Roles and Permissions
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
Concept: organization
An organization is the top level of the Shisho Cloud hierarchy. It usually corresponds to a company and contains all of the resources and users.
Roles
Roles | Description |
---|---|
organization/owner | An owner of the entire organization, able to perform all actions on the organization. |
organization/member | A member of the organization with the fewest permissions on the organization. |
organization/auditor | An auditor of the organization, able to view all the resources and users in the organization but not able to make any changes. |
organization/browser | A browser of the organization, able to view all resources in the organization without risk statistics |
organization/user_browser | A user browser of the organization, able to view all users and teams in the organization |
organization/assessor | An assessor of the organization, able to view all resources in the organization for assessment |
Permissions
Permission | Description |
---|---|
bot.create_trust_conditions | Create a trust condition |
bot.delete | Delete the bot |
bot.delete_trust_conditions | Delete a trust condition |
bot.list_trust_conditions | List trust conditions of the bot |
bot.update_info | Update basic information of the bot |
bot.view_info | View basic information of the bot |
integration.delete | Delete the integration |
integration.edit | Update the integration |
integration.get_github_access_token | Get a GitHub access token from resources |
integration.view | View basic information of the integration |
notification_group.delete | Delete the notification group |
notification_group.edit | Update configuration of the notification group |
notification_group.view | View configuration of the notification group |
organization.create_bot | Create a bot |
organization.create_integration | Create an integration |
organization.create_notification_group | Create a notification group |
organization.create_project | Create a Shisho Cloud project |
organization.create_sso | Add a SSO configuration |
organization.create_team | Create a team |
organization.create_workflow | Create a workflow |
organization.delete_address_from_email_allowlist | Delete an email address from the email allowlist |
organization.delete_custom_decision_specification | Delete a custom decision specification |
organization.delete_organization | Delete an organization |
organization.delete_sso | Delete a SSO configuration |
organization.delete_team | Delete a team |
organization.describe_decision_specification | Describe a decision specification |
organization.dispatch_workflow | Dispatch a workflow |
organization.invite_user | Send a user invitation |
organization.kick_user | Remove a user from the organization |
organization.list_bots | List bots |
organization.list_custom_decision_specification | List custom decision specifications |
organization.list_integration | List integrations |
organization.list_invitation | List invitations |
organization.list_notification_group | List notification groups |
organization.list_project | List Shisho Cloud projects |
organization.list_sso | List SSO configurations |
organization.list_team | List teams |
organization.list_user | List users |
organization.list_workflow | List workflows |
organization.list_workflow_run | List workflow runs |
organization.manage_custom_decision_specification | Create and update a custom decision specification |
organization.query_real_data | Query a GraphQL API to get real data integrated to Shisho Cloud |
organization.register_address_to_email_allowlist | Add an email address to the email allowlist |
organization.send_confirmation_to_mail_owner | Send a confirmation email to the email address owner |
organization.triage_decision | Triage a finding |
organization.update_iam | Grant/revoke roles or permissions to/from organization members |
organization.update_settings | Update organization settings |
organization.use_datasource_playground | Use a datasource playground |
organization.verify_notification_channel | Verify a notification channel is working |
organization.view_basic_info | View organization basic information |
organization.view_dashboard | View a dashboard with risk statistics without any resource details |
organization.view_decision | View risk statistics and details of each finding with resource details |
organization.view_email_allowlist | View the email allowlist |
organization.view_resource | List and describe resources integrated to Shisho Cloud with risk statistics |
organization.view_resource_analysis | View resource risk analysis |
organization.view_settings | View organization settings |
trust_condition.delete | Delete the trust condition |
trust_condition.update | Update the trust condition |
trust_condition.view | View the trust condition |
workflow.delete | Delete the workflow |
workflow.dispatch | Run the workflow |
workflow.edit | Update the workflow |
workflow.view | View the workflow |
workflow_run.view | View the workflow run, including exit codes and the output of the run |
workflow_snapshot.view | View the workflow snapshot |
Roles and Permissions Matrix
Permission | organization/assessor | organization/auditor | organization/browser | organization/member | organization/owner | organization/user_browser |
---|---|---|---|---|---|---|
bot.create_trust_conditions | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
bot.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
bot.delete_trust_conditions | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
bot.list_trust_conditions | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
bot.update_info | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
bot.view_info | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
integration.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
integration.edit | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
integration.get_github_access_token | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
integration.view | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
notification_group.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
notification_group.edit | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
notification_group.view | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_bot | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_integration | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_notification_group | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_project | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_sso | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_team | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.create_workflow | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.delete_address_from_email_allowlist | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.delete_custom_decision_specification | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.delete_organization | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.delete_sso | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.delete_team | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.describe_decision_specification | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
organization.dispatch_workflow | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.invite_user | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.kick_user | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.list_bots | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_custom_decision_specification | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_integration | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_invitation | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.list_notification_group | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_project | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_sso | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_team | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ |
organization.list_user | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ |
organization.list_workflow | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.list_workflow_run | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.manage_custom_decision_specification | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.query_real_data | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.register_address_to_email_allowlist | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.send_confirmation_to_mail_owner | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.triage_decision | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.update_iam | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.update_settings | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.use_datasource_playground | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.verify_notification_channel | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
organization.view_basic_info | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
organization.view_dashboard | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.view_decision | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.view_email_allowlist | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.view_resource | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
organization.view_resource_analysis | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
organization.view_settings | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
trust_condition.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
trust_condition.update | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
trust_condition.view | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
workflow.delete | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
workflow.dispatch | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
workflow.edit | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
workflow.view | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
workflow_run.view | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
workflow_snapshot.view | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
Concept: project
A project is the second level of the Shisho Cloud hierarchy and is owned by an organization. It aggregates resources and defines roles that let Shisho Cloud principals access the resources within the project.
An organization can have multiple projects, and roles on the organization are inherited by its projects. A role on a project affects neither other projects nor the organization.
Roles
Roles | Description |
---|---|
project/owner | An owner of the project, able to perform all actions on the project |
project/triager | A triager, able to view risk statistics and details of each finding and triage these findings |
project/viewer | A viewer, able to view risk statistics and details of each finding |
Permissions
Permission | Description |
---|---|
bot.create_trust_conditions | Create a trust condition |
bot.delete | Delete the bot |
bot.delete_trust_conditions | Delete a trust condition |
bot.list_trust_conditions | List trust conditions of the bot |
bot.update_info | Update basic information of the bot |
bot.view_info | View basic information of the bot |
project.add_permission | Add principal(s) to the project permission table |
project.create_default_notification_channels | Create a project default notification channel |
project.delete | Delete the project |
project.delete_default_notification_channels | Delete a project default notification channel |
project.delete_permission | Remove principal(s) from the project permission table |
project.dispatch_workflow | Dispatch a workflow, which can affect the entire Shisho Cloud organization and produce new scan results |
project.link_resource | Add a resource to the project scope |
project.list_bots | List and describe bots within the project scope |
project.list_scopable_entities | List scopable entities |
project.triage_decision | Triage a finding |
project.unlink_resource | Remove a resource from the project scope |
project.update_default_notification_channels | Update a project default notification channel |
project.update_iam | Grant/revoke project-level permissions to/from principals |
project.update_info | Update project basic information |
project.view | View project basic information |
project.view_dashboard | View a dashboard with risk statistics without any resource details |
project.view_decision | View risk statistics and details of each finding with resource details |
project.view_default_notification_channels | View a project default notification channel |
project.view_permission | List and describe users within the project scope |
project.view_resource | List and describe resources within the project scope |
project.view_resource_analysis | View resource risk analysis |
trust_condition.delete | Delete the trust condition |
trust_condition.update | Update the trust condition |
trust_condition.view | View the trust condition |
Roles and Permissions Matrix
Permission | organization/assessor | organization/auditor | organization/browser | organization/owner | project/owner | project/triager | project/viewer |
---|---|---|---|---|---|---|---|
bot.create_trust_conditions | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
bot.delete | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
bot.delete_trust_conditions | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
bot.list_trust_conditions | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
bot.update_info | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
bot.view_info | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
project.add_permission | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.create_default_notification_channels | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.delete | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
project.delete_default_notification_channels | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.delete_permission | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.dispatch_workflow | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.link_resource | ✅ [1] | ✅ [2] | ✅ [3] | ✅ [4] | ✅ [5] | ❌ | ❌ |
project.list_bots | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
project.list_scopable_entities | ✅ [6] | ✅ [7] | ✅ [8] | ✅ [9] | ✅ [10] | ❌ | ❌ |
project.triage_decision | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ |
project.unlink_resource | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.update_default_notification_channels | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.update_iam | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.update_info | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.view | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
project.view_dashboard | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
project.view_decision | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
project.view_default_notification_channels | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
project.view_permission | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
project.view_resource | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
project.view_resource_analysis | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
trust_condition.delete | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
trust_condition.update | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
trust_condition.view | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
Concept: team
A team is a Shisho Cloud principal that groups users. A team can be granted a role, and the role will be applied to all the users in the team.
Roles
Roles | Description |
---|---|
team/owner | An owner of the team, able to perform all actions on the team. Note that the owner of the team is not necessarily the owner of the organization. |
team/member | A member of the team, able to perform actions on the team. |
Permissions
Permission | Description |
---|---|
team.act_as_team | Act as a team, able to perform actions on the team if the team has a role on other entities (e.g. organization, Shisho Cloud project, etc.) |
team.delete | Delete the team |
team.kick_user | Remove a user from the team |
team.link_user | Add a user to the team |
team.update_iam | Grant/revoke the owner to/from members |
team.update_info | Update team basic information |
team.view | View team basic information |
Roles and Permissions Matrix
Permission | organization/auditor | organization/owner | organization/user_browser | team/member | team/owner |
---|---|---|---|---|---|
team.act_as_team | ❌ | ❌ | ❌ | ✅ | ✅ |
team.delete | ❌ | ✅ | ❌ | ❌ | ✅ |
team.kick_user | ❌ | ✅ | ❌ | ❌ | ✅ |
team.link_user | ✅ [11] | ✅ [12] | ✅ [13] | ❌ | ✅ [14] |
team.update_iam | ❌ | ✅ | ❌ | ❌ | ✅ |
team.update_info | ❌ | ✅ | ❌ | ❌ | ✅ |
team.view | ✅ | ✅ | ✅ | ✅ | ✅ |
Footnotes
1. To perform project.link_resource, organization/assessor requires project/owner as well.
2. To perform project.link_resource, organization/auditor requires project/owner as well.
3. To perform project.link_resource, organization/browser requires project/owner as well.
4. To perform project.link_resource, organization/owner requires project/owner as well.
5. To perform project.link_resource, project/owner requires organization/assessor as well.
6. To perform project.list_scopable_entities, organization/assessor requires project/owner as well.
7. To perform project.list_scopable_entities, organization/auditor requires project/owner as well.
8. To perform project.list_scopable_entities, organization/browser requires project/owner as well.
9. To perform project.list_scopable_entities, organization/owner requires project/owner as well.
10. To perform project.list_scopable_entities, project/owner requires organization/assessor as well.
11. To perform team.link_user, organization/auditor requires team/owner as well.
12. To perform team.link_user, organization/owner requires team/owner as well.
13. To perform team.link_user, organization/user_browser requires team/owner as well.
14. To perform team.link_user, team/owner requires organization/user_browser as well.
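The following is an added example, not Shisho Cloud code or its API, that models how the rules stated on this page combine when an access check is evaluated: organization roles are inherited by every project and team, a project role is scoped to that one project, a team role applies to every member of the team, and the footnoted permissions (project.link_resource, project.list_scopable_entities, team.link_user) need a role at both the organization level and the project or team level. The role-to-permission table is a hand-copied subset of the matrices above; the user, team and project names are constructed. Two points are assumptions rather than statements of the page: that team membership by itself confers team/member on that team, and that for the footnoted permissions any of the organization roles listed in the footnotes satisfies the organization-level half of the requirement (the page's own footnotes for the project/owner and team/owner columns name only one organization role each).

```python
"""Toy access-check for the role model described on this page.

Added illustration, not Shisho Cloud's own code. ROLE_PERMISSIONS is a
hand-copied subset of the page's matrices; the evaluation rules are taken from
the page text and footnotes. Sample principals, projects and teams are constructed.
"""
from dataclasses import dataclass

# Hand-copied subset of the "Roles and Permissions Matrix" tables on this page.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "organization/owner": {"organization.update_iam", "organization.view_resource",
                           "project.view_decision", "project.triage_decision",
                           "project.link_resource", "team.link_user"},
    "organization/auditor": {"organization.view_resource", "organization.view_decision",
                             "project.view_decision", "project.link_resource", "team.link_user"},
    "organization/assessor": {"organization.view_resource", "project.view_resource",
                              "project.link_resource"},
    "organization/user_browser": {"organization.list_user", "team.view", "team.link_user"},
    "organization/member": {"organization.view_basic_info"},
    "project/owner": {"project.view_decision", "project.triage_decision",
                      "project.update_iam", "project.link_resource"},
    "project/triager": {"project.view_decision", "project.triage_decision"},
    "project/viewer": {"project.view_decision"},
    "team/owner": {"team.view", "team.link_user", "team.kick_user"},
    "team/member": {"team.view", "team.act_as_team"},
}

# Footnotes 1-14 read as a conjunction: the scoped role on the target project or
# team AND one of the listed organization roles. ASSUMPTION: any of the listed
# organization roles satisfies the organization-level half.
_LINK_ORG_ROLES = {"organization/assessor", "organization/auditor",
                   "organization/browser", "organization/owner"}
DUAL_LEVEL: dict[str, tuple[str, set[str]]] = {
    "project.link_resource": ("project/owner", _LINK_ORG_ROLES),
    "project.list_scopable_entities": ("project/owner", _LINK_ORG_ROLES),
    "team.link_user": ("team/owner", {"organization/auditor", "organization/owner",
                                      "organization/user_browser"}),
}


@dataclass(frozen=True)
class Binding:
    principal: str  # a user id or a team id (a team is a principal too)
    role: str
    scope: str      # "org", "project:<name>" or "team:<name>"


class Directory:
    def __init__(self, bindings: list[Binding], team_members: dict[str, set[str]]):
        self.bindings = bindings
        self.team_members = team_members

    def direct_roles(self, user: str, scope: str) -> set[str]:
        """Roles bound at exactly this scope, to the user or to a team the user is in."""
        teams = {t for t, members in self.team_members.items() if user in members}
        roles = {b.role for b in self.bindings
                 if b.principal in ({user} | teams) and b.scope == scope}
        if scope.startswith("team:") and scope[len("team:"):] in teams:
            roles.add("team/member")  # ASSUMPTION: membership confers team/member
        return roles

    def effective_roles(self, user: str, scope: str) -> set[str]:
        """Scoped roles plus organization roles, which inherit into projects and teams."""
        roles = self.direct_roles(user, scope)
        if scope != "org":
            roles |= self.direct_roles(user, "org")
        return roles

    def allowed(self, user: str, permission: str, scope: str) -> bool:
        """Does some effective role grant the permission, and do footnoted
        permissions also hold the required role at both levels?"""
        roles = self.effective_roles(user, scope)
        if not any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles):
            return False
        if permission in DUAL_LEVEL:
            local_role, org_roles = DUAL_LEVEL[permission]
            return (local_role in self.direct_roles(user, scope)
                    and bool(org_roles & self.direct_roles(user, "org")))
        return True


def roles_granting(permission: str) -> set[str]:
    """Roles that grant a permission: handy when reviewing who can reach a sensitive action."""
    return {r for r, perms in ROLE_PERMISSIONS.items() if permission in perms}


# Constructed sample directory.
SAMPLE = Directory(
    bindings=[
        Binding("alice", "organization/owner", "org"),
        Binding("carol", "organization/auditor", "org"),
        Binding("bob", "project/triager", "project:payments"),
        Binding("frank", "project/owner", "project:payments"),       # no organization role
        Binding("grace", "organization/assessor", "org"),
        Binding("grace", "project/owner", "project:payments"),
        Binding("sec", "project/viewer", "project:payments"),         # team "sec" as principal
        Binding("eve", "team/owner", "team:sec"),
        Binding("eve", "organization/user_browser", "org"),
    ],
    team_members={"sec": {"dave", "eve"}},
)

if __name__ == "__main__":
    print("bob triages payments:", SAMPLE.allowed("bob", "project.triage_decision", "project:payments"))
    print("bob triages billing:", SAMPLE.allowed("bob", "project.triage_decision", "project:billing"))
    print("org owner links resource alone:", SAMPLE.allowed("alice", "project.link_resource", "project:payments"))
    print("who can update org IAM:", roles_granting("organization.update_iam"))
```

Running the script shows the two properties worth checking in any role review: a project-scoped role does not leak into another project or up to the organization, and an organization/owner binding by itself does not satisfy project.link_resource, because footnote 4 also demands project/owner on that project.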