Role-based access control

User roles allow you to assign special privileges that specify what a user can see and do within your Bytesafe workspace.

These roles help you categorize your users into teams, and assign them different capabilities so that they can do what they need to do without getting in each other’s way.

They’re especially useful for larger organizations with multiple teams, where different groups of employees are responsible for different areas (e.g. the SecOps team manages dependency firewalls).

Built-in user roles

Bytesafe has a number of built-in roles that manage permissions for common tasks. The initial user that creates the workspace is automatically assigned the account-owner and developer roles and can invite additional team members.

| Role | Description |
|---|---|
| account-owner | Account owners can update account settings, manage users and close the account. |
| admin | Admins can invite and manage users, including their roles. |
| billing | Billing managers can access and update billing information. |
| developer | Developers can manage packages, registries and their associated settings. All new users are assigned this role. |
| read-only | Read-only users are ideal for keeping colleagues and stakeholders up to speed when you don’t require the whole range of Bytesafe features, such as uploading and downloading packages. Read-only users do not need a paid seat in the subscription plan. |

Users can have more than one role assigned. Example: a user that should have read-only access to issues in the workspace should have both the developer (or some other role with registry read-access) and read-only roles assigned.

Managing user roles

You can change the roles assigned to a user from the Teams menu.

Click the Edit button to open the side panel with user settings.

Users must have at least one role assigned.

Custom user roles

In addition to the built-in roles, you can create custom roles to manage access to firewalls and registries. You can use these roles to group users by team or function. Enterprise users can map their existing directory user groups as part of the onboarding process.

You can manage custom roles from the account settings, under User roles.

Managing registry access

The different actions a user can perform on a registry are governed by sets of permissions. These sets of permissions can be assigned to one or more user roles.

| Permission set | Description |
|---|---|
| Owners | Owners can update settings, including role-based access, and delete the registry. Owners are also implicit readers. |
| Readers | Readers can access packages and issues in the registry, including downloading package contents. |
| Writers | Writers can upload packages and update issues in the registry. |
| SecOps | SecOps can quarantine and release packages in the registry. Users need SecOps permissions in all of the firewall registries to release a package quarantined by multiple firewalls. |

Registry access for read-only users
Users with the read-only user role assigned can only access a registry in the web application, regardless of which other roles and permissions they have. They can’t download and install packages from a registry using a package manager.

To assign permissions to user roles, open the registry settings for Role-based access.

A newly created registry has all permissions assigned to the developer role.
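
The rules in this section can be checked against a planned role layout before it is applied. The following is an added example, not Bytesafe code: the data layout, the function names, the custom roles (platform, secops, appsec) and the registry names are all assumptions made for illustration.

```python
# Illustrative model of the registry access rules described above.
# Not Bytesafe code: data layout, function names, custom roles and
# registry names are assumptions constructed for this example.

# registry -> permission set -> roles granted that set (constructed data)
REGISTRY_ACCESS = {
    "npm-internal": {"Owners": {"platform"}, "Readers": {"developer"},
                     "Writers": {"developer"}, "SecOps": {"secops"}},
    "fw-licenses":  {"Owners": {"secops"}, "Readers": {"developer"},
                     "Writers": set(), "SecOps": {"secops"}},
    "fw-vulns":     {"Owners": {"secops"}, "Readers": {"developer"},
                     "Writers": set(), "SecOps": {"appsec"}},
}


def permission_sets(user_roles, registry):
    """Permission sets a user holds on a registry through any of their roles."""
    held = {name for name, roles in REGISTRY_ACCESS[registry].items()
            if roles & set(user_roles)}
    if "Owners" in held:
        held.add("Readers")  # Owners are also implicit readers
    return held


def can_view_in_web_app(user_roles, registry):
    """Registry contents are visible in the web application to Readers."""
    return "Readers" in permission_sets(user_roles, registry)


def can_install_with_package_manager(user_roles, registry):
    """The read-only role blocks package-manager access whatever else is held."""
    if "read-only" in user_roles:
        return False
    return "Readers" in permission_sets(user_roles, registry)


def can_release(user_roles, quarantining_firewalls):
    """Release needs SecOps in every firewall registry that quarantined it."""
    firewalls = list(quarantining_firewalls)
    return bool(firewalls) and all(
        "SecOps" in permission_sets(user_roles, fw) for fw in firewalls)
```

In this layout a user holding only the secops role cannot release a package quarantined by both fw-licenses and fw-vulns, which is the kind of gap worth finding before an incident rather than during one.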

Managing user status

Users can be deactivated if they leave your organisation. When a user is deactivated, all access tokens for that user are automatically expired. There is no need to remove individual roles to revoke access to the workspace.

Deactivating a user expires all access tokens
If a user is reactivated, new access tokens must be created for that user. For more information, see access token no longer valid.