Airlock as a Service Knowledge Base

SaaS Admins: Roles and permissions

In Airlock SaaS, users that interact with the Airlock Console are called actors. Actors hold certain roles with corresponding permissions. These permissions allow performing the tasks associated with the role. By assigning a role to a user, the corresponding permissions are granted.

For an overview of the SaaS actors, see below. For a detailed overview of the available roles and permissions, see the section Airlock SaaS roles and permissions further down on this page.

SaaS Admin

In Airlock SaaS, a SaaS Admin is responsible for managing and operating the Airlock SaaS service. A SaaS Admin with the role SaaS Administrator has full access to the organization, including all its tenants and its administrators. This role also allows managing the generic secrets and key pairs used in the IAM configurations. Additionally, a SaaS Admin with the role SaaS Administrator can view and manage the OAuth 2.0 clients used for system-to-system communication via the Airlock APIs.

The first SaaS Admin of an organization automatically obtains the role SaaS Administrator. This is the person who creates the Airlock SaaS account by performing the self-registration flow. Upon successfully completing the self-registration flow, this first SaaS Administrator can access the Airlock Console (see also Setup Airlock).

The first SaaS administrator can set up the SaaS organization that represents the SaaS customer as well as all required tenants. They may also invite other administrators and assign the invited administrators to tenants.

Invited administrators can by default only perform tasks on end-users, such as searching for and managing end-users and viewing end-user logs, profiles and authentication tokens. Additional roles can be assigned to an invited administrator depending on their tasks, either the SaaS Administrator role or individual roles. For a detailed overview of roles, permissions, and related actors, see the section Airlock SaaS roles and permissions further down on this page.

End-user

End-users are the persons that access your company's applications. They do this via the tenant Loginapp, according to the authentication and authorization flows defined in the corresponding active tenant IAM configuration.

Notice
The roles shown below do not apply to end-users. End-users have their own roles, which are configured as part of the tenant configuration. For more information, see Working with end-users.

Airlock Partner

The Airlock Partner actor is responsible for creating/altering a tenant IAM configuration according to the requirements of your company, and uploading these new/altered IAM configurations into the Airlock Console. Currently, only employees of Airlock or Airlock partners can hold this role.

The diagram below graphically illustrates the SaaS concept of actors, roles and permissions.

Airlock SaaS roles and permissions

The tables below list the available SaaS roles and their associated permissions. Most roles and permissions apply to the administrator actor.

The first table shows the roles and permissions relevant for working with the Airlock Console, such as creating a tenant, inviting administrators or activating an IAM configuration. The second table lists roles and permissions only applicable to the tenant IAM Adminapp, where administrators manage the end-users of your application(s).

Permissions relevant to working with Airlock Console

The following table shows the roles and permissions relevant for working with the Airlock Console, such as creating a tenant, inviting administrators or activating an IAM configuration. The last two columns state whether the role is granted by default to the first administrator and to invited administrators.

Role: Airlock SEC¹⁾
Functional limitation
This role can currently only be removed, not assigned. Only Airlock SaaS Support can assign this role.
Associated permissions:
  • Perform Getting started
  • Upload IAM configuration
  • Activate IAM configuration
  • Read vault entries (key only, value is hidden by design)
Airlock SEC actors have access to all tenants within their organization.
Granted by default to first administrator: n/a
Granted by default to invited administrator: n/a

Role: AMC - Manage administrators¹⁾
Risk
Users with this role can grant themselves the “SaaS Administrator” role, thereby gaining full control over all tenants, administrators and their respective roles.
Associated permissions:
  • Invite administrator
  • Manage administrator
  • Assign and remove roles to and from an administrator
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: AMC - Activate configuration
Associated permissions:
  • Activate configuration
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: AMC - Manage vault
Associated permissions:
  • Create vault entry
  • Update vault entry
  • Delete vault entry
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: AMC - Manage organization
Associated permissions:
  • Edit organization
  • Delete organization
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: AMC - Manage tenants
Associated permissions:
  • Create a tenant
  • Edit a tenant
  • Delete a tenant
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: AMC - Manage TLS configuration
Associated permissions:
  • Read TLS configuration
  • Edit TLS configuration
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: AMC - Manage users
Associated permissions:
  • Manage users
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: ✓

Role: AMC - View vault
Associated permissions:
  • Read vault entries (key only, value is hidden by design)
Granted by default to first administrator: ✓ ²⁾
Granted by default to invited administrator: –

Role: SaaS Administrator¹⁾
Risk
If this role is accidentally removed from all SaaS administrators, access to the corresponding organization is no longer possible. Contact SaaS Support to regain access to the organization and tenant settings.
Associated permissions, within the AMC:
  • Perform Getting started
  • Activate configuration
  • Invite administrator
  • Manage administrator
  • Edit organization
  • Delete organization
  • Create a tenant
  • Edit a tenant
  • Delete a tenant
  • Read TLS configuration
  • Edit TLS configuration
  • Read vault entries
  • Create vault entry
  • Update vault entry
  • Delete vault entry
  • Read OAuth 2.0 clients
  • Create OAuth 2.0 clients
  • Edit OAuth 2.0 clients
  • Delete OAuth 2.0 clients³⁾
  • Manage users
The SaaS Administrator has access to all tenants within their organization.
Granted by default to first administrator: ✓
Granted by default to invited administrator: –

Legend and footnotes:
✓ granted by default
– not granted by default
n/a not applicable
¹⁾ This role gives significant power to the holder, for the reasons mentioned in the table. Therefore, exercise caution when assigning the role.
²⁾ Implicitly through the SaaS Administrator role
³⁾ Currently not possible. Contact SaaS Support if you need to delete an OAuth 2.0 client.
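The two Risk notes in the table describe conditions that are easy to miss when role assignments are reviewed by hand: an administrator who can reach SaaS Administrator through "AMC - Manage administrators", and an organization in which nobody holds SaaS Administrator any more. The following script is an added example and not Airlock's own code or API: it transcribes the table above into a role-to-permission map, computes each administrator's effective permissions, and reports both conditions plus misspelled role names. ROLE_PERMISSIONS follows the table; SAMPLE_ADMINS is constructed sample data, and the function names and finding texts are this example's own.

```python
"""Role-assignment audit for the Airlock Console (AMC) roles in the table above.

Added example, not Airlock's own code or API: ROLE_PERMISSIONS is transcribed
from the table, SAMPLE_ADMINS is constructed data, and the function names and
finding texts are this example's own.
"""

# Console roles -> permissions, transcribed from the table above.
ROLE_PERMISSIONS = {
    "Airlock SEC": {
        "Perform Getting started", "Upload IAM configuration",
        "Activate IAM configuration", "Read vault entries",
    },
    "AMC - Manage administrators": {
        "Invite administrator", "Manage administrator",
        "Assign and remove roles to and from an administrator",
    },
    "AMC - Activate configuration": {"Activate configuration"},
    "AMC - Manage vault": {"Create vault entry", "Update vault entry", "Delete vault entry"},
    "AMC - Manage organization": {"Edit organization", "Delete organization"},
    "AMC - Manage tenants": {"Create a tenant", "Edit a tenant", "Delete a tenant"},
    "AMC - Manage TLS configuration": {"Read TLS configuration", "Edit TLS configuration"},
    "AMC - Manage users": {"Manage users"},
    "AMC - View vault": {"Read vault entries"},
    "SaaS Administrator": {
        "Perform Getting started", "Activate configuration",
        "Invite administrator", "Manage administrator",
        "Edit organization", "Delete organization",
        "Create a tenant", "Edit a tenant", "Delete a tenant",
        "Read TLS configuration", "Edit TLS configuration",
        "Read vault entries", "Create vault entry", "Update vault entry",
        "Delete vault entry",
        "Read OAuth 2.0 clients", "Create OAuth 2.0 clients",
        "Edit OAuth 2.0 clients", "Delete OAuth 2.0 clients",
        "Manage users",
    },
}

# The only Console role an invited administrator holds by default (table above).
INVITED_DEFAULT_ROLES = {"AMC - Manage users"}

# Constructed sample: an organization's administrators and their assigned roles.
SAMPLE_ADMINS = {
    "first.admin": {"SaaS Administrator"},
    "helpdesk": {"AMC - Manage users"},
    "ops": {"AMC - Manage users", "AMC - Manage administrators"},
    "typo": {"AMC - Manage user"},  # misspelled role name, grants nothing
}


def effective_permissions(roles):
    """Union of the permissions of all assigned roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_reach_full_control(roles):
    """True if the holder has SaaS Administrator or can assign it to themselves.

    Per the table's Risk note for 'AMC - Manage administrators', the permission
    to assign roles is enough to self-grant SaaS Administrator."""
    return ("SaaS Administrator" in roles
            or "Assign and remove roles to and from an administrator"
            in effective_permissions(roles))


def audit_admins(admins):
    """admins: {name: set of role names}. Returns sorted (severity, message) findings."""
    findings = []
    # Lockout condition from the SaaS Administrator Risk note.
    if not any("SaaS Administrator" in roles for roles in admins.values()):
        findings.append(("critical",
                         "no administrator holds SaaS Administrator: organization and "
                         "tenant settings are unreachable; contact SaaS Support"))
    known = set(ROLE_PERMISSIONS)
    for name, roles in admins.items():
        for role in sorted(roles - known):
            findings.append(("warning", f"{name}: unknown role '{role}' grants nothing"))
        if "SaaS Administrator" not in roles and can_reach_full_control(roles):
            findings.append(("high",
                             f"{name}: can self-assign SaaS Administrator via "
                             "'AMC - Manage administrators'; review as full control"))
        # Anything beyond the invited default deserves a second look.
        extra = (roles & known) - INVITED_DEFAULT_ROLES - {"SaaS Administrator"}
        if extra and "SaaS Administrator" not in roles:
            findings.append(("info",
                             f"{name}: roles beyond the invited default: "
                             + ", ".join(sorted(extra))))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit_admins(SAMPLE_ADMINS):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the audit reports "ops" as effectively holding full control, lists the extra role, and flags the misspelled role of "typo"; removing "first.admin" from the input produces the critical lockout finding. In practice the input would be the administrator list exported from the Console, so that the check can be repeated after every role change.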


Permissions relevant to working with the tenant Adminapp

The table below lists roles and permissions only applicable to the tenant IAM Adminapp, where administrators manage the end-users of your application(s).

Notice
The associated permissions match the name of the role.

Role                                  Granted by default to first administrator   Granted by default to invited administrator
Activate Authentication Token         ✓                                           –
Add New User                          ✓                                           –
Deactivate Authentication Token       ✓                                           –
Delete Authentication Token           ✓                                           –
Delete Maintenance Messages           ✓                                           –
Delete User                           ✓                                           –
Delete User Password                  –                                           –
Edit Authentication Token             ✓                                           –
Edit Maintenance Messages             ✓                                           –
Edit User Profile                     ✓                                           –
Edit Username                         ✓                                           –
Generate Or Set User Password         ✓                                           –
Import Tokens                         ✓                                           –
List Maintenance Messages             ✓                                           ✓
Lock User                             ✓                                           –
Search Users                          ✓                                           ✓
Trigger Password Reset                ✓                                           –
Unlock User                           ✓                                           –
View Airlock 2FA Activation Secret    –                                           –
View Authentication Token             ✓                                           ✓
View User                             ✓                                           ✓
View User Logs                        ✓                                           ✓
View User Profile                     ✓                                           ✓

Legend:
✓ granted by default
– not granted by default