Restrict user permissions
This document is for:
Invicti Platform
This document explains how user permissions are managed and restricted within the Invicti Platform. Understanding this mechanism is crucial for ensuring appropriate access control and security in your organization.
Overview of permissions
User access within Invicti Platform is governed by roles, which define specific permissions. These roles can be assigned in two main ways:
- Direct role assignment: A user can be explicitly assigned one or more roles.
- Team-based role assignment: A user can inherit roles by being a member of one or more teams. Each team may have its own roles assigned.
Role scoping
Roles can be:
- Global: Apply to the entire platform and all collections (targets).
- Scoped: Limited to specific collections (targets). A scoped role only affects permissions on its assigned target(s).
Permission resolution
When determining a user's effective permissions, the platform aggregates all roles from both direct assignments and team memberships. The final permission is computed using a "most permissive wins" model.
Example resolution rules
- If a user has one role granting Read permission and another granting Full Access, then Full Access applies.
- If a role is scoped to a specific target, it only applies when the user is accessing that target.
- Multiple scoped roles may apply to different targets. Each is evaluated independently per target.
Key points
- A user may have multiple roles, both directly assigned and inherited from one or more teams.
- Roles are cumulative: permissions from all relevant roles are evaluated together.
- The highest level of permission from all applicable roles is granted.
- Scoped roles apply only to their designated targets and are not evaluated outside of that context.
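To make the resolution rules concrete, here is an added example that models them in Python. It is not Invicti's own code and does not call the Invicti API; the permission levels other than Read and Full Access, the role and team names, the user records and the `shadowed_scoped_roles` audit helper are assumptions for illustration. Beyond the single Read-versus-Full-Access case above, it shows the consequence of "most permissive wins" that matters for restriction: a global role, whether assigned directly or inherited from any team, grants its level on every target, so a narrower scoped role on the same user adds nothing.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of permission levels, lowest to highest. The page only
# names Read and Full Access; None and Write are placeholders.
LEVELS = {"None": 0, "Read": 1, "Write": 2, "Full Access": 3}


@dataclass(frozen=True)
class Role:
    name: str
    level: str                            # key of LEVELS
    targets: Optional[frozenset] = None   # None = global role, else scoped


@dataclass(frozen=True)
class Team:
    name: str
    roles: tuple


@dataclass(frozen=True)
class User:
    name: str
    direct_roles: tuple
    teams: tuple


def all_roles(user: User) -> list:
    """Direct roles plus every role inherited through team membership."""
    roles = list(user.direct_roles)
    for team in user.teams:
        roles.extend(team.roles)
    return roles


def applicable_roles(user: User, target: str) -> list:
    """Roles evaluated for `target`: global roles always, scoped roles only
    when the target is inside their scope."""
    return [r for r in all_roles(user)
            if r.targets is None or target in r.targets]


def effective_permission(user: User, target: str) -> str:
    """Most permissive wins: the highest level among applicable roles."""
    return max((r.level for r in applicable_roles(user, target)),
               key=LEVELS.get, default="None")


def shadowed_scoped_roles(user: User) -> list:
    """Audit helper (assumed, not an Invicti feature): scoped roles that add
    nothing because a global role already grants an equal or higher level."""
    global_max = max((LEVELS[r.level] for r in all_roles(user)
                      if r.targets is None), default=0)
    return [r for r in all_roles(user)
            if r.targets is not None and LEVELS[r.level] <= global_max]


# Constructed sample data (hypothetical roles, teams, users and targets).
VIEWER = Role("Viewer", "Read")                                     # global
WEB_ADMIN = Role("Web Admin", "Full Access", frozenset({"web-app"}))  # scoped
API_EDITOR = Role("API Editor", "Write", frozenset({"api"}))         # scoped
OPERATOR = Role("Operator", "Full Access")                          # global

ALICE = User("alice", (WEB_ADMIN,), (Team("AppSec", (VIEWER,)),))
BOB = User("bob", (API_EDITOR,), (Team("Ops", (OPERATOR,)),))
CAROL = User("carol", (API_EDITOR,), ())

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for target in ("web-app", "api", "internal-tools"):
            print(f"{user.name:6} {target:15} {effective_permission(user, target)}")
        for role in shadowed_scoped_roles(user):
            print(f"{user.name:6} scoped role {role.name!r} is shadowed by a global role")
```

Alice gets Full Access on web-app from her scoped direct role and falls back to Read everywhere else through the AppSec team. Bob was given a scoped Write role on api, but the global Full Access role inherited from the Ops team wins on every target, so the scope restriction has no effect; `shadowed_scoped_roles` flags exactly that. Carol, with only a scoped role, has no access outside api.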
Practical tips
- To restrict access, avoid assigning broad or global roles directly. Rely on scoped roles tied to specific targets instead. Because the most permissive role wins, a single global role, whether assigned directly or inherited from any team, grants its level on every target and makes any narrower scoped role on the same user ineffective.
- Use teams to group users and manage permissions more efficiently across departments or projects, keeping in mind that every member inherits every role assigned to the team.
- Regularly audit direct role assignments and team memberships. Permission creep accumulates as users join additional teams or pick up extra direct roles, and the cumulative model means none of those grants is ever narrowed by another.