Roles & Permissions Overview

Admin Only — Paid Plan

Role management is only available to organization administrators on the Paid plan. Free-tier organizations cannot create or manage roles.

EntryGuard uses Role-Based Access Control (RBAC) to manage which users can access which cloud resources.

How RBAC Works

Roles Group Resources and Users

A Role is a named collection of cloud resources that can be assigned to multiple users. Roles simplify permission management by grouping resources logically (e.g., "Production DB Access", "Staging Environment").

Users Access Resources Through Roles

When a user clicks Start Session, EntryGuard checks which roles the user belongs to and whitelists their IP on all resources from those roles.

Admin vs Member

Administrators (Admin badge) can manage all organization settings, users, roles, resources, and credentials.

Members (Member badge) can only start sessions for resources assigned through their roles, and manage their own profile and MFA.

Direct Resource Assignment

In addition to role-based access, admins can assign individual resources directly to a user without creating a role. This is useful for temporary or one-off access grants.

Permission Summary

A user can start a session on a resource if:

  • The user is an administrator, OR
  • The resource is assigned to one of the user's roles, OR
  • The resource is directly assigned to the user
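The three rules above, written out as an access audit that records which rule grants each user/resource pair. This is an added example, not EntryGuard code or its API; the data model, function names and the sample users and resource ids are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:                       # hypothetical model, not EntryGuard's schema
    name: str
    is_admin: bool = False
    roles: set = field(default_factory=set)    # role names the user belongs to
    direct: set = field(default_factory=set)   # directly assigned resource ids

def grant_paths(user, resource, roles):
    """Return every rule that lets `user` start a session on `resource`."""
    paths = []
    if user.is_admin:
        paths.append("admin")
    for role in sorted(user.roles):
        if resource in roles.get(role, set()):
            paths.append(f"role:{role}")
    if resource in user.direct:
        paths.append("direct")
    return paths

def can_start_session(user, resource, roles):
    # Access is the OR of the three rules: any single path is enough.
    return bool(grant_paths(user, resource, roles))

def audit(users, roles, resources):
    """Map (user, resource) -> grant paths for every pair that has access."""
    report = {}
    for u in users:
        for r in sorted(resources):
            paths = grant_paths(u, r, roles)
            if paths:
                report[(u.name, r)] = paths
    return report

def direct_only(report):
    """Pairs granted solely by direct assignment: one-off grants to review."""
    return sorted(pair for pair, paths in report.items() if paths == ["direct"])

# Constructed sample organization.
ROLES = {"Production DB Access": {"prod-db"},
         "Staging Environment": {"stg-web", "stg-db"}}
RESOURCES = {"prod-db", "stg-web", "stg-db"}
USERS = [User("alice", is_admin=True),
         User("bob", roles={"Staging Environment"}, direct={"prod-db"}),
         User("carol", roles={"Production DB Access"}, direct={"prod-db"}),
         User("dave")]

if __name__ == "__main__":
    for pair, paths in audit(USERS, ROLES, RESOURCES).items():
        print(pair, paths)
    print("direct-only grants:", direct_only(audit(USERS, ROLES, RESOURCES)))
```

Because the rules are OR-ed, removing a user from a role does not revoke access to a resource that is also directly assigned to them; listing every grant path per pair makes that overlap visible.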

Managing Roles in the UI

Navigate to Roles under the Admin section in the sidebar. The roles table shows all roles with their name, description, resource count, and user count. Click a row to expand it and see the assigned resources and users.

Next Steps


API Reference: For programmatic access, see Roles API.