shared resource with organization, and granting this permission may allow a principal to read that shared data.
project.view_default_notification_channels	View a project default notification channel
project.view_notification_configurations	View a project notification configuration
project.view_permission	List and describe users within the project scope
project.view_resource	List and describe resources within the project scope. Note that the resource itself is a shared resource with organization, and granting this permission may allow a principal to read that shared data.
project.view_resource_analysis	View resource risk analysis.
trust_condition.delete	Delete the trust condition
trust_condition.update	Update the trust condition
trust_condition.view	View the trust condition

Roles and Permissions Matrix

Permission	organization/assessor	organization/auditor	organization/browser	organization/integration_manager	organization/owner	organization/takumi_manager	organization/triager	project/owner	project/triager	project/viewer
bot.create_api_key	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.create_trust_conditions	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.delete	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.delete_trust_conditions	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.list_api_keys	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅
bot.list_trust_conditions	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅
bot.revoke_api_key	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.update_api_key	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.update_info	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
bot.view_info	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅
project.add_permission	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.create_default_notification_channels	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.create_notification_configurations	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.delete	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌
project.delete_default_notification_channels	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.delete_notification_configurations	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.delete_permission	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.describe_organization_email_allowlist_item	❌	✅	❌	❌	✅	✅	❌	✅	❌	❌
project.describe_organization_integrated_slack_channel	❌	✅	❌	✅	✅	❌	❌	✅	❌	❌
project.describe_organization_notification_group	❌	✅	❌	❌	✅	✅	✅	✅	❌	❌
project.dispatch_workflow	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.link_resource	✅1	✅2	✅3	❌	✅4	❌	✅5	✅6	❌	❌
project.list_bots	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅
project.list_notification_configurations	❌	❌	❌	❌	✅	❌	❌	✅	✅	✅
project.list_scopable_entities	✅7	✅8	✅9	❌	✅10	❌	✅11	✅12	❌	❌
project.triage_decision	❌	❌	❌	❌	✅	❌	✅	✅	✅	❌
project.unlink_resource	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.update_default_notification_channels	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.update_iam	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.update_info	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.update_notification_configurations	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.upsert_organization_email_allowlist	❌	❌	❌	❌	✅	✅	❌	✅	❌	❌
project.view	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅
project.view_dashboard	❌	✅	❌	❌	✅	❌	✅	✅	✅	✅
project.view_decision	❌	✅	❌	❌	✅	❌	✅	✅	✅	✅
project.view_default_notification_channels	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
project.view_notification_configurations	❌	❌	❌	❌	✅	❌	❌	✅	✅	✅
project.view_permission	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅
project.view_resource	✅	✅	✅	❌	✅	❌	✅	✅	✅	✅
project.view_resource_analysis	❌	✅	❌	❌	✅	❌	✅	✅	✅	✅
trust_condition.delete	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
trust_condition.update	❌	❌	❌	❌	✅	❌	❌	✅	❌	❌
trust_condition.view	❌	✅	❌	❌	✅	❌	❌	✅	✅	✅

Concept: team

A team is a Shisho Cloud principal that groups users. A team can be granted a role, and the role will be applied to all the users in the team.

Roles

Roles	Description
team/owner	An owner of the team, able to perform all actions on the team. Note that the owner of the team is not necessarily the owner of the organization.
team/member	A member of the team, able to perform actions on the team.

Permissions

Permission	Description
team.act_as_team	Act as a team, able to perform actions on the team if the team has a role on other entities (e.g. organization, Shisho Cloud project, etc.)
team.delete	Delete the team
team.kick_user	Remove a user from the team
team.link_user	Add a user to the team
team.update_iam	Grant/revoke the owner to/from members
team.update_info	Update team basic information
team.view	View team basic information

Roles and Permissions Matrix

Permission	organization/auditor	organization/owner	organization/takumi_manager	organization/triager	organization/user_browser	team/member	team/owner
team.act_as_team	❌	❌	❌	❌	❌	✅	✅
team.delete	❌	✅	❌	❌	❌	❌	✅
team.kick_user	❌	✅	❌	❌	❌	❌	✅
team.link_user	✅13	✅14	✅15	✅16	✅17	❌	✅18
team.update_iam	❌	✅	❌	❌	❌	❌	✅
team.update_info	❌	✅	❌	❌	❌	❌	✅
team.view	✅	✅	✅	❌	✅	✅	✅

Footnotes

1. To perform project.link_resource, organization/assessor requires project/owner as well. ↩

2. To perform project.link_resource, organization/auditor requires project/owner as well. ↩

3. To perform project.link_resource, organization/browser requires project/owner as well. ↩

4. To perform project.link_resource, organization/owner requires project/owner as well. ↩

5. To perform project.link_resource, organization/triager requires project/owner as well. ↩

6. To perform project.link_resource, project/owner requires organization/assessor as well. ↩

7. To perform project.list_scopable_entities, organization/assessor requires project/owner as well. ↩

8. To perform project.list_scopable_entities, organization/auditor requires project/owner as well. ↩

9. To perform project.list_scopable_entities, organization/browser requires project/owner as well. ↩

10. To perform project.list_scopable_entities, organization/owner requires project/owner as well. ↩

11. To perform project.list_scopable_entities, organization/triager requires project/owner as well. ↩

12. To perform project.list_scopable_entities, project/owner requires organization/assessor as well. ↩

13. To perform team.link_user, organization/auditor requires team/owner as well. ↩

14. To perform team.link_user, organization/owner requires team/owner as well. ↩

15. To perform team.link_user, organization/takumi_manager requires team/owner as well. ↩

16. To perform team.link_user, organization/triager requires team/owner as well. ↩

17. To perform team.link_user, organization/user_browser requires team/owner as well. ↩

18. To perform team.link_user, team/owner requires organization/takumi_manager as well. ↩