メインコンテンツまでスキップ

権限とロール

organization レベルの権限とロール

An organization is a top-level hierarchy of Shisho Cloud. It basically corresponds to a company, and it includes all the resources and users.

ロールの一覧

RolesDescription
organization/ownerAn owner of the entire organization, able to perform all actions on the organization.
organization/memberA member of the organization with least permissions on the organization.
organization/auditorAn auditor of the organization, able to view all the resources and users in the organization but not able to make any changes.
organization/browserA browser of the organization, able to view all resources in the organization with without risk statistics
organization/user_browserA user browser of the organization, able to view all users and teams in the organization

権限の一覧

PermissionDescription
bot.create_trust_conditionsCreate a trust condition
bot.deleteDelete the bot
bot.delete_trust_conditionsDelete a trust condition
bot.list_trust_conditionsList trust conditions of the bot
bot.update_infoUpdate basic information of the bot
bot.view_infoView basic information of the bot
integration.deleteDelete the integration
integration.editUpdate the integration
integration.viewView basic information of the integration
notification_group.deleteDelete the notification group
notification_group.editUpdate configuration of the notification group
notification_group.viewView configuration of the notification group
organization.create_botCreate a bot
organization.create_integrationCreate an integration
organization.create_notification_groupCreate a notification group
organization.create_projectCreate a Shisho Cloud project
organization.create_teamCreate a team
organization.create_workflowCreate a workflow
organization.delete_address_from_email_allowlistDelete an email address from the email allowlist
organization.delete_custom_decision_specificationDelete a custom decision specification
organization.delete_organizationDelete an organization
organization.describe_decision_specificationDescribe a decision specification
organization.dispatch_workflowList workflows
organization.invite_userSend a user invitation
organization.kick_userCreate a user
organization.list_botsList bots
organization.list_custom_decision_specificationList custom decision speficiations
organization.list_integrationList integrations
organization.list_invitationList invitations
organization.list_notification_groupList notification groups
organization.list_projectList Shisho Cloud projects
organization.list_teamList teams
organization.list_userList users
organization.list_workflowDelete a user
organization.list_workflow_runList workflow runs
organization.manage_custom_decision_specificationCreate and update a custom decision specification
organization.query_real_dataQuery a GraphQL API to get real data integrated to Shisho Cloud
organization.register_address_to_email_allowlistAdd an email address to the email allowlist
organization.send_confirmation_to_mail_ownerSend a confirmation email to the email address owner
organization.triage_decisionTriage a finding
organization.update_settingsUpdate organization settings
organization.update_user_roleUpdate a user
organization.use_datasource_playgroundUse a datasource playground
organization.verify_notification_channelVerify a notification channel is working
organization.view_basic_infoView organization basic information
organization.view_dashboardView a dashboard with risk statistics without any resource details
organization.view_decisionView risk statistics and details of each finding with resource details
organization.view_email_allowlistView the email allowlist
organization.view_resourceList and describe resources integrated to Shisho Cloud with risk statistics
organization.view_resource_analysisView resource risk analysis
organization.view_settingsView organization settings
trust_condition.deleteDelete the trust condition
trust_condition.updateUpdate the trust condition
trust_condition.viewView the trust condition
workflow.deleteDelete the workflow
workflow.dispatchRun the workflow
workflow.editUpdate the workflow
workflow.viewView the workflow
workflow_run.viewView the workflow run, including exit codes and the output of the run
workflow_snapshot.viewView the workflow snapshot

ロールと権限のマッピング

Permissionorganization/auditororganization/browserorganization/memberorganization/ownerorganization/user_browser
bot.create_trust_conditions
bot.delete
bot.delete_trust_conditions
bot.list_trust_conditions
bot.update_info
bot.view_info
integration.delete
integration.edit
integration.view
notification_group.delete
notification_group.edit
notification_group.view
organization.create_bot
organization.create_integration
organization.create_notification_group
organization.create_project
organization.create_team
organization.create_workflow
organization.delete_address_from_email_allowlist
organization.delete_custom_decision_specification
organization.delete_organization
organization.describe_decision_specification
organization.dispatch_workflow
organization.invite_user
organization.kick_user
organization.list_bots
organization.list_custom_decision_specification
organization.list_integration
organization.list_invitation
organization.list_notification_group
organization.list_project
organization.list_team
organization.list_user
organization.list_workflow
organization.list_workflow_run
organization.manage_custom_decision_specification
organization.query_real_data
organization.register_address_to_email_allowlist
organization.send_confirmation_to_mail_owner
organization.triage_decision
organization.update_settings
organization.update_user_role
organization.use_datasource_playground
organization.verify_notification_channel
organization.view_basic_info
organization.view_dashboard
organization.view_decision
organization.view_email_allowlist
organization.view_resource
organization.view_resource_analysis
organization.view_settings
trust_condition.delete
trust_condition.update
trust_condition.view
workflow.delete
workflow.dispatch
workflow.edit
workflow.view
workflow_run.view
workflow_snapshot.view

project レベルの権限とロール

A project is the second level of hierarchy in Shisho Cloud, which is owned by an organization. It can aggregate resources, and it also defines some roles for Shisho Cloud principals to access the resources within the project.

An organization can have multiple projects, and the roles on the organization will be inherited to the projects. The role on a project will not affect other projects and the organization.

ロールの一覧

RolesDescription
project/ownerAn owner of the project, able to perform all actions on the project
project/triagerA triager, able to view risk statistics and details of each finding and triage these findings
project/viewerA viewer, able to view risk statistics and details of each finding

権限の一覧

PermissionDescription
bot.create_trust_conditionsCreate a trust condition
bot.deleteDelete the bot
bot.delete_trust_conditionsDelete a trust condition
bot.list_trust_conditionsList trust conditions of the bot
bot.update_infoUpdate basic information of the bot
bot.view_infoView basic information of the bot
project.add_permissionAdd principal(s) to the project permission table
project.deleteDeleete the project
project.delete_permissionRemove principal(s) from the project permission table
project.link_resourceAdd a resource to the project scope
project.list_botsList and describe bots within the project scope
project.list_scopable_entitiesList scopable entities
project.triage_decisionTriage a finding
project.unlink_resourceRemove a resource from the project scope
project.update_infoUpdate project basic information
project.viewView project basic information
project.view_dashboardView a dashboard with risk statistics without any resource details
project.view_decisionView risk statistics and details of each finding with resource details
project.view_permissionList and describe users within the project scope
project.view_resourceList and describe resources within the project scope
project.view_resource_analysisView resource risk analysis.
trust_condition.deleteDelete the trust condition
trust_condition.updateUpdate the trust condition
trust_condition.viewView the trust condition

ロールと権限のマッピング

Permissionorganization/auditororganization/browserorganization/ownerproject/ownerproject/triagerproject/viewer
bot.create_trust_conditions
bot.delete
bot.delete_trust_conditions
bot.list_trust_conditions
bot.update_info
bot.view_info
project.add_permission
project.delete
project.delete_permission
project.link_resource1234
project.list_bots
project.list_scopable_entities5678
project.triage_decision
project.unlink_resource
project.update_info
project.view
project.view_dashboard
project.view_decision
project.view_permission
project.view_resource
project.view_resource_analysis
trust_condition.delete
trust_condition.update
trust_condition.view

team レベルの権限とロール

A team is a Shisho Cloud principal that groups users. A team can be granted a role, and the role will be applied to all the users in the team.

ロールの一覧

RolesDescription
team/ownerAn owner of the team, able to perform all actions on the team. Note that the owner of the team is not necessarily the owner of the organization.
team/memberA member of the team, able to perform actions on the team.

権限の一覧

PermissionDescription
team.act_as_teamAct as a team, able to perform actions on the team if the team has a role on other entities (e.g. organization, Shisho Cloud project, etc.)
team.deleteDelete the team
team.kick_userRemove a user from the team
team.link_userAdd a user to the team
team.update_infoUpdate team basic information
team.viewView team basic information

ロールと権限のマッピング

Permissionorganization/auditororganization/ownerorganization/user_browserteam/memberteam/owner
team.act_as_team
team.delete
team.kick_user
team.link_user
team.update_info
team.view

Footnotes

  1. To perform project.link_resource, organization/auditor requires project/owner as well.

  2. To perform project.link_resource, organization/browser requires project/owner as well.

  3. To perform project.link_resource, organization/owner requires project/owner as well.

  4. To perform project.link_resource, project/owner requires organization/browser as well.

  5. To perform project.list_scopable_entities, organization/auditor requires project/owner as well.

  6. To perform project.list_scopable_entities, organization/browser requires project/owner as well.

  7. To perform project.list_scopable_entities, organization/owner requires project/owner as well.

  8. To perform project.list_scopable_entities, project/owner requires organization/browser as well.