IAM - Getting Started

Blameless provides users with the ability to manage identities and access control via users, groups and roles. This guide walks users through setting up roles and groups in Identity Access Management in the Blameless Platform.

Users

The user object is created automatically inside Blameless once Blameless is connected to your identity provider, such as Okta.

Roles

Every product area within Blameless has specific roles associated with it. For each group you select which roles, and therefore which permissions, that group has. Select the roles you want for the group and click Assign to save those settings.

Groups

Groups can be created inside Blameless. A group associates a collection of users with permissions on Blameless resources such as incidents and postmortems. Permissions are assigned to a group indirectly, through the roles assigned to the group.

Note: The admin group is available by default.

You can give the group any name you prefer and associate an email address with it. After assigning users and roles to a group, you can view the group's associations by opening the settings for the group and selecting "Show Associations".

Refer to the Identity & Access Management page for more information.

Role-based Access Control (RBAC)

Blameless ships with role-based access control policies that allow organizations to restrict access to certain APIs and resources. Each role is associated with one or more rules that dictate access. Users who are granted the proper identity rules can add users to groups and assign roles to groups, providing fine-grained access control over users. All roles are pre-defined or generated by Blameless Engineering. In some cases custom roles can be created, specifically when creating new incident types.

Refer to the Role- & Permission-based Access Control page for more information.

Access Control Types

As of today there are two types of access control:

  • API / Slack Bot API

  • Component

Note: API access control permits or restricts access at the REST API layer.

API Access Control

Each API endpoint has an authentication and authorization hook that ensures the caller is both authenticated and authorized to call the endpoint. Each API endpoint can have at most one rule associated with it. All users with a matching rule are permitted access to the endpoint. Any endpoint without a rule (i.e. None) is accessible to all authenticated users.

Refer to the API Access Control Examples list for more information.

Slack Bot Access Control

Each Slack command can have at most one rule associated with it. All users with a matching rule are permitted to run the command. Any command without a rule (i.e. None) is accessible to all authenticated users. Refer to the Slackbot Access Control List Examples for more information.
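The rule-matching model described above for API endpoints and Slack commands (user -> groups -> roles -> rules, with at most one rule per endpoint and None meaning "any authenticated user"), as an added example that is not Blameless code. All role, rule, group, user and endpoint names below are constructed sample data, not real Blameless identifiers.

```python
from typing import Dict, Optional, Set

# Constructed sample data (not real Blameless roles, rules or endpoints):
# role -> rules the role grants.
ROLE_RULES: Dict[str, Set[str]] = {
    "incident_commander": {"incident:write", "incident:read"},
    "viewer": {"incident:read"},
    "identity_admin": {"identity:manage"},
}
# group -> roles assigned to the group (permissions reach a group only via roles).
GROUP_ROLES: Dict[str, Set[str]] = {
    "admin": {"identity_admin", "incident_commander"},
    "sre": {"incident_commander"},
    "everyone": {"viewer"},
}
# user -> groups the user belongs to; users not present here are unauthenticated.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"admin", "everyone"},
    "bob": {"sre", "everyone"},
    "carol": {"everyone"},
}
# endpoint (or Slack command) -> its single rule, or None for "any authenticated user".
ENDPOINT_RULE: Dict[str, Optional[str]] = {
    "POST /api/v1/incidents": "incident:write",
    "GET /api/v1/incidents": "incident:read",
    "POST /api/v1/identity/groups": "identity:manage",
    "GET /api/v1/health": None,
}

def effective_rules(user: str) -> Set[str]:
    """Resolve user -> groups -> roles -> rules."""
    rules: Set[str] = set()
    for group in USER_GROUPS.get(user, ()):
        for role in GROUP_ROLES.get(group, ()):
            rules |= ROLE_RULES.get(role, set())
    return rules

def authorize(user: Optional[str], endpoint: str) -> str:
    """Authentication + authorization hook: 'ok', 'unauthenticated' or 'forbidden'."""
    if user is None or user not in USER_GROUPS:
        return "unauthenticated"  # authn is checked first, even for endpoints with no rule
    if endpoint not in ENDPOINT_RULE:
        raise KeyError(f"unknown endpoint {endpoint!r}")  # fail closed on unknown routes
    rule = ENDPOINT_RULE[endpoint]
    if rule is None:
        return "ok"  # no rule (None): every authenticated user may call it
    return "ok" if rule in effective_rules(user) else "forbidden"

if __name__ == "__main__":
    print(authorize("carol", "POST /api/v1/incidents"))  # forbidden: viewer lacks incident:write
```

Because a group only receives permissions through its roles, adding a rule to a role widens access for every group holding that role; reviewing effective_rules for a user is the quickest way to see what a group membership change actually grants.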

Component Access Control

Blameless consists of the following components:

  • Incidents
  • Postmortems
  • Dashboards
  • Settings
  • Identity
  • Comments
  • SLO

The API access control mechanisms permit access at the component level (e.g. you either have access to the Dashboards component or you don't) and at the sub-component level. As of this writing, two components have even finer-grained policies: Incidents and Settings.

  • Incidents which have type-based access control
  • Settings which have section-based access control

Refer to the Identity & Access Management page for more information.

Rules to Roles Mapping

This section maps the rules used to permit or restrict access onto the customer-visible roles that are assigned to users and groups, so that administrators can reason about which roles each user group needs. Refer to the Roles Mapping List for more information.