権限とロール
organization レベルの権限とロール
An organization is a top-level hierarchy of Shisho Cloud. It basically corresponds to a company, and it includes all the resources and users.
ロールの一覧
| Roles | Description |
|---|---|
| organization/owner | An owner of the entire organization, able to perform all actions on the organization. |
| organization/member | A member of the organization with least permissions on the organization. |
| organization/auditor | An auditor of the organization, able to view all the resources and users in the organization but not able to make any changes. |
| organization/browser | A browser of the organization, able to view all resources in the organization with without risk statistics |
| organization/user_browser | A user browser of the organization, able to view all users and teams in the organization |
権限の一覧
| Permission | Description |
|---|---|
| bot.create_trust_conditions | Create a trust condition |
| bot.delete | Delete the bot |
| bot.delete_trust_conditions | Delete a trust condition |
| bot.list_trust_conditions | List trust conditions of the bot |
| bot.update_info | Update basic information of the bot |
| bot.view_info | View basic information of the bot |
| integration.delete | Delete the integration |
| integration.edit | Update the integration |
| integration.view | View basic information of the integration |
| notification_group.delete | Delete the notification group |
| notification_group.edit | Update configuration of the notification group |
| notification_group.view | View configuration of the notification group |
| organization.create_bot | Create a bot |
| organization.create_integration | Create an integration |
| organization.create_notification_group | Create a notification group |
| organization.create_project | Create a Shisho Cloud project |
| organization.create_team | Create a team |
| organization.create_workflow | Create a workflow |
| organization.delete_address_from_email_allowlist | Delete an email address from the email allowlist |
| organization.delete_custom_decision_specification | Delete a custom decision specification |
| organization.delete_organization | Delete an organization |
| organization.describe_decision_specification | Describe a decision specification |
| organization.dispatch_workflow | List workflows |
| organization.invite_user | Send a user invitation |
| organization.kick_user | Create a user |
| organization.list_bots | List bots |
| organization.list_custom_decision_specification | List custom decision speficiations |
| organization.list_integration | List integrations |
| organization.list_invitation | List invitations |
| organization.list_notification_group | List notification groups |
| organization.list_project | List Shisho Cloud projects |
| organization.list_team | List teams |
| organization.list_user | List users |
| organization.list_workflow | Delete a user |
| organization.list_workflow_run | List workflow runs |
| organization.manage_custom_decision_specification | Create and update a custom decision specification |
| organization.query_real_data | Query a GraphQL API to get real data integrated to Shisho Cloud |
| organization.register_address_to_email_allowlist | Add an email address to the email allowlist |
| organization.send_confirmation_to_mail_owner | Send a confirmation email to the email address owner |
| organization.triage_decision | Triage a finding |
| organization.update_settings | Update organization settings |
| organization.update_user_role | Update a user |
| organization.use_datasource_playground | Use a datasource playground |
| organization.verify_notification_channel | Verify a notification channel is working |
| organization.view_basic_info | View organization basic information |
| organization.view_dashboard | View a dashboard with risk statistics without any resource details |
| organization.view_decision | View risk statistics and details of each finding with resource details |
| organization.view_email_allowlist | View the email allowlist |
| organization.view_resource | List and describe resources integrated to Shisho Cloud with risk statistics |
| organization.view_resource_analysis | View resource risk analysis |
| organization.view_settings | View organization settings |
| trust_condition.delete | Delete the trust condition |
| trust_condition.update | Update the trust condition |
| trust_condition.view | View the trust condition |
| workflow.delete | Delete the workflow |
| workflow.dispatch | Run the workflow |
| workflow.edit | Update the workflow |
| workflow.view | View the workflow |
| workflow_run.view | View the workflow run, including exit codes and the output of the run |
| workflow_snapshot.view | View the workflow snapshot |
ロールと権限のマッピング
| Permission | organization/auditor | organization/browser | organization/member | organization/owner | organization/user_browser |
|---|---|---|---|---|---|
| bot.create_trust_conditions | ❌ | ❌ | ❌ | ✅ | ❌ |
| bot.delete | ❌ | ❌ | ❌ | ✅ | ❌ |
| bot.delete_trust_conditions | ❌ | ❌ | ❌ | ✅ | ❌ |
| bot.list_trust_conditions | ✅ | ❌ | ❌ | ✅ | ❌ |
| bot.update_info | ❌ | ❌ | ❌ | ✅ | ❌ |
| bot.view_info | ✅ | ❌ | ❌ | ✅ | ❌ |
| integration.delete | ❌ | ❌ | ❌ | ✅ | ❌ |
| integration.edit | ❌ | ❌ | ❌ | ✅ | ❌ |
| integration.view | ❌ | ❌ | ❌ | ✅ | ❌ |
| notification_group.delete | ❌ | ❌ | ❌ | ✅ | ❌ |
| notification_group.edit | ❌ | ❌ | ❌ | ✅ | ❌ |
| notification_group.view | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.create_bot | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.create_integration | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.create_notification_group | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.create_project | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.create_team | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.create_workflow | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.delete_address_from_email_allowlist | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.delete_custom_decision_specification | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.delete_organization | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.describe_decision_specification | ✅ | ✅ | ✅ | ✅ | ❌ |
| organization.dispatch_workflow | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.invite_user | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.kick_user | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.list_bots | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_custom_decision_specification | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_integration | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_invitation | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.list_notification_group | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_project | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_team | ✅ | ❌ | ❌ | ✅ | ✅ |
| organization.list_user | ✅ | ❌ | ❌ | ✅ | ✅ |
| organization.list_workflow | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.list_workflow_run | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.manage_custom_decision_specification | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.query_real_data | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.register_address_to_email_allowlist | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.send_confirmation_to_mail_owner | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.triage_decision | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.update_settings | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.update_user_role | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.use_datasource_playground | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.verify_notification_channel | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.view_basic_info | ✅ | ✅ | ✅ | ✅ | ✅ |
| organization.view_dashboard | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_decision | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_email_allowlist | ❌ | ❌ | ❌ | ✅ | ❌ |
| organization.view_resource | ✅ | ✅ | ❌ | ✅ | ❌ |
| organization.view_resource_analysis | ✅ | ❌ | ❌ | ✅ | ❌ |
| organization.view_settings | ✅ | ❌ | ❌ | ✅ | ❌ |
| trust_condition.delete | ❌ | ❌ | ❌ | ✅ | ❌ |
| trust_condition.update | ❌ | ❌ | ❌ | ✅ | ❌ |
| trust_condition.view | ✅ | ❌ | ❌ | ✅ | ❌ |
| workflow.delete | ❌ | ❌ | ❌ | ✅ | ❌ |
| workflow.dispatch | ❌ | ❌ | ❌ | ✅ | ❌ |
| workflow.edit | ❌ | ❌ | ❌ | ✅ | ❌ |
| workflow.view | ✅ | ❌ | ❌ | ✅ | ❌ |
| workflow_run.view | ✅ | ❌ | ❌ | ✅ | ❌ |
| workflow_snapshot.view | ✅ | ❌ | ❌ | ✅ | ❌ |
project レベルの権限とロール
A project is the second level of hierarchy in Shisho Cloud, which is owned by an organization. It can aggregate resources, and it also defines some roles for Shisho Cloud principals to access the resources within the project.
An organization can have multiple projects, and the roles on the organization will be inherited to the projects. The role on a project will not affect other projects and the organization.
ロールの一覧
| Roles | Description |
|---|---|
| project/owner | An owner of the project, able to perform all actions on the project |
| project/triager | A triager, able to view risk statistics and details of each finding and triage these findings |
| project/viewer | A viewer, able to view risk statistics and details of each finding |
権限の一覧
| Permission | Description |
|---|---|
| bot.create_trust_conditions | Create a trust condition |
| bot.delete | Delete the bot |
| bot.delete_trust_conditions | Delete a trust condition |
| bot.list_trust_conditions | List trust conditions of the bot |
| bot.update_info | Update basic information of the bot |
| bot.view_info | View basic information of the bot |
| project.add_permission | Add principal(s) to the project permission table |
| project.delete | Deleete the project |
| project.delete_permission | Remove principal(s) from the project permission table |
| project.link_resource | Add a resource to the project scope |
| project.list_bots | List and describe bots within the project scope |
| project.list_scopable_entities | List scopable entities |
| project.triage_decision | Triage a finding |
| project.unlink_resource | Remove a resource from the project scope |
| project.update_info | Update project basic information |
| project.view | View project basic information |
| project.view_dashboard | View a dashboard with risk statistics without any resource details |
| project.view_decision | View risk statistics and details of each finding with resource details |
| project.view_permission | List and describe users within the project scope |
| project.view_resource | List and describe resources within the project scope |
| project.view_resource_analysis | View resource risk analysis. |
| trust_condition.delete | Delete the trust condition |
| trust_condition.update | Update the trust condition |
| trust_condition.view | View the trust condition |
ロールと権限のマッピング
| Permission | organization/auditor | organization/browser | organization/owner | project/owner | project/triager | project/viewer |
|---|---|---|---|---|---|---|
| bot.create_trust_conditions | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| bot.delete | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| bot.delete_trust_conditions | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| bot.list_trust_conditions | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| bot.update_info | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| bot.view_info | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.add_permission | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| project.delete | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| project.delete_permission | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| project.link_resource | ✅1-9-0 | ✅1-9-1 | ✅1-9-2 | ✅1-9-3 | ❌ | ❌ |
| project.list_bots | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.list_scopable_entities | ✅1-11-0 | ✅1-11-1 | ✅1-11-2 | ✅1-11-3 | ❌ | ❌ |
| project.triage_decision | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ |
| project.unlink_resource | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| project.update_info | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| project.view | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_dashboard | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_decision | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_permission | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| project.view_resource | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| project.view_resource_analysis | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| trust_condition.delete | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| trust_condition.update | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| trust_condition.view | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
team レベルの権限とロール
A team is a Shisho Cloud principal that groups users. A team can be granted a role, and the role will be applied to all the users in the team.
ロールの一覧
| Roles | Description |
|---|---|
| team/owner | An owner of the team, able to perform all actions on the team. Note that the owner of the team is not necessarily the owner of the organization. |
| team/member | A member of the team, able to perform actions on the team. |
権限の一覧
| Permission | Description |
|---|---|
| team.act_as_team | Act as a team, able to perform actions on the team if the team has a role on other entities (e.g. organization, Shisho Cloud project, etc.) |
| team.delete | Delete the team |
| team.kick_user | Remove a user from the team |
| team.link_user | Add a user to the team |
| team.update_info | Update team basic information |
| team.view | View team basic information |
ロールと権限のマッピング
| Permission | organization/auditor | organization/owner | organization/user_browser | team/member | team/owner |
|---|---|---|---|---|---|
| team.act_as_team | ❌ | ❌ | ❌ | ✅ | ✅ |
| team.delete | ❌ | ✅ | ❌ | ❌ | ✅ |
| team.kick_user | ❌ | ✅ | ❌ | ❌ | ✅ |
| team.link_user | ❌ | ✅ | ❌ | ❌ | ✅ |
| team.update_info | ❌ | ✅ | ❌ | ❌ | ✅ |
| team.view | ✅ | ✅ | ✅ | ✅ | ✅ |
- To perform
project.list_scopable_entities,project/ownerrequiresorganization/browseras well.↩ - To perform
project.list_scopable_entities,organization/ownerrequiresproject/owneras well.↩ - To perform
project.list_scopable_entities,organization/browserrequiresproject/owneras well.↩ - To perform
project.list_scopable_entities,organization/auditorrequiresproject/owneras well.↩ - To perform
project.link_resource,project/ownerrequiresorganization/browseras well.↩ - To perform
project.link_resource,organization/ownerrequiresproject/owneras well.↩ - To perform
project.link_resource,organization/browserrequiresproject/owneras well.↩ - To perform
project.link_resource,organization/auditorrequiresproject/owneras well.↩