Roles and Permissions
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
Concept: organization
An organization is a top-level hierarchy of Shisho Cloud. It basically corresponds to a company, and it includes all the resources and users.
Roles
| Roles | Description |
|---|---|
| organization/owner | An owner of the entire organization, able to perform all actions on the organization. |
| organization/member | A member of the organization with least permissions on the organization. |
| organization/auditor | An auditor of the organization, able to view all the resources and users in the organization but not able to make any changes. |
| organization/triager | A triager, able to view risk statistics and details of each finding and triage these findings. |
| organization/browser | A browser of the organization, able to view all resources in the organization without risk statistics |
| organization/user_browser | A user browser of the organization, able to view all users and teams in the organization |
| organization/assessor | An assessor of the organization, able to view all resources in the organization for assessment |
| organization/integration_manager | An integration manager of the organization, able to manage integrations |
| organization/takumi_manager | A takumi manager of the organization, able to manage takumi-related features |
| organization/takumi_user | A takumi user of the organization, able to use Takumi chat features but not manage settings or billing |
Permissions
| Permission | Description |
|---|---|
| bot.create_api_key | Create an API key for the bot |
| bot.create_trust_conditions | Create a trust condition |
| bot.delete | Delete the bot |
| bot.delete_trust_conditions | Delete a trust condition |
| bot.list_api_keys | List API keys of the bot |
| bot.list_trust_conditions | List trust conditions of the bot |
| bot.revoke_api_key | Revoke an API key |
| bot.update_api_key | Update an API key metadata (name, description) |
| bot.update_info | Update basic information of the bot |
| bot.view_info | View basic information of the bot |
| integration.delete | Delete the integration |
| integration.edit | Update the integration |
| integration.get_github_access_token | get a GitHub access token from resources |
| integration.view | View basic information of the integration |
| notification_group.delete | Delete the notification group |
| notification_group.edit | Update configuration of the notification group |
| notification_group.view | View configuration of the notification group |
| organization.add_scheduled_task | Add a scheduled task for Takumi to perform periodic security reviews or automated actions |
| organization.correlate_resource | Correlate a resource with another resource in the security graph |
| organization.create_bot | Create a bot |
| organization.create_chat | Create a new chat session with Takumi AI assistant |
| organization.create_integration | Create an integration |
| organization.create_notification_group | Create a notification group |
| organization.create_project | Create a Shisho Cloud project |
| organization.create_sso | Add a SSO configuration |
| organization.create_team | Create a team |
| organization.create_workflow | Create a workflow |
| organization.delete_address_from_email_allowlist | Delete an email address from the email allowlist |
| organization.delete_assessments | Delete a Takumi assessment |
| organization.delete_custom_decision_specification | Delete a custom decision specification |
| organization.delete_organization | Delete an organization |
| organization.delete_project | Delete a Shisho Cloud project |
| organization.delete_scheduled_task | Delete a scheduled task from Takumi's task queue |
| organization.delete_source_code_archive | Delete source code archives |
| organization.delete_sso | Delete a SSO configuration |
| organization.delete_team | Delete a team |
| organization.describe_assessment | Describe Takumi assessment's info |
| organization.describe_assessment_artifacts | List & Describe artifacts generated by Takumi assessment (report, etc.) |
| organization.describe_decision_specification | Describe a decision specification |
| organization.dispatch_assessment | Dispatch a new Takumi assessment |
| organization.dispatch_workflow | List workflows |
| organization.get_chat_history | Retrieve chat history from previous conversations with Takumi AI assistant |
| organization.get_takumi_scope | View Takumi's access scope including allowed GitHub repositories and Slack channels |
| organization.invite_user | Send a user invitation |
| organization.invite_user_with_team | Send a user invitation with a specific team |
| organization.kick_user | Kick a user |
| organization.list_assessments | List Takumi assessments |
| organization.list_bots | List bots |
| organization.list_chat_metadata | List metadata of all chat sessions with Takumi AI assistant |
| organization.list_custom_decision_specification | List custom decision speficiations |
| organization.list_events | List audit events in the organization |
| organization.list_integration | List integrations |
| organization.list_invitation | List invitations |
| organization.list_latest_source_code_references | List latest source code references of the organization |
| organization.list_notification_group | List notification groups |
| organization.list_project | List Shisho Cloud projects |
| organization.list_readable_repo | List readable GitHub repositories via integration content |
| organization.list_scheduled_tasks | List all scheduled tasks configured for Takumi |
| organization.list_source_code_archives | List source code archives of the organization |
| organization.list_sso | List SSO configurations |
| organization.list_team | List teams |
| organization.list_user | List users, including the permissions |
| organization.list_web_application | List web applications in the organization |
| organization.list_workflow | Delete a user |
| organization.list_workflow_run | List workflow runs |
| organization.list_writable_repo | List writable GitHub repositories via integration content |
| organization.manage_custom_decision_specification | Create and update a custom decision specification |
| organization.manage_takumi_billing | Manage Takumi billing including purchasing credits, subscribing to plans, and updating payment methods |
| organization.manage_takumi_settings | Manage Takumi settings including Active Takumi configuration, Slack integration, and feature preferences |
| organization.query_real_data | Query a GraphQL API to get real data integrated to Shisho Cloud |
| organization.register_address_to_email_allowlist | Add an email address to the email allowlist |
| organization.register_web_application | Register a new web application in the organization |
| organization.revoke_invitation | Revoke a user invitation |
| organization.scan_ports | Initiate port scanning to detect network exposures |
| organization.send_chat_message | Send chat messages to Takumi AI assistant |
| organization.send_confirmation_to_mail_owner | Send a confirmation email to the email address owner |
| organization.stream_chat_message | Stream chat messages from Takumi AI assistant in real-time |
| organization.triage_decision | Triage a finding |
| organization.uncorrelate_resource | Uncorrelate a resource from another resource in the security graph |
| organization.update_assessment_notifications | Update the notification target of a Takumi assessment |
| organization.update_attack_surface_status | Update attack surface status (ignore, restore, etc.) |
| organization.update_iam | Grant/revole roles or permissions to/from organization members |
| organization.update_settings | Update organization settings |
| organization.update_takumi_scope | Update Takumi's access scope to control which GitHub repositories and Slack channels Takumi can access |
| organization.upload_source_code_archive | Upload source code archives |
| organization.use_datasource_playground | Use a datasource playground |
| organization.verify_notification_channel | Verify a notification channel is working |
| organization.view_attack_surfaces | View attack surfaces detected by scanning |
| organization.view_basic_info | View organization basic information |
| organization.view_ciem_settings | View CIEM settings |
| organization.view_dashboard | View a dashboard with risk statistics without any resource details |
| organization.view_decision | View risk statistics and details of each finding with resource details |
| organization.view_email_allowlist | View the email allowlist |
| organization.view_exposure | View network exposures detected by port scanning |
| organization.view_integrated_slack_channels | View slack channel details. This permission is isolated from the list_integration permission, for allowing users to view slack channel details without having the permission to get the details of source integrations. |
| organization.view_permission | List, describe and edit users in the organization |
| organization.view_resource | List and describe resources integrated to Shisho Cloud with risk statistics |
| organization.view_resource_analysis | View resource risk analysis |
| organization.view_settings | View organization settings |
| organization.view_takumi_billing_info | View Takumi billing information including subscription status, credit balance, and usage history |
| organization.view_workflow_run | View a workflow run |
| takumi_workplace.delete | Delete the workplace |
| takumi_workplace.edit | Update the workplace and its configuration |
| takumi_workplace.view | View the workplace and its configuration |
| trust_condition.delete | Delete the trust condition |
| trust_condition.update | Update the trust condition |
| trust_condition.view | View the trust condition |
| web_application.delete | Delete the web application |
| web_application.describe_authorization_policy | View the authorization policy configuration |
| web_application.find_endpoints | Discover endpoints of the web application |
| web_application.list_endpoint | List endpoints of the web application |
| web_application.list_precondition | List preconditions of the web application |
| web_application.list_scenario | List scenarios of the web application |
| web_application.register_precondition | Register a new precondition for the application |
| web_application.register_scenario | Register a new scenario |
| web_application.scan | Execute security scans on the web application |
| web_application.update | Update the web application's configuration and settings |
| web_application.update_authorization_policy | Update the authorization policy configuration |
| web_application.update_endpoint | Update an existing endpoint definition |
| web_application.update_precondition | Update an existing precondition |
| web_application.update_scenario | Update an existing scenario |
| web_application.view | View the web application and its basic information |
| web_application.view_find_job | View find job history |
| workflow.delete | Delete the workflow |
| workflow.dispatch | Run the workflow |
| workflow.edit | Update the workflow |
| workflow.view | View the workflow |
| workflow_run.view | View the workflow run, including exit codes and the output of the run |
| workflow_snapshot.view | View the workflow snapshot |
Roles and Permissions Matrix
| Permission | organization/assessor | organization/auditor | organization/browser | organization/integration_manager | organization/member | organization/owner | organization/takumi_manager | organization/takumi_user | organization/triager | organization/user_browser |
|---|---|---|---|---|---|---|---|---|---|---|
| bot.create_api_key | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.create_trust_conditions | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.delete_trust_conditions | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.list_api_keys | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.list_trust_conditions | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.revoke_api_key | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.update_api_key | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.update_info | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| bot.view_info | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| integration.delete | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| integration.edit | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| integration.get_github_access_token | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| integration.view | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| notification_group.delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| notification_group.edit | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| notification_group.view | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.add_scheduled_task | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.correlate_resource | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.create_bot | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.create_chat | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.create_integration | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.create_notification_group | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.create_project | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.create_sso | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.create_team | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.create_workflow | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.delete_address_from_email_allowlist | ❌ | ❌ | ❌ | ��❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.delete_assessments | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.delete_custom_decision_specification | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.delete_organization | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.delete_project | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.delete_scheduled_task | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.delete_source_code_archive | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.delete_sso | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.delete_team | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.describe_assessment | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.describe_assessment_artifacts | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.describe_decision_specification | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.dispatch_assessment | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.dispatch_workflow | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.get_chat_history | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.get_takumi_scope | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.invite_user | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.invite_user_with_team | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.kick_user | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.list_assessments | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.list_bots | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.list_chat_metadata | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.list_custom_decision_specification | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_events | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_integration | ❌ | ✅ | ❌ | ✅ | ❌ | �✅ | ❌ | ❌ | ❌ | ❌ |
| organization.list_invitation | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.list_latest_source_code_references | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.list_notification_group | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
| organization.list_project | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.list_readable_repo | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.list_scheduled_tasks | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.list_source_code_archives | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_sso | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.list_team | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ |
| organization.list_user | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| organization.list_web_application | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_workflow | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.list_workflow_run | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_writable_repo | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.manage_custom_decision_specification | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.manage_takumi_billing | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.manage_takumi_settings | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.query_real_data | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.register_address_to_email_allowlist | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.register_web_application | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.revoke_invitation | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.scan_ports | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.send_chat_message | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.send_confirmation_to_mail_owner | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.stream_chat_message | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.triage_decision | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.uncorrelate_resource | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.update_assessment_notifications | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.update_attack_surface_status | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.update_iam | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.update_settings | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.update_takumi_scope | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.upload_source_code_archive | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.use_datasource_playground | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.verify_notification_channel | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.view_attack_surfaces | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_basic_info | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| organization.view_ciem_settings | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.view_dashboard | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_decision | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_email_allowlist | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.view_exposure | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_integrated_slack_channels | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.view_permission | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| organization.view_resource | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_resource_analysis | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_settings | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| organization.view_takumi_billing_info | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| organization.view_workflow_run | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| takumi_workplace.delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| takumi_workplace.edit | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| takumi_workplace.view | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| trust_condition.delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| trust_condition.update | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| trust_condition.view | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.describe_authorization_policy | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.find_endpoints | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.list_endpoint | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.list_precondition | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.list_scenario | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.register_precondition | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.register_scenario | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.scan | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.update | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.update_authorization_policy | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.update_endpoint | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.update_precondition | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.update_scenario | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| web_application.view | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| web_application.view_find_job | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| workflow.delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| workflow.dispatch | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| workflow.edit | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| workflow.view | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| workflow_run.view | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| workflow_snapshot.view | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Concept: project
A project is the second level of hierarchy in Shisho Cloud, which is owned by an organization. It can aggregate resources, and it also defines some roles for Shisho Cloud principals to access the resources within the project.
An organization can have multiple projects, and the roles on the organization will be inherited to the projects. The role on a project will not affect other projects and the organization.
Roles
| Roles | Description |
|---|---|
| project/owner | An owner of the project, able to perform all actions on the project |
| project/triager | A triager, able to view risk statistics and details of each finding and triage these findings |
| project/viewer | A viewer, able to view risk statistics and details of each finding |
Permissions
| Permission | Description |
|---|---|
| bot.create_api_key | Create an API key for the bot |
| bot.create_trust_conditions | Create a trust condition |
| bot.delete | Delete the bot |
| bot.delete_trust_conditions | Delete a trust condition |
| bot.list_api_keys | List API keys of the bot |
| bot.list_trust_conditions | List trust conditions of the bot |
| bot.revoke_api_key | Revoke an API key |
| bot.update_api_key | Update an API key metadata (name, description) |
| bot.update_info | Update basic information of the bot |
| bot.view_info | View basic information of the bot |
| project.add_permission | Add principal(s) to the project permission table |
| project.create_default_notification_channels | Create a project default notification channel |
| project.create_notification_configurations | Create a project notification configuration |
| project.delete | Deleete the project |
| project.delete_default_notification_channels | Delete a project default notification channel |
| project.delete_notification_configurations | Delete a project notification configuration |
| project.delete_permission | Remove principal(s) from the project permission table |
| project.describe_organization_email_allowlist_item | View the email allowlist entries that are registered to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide email allowlist. |
| project.describe_organization_integrated_slack_channel | View the details of slack channels that are integrated to the organization and tied to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide slack channel details. |
| project.describe_organization_notification_group | View the details of notification groups that are tied to the project. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide slack channel details. |
| project.dispatch_workflow | Dispatch a workflow, allowing it to affect to the entire Shisho Cloud organization to cause new scan results. Note that a workflow is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide workflow dispatch. |
| project.link_resource | Add a resource to the project scope |
| project.list_bots | List and describe bots within the project scope |
| project.list_notification_configurations | List project notification configurations |
| project.list_scopable_entities | List scopable entities |
| project.triage_decision | Triage a finding. Note that the decision data is a shared resource with organization, and granting this permission may allow a principal to modify that shared data. |
| project.unlink_resource | Remove a resource from the project scope |
| project.update_default_notification_channels | Update a project default notification channel |
| project.update_iam | Grant/revole project-level permissions to/from principals |
| project.update_info | Update project basic information |
| project.update_notification_configurations | Update a project notification configuration |
| project.upsert_organization_email_allowlist | Upsert an email address to the email allowlist for project default notification. Note that this is a shared resource with organization, and allowing a principal to have this permission may affect the organization-wide email allowlist. |
| project.view | View project basic information |
| project.view_dashboard | View a dashboard with risk statistics without any resource details |
| project.view_decision | View risk statistics and details of each finding with resource details. Note that the decision data is a shared resource with organization, and granting this permission may allow a principal to read that shared data. |
| project.view_default_notification_channels | View a project default notification channel |
| project.view_notification_configurations | View a project notification configuration |
| project.view_permission | List and describe users within the project scope |
| project.view_resource | List and describe resources within the project scope. Note that the resource itself is a shared resource with organization, and granting this permission may allow a principal to read that shared data. |
| project.view_resource_analysis | View resource risk analysis. |
| trust_condition.delete | Delete the trust condition |
| trust_condition.update | Update the trust condition |
| trust_condition.view | View the trust condition |
Roles and Permissions Matrix
| Permission | organization/assessor | organization/auditor | organization/browser | organization/integration_manager | organization/owner | organization/takumi_manager | organization/triager | project/owner | project/triager | project/viewer |
|---|---|---|---|---|---|---|---|---|---|---|
| bot.create_api_key | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.create_trust_conditions | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.delete_trust_conditions | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.list_api_keys | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| bot.list_trust_conditions | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| bot.revoke_api_key | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.update_api_key | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.update_info | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| bot.view_info | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| project.add_permission | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.create_default_notification_channels | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.create_notification_configurations | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| project.delete_default_notification_channels | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.delete_notification_configurations | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.delete_permission | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.describe_organization_email_allowlist_item | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| project.describe_organization_integrated_slack_channel | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.describe_organization_notification_group | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| project.dispatch_workflow | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.link_resource | ✅1 | ✅2 | ✅3 | ❌ | ✅4 | ❌ | ✅5 | ✅6 | ❌ | ❌ |
| project.list_bots | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| project.list_notification_configurations | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| project.list_scopable_entities | ✅7 | ✅8 | ✅9 | ❌ | ✅10 | ❌ | ✅11 | ✅12 | ❌ | ❌ |
| project.triage_decision | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
| project.unlink_resource | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.update_default_notification_channels | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.update_iam | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.update_info | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.update_notification_configurations | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.upsert_organization_email_allowlist | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| project.view | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| project.view_dashboard | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_decision | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_default_notification_channels | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| project.view_notification_configurations | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| project.view_permission | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| project.view_resource | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_resource_analysis | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| trust_condition.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| trust_condition.update | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| trust_condition.view | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
Concept: team
A team is a Shisho Cloud principal that groups users. A team can be granted a role, and the role will be applied to all the users in the team.
Roles
| Roles | Description |
|---|---|
| team/owner | An owner of the team, able to perform all actions on the team. Note that the owner of the team is not necessarily the owner of the organization. |
| team/member | A member of the team, able to perform actions on the team. |
Permissions
| Permission | Description |
|---|---|
| team.act_as_team | Act as a team, able to perform actions on the team if the team has a role on other entities (e.g. organization, Shisho Cloud project, etc.) |
| team.delete | Delete the team |
| team.kick_user | Remove a user from the team |
| team.link_user | Add a user to the team |
| team.update_iam | Grant/revoke the owner to/from members |
| team.update_info | Update team basic information |
| team.view | View team basic information |
Roles and Permissions Matrix
| Permission | organization/auditor | organization/owner | organization/takumi_manager | organization/triager | organization/user_browser | team/member | team/owner |
|---|---|---|---|---|---|---|---|
| team.act_as_team | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| team.delete | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| team.kick_user | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| team.link_user | ✅13 | ✅14 | ✅15 | ✅16 | ✅17 | ❌ | ✅18 |
| team.update_iam | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| team.update_info | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| team.view | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ |
Footnotes
-
To perform
project.link_resource,organization/assessorrequiresproject/owneras well. ↩ -
To perform
project.link_resource,organization/auditorrequiresproject/owneras well. ↩ -
To perform
project.link_resource,organization/browserrequiresproject/owneras well. ↩ -
To perform
project.link_resource,organization/ownerrequiresproject/owneras well. ↩ -
To perform
project.link_resource,organization/triagerrequiresproject/owneras well. ↩ -
To perform
project.link_resource,project/ownerrequiresorganization/assessoras well. ↩ -
To perform
project.list_scopable_entities,organization/assessorrequiresproject/owneras well. ↩ -
To perform
project.list_scopable_entities,organization/auditorrequiresproject/owneras well. ↩ -
To perform
project.list_scopable_entities,organization/browserrequiresproject/owneras well. ↩ -
To perform
project.list_scopable_entities,organization/ownerrequiresproject/owneras well. ↩ -
To perform
project.list_scopable_entities,organization/triagerrequiresproject/owneras well. ↩ -
To perform
project.list_scopable_entities,project/ownerrequiresorganization/assessoras well. ↩ -
To perform
team.link_user,organization/auditorrequiresteam/owneras well. ↩ -
To perform
team.link_user,organization/ownerrequiresteam/owneras well. ↩ -
To perform
team.link_user,organization/takumi_managerrequiresteam/owneras well. ↩ -
To perform
team.link_user,organization/triagerrequiresteam/owneras well. ↩ -
To perform
team.link_user,organization/user_browserrequiresteam/owneras well. ↩ -
To perform
team.link_user,team/ownerrequiresorganization/takumi_manageras well. ↩