# Roles and Permissions

## Concept: organization {#organization}

An organization is the top-level unit of the Shisho Cloud hierarchy.
It typically corresponds to a company and contains all of that company's resources and users.

### Roles {#organization-roles}

| Roles | Description |
| ----- | ----------- |
| organization/owner | An owner of the entire organization, able to perform all actions on the organization. |
| organization/member | A member of the organization with the least permissions on the organization. |
| organization/auditor | An auditor of the organization, able to view all the resources and users in the organization but not able to make any changes. |
| organization/triager | A triager, able to view risk statistics and details of each finding and triage these findings. |
| organization/browser | A browser of the organization, able to view all resources in the organization without risk statistics. |
| organization/user_browser | A user browser of the organization, able to view all users and teams in the organization. |
| organization/assessor | An assessor of the organization, able to view all resources in the organization for assessment. |
| organization/integration_manager | An integration manager of the organization, able to manage integrations. |
| organization/takumi_manager | A Takumi manager of the organization, able to manage Takumi-related features. |
| organization/takumi_user | A Takumi user of the organization, able to use Takumi chat features but not manage settings or billing. |
| organization/takumi_runner_user | A Takumi Runner user of the organization, able to use Takumi Runner features but not manage settings or billing. |
| organization/takumi_guard_user | A Takumi Guard user of the organization, able to use Guard features (download logs) but not manage tokens or billing. |
| organization/takumi_guard_token_issuer | A Takumi Guard token issuer, able to issue org user tokens for developer machines via MDM. This is a least-privilege role for bots that only need to mint `tg_org_*` tokens. |
| organization/sso_manager | An SSO manager of the organization, able to manage SSO configurations. |

### Permissions {#organization-permissions}

| Permission                                   | Description                                                                               |
| -------------------------------------------- | ----------------------------------------------------------------------------------------- |
| bot.create_api_key                           | Create an API key for the bot                                                             |
| bot.create_trust_conditions                  | Create a trust condition                                                                  |
| bot.delete                                   | Delete the bot                                                                            |
| bot.delete_trust_conditions                  | Delete a trust condition                                                                  |
| bot.list_api_keys                            | List API keys of the bot                                                                  |
| bot.list_trust_conditions                    | List trust conditions of the bot                                                          |
| bot.revoke_api_key                           | Revoke an API key                                                                         |
| bot.update_api_key                           | Update an API key metadata (name, description)                                            |
| bot.update_info                              | Update basic information of the bot                                                       |
| bot.view_info                                | View basic information of the bot                                                         |
| integration.delete                           | Delete the integration                                                                    |
| integration.edit                             | Update the integration                                                                    |
| integration.get_github_access_token          | Get a GitHub access token from resources                                                  |
| integration.view                             | View basic information of the integration                                                 |
| notification_group.delete                    | Delete the notification group                                                             |
| notification_group.edit                      | Update configuration of the notification group                                            |
| notification_group.view                      | View configuration of the notification group                                              |
| organization.add_scheduled_task              | Add a scheduled task for Takumi to perform periodic security reviews or automated actions |
| organization.check_takumi_guard_token_status | Check the status of a single Takumi Guard org user token (active / revoked, `last_used_at`). Granted to takumi_guard_token_issuer so the bot that minted a token can verify its current state without being able to enumerate or revoke other tokens. |
| organization.correlate_resource | Correlate a resource with another resource in the security graph |
| organization.create_bot | Create a bot |
| organization.create_chat | Create a new chat session with Takumi AI assistant |
| organization.create_integration | Create an integration |
| organization.create_notification_group | Create a notification group |
| organization.create_project | Create a Shisho Cloud project |
| organization.create_sso | Add an SSO configuration |
| organization.create_team | Create a team |
| organization.create_webhooks | Create a webhook |
| organization.create_workflow | Create a workflow |
| organization.delete_address_from_email_allowlist | Delete an email address from the email allowlist |
| organization.delete_assessments | Delete a Takumi assessment |
| organization.delete_custom_decision_specification | Delete a custom decision specification |
| organization.delete_organization | Delete an organization |
| organization.delete_project | Delete a Shisho Cloud project |
| organization.delete_scheduled_task | Delete a scheduled task from Takumi's task queue |
| organization.delete_source_code_archive | Delete source code archives |
| organization.delete_sso | Delete an SSO configuration |
| organization.delete_team | Delete a team |
| organization.delete_webhooks | Delete a webhook |
| organization.describe_assessment | Describe Takumi assessment's info |
| organization.describe_assessment_artifacts | List & Describe artifacts generated by Takumi assessment (report, etc.) |
| organization.describe_decision_specification | Describe a decision specification |
| organization.dispatch_assessment | Dispatch a new Takumi assessment |
| organization.dispatch_workflow | Dispatch a workflow |
| organization.get_chat_history | Retrieve chat history from previous conversations with Takumi AI assistant |
| organization.get_takumi_scope | View Takumi's access scope including allowed GitHub repositories and Slack channels |
| organization.invite_user | Send a user invitation |
| organization.invite_user_with_team | Send a user invitation with a specific team |
| organization.issue_takumi_guard_token | Issue Takumi Guard org user tokens for developer machines via MDM. This permission allows a bot to mint per-user `tg_org_*` tokens on behalf of the organization. |
| organization.kick_user | Kick a user |
| organization.list_assessments | List Takumi assessments |
| organization.list_bots | List bots |
| organization.list_chat_metadata | List metadata of all chat sessions with Takumi AI assistant |
| organization.list_custom_decision_specification | List custom decision specifications |
| organization.list_events | List audit events in the organization |
| organization.list_integration | List integrations |
| organization.list_invitation | List invitations |
| organization.list_latest_source_code_references | List latest source code references of the organization |
| organization.list_notification_group | List notification groups |
| organization.list_project | List Shisho Cloud projects |
| organization.list_readable_repo | List readable GitHub repositories via integration content |
| organization.list_scheduled_tasks | List all scheduled tasks configured for Takumi |
| organization.list_source_code_archives | List source code archives of the organization |
| organization.list_sso | List SSO configurations |
| organization.list_team | List teams |
| organization.list_user | List users, including the permissions |
| organization.list_web_application | List web applications in the organization |
| organization.list_workflow | List workflows |
| organization.list_workflow_run | List workflow runs |
| organization.list_writable_repo | List writable GitHub repositories via integration content |
| organization.manage_custom_decision_specification | Create and update a custom decision specification |
| organization.manage_guard_notification_settings | Manage Guard breach notification settings (webhook, email) |
| organization.manage_metered_subscription | Manage metered subscriptions including enabling and disabling Runner |
| organization.manage_takumi_billing | Manage Takumi billing including purchasing credits, subscribing to plans, and updating payment methods |
| organization.manage_takumi_settings | Manage Takumi settings including Active Takumi configuration, Slack integration, and feature preferences |
| organization.query_real_data | Query a GraphQL API to get real data integrated to Shisho Cloud |
| organization.register_address_to_email_allowlist | Add an email address to the email allowlist |
| organization.register_web_application | Register a new web application in the organization |
| organization.revoke_invitation | Revoke a user invitation |
| organization.revoke_takumi_guard_token | Revoke a Takumi Guard org user token (single or all-by-issuer). Admins only; the takumi_guard_token_issuer bot role intentionally does NOT receive this permission. Revocation belongs to humans on the admin side, not to the minting bot. |
| organization.rotate_webhook_secrets | Rotate the signing secret of a webhook |
| organization.scan_ports | Initiate port scanning to detect network exposures |
| organization.send_chat_message | Send chat messages to Takumi AI assistant |
| organization.send_confirmation_to_mail_owner | Send a confirmation email to the email address owner |
| organization.stream_chat_message | Stream chat messages from Takumi AI assistant in real-time |
| organization.triage_decision | Triage a finding |
| organization.uncorrelate_resource | Uncorrelate a resource from another resource in the security graph |
| organization.update_assessment_notifications | Update the notification target of a Takumi assessment |
| organization.update_attack_surface_status | Update attack surface status (ignore, restore, etc.) |
| organization.update_iam | Grant/revoke roles or permissions to/from organization members |
| organization.update_settings | Update organization settings |
| organization.update_takumi_scope | Update Takumi's access scope to control which GitHub repositories and Slack channels Takumi can access |
| organization.upload_source_code_archive | Upload source code archives |
| organization.use_datasource_playground | Use a datasource playground |
| organization.verify_notification_channel | Verify a notification channel is working |
| organization.view_attack_surfaces | View attack surfaces detected by scanning |
| organization.view_basic_info | View organization basic information |
| organization.view_ciem_settings | View CIEM settings |
| organization.view_dashboard | View a dashboard with risk statistics without any resource details |
| organization.view_decision | View risk statistics and details of each finding with resource details |
| organization.view_email_allowlist | View the email allowlist |
| organization.view_exposure | View network exposures detected by port scanning |
| organization.view_integrated_slack_channels | View Slack channel details. This permission is isolated from the list_integration permission so that users can view Slack channel details without having permission to get the details of source integrations. |
| organization.view_metered_subscription | View metered subscription status including Runner subscription details |
| organization.view_permission | List, describe and edit users in the organization |
| organization.view_resource | List and describe resources integrated to Shisho Cloud with risk statistics |
| organization.view_resource_analysis | View resource risk analysis |
| organization.view_runner_job_execution_usage | View Runner job execution usage including job history and repository usage |
| organization.view_runner_metrics | View Runner metrics including overview statistics and historical data |
| organization.view_runner_trace | View Runner execution traces including timeline, network, and file details |
| organization.view_settings | View organization settings |
| organization.view_takumi_billing_info | View Takumi billing information including subscription status, credit balance, and usage history |
| organization.view_takumi_guard_download_logs | View Takumi Guard download logs for packages installed via the Guard proxy. Used by the console download-log query feature (paid plan). |
| organization.view_takumi_guard_token | View (list) Takumi Guard org user tokens for an organization. Admins only; the takumi_guard_token_issuer bot role intentionally does NOT receive this permission. It should be able to mint and check the status of its own tokens but not enumerate or revoke arbitrary tokens. |
| organization.view_webhooks | View webhooks |
| organization.view_workflow_run | View a workflow run |
| takumi_workplace.delete | Delete the workplace |
| takumi_workplace.edit | Update the workplace and its configuration |
| takumi_workplace.view | View the workplace and its configuration |
| trust_condition.delete | Delete the trust condition |
| trust_condition.update | Update the trust condition |
| trust_condition.view | View the trust condition |
| web_application.delete | Delete the web application |
| web_application.delete_endpoint | Delete an endpoint |
| web_application.delete_precondition | Delete a precondition |
| web_application.delete_scenario | Delete a scenario |
| web_application.describe_authorization_policy | View the authorization policy configuration |
| web_application.find_endpoints | Discover endpoints of the web application |
| web_application.list_endpoint | List endpoints of the web application |
| web_application.list_precondition | List preconditions of the web application |
| web_application.list_scenario | List scenarios of the web application |
| web_application.register_precondition | Register a new precondition for the application |
| web_application.register_scenario | Register a new scenario |
| web_application.scan | Execute security scans on the web application |
| web_application.update | Update the web application's configuration and settings |
| web_application.update_authorization_policy | Update the authorization policy configuration |
| web_application.update_endpoint | Update an existing endpoint definition |
| web_application.update_precondition | Update an existing precondition |
| web_application.update_scenario | Update an existing scenario |
| web_application.view | View the web application and its basic information |
| web_application.view_find_job | View find job history |
| workflow.delete | Delete the workflow |
| workflow.dispatch | Run the workflow |
| workflow.edit | Update the workflow |
| workflow.view | View the workflow |
| workflow_run.view | View the workflow run, including exit codes and the output of the run |
| workflow_snapshot.view | View the workflow snapshot |
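The tables above describe a deny-by-default model: a principal gets exactly the union of the permissions of the roles it holds, and the takumi_guard_token_issuer role is deliberately kept to minting and status checks so a compromised bot cannot enumerate or revoke tokens. The following is an added example, not Shisho Cloud's own code or API: it transcribes a small subset of the page's matrix into a lookup table, implements the role-union check, shows what an `update_iam` grant would add to a principal's effective permissions, and audits the least-privilege invariant the page states for the token-issuer role. The function names and the `"*"` wildcard used to model the owner role are this example's own assumptions.

```python
"""Authorization checks modelled on the organization roles and permissions
described on this page.  Added example, not Shisho Cloud's own code.
ROLE_PERMISSIONS transcribes only a subset of the page's matrix and role
descriptions; the function names are this example's own."""
from __future__ import annotations

from typing import Iterable

# Assumption for this example: the owner role ("able to perform all actions")
# is modelled as a wildcard rather than by listing every permission.
ALL = "*"

# Subset of the page's roles/permissions matrix (transcribed, not complete).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "organization/owner": frozenset({ALL}),
    "organization/member": frozenset(),
    "organization/auditor": frozenset({
        "bot.list_api_keys", "bot.list_trust_conditions", "bot.view_info",
        "integration.view",
    }),
    "organization/integration_manager": frozenset({
        "integration.view", "integration.edit", "integration.delete",
        "organization.create_integration",
    }),
    # Least-privilege bot role per the page: mint tokens and check the
    # status of its own tokens, nothing else.
    "organization/takumi_guard_token_issuer": frozenset({
        "organization.issue_takumi_guard_token",
        "organization.check_takumi_guard_token_status",
    }),
}

# Invariants stated in the page's permission descriptions: the minting bot
# role must never be able to enumerate or revoke tokens.
FORBIDDEN_FOR_ROLE: dict[str, frozenset[str]] = {
    "organization/takumi_guard_token_issuer": frozenset({
        "organization.view_takumi_guard_token",
        "organization.revoke_takumi_guard_token",
    }),
}


def effective_permissions(roles: Iterable[str],
                          table: dict[str, frozenset[str]] = ROLE_PERMISSIONS
                          ) -> frozenset[str]:
    """Union of the permissions of every role held; unknown roles fail closed."""
    granted: set[str] = set()
    for role in roles:
        if role not in table:
            raise ValueError(f"unknown role: {role!r}")
        granted |= table[role]
    return frozenset(granted)


def is_allowed(roles: Iterable[str], permission: str,
               table: dict[str, frozenset[str]] = ROLE_PERMISSIONS) -> bool:
    """Deny by default: allow only if a held role grants it or is the wildcard."""
    granted = effective_permissions(roles, table)
    return ALL in granted or permission in granted


def grant_delta(current_roles: Iterable[str], new_role: str,
                table: dict[str, frozenset[str]] = ROLE_PERMISSIONS
                ) -> frozenset[str]:
    """Permissions a principal would newly gain if new_role were added.

    Useful when reviewing an update_iam change before applying it."""
    current = list(current_roles)
    before = effective_permissions(current, table)
    after = effective_permissions([*current, new_role], table)
    return after - before


def audit_least_privilege(table: dict[str, frozenset[str]] = ROLE_PERMISSIONS,
                          forbidden: dict[str, frozenset[str]] = FORBIDDEN_FOR_ROLE
                          ) -> list[tuple[str, str]]:
    """Return (role, permission) pairs that violate FORBIDDEN_FOR_ROLE."""
    violations: list[tuple[str, str]] = []
    for role, banned in forbidden.items():
        held = table.get(role, frozenset())
        for perm in sorted(banned):
            if perm in held or ALL in held:
                violations.append((role, perm))
    return violations


if __name__ == "__main__":
    bot = ["organization/takumi_guard_token_issuer"]
    print("bot may mint:", is_allowed(bot, "organization.issue_takumi_guard_token"))
    print("bot may revoke:", is_allowed(bot, "organization.revoke_takumi_guard_token"))
    print("auditor -> +integration_manager adds:",
          sorted(grant_delta(["organization/auditor"],
                             "organization/integration_manager")))
    print("least-privilege violations:", audit_least_privilege())
```

Running `audit_least_privilege` against a candidate role table before it is deployed turns the page's prose rule ("the minting bot must not revoke") into a check that fails loudly; `grant_delta` is the same idea applied to individual `update_iam` changes, so a reviewer sees the exact permissions a new role would add rather than just the role name.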

### Roles and Permissions Matrix {#organization-matrix}

| Permission                                        | organization/assessor | organization/auditor | organization/browser | organization/integration_manager | organization/member | organization/owner | organization/sso_manager | organization/takumi_guard_token_issuer | organization/takumi_guard_user | organization/takumi_manager | organization/takumi_runner_user | organization/takumi_user | organization/triager | organization/user_browser |
| ------------------------------------------------- | --------------------- | -------------------- | -------------------- | -------------------------------- | ------------------- | ------------------ | ------------------------ | -------------------------------------- | ------------------------------ | --------------------------- | ------------------------------- | ------------------------ | -------------------- | ------------------------- |
| bot.create_api_key                                | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.create_trust_conditions                       | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.delete                                        | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.delete_trust_conditions                       | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.list_api_keys                                 | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.list_trust_conditions                         | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.revoke_api_key                                | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.update_api_key                                | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.update_info                                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| bot.view_info                                     | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| integration.delete                                | ❌                    | ❌                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| integration.edit                                  | ❌                    | ❌                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| integration.get_github_access_token               | ✅                    | ❌                   | ❌                   | ❌                               | ❌                  | ❌                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| integration.view                                  | ❌                    | ✅                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| notification_group.delete                         | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| notification_group.edit                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| notification_group.view                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.add_scheduled_task                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.check_takumi_guard_token_status      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ✅                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.correlate_resource                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_bot                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_chat                          | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.create_integration                   | ❌                    | ❌                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_notification_group            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_project                       | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_sso                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ✅                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_team                          | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_webhooks                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.create_workflow                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_address_from_email_allowlist  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_assessments                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_custom_decision_specification | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_organization                  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_project                       | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_scheduled_task                | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_source_code_archive           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_sso                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ✅                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_team                          | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.delete_webhooks                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.describe_assessment                  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.describe_assessment_artifacts        | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.describe_decision_specification      | ❌                    | ✅                   | ✅                   | ❌                               | ✅                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.dispatch_assessment                  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.dispatch_workflow                    | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.get_chat_history                     | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.get_takumi_scope                     | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.invite_user                          | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.invite_user_with_team                | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.issue_takumi_guard_token             | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ✅                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.kick_user                            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_assessments                     | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.list_bots                            | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_chat_metadata                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.list_custom_decision_specification   | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.list_events                          | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.list_integration                     | ❌                    | ✅                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_invitation                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_latest_source_code_references   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_notification_group              | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.list_project                         | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_readable_repo                   | ❌                    | ✅                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.list_scheduled_tasks                 | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.list_source_code_archives            | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.list_sso                             | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ✅                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_team                            | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ✅                        |
| organization.list_user                            | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ✅                   | ✅                        |
| organization.list_web_application                 | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.list_workflow                        | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.list_workflow_run                    | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.list_writable_repo                   | ❌                    | ✅                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.manage_custom_decision_specification | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.manage_guard_notification_settings   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.manage_metered_subscription          | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.manage_takumi_billing                | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.manage_takumi_settings               | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.query_real_data                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.register_address_to_email_allowlist  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.register_web_application             | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.revoke_invitation                    | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.revoke_takumi_guard_token            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.rotate_webhook_secrets               | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.scan_ports                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.send_chat_message                    | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.send_confirmation_to_mail_owner      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.stream_chat_message                  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.triage_decision                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.uncorrelate_resource                 | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.update_assessment_notifications      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.update_attack_surface_status         | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.update_iam                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.update_settings                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.update_takumi_scope                  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.upload_source_code_archive           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.use_datasource_playground            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.verify_notification_channel          | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_attack_surfaces                 | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.view_basic_info                      | ✅                    | ✅                   | ✅                   | ✅                               | ✅                  | ✅                 | ✅                       | ✅                                     | ✅                             | ✅                          | ✅                              | ✅                       | ✅                   | ✅                        |
| organization.view_ciem_settings                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_dashboard                       | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.view_decision                        | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.view_email_allowlist                 | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_exposure                        | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.view_integrated_slack_channels       | ❌                    | ✅                   | ❌                   | ✅                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_metered_subscription            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ✅                              | ❌                       | ❌                   | ❌                        |
| organization.view_permission                      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_resource                        | ✅                    | ✅                   | ✅                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.view_resource_analysis               | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| organization.view_runner_job_execution_usage      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ✅                              | ❌                       | ❌                   | ❌                        |
| organization.view_runner_metrics                  | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ✅                              | ❌                       | ❌                   | ❌                        |
| organization.view_runner_trace                    | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ✅                              | ❌                       | ❌                   | ❌                        |
| organization.view_settings                        | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_takumi_billing_info             | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ✅                             | ✅                          | ✅                              | ✅                       | ❌                   | ❌                        |
| organization.view_takumi_guard_download_logs      | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ✅                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_takumi_guard_token              | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| organization.view_webhooks                        | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| organization.view_workflow_run                    | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| takumi_workplace.delete                           | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| takumi_workplace.edit                             | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| takumi_workplace.view                             | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ✅                       | ❌                   | ❌                        |
| trust_condition.delete                            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| trust_condition.update                            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| trust_condition.view                              | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ✅                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.delete                            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.delete_endpoint                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.delete_precondition               | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.delete_scenario                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.describe_authorization_policy     | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.find_endpoints                    | ✅                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.list_endpoint                     | ✅                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.list_precondition                 | ✅                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.list_scenario                     | ✅                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.register_precondition             | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.register_scenario                 | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.scan                              | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.update                            | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.update_authorization_policy       | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.update_endpoint                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.update_precondition               | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.update_scenario                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| web_application.view                              | ✅                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ✅                   | ❌                        |
| web_application.view_find_job                     | ✅                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| workflow.delete                                   | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| workflow.dispatch                                 | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| workflow.edit                                     | ❌                    | ❌                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| workflow.view                                     | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| workflow_run.view                                 | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |
| workflow_snapshot.view                            | ❌                    | ✅                   | ❌                   | ❌                               | ❌                  | ✅                 | ❌                       | ❌                                     | ❌                             | ❌                          | ❌                              | ❌                       | ❌                   | ❌                        |

## Concept: project {#project}

A project is the second level of the hierarchy in Shisho Cloud; every project is owned by an organization.
A project aggregates resources, and it also defines its own roles that let Shisho Cloud principals access the resources within that project.

An organization can have multiple projects, and the roles granted on the organization are inherited by all of its projects.
A role granted on one project affects neither other projects nor the organization itself.

### Roles {#project-roles}

| Roles           | Description                                                                                   |
| --------------- | --------------------------------------------------------------------------------------------- |
| project/owner   | An owner of the project, able to perform all actions on the project                           |
| project/triager | A triager, able to view risk statistics and details of each finding and triage these findings |
| project/viewer  | A viewer, able to view risk statistics and details of each finding                            |

### Permissions {#project-permissions}

| Permission                                             | Description                                                                                                                                                                                                                                                                     |
| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| bot.create_api_key                                     | Create an API key for the bot                                                                                                                                                                                                                                                   |
| bot.create_trust_conditions                            | Create a trust condition                                                                                                                                                                                                                                                        |
| bot.delete                                             | Delete the bot                                                                                                                                                                                                                                                                  |
| bot.delete_trust_conditions                            | Delete a trust condition                                                                                                                                                                                                                                                        |
| bot.list_api_keys                                      | List API keys of the bot                                                                                                                                                                                                                                                        |
| bot.list_trust_conditions                              | List trust conditions of the bot                                                                                                                                                                                                                                                |
| bot.revoke_api_key                                     | Revoke an API key                                                                                                                                                                                                                                                               |
| bot.update_api_key                                     | Update an API key metadata (name, description)                                                                                                                                                                                                                                  |
| bot.update_info                                        | Update basic information of the bot                                                                                                                                                                                                                                             |
| bot.view_info                                          | View basic information of the bot                                                                                                                                                                                                                                               |
| project.add_permission                                 | Add principal(s) to the project permission table                                                                                                                                                                                                                                |
| project.create_default_notification_channels           | Create a project default notification channel                                                                                                                                                                                                                                   |
| project.create_notification_configurations             | Create a project notification configuration                                                                                                                                                                                                                                     |
| project.delete                                         | Delete the project                                                                                                                                                                                                                                                              |
| project.delete_default_notification_channels           | Delete a project default notification channel                                                                                                                                                                                                                                   |
| project.delete_notification_configurations             | Delete a project notification configuration                                                                                                                                                                                                                                     |
| project.delete_permission                              | Remove principal(s) from the project permission table                                                                                                                                                                                                                           |
| project.describe_organization_email_allowlist_item     | View the email allowlist entries that are registered to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide email allowlist.                                                  |
| project.describe_organization_integrated_slack_channel | View the details of slack channels that are integrated to the organization and tied to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide slack channel details.             |
| project.describe_organization_notification_group       | View the details of notification groups that are tied to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide slack channel details.                                           |
| project.dispatch_workflow                              | Dispatch a workflow, which can affect the entire Shisho Cloud organization and produce new scan results. Note that a workflow is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide workflow dispatch.        |
| project.link_resource                                  | Add a resource to the project scope                                                                                                                                                                                                                                             |
| project.list_bots                                      | List and describe bots within the project scope                                                                                                                                                                                                                                 |
| project.list_notification_configurations               | List project notification configurations                                                                                                                                                                                                                                        |
| project.list_scopable_entities                         | List scopable entities                                                                                                                                                                                                                                                          |
| project.triage_decision                                | Triage a finding. Note that the decision data is a shared resource with organization, and granting this permission may allow a principal to modify that shared data.                                                                                                            |
| project.unlink_resource                                | Remove a resource from the project scope                                                                                                                                                                                                                                        |
| project.update_default_notification_channels           | Update a project default notification channel                                                                                                                                                                                                                                   |
| project.update_iam                                     | Grant/revoke project-level permissions to/from principals                                                                                                                                                                                                                       |
| project.update_info                                    | Update project basic information                                                                                                                                                                                                                                                |
| project.update_notification_configurations             | Update a project notification configuration                                                                                                                                                                                                                                     |
| project.upsert_organization_email_allowlist            | Upsert an email address to the email allowlist for project default notification. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide email allowlist.                                      |
| project.view                                           | View project basic information                                                                                                                                                                                                                                                  |
| project.view_dashboard                                 | View a dashboard with risk statistics without any resource details                                                                                                                                                                                                              |
| project.view_decision                                  | View risk statistics and details of each finding with resource details. Note that the decision data is a shared resource with organization, and granting this permission may allow a principal to read that shared data.                                                        |
| project.view_default_notification_channels             | View a project default notification channel                                                                                                                                                                                                                                     |
| project.view_notification_configurations               | View a project notification configuration                                                                                                                                                                                                                                       |
| project.view_permission                                | List and describe users within the project scope                                                                                                                                                                                                                                |
| project.view_resource                                  | List and describe resources within the project scope. Note that the resource itself is a shared resource with organization, and granting this permission may allow a principal to read that shared data.                                                                        |
| project.view_resource_analysis                         | View resource risk analysis.                                                                                                                                                                                                                                                    |
| trust_condition.delete                                 | Delete the trust condition                                                                                                                                                                                                                                                      |
| trust_condition.update                                 | Update the trust condition                                                                                                                                                                                                                                                      |
| trust_condition.view                                   | View the trust condition                                                                                                                                                                                                                                                        |

### Roles and Permissions Matrix {#project-matrix}

| Permission                                             | organization/assessor | organization/auditor | organization/browser | organization/integration_manager | organization/owner | organization/takumi_manager | organization/triager | project/owner | project/triager | project/viewer |
| ------------------------------------------------------ | --------------------- | -------------------- | -------------------- | -------------------------------- | ------------------ | --------------------------- | -------------------- | ------------- | --------------- | -------------- |
| bot.create_api_key                                     | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.create_trust_conditions                            | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.delete                                             | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.delete_trust_conditions                            | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.list_api_keys                                      | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| bot.list_trust_conditions                              | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| bot.revoke_api_key                                     | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.update_api_key                                     | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.update_info                                        | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| bot.view_info                                          | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| project.add_permission                                 | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.create_default_notification_channels           | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.create_notification_configurations             | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.delete                                         | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ❌            | ❌              | ❌             |
| project.delete_default_notification_channels           | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.delete_notification_configurations             | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.delete_permission                              | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.describe_organization_email_allowlist_item     | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ✅                          | ❌                   | ✅            | ❌              | ❌             |
| project.describe_organization_integrated_slack_channel | ❌                    | ✅                   | ❌                   | ✅                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.describe_organization_notification_group       | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ✅                          | ✅                   | ✅            | ❌              | ❌             |
| project.dispatch_workflow                              | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.link_resource                                  | ✅[^1-21-0]           | ✅[^1-21-1]          | ✅[^1-21-2]          | ❌                               | ✅[^1-21-4]        | ❌                          | ✅[^1-21-6]          | ✅[^1-21-7]   | ❌              | ❌             |
| project.list_bots                                      | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| project.list_notification_configurations               | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| project.list_scopable_entities                         | ✅[^1-24-0]           | ✅[^1-24-1]          | ✅[^1-24-2]          | ❌                               | ✅[^1-24-4]        | ❌                          | ✅[^1-24-6]          | ✅[^1-24-7]   | ❌              | ❌             |
| project.triage_decision                                | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ✅                   | ✅            | ✅              | ❌             |
| project.unlink_resource                                | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.update_default_notification_channels           | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.update_iam                                     | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.update_info                                    | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.update_notification_configurations             | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.upsert_organization_email_allowlist            | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ✅                          | ❌                   | ✅            | ❌              | ❌             |
| project.view                                           | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| project.view_dashboard                                 | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ✅                   | ✅            | ✅              | ✅             |
| project.view_decision                                  | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ✅                   | ✅            | ✅              | ✅             |
| project.view_default_notification_channels             | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| project.view_notification_configurations               | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| project.view_permission                                | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |
| project.view_resource                                  | ✅                    | ✅                   | ✅                   | ❌                               | ✅                 | ❌                          | ✅                   | ✅            | ✅              | ✅             |
| project.view_resource_analysis                         | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ✅                   | ✅            | ✅              | ✅             |
| trust_condition.delete                                 | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| trust_condition.update                                 | ❌                    | ❌                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ❌              | ❌             |
| trust_condition.view                                   | ❌                    | ✅                   | ❌                   | ❌                               | ✅                 | ❌                          | ❌                   | ✅            | ✅              | ✅             |

[^1-21-0]: To perform `project.link_resource`, `organization/assessor` requires `project/owner` as well.

[^1-21-1]: To perform `project.link_resource`, `organization/auditor` requires `project/owner` as well.

[^1-21-2]: To perform `project.link_resource`, `organization/browser` requires `project/owner` as well.

[^1-21-4]: To perform `project.link_resource`, `organization/owner` requires `project/owner` as well.

[^1-21-6]: To perform `project.link_resource`, `organization/triager` requires `project/owner` as well.

[^1-21-7]: To perform `project.link_resource`, `project/owner` requires `organization/assessor` as well.

[^1-24-0]: To perform `project.list_scopable_entities`, `organization/assessor` requires `project/owner` as well.

[^1-24-1]: To perform `project.list_scopable_entities`, `organization/auditor` requires `project/owner` as well.

[^1-24-2]: To perform `project.list_scopable_entities`, `organization/browser` requires `project/owner` as well.

[^1-24-4]: To perform `project.list_scopable_entities`, `organization/owner` requires `project/owner` as well.

[^1-24-6]: To perform `project.list_scopable_entities`, `organization/triager` requires `project/owner` as well.

[^1-24-7]: To perform `project.list_scopable_entities`, `project/owner` requires `organization/assessor` as well.

## Concept: team {#team}

A team is a Shisho Cloud principal that groups users.
A team can be granted a role, and the role will be applied to all the users in the team.

### Roles {#team-roles}

| Roles       | Description                                                                                                                                      |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| team/owner  | An owner of the team, able to perform all actions on the team. Note that the owner of the team is not necessarily the owner of the organization. |
| team/member | A member of the team, able to perform actions on the team.                                                                                       |

### Permissions {#team-permissions}

| Permission       | Description                                                                                                                                 |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| team.act_as_team | Act as the team: perform the actions the team is entitled to wherever the team holds a role on another entity (e.g. an organization or a Shisho Cloud project) |
| team.delete      | Delete the team                                                                                                                             |
| team.kick_user   | Remove a user from the team                                                                                                                 |
| team.link_user   | Add a user to the team                                                                                                                      |
| team.update_iam  | Grant or revoke the team/owner role to or from team members                                                                                 |
| team.update_info | Update team basic information                                                                                                               |
| team.view        | View team basic information                                                                                                                 |

### Roles and Permissions Matrix {#team-matrix}

| Permission       | organization/auditor | organization/owner | organization/takumi_manager | organization/triager | organization/user_browser | team/member | team/owner |
| ---------------- | -------------------- | ------------------ | --------------------------- | -------------------- | ------------------------- | ----------- | ---------- |
| team.act_as_team | ❌                   | ❌                 | ❌                          | ❌                   | ❌                        | ✅          | ✅         |
| team.delete      | ❌                   | ✅                 | ❌                          | ❌                   | ❌                        | ❌          | ✅         |
| team.kick_user   | ❌                   | ✅                 | ❌                          | ❌                   | ❌                        | ❌          | ✅         |
| team.link_user   | ✅[^2-3-0]           | ✅[^2-3-1]         | ✅[^2-3-2]                  | ✅[^2-3-3]           | ✅[^2-3-4]                | ❌          | ✅[^2-3-6] |
| team.update_iam  | ❌                   | ✅                 | ❌                          | ❌                   | ❌                        | ❌          | ✅         |
| team.update_info | ❌                   | ✅                 | ❌                          | ❌                   | ❌                        | ❌          | ✅         |
| team.view        | ✅                   | ✅                 | ✅                          | ❌                   | ✅                        | ✅          | ✅         |

[^2-3-0]: To perform `team.link_user`, `organization/auditor` requires `team/owner` as well.

[^2-3-1]: To perform `team.link_user`, `organization/owner` requires `team/owner` as well.

[^2-3-2]: To perform `team.link_user`, `organization/takumi_manager` requires `team/owner` as well.

[^2-3-3]: To perform `team.link_user`, `organization/triager` requires `team/owner` as well.

[^2-3-4]: To perform `team.link_user`, `organization/user_browser` requires `team/owner` as well.

[^2-3-6]: To perform `team.link_user`, `team/owner` requires `organization/takumi_manager` as well.
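The footnotes in both matrices above describe conjunctive grants: a ✅ marked with a footnote only counts when the named second role is held as well. The following added example (not Shisho Cloud's own code) encodes the team matrix and its `[^2-3-*]` footnotes under that reading, which is an assumption drawn from the footnote wording, and resolves a user's effective roles through team membership as described under "Concept: team". The same evaluation applies to the `[^1-21-*]` and `[^1-24-*]` footnotes of the project matrix; the sample users, teams and role grants are constructed.

```python
from __future__ import annotations

# Team matrix as printed on the page: permission -> roles whose cell is ✅.
TEAM_MATRIX: dict[str, frozenset[str]] = {
    "team.act_as_team": frozenset({"team/member", "team/owner"}),
    "team.delete": frozenset({"organization/owner", "team/owner"}),
    "team.kick_user": frozenset({"organization/owner", "team/owner"}),
    "team.link_user": frozenset({
        "organization/auditor", "organization/owner",
        "organization/takumi_manager", "organization/triager",
        "organization/user_browser", "team/owner",
    }),
    "team.update_iam": frozenset({"organization/owner", "team/owner"}),
    "team.update_info": frozenset({"organization/owner", "team/owner"}),
    "team.view": frozenset({
        "organization/auditor", "organization/owner",
        "organization/takumi_manager", "organization/user_browser",
        "team/member", "team/owner",
    }),
}

# Footnotes [^2-3-*]: (permission, role) -> role that must also be held.
# Treating a footnoted cell as "role AND extra role" is an assumption.
CO_REQUIRED: dict[tuple[str, str], str] = {
    ("team.link_user", "organization/auditor"): "team/owner",
    ("team.link_user", "organization/owner"): "team/owner",
    ("team.link_user", "organization/takumi_manager"): "team/owner",
    ("team.link_user", "organization/triager"): "team/owner",
    ("team.link_user", "organization/user_browser"): "team/owner",
    ("team.link_user", "team/owner"): "organization/takumi_manager",
}


def effective_roles(
    user: str,
    direct_roles: dict[str, set[str]],
    team_roles: dict[str, set[str]],
    memberships: dict[str, set[str]],
) -> frozenset[str]:
    """Direct roles plus every role granted to a team the user belongs to
    (a team's role "will be applied to all the users in the team")."""
    roles = set(direct_roles.get(user, set()))
    for team in memberships.get(user, set()):
        roles |= team_roles.get(team, set())
    return frozenset(roles)


def is_allowed(roles: set[str] | frozenset[str], permission: str) -> bool:
    """True if some held role has a ✅ for `permission` and its footnote,
    if any, is satisfied by another held role."""
    granting = TEAM_MATRIX.get(permission, frozenset()) & set(roles)
    for role in granting:
        extra = CO_REQUIRED.get((permission, role))
        if extra is None or extra in roles:
            return True
    return False


def allowed_permissions(roles: set[str] | frozenset[str]) -> list[str]:
    """Sorted effective permissions of a role set, for least-privilege review."""
    return sorted(p for p in TEAM_MATRIX if is_allowed(roles, p))


if __name__ == "__main__":
    # Constructed sample data: alice holds organization/owner directly,
    # bob only inherits organization/auditor via the "sec-team" team.
    direct = {"alice": {"organization/owner"}, "bob": set()}
    team_roles = {"sec-team": {"organization/auditor"}}
    memberships = {"bob": {"sec-team"}}
    for user in ("alice", "bob"):
        r = effective_roles(user, direct, team_roles, memberships)
        print(user, sorted(r), allowed_permissions(r))
```

Note that under this reading `team/owner` alone cannot perform `team.link_user`: every footnoted cell in that row needs a second role, so the two-role requirement is what an audit of standing privileges should look for.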
