In Airlock SaaS, users that interact with the Airlock Console are called actors. Actors hold certain roles with corresponding permissions. These permissions allow performing the tasks associated with the role. By assigning a role to a user, the corresponding permissions are granted.
For an overview of the SaaS actors, see below. For a detailed overview of available roles and permissions, see .
| Actor | Description |
|---|---|
| SaaS Admin | In Airlock SaaS, a SaaS Admin is responsible for managing and operating the Airlock SaaS service. A SaaS Admin with the role SaaS Administrator has full access to the organization, including all its tenants and its administrators. This role also allows managing generic secrets and key pairs used in the IAM configurations. Additionally, a SaaS Admin with the role SaaS Administrator can view and manage OAuth 2.0 clients used for system-to-system communication via Airlock APIs. The first SaaS Administrator of an organization automatically receives the SaaS Administrator role. This is the person who creates the Airlock as a Service account through the self-registration process. After completing the self-registration successfully, they can access the Airlock Console (see also Setup Airlock). The first SaaS Administrator can set up the SaaS organization that represents the customer and create the required tenants. They can also invite additional administrators and assign them to tenants. By default, invited administrators can only perform tasks on end-users, such as searching for and managing end-users and viewing end-user logs, profiles and authentication tokens. It is possible to assign additional roles to the invited administrator, such as the SaaS Administrator role or individual roles, depending on their task. For a detailed overview of roles, permissions, and related actors, see . |
| End-user | End-users are the persons that access your company's applications. They do this via the tenant Loginapp, according to the authentication and authorization flows defined in the corresponding active tenant IAM configuration. |
| Airlock Partner | The Airlock Partner actor is responsible for creating/altering a tenant IAM configuration according to the requirements of your company, and uploading these new/altered IAM configurations into the Airlock Console. Currently, only employees of Airlock or Airlock partners can hold this role. |
The diagram below graphically illustrates the SaaS concept of actors, roles and permissions.
Airlock SaaS roles and permissions
The tables below list the available SaaS roles and associated permissions. Most roles and permissions apply to the administrator actor.
The first table shows the roles and permissions relevant for working with the Airlock Console, such as creating a tenant, inviting administrators or activating an IAM configuration. The second table lists roles and permissions only applicable to the tenant IAM Adminapp, where administrators manage the end-users of your application(s).
Permissions relevant to working with Airlock Console
The following table shows the roles and permissions relevant for working with the Airlock Console, such as creating a tenant, inviting administrators or activating an IAM configuration.
| Role | Associated permissions | Granted by default to first administrator | Granted by default to invited administrator |
|---|---|---|---|
| Airlock SEC¹⁾ Functional limitation: This role can currently only be removed, not assigned. Only Airlock SaaS Support can assign this role. | Airlock SEC actors have access to all tenants within their organization. | ⁿᐟᵃ | ⁿᐟᵃ |
| AMC - Manage administrators¹⁾ Risk: Users with this role can grant themselves the “SaaS Administrator” role, thereby gaining full control over all tenants, administrators and their respective roles. | | ✓ ²⁾ | |
| AMC - Activate configuration | Activate configuration | ✓ ²⁾ | |
| AMC - Manage vault | | ✓ ²⁾ | |
| AMC - Manage organization | | ✓ ²⁾ | |
| AMC - Manage tenants | | ✓ ²⁾ | |
| AMC - Manage TLS configuration | | ✓ ²⁾ | |
| AMC - Manage users | | ✓ ²⁾ | ✓ |
| AMC - View vault | Read vault entries (key only, value is hidden by design) | ✓ ²⁾ | |
| SaaS Administrator¹⁾ Risk: If this role is accidentally removed from all SaaS administrators, access to the corresponding organization is no longer possible. Contact SaaS Support to regain access to the organization and tenant settings. | Within the AMC: The SaaS Administrator has access to all tenants within his organization. | ✓ | |

ⁿᐟᵃ: not applicable
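The two Risk notes in the table above can be checked mechanically against an inventory of administrators and their roles. The following is an added example, not Airlock code: the role names come from the table, while the inventory format, the e-mail addresses and the function names are assumptions constructed for illustration.

```python
SAAS_ADMIN = "SaaS Administrator"
MANAGE_ADMINS = "AMC - Manage administrators"

# Constructed sample inventory (hypothetical administrators; not an Airlock export format).
ASSIGNMENTS = {
    "alice@example.com": {SAAS_ADMIN},
    "bob@example.com": {MANAGE_ADMINS, "AMC - Manage users"},
    "carol@example.com": {"AMC - Manage users", "AMC - View vault"},
}


def effective_saas_admins(assignments):
    """Administrators who hold SaaS Administrator or can grant it to themselves."""
    powerful = {SAAS_ADMIN, MANAGE_ADMINS}
    return {admin for admin, roles in assignments.items() if roles & powerful}


def escalation_paths(assignments):
    """Administrators whose only route to full control is 'Manage administrators'.

    These accounts look less privileged in a role listing than they are,
    so they deserve the same review as SaaS Administrators.
    """
    return sorted(
        admin
        for admin, roles in assignments.items()
        if MANAGE_ADMINS in roles and SAAS_ADMIN not in roles
    )


def apply_removals(assignments, removals):
    """Return the inventory after a batch of (admin, role) removals.

    The whole batch is rejected if it would leave the organization without
    any SaaS Administrator, which is the lockout case from the Risk note.
    """
    after = {admin: set(roles) for admin, roles in assignments.items()}
    for admin, role in removals:
        after.get(admin, set()).discard(role)
    if not any(SAAS_ADMIN in roles for roles in after.values()):
        raise ValueError(
            "change would remove 'SaaS Administrator' from all administrators"
        )
    return after


if __name__ == "__main__":
    print("Effective SaaS admins:", sorted(effective_saas_admins(ASSIGNMENTS)))
    print("Escalation paths:", escalation_paths(ASSIGNMENTS))
```

Running the batch check before a role change is applied matters because the lockout depends on the end state of all removals together, not on any single one.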
Permissions relevant to working with the tenant Adminapp
The table below lists roles and permissions only applicable to the tenant IAM Adminapp, where administrators manage the end-users of your application(s).
The associated permissions match the name of the role.
| Role | Granted by default to first Administrator | Granted by default to invited Administrator |
|---|---|---|
| Activate Authentication Token | ✓ | |
| Add New User | ✓ | |
| Deactivate Authentication Token | ✓ | |
| Delete Authentication Token | ✓ | |
| Delete Maintenance Messages | ✓ | |
| Delete User | ✓ | |
| Delete User Password | | |
| Edit Authentication Token | ✓ | |
| Edit Maintenance Messages | ✓ | |
| Edit User Profile | ✓ | |
| Edit Username | ✓ | |
| Generate Or Set User Password | ✓ | |
| Import Tokens | ✓ | |
| List Maintenance Messages | ✓ | ✓ |
| Lock User | ✓ | |
| Search Users | ✓ | ✓ |
| Trigger Password Reset | ✓ | |
| Unlock User | ✓ | |
| View Airlock 2FA Activation Secret | | |
| View Authentication Token | ✓ | ✓ |
| View User | ✓ | ✓ |
| View User Logs | ✓ | ✓ |
| View User Profile | ✓ | ✓ |