Identity & Access Management
Blameless provides users with the ability to manage identities and access control via users, groups and roles.
Getting Started
This guide walks users through setting up roles and groups in Identity & Access Management in the Blameless Platform.
Users
The user object is automatically created inside Blameless once we connect to your identity provider such as Okta.
Roles
Every product area within Blameless has specific roles associated with it.
Groups
Groups can be created inside Blameless. These groups can then be used to associate permissions for Blameless resources such as incidents and postmortems and a collection of users. The admin group is available by default.
Create a Group
Navigate to the settings page and click on the Identity Management section. Then click on "Add Group".

You will be able to name the group to whatever your preference is and attach an email address to that group.
Associate Users with the Group
Click on the settings for the group (the three vertically aligned dots) to assign users and roles to the group you just created. Click on Assign/Unassign users and select which users to add to the group.


Associate Roles with the Group
To associate roles to the group you created, click on the settings for that group. Select Assign/Unassign roles.


You will be able to select which roles and permissions the specific group has. Clicking on the roles you want for that group and clicking on Assign will save those settings.
After assigning users and roles to a group, you can view the group's associations by clicking on the settings for the group and selecting Show Associations.

Role Based Access Control (RBAC)
Blameless ships with role-based access control policies that allow organizations to restrict access to certain APIs and resources. Each role is associated with one or more rules that dictate access. An example rule might be "incident read" (can read incidents) or "incident postmortem read" (can read postmortems). Rules are grouped into pre-defined roles that are mapped to user groups. Users that are granted the proper identity rules have the ability to add users to groups and roles to groups, providing fine-grained access to users. Note that all roles are pre-defined or generated by Blameless. There are cases where custom roles can be created, specifically when creating new incident types. Currently, outside of custom incident types, roles are only generated by Blameless engineering.
Here we enumerate the existing rules, rule-to-role mapping and the rules required to access specific resources in Blameless.
As of today there are two types of access control: API and sub-component. API access control will permit or restrict access at the REST API layer.
API Access Control
Each API endpoint has an authentication and authorization hook that ensures the caller is both authenticated and authorized to call the endpoint. The authorization hook is associated with a (verb, resource, rule) tuple. If the user's identity has a matching rule, then calling the (verb, resource) API is granted.
Sub-Component Access Control
Blameless consists of the following components:
- Incidents
- Postmortems
- Dashboards
- Settings
- Identity
- Comments
- SLO
The API access control mechanisms will permit access at the component level (e.g. you either have access to the dashboard component, or you don't) and sub-component level. As of this writing, there are two components with even finer-grained policies: incidents and settings. Both of these components have finer-grained mechanisms: incidents have type-based access control and settings have section-based access control.
Incident Type
Blameless allows customers to create custom incident types. For example, the security team may want to create incidents specific to security events and only permit access to the security team. When creating the new type, a new role is created with rules specific to reading, updating and creating that specific incident type. Only users with that role will be permitted access to that incident type.
When a new incident type is created, an associated Admin role is created for that type: <Type>IncidentAdmin. Type-specific rules similar to the rules mapped to IncidentAdmin will be created. This means that all users performing actions on incidents of the custom type must have the <Type>IncidentAdmin role.
Settings Sections
Blameless settings cover a few scopes (global, user, org) and sections (integrations, incident, etc.). There are cases where a user requires access to an org-level setting, such as the incident section for creating incidents, but should never have access to more sensitive settings, such as integration credentials (e.g. a Jira password). Separating access by section gives customers the ability to ensure users can effectively use the platform without compromising security.
Rules to Roles Mapping
Here we provide the mapping of the rules used to permit/restrict access to the customer-visible roles mapped to users/groups. This will allow users to reason about what roles to map to specific users based on the needs of each user group.
The format of the following list is as follows. Each list item contains an identifier for a rule in Blameless' RBAC system, formatted as Component[Subcomponent][Section|Type]Action.
For example, IncidentTaskReader is the rule that allows reading of incident tasks and SettingsSensitiveRead is the rule that allows reading of sensitive settings, such as passwords.
Each list item contains a nested list that corresponds to the user-visible roles this rule is mapped to. For example, the IdentityGroupCreate rule is mapped to the IdentityAdmin and IdentityWriter roles. This means that a user mapped to the IdentityAdmin role can create new groups.
Finally, the Root role and rule permit access to all APIs and resources in Blameless.
API Access Control
Each API endpoint can have at most one rule associated with it. All users with a matching rule are permitted access to the endpoint. Any endpoint without a rule (i.e. None) is accessible by all authenticated users.
For example, the health endpoint does not have access control, while GET /api/v1/incidents requires the IncidentRead rule.
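The following is an added example (not Blameless code) that models the user -> group -> role -> rule chain, the (verb, resource, rule) authorization hook, the None and Root special cases, and the <Type>IncidentAdmin role generated for a custom incident type described above. Rule, role and endpoint names are taken from this page; the function names, the IncidentAdmin rule set, the type-specific rule names and the sample users are assumptions.

```python
"""Toy model of the RBAC scheme described on this page (added example)."""
from dataclasses import dataclass, field

# (verb, resource) -> required rule, or None for any authenticated caller.
# Entries copied from the page's endpoint table.
ENDPOINT_RULES = {
    ("GET", "/api/v1/health"): None,
    ("GET", "/api/v1/incidents"): "IncidentRead",
    ("POST", "/api/v1/incidents"): "IncidentCreate",
    ("POST", "/api/v1/identity/group"): "IdentityGroupCreate",
}

# Role -> rules. The IdentityAdmin / IdentityWriter mapping is from the page;
# the IncidentAdmin rule set is an assumption for this demo.
ROLE_RULES = {
    "Root": set(),  # special-cased in authorize(): permits everything
    "IdentityAdmin": {"IdentityGroupCreate"},
    "IdentityWriter": {"IdentityGroupCreate"},
    "IncidentAdmin": {"IncidentRead", "IncidentCreate", "IncidentUpdate"},
}


@dataclass
class Group:
    roles: set = field(default_factory=set)
    members: set = field(default_factory=set)


# Constructed sample groups and users (assumptions, not real data).
GROUPS = {
    "admin": Group(roles={"Root"}, members={"alice"}),
    "sre": Group(roles={"IncidentAdmin"}, members={"bob"}),
    "iam-ops": Group(roles={"IdentityWriter"}, members={"carol"}),
}


def effective_rules(user):
    """Rules reach a user only via groups -> roles -> rules (union over groups)."""
    rules = set()
    for group in GROUPS.values():
        if user in group.members:
            for role in group.roles:
                rules |= ROLE_RULES.get(role, set())
                if role == "Root":
                    rules.add("Root")  # Root rule: access to all APIs
    return rules


def authorize(user, verb, resource):
    """Authorization hook: authenticated caller, known endpoint, matching rule."""
    if user is None or (verb, resource) not in ENDPOINT_RULES:
        return False  # deny unauthenticated callers and unknown endpoints
    required = ENDPOINT_RULES[(verb, resource)]
    rules = effective_rules(user)
    return required is None or "Root" in rules or required in rules


def create_incident_type(type_name):
    """Custom incident type: generate <Type>IncidentAdmin with type-specific rules
    (rule names follow Component[Type]Action; exact names are an assumption)."""
    role = f"{type_name}IncidentAdmin"
    ROLE_RULES[role] = {f"Incident{type_name}{a}" for a in ("Read", "Create", "Update")}
    return role
```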
- None:
GET /
- None:
GET /api/v1/health
- None:
GET /api/v1/info/auth
- IncidentRead:
GET /api/v1/incidents
- IncidentRead:
GET /api/v1/incidents/<int:incident_id>
- IncidentRoleRead:
GET /api/v1/incident-roles
- None:
GET /api/v1/postmortem-states
- IncidentCreate:
POST /api/v1/incidents
- IncidentTicketCreate:
PUT /api/v1/incidents/<int:incident_id>/ticket
- None:
GET /api/v1/integration/servicenow/fields/<string:ticket_id>
- IncidentMemberDelete:
DELETE /api/v1/incidents/<int:incident_id>/team/<string:member_id>
- IncidentUpdate:
PUT /api/v1/incidents/<int:incident_id>
- IncidentDelete:
DELETE /api/v1/incidents/<int:incident_id>
- TaskRead:
GET /api/v1/tasks
- TaskRead:
GET /api/v1/tasks/<int:task_id>
- IncidentTaskRead:
GET /api/v1/incidents/<int:incident_id>/tasks
- IncidentTaskUpdate:
PATCH /api/v1/incidents/<int:incident_id>/tasks
- IncidentTaskCreate:
POST /api/v1/incidents/<int:incident_id>/tasks
- IncidentTaskUpdate:
PUT /api/v1/incidents/<int:incident_id>/tasks/<int:task_id>
- IncidentTaskDelete:
DELETE /api/v1/incidents/<int:incident_id>/tasks/<int:task_id>
- None:
GET /api/v1/actions
- IncidentActionRead:
GET /api/v1/actions/<int:action_id>
- IncidentActionRead:
GET /api/v1/incidents/<int:incident_id>/actionsMetadata
- IncidentActionRead:
GET /api/v1/incidents/<int:incident_id>/actions
- IncidentActionCreate:
POST /api/v1/incidents/<int:incident_id>/actions
- IncidentActionUpdate:
PUT /api/v1/incidents/<int:incident_id>/actions/<int:action_id>
- IncidentActionDelete:
DELETE /api/v1/incidents/<int:incident_id>/actions/<int:action_id>
- None:
GET /api/v1/events
- None:
GET /api/v1/events/<int:event_id>
- IncidentEventRead:
GET /api/v1/incidents/<int:incident_id>/events
- IncidentEventCreate:
POST /api/v1/incidents/<int:incident_id>/events
- IncidentEventUpdate:
PUT /api/v1/incidents/<int:incident_id>/events/<int:event_id>
- IncidentEventDelete:
DELETE /api/v1/incidents/<int:incident_id>/events/<int:event_id>
- IncidentPostmortemRead:
GET /api/v1/incidents/<int:incident_id>/postmortem
- IncidentPostmortemRead:
POST /api/v1/incidents/<int:incident_id>/postmortem/download/<string:extension>
- IncidentPostmortemRead:
GET /api/v1/incidents/<int:incident_id>/collaborative_editor
- IncidentPostmortemCreate:
POST /api/v1/incidents/<int:incident_id>/postmortem
- IncidentPostmortemCreate:
POST /api/v1/postmortems
- IncidentPostmortemUpdate:
PUT /api/v1/incidents/<int:incident_id>/postmortem
- None:
GET /api/v1/metrics/postmortem-aggregates
- IncidentPostmortemRead:
GET /api/v1/open_postmortems
- IncidentPostmortemRead:
GET /api/v1/postmortems
- DashboardChartRead:
GET /api/v1/dashboards/<string:dashboard_id>/charts/<string:chart_id>
- DashboardRead:
GET /api/v1/dashboards/<string:dashboard_id>
- None:
GET /api/v1/tags/search
- None:
PUT /api/v1/incidents/<int:incident_id>/postmortem/tag
- None:
DELETE /api/v1/incidents/<int:incident_id>/postmortem/tag
- None:
GET /api/v1/tags
- IncidentTagCreate:
POST /api/v1/tag
- UserinfoRead:
GET /api/v1/slack-users-phone
- None:
GET /api/v1/slack-channels
- PrivatechannelRead:
GET /api/v1/search-slack-channels
- PrivatechannelRead:
GET /api/v1/incidents/<int:incident_id>/slack-channels
- UserinfoRead:
GET /api/v1/slack-users
- None:
GET /api/v1/users/jira
- None:
POST /api/v1/integration/jira/test
- None:
GET /api/v1/integration/jira/projects
- None:
GET /api/v1/integration/jira/project_issue_types
- None:
GET /api/v1/integration/probes
- None:
GET /api/v1/metrics/tags
- SettingRead:
GET /api/v1/settings-metadata
- SettingRead:
GET /api/v1/settings-metadata/<string:field_name>/search/<string:search_text>
- IncidentRead:
GET /api/v1/settings-metadata/get_options
- SettingRead:
GET /api/v1/settings/metadata
- SettingRead:
GET /api/v1/settings/<string:section_id>
- SettingRead:
GET /api/v1/settings/<string:section_id>/<string:sub_section_id>
- SettingRead:
GET /api/v1/settings-section
- SettingUpdate:
POST /api/v1/settings
- None:
GET /api/v1/timezone-setting
- SettingRead:
GET /api/v1/settings
- None:
GET /api/v1/slack-oauth-url
- None:
GET /api/v1/google-calendar-oauth-url
- None:
GET /api/v1/google-calendar-oauth-callback-url
- None:
GET /api/v1/integrations
- None:
GET /api/v1/slo/dataproviders
- IncidentCommunicationRead:
GET /api/v1/incidents/<int:incident_id>/communications
- IncidentCommunicationRead:
GET /api/v1/incidents/communications/channels
- IncidentCommunicationRead:
GET /api/v1/incidents/<int:incident_id>/internal_communications/<string:communication_id>
- IncidentCommunicationCreate:
POST /api/v1/incidents/<int:incident_id>/internal_communications
- IncidentCommunicationUpdate:
PUT /api/v1/incidents/<int:incident_id>/internal_communications/<string:communication_id>
- IncidentCommunicationExecute:
PATCH /api/v1/incidents/<int:incident_id>/internal_communications/<string:communication_id>
- IncidentCommunicationRead:
GET /api/v1/incidents/<int:incident_id>/external_communications/<string:communication_id>
- IncidentCommunicationCreate:
POST /api/v1/incidents/<int:incident_id>/external_communications
- IncidentCommunicationUpdate:
PUT /api/v1/incidents/<int:incident_id>/external_communications/<string:communication_id>
- IncidentCommunicationExecute:
PATCH /api/v1/incidents/<int:incident_id>/external_communications/<string:communication_id>
- IncidentCommunicationRead:
GET /api/v1/incidents/statuspage
- DashboardRead:
GET /api/v1/boards
- DashboardRead:
GET /api/v1/boards/<string:board_id>
- DashboardCreate:
POST /api/v1/boards
- DashboardUpdate:
PUT /api/v1/boards/<string:board_id>
- DashboardUpdate:
PATCH /api/v1/boards
- DashboardDelete:
DELETE /api/v1/boards/<string:board_id>
- DashboardTitleCreate:
POST /api/v1/boards/<string:board_id>/tiles
- DashboardTitleUpdate:
PUT /api/v1/boards/<string:board_id>/tiles/<string:tile_id>
- DashboardTitleDelete:
DELETE /api/v1/boards/<string:board_id>/tiles/<string:tile_id>
- TopicRead:
GET /api/v1/topics
- FactRead:
GET /api/v1/facts
- TopicSegmentRead:
GET /api/v1/topics/<string:topic_name>/segments
- TopicExecute:
POST /api/v1/topics/<string:topic_name>/execute
- TopicExecute:
POST /api/v1/topics/<string:topic_name>/validate
- DashboardTemplateRead:
GET /api/v1/board_templates/<string:template_name>
- None:
GET /api/v1/service-registry/services
- None:
POST /api/v1/service-registry/services
- None:
PUT /api/v1/service-registry/services/<int:service_id>
- None:
GET /api/v1/slo/health
- SloCreate:
POST /api/v1/slo/contact
- SloRead:
GET /api/v1/slo/contact
- SloRead:
GET /api/v1/slo/contact/<int:contact_id>
- SloCreate:
POST /api/v1/slo/service
- SloRead:
GET /api/v1/slo/service
- SloRead:
GET /api/v1/slo/service/<int:service_id>
- SloCreate:
POST /api/v1/slo/slio
- SloRead:
GET /api/v1/slo/slio
- SloRead:
GET /api/v1/slo/slio/<int:slio_id>
- SloUpdate:
PUT /api/v1/slo/slio/<int:slio_id>
- SloDelete:
DELETE /api/v1/slo/slio/<int:slio_id>
- SloRead:
GET /api/v1/slo/sli-menu
- SloRead:
GET /api/v1/slo/slio/<int:sli_menu_id>
- SloCreate:
POST /api/v1/slo/user-journey
- SloRead:
GET /api/v1/slo/user-journey
- SloRead:
GET /api/v1/slo/user-journey/<int:user_journey_id>
- None:
GET /api/v1/slo/slo-burndown/<int:slio_id>
- SloExecute:
POST /api/v1/slo/datadog/validate
- SloExecute:
POST /api/v1/slo/prometheus/validate
- SloExecute:
GET /api/v1/slo/appdynamics/getapplications
- SloExecute:
GET /api/v1/slo/appdynamics/getmetrics/<int:application_id>
- SloExecute:
POST /api/v1/slo/appdynamics/validate
- None:
GET /api/v1/slo/sli-computed-graph/<int:slio_id>
- Slo-manual-minutesCreate:
POST /api/v1/slo/manual-minutes
- None:
GET /api/v1/identity/health
- IdentityUserCreate:
POST /api/v1/identity/user
- IdentityUserUpdate:
POST /api/v1/identity/user/id/<int:user_id>
- IdentityRead:
GET /api/v1/identity/user
- IdentityUserRead:
GET /api/v1/identity/user/id/<int:user_id>
- IdentityRead:
GET /api/v1/identity/user/groups/<int:user_id>
- IdentityRead:
GET /api/v1/identity/user/roles/<int:user_id>
- IdentityRead:
GET /api/v1/identity/user/rules/<int:user_id>
- IdentityUserRead:
GET /api/v1/identity/user/authName/<string:auth_name>
- IdentityUserDelete:
DELETE /api/v1/identity/user/id/<int:user_id>
- IdentityUserRead:
GET /api/v1/identity/user/integration/<string:integration_type>/<string:integration_id>
- IdentityRead:
GET /api/v1/identity/user/integrations/<int:user_id>
- IdentityCreate:
POST /api/v1/userintegration
- IdentityCreate:
POST /api/v1/userintegration/kvs/<string:integration_type>/<string:integration_id>
- IdentityRead:
GET /api/v1/identity/userintegration/type/<string:integration_type>/id/<string:integration_id>
- IdentityRead:
GET /api/v1/identity/userintegration/type
- IdentityUpdate:
DELETE /api/v1/identity/userintegration/<string:integration_type>/<string:integration_id>
- IdentityOrgCreate:
POST /api/v1/identity/org
- IdentityOrgRead:
GET /api/v1/identity/org
- IdentityOrgRead:
GET /api/v1/identity/org/id/<int:org_id>
- IdentityRead:
GET /api/v1/identity/org/users/<int:org_id>
- IdentityOrgUpdate:
PUT /api/v1/identity/org/id/<int:org_id>
- IdentityOrgUpdate:
PUT /api/v1/identity/org/settings/<int:org_id>
- IdentityGroupCreate:
POST /api/v1/identity/group
- IdentityGroupUpdate:
POST /api/v1/identity/group/id/<int:group_id>
- IdentityGroupDelete:
DELETE /api/v1/identity/group/id/<int:group_id>
- IdentityRead:
GET /api/v1/identity/group/org/<int:org_id>
- IdentityRead:
GET /api/v1/identity/group/id/<int:group_id>
- IdentityRead:
GET /api/v1/identity/group/users/<int:group_id>
- IdentityRead:
GET /api/v1/identity/group/roles/<int:group_id>
- IdentityGroupUserCreate:
POST /api/v1/identity/group/user
- IdentityGroupCreate:
POST /api/v1/identity/group/role
- IdentityGroupUpdate:
DELETE /api/v1/identity/group/user/<int:group_id>/<int:user_id>
- IdentityGroupUpdate:
DELETE /api/v1/identity/group/role/<int:group_id>/<int:role_id>
- IdentityRuleCreate:
POST /api/v1/identity/rule
- IdentityRead:
GET /api/v1/identity/rule/id/<int:rule_id>
- IdentityRead:
GET /api/v1/identity/rule
- IdentityRead:
GET /api/v1/identity/rule/roles/<int:rule_id>
- IdentityRoleCreate:
POST /api/v1/identity/role
- IdentityRead:
GET /api/v1/identity/role/id/<int:role_id>
- IdentityRead:
GET /api/v1/identity/role
- IdentityRead:
GET /api/v1/identity/role/rules/<int:role_id>
- IdentityRoleUpdate:
POST /api/v1/identity/role/rule
- IdentityRead:
GET /api/v1/identity/role/users/<int:role_id>
- IdentityRead:
GET /api/v1/identity/role/groups/<int:role_id>
- IdentityRoleCreate:
POST /api/v1/identity/role/custom
- None:
GET /api/v1/slo/error-budget-policies
- None:
GET /api/v1/slo/error-budget-policy-threshold
- SloCreate:
POST /api/v1/slo/error-budget-policy-threshold-metadata
- SloUpdate:
PUT /api/v1/slo/error-budget-policy-threshold
- None:
GET /api/v1/incident-types
- None:
GET /api/v1/incident-severities
- None:
GET /api/v1/identity/rbac/enforce/<string:encoded_params>
- None:
GET /api/v1/identity/rbac/params
- AuditlogRead:
GET /api/v1/audit-logs
- CommentsRead:
GET /api/v1/comments/<string:component_ref>
- CommentsCreate:
POST /api/v1/comments
- CommentsUpdate:
PUT /api/v1/comments/<int:comment_id>/resolve
- CommentsDelete:
DELETE /api/v1/comments/<int:comment_id>
- Comments_infoUpdate:
POST /api/v1/comments/<string:component_ref>/register
- SloDelete:
DELETE /api/v1/slo/user-journey-steps/<int:user_journey_id>
- SloRead:
GET /api/v1/slo/user-journey-steps/<int:user_journey_id>
- SloRead:
GET /api/v1/slo/user-journey-steps
- SloCreate:
POST /api/v1/slo/user-journey-steps
- SloUpdate:
PUT /api/v1/slo/user-journey-steps/<int:user_journey_id>
Slack Bot Access Control
Each Slack command can have at most one rule associated with it. All users with a matching rule are permitted to run the command. Any command without a rule (i.e. None) is accessible by all authenticated users.
- IncidentUpdate:
Add Incident Check In:
add incident check-in
- IncidentUpdate:
Add Tags:
add tags {tag_labels_as_string} to {tag_category_to_add_to}
- IncidentUpdate:
Add Timeline Event:
Add timeline even.
- IncidentUpdate:
Assign Postmortem Role:
command
- IncidentUpdate:
Assign Incident Role:
assign {assignee_slack_user_id} as {role_name_to_assign}
- IncidentTaskUpdate:
Assign Task:
update task {task_sequence_number}
- IncidentUpdate:
Close Swimlane:
close swimlane
- IncidentTaskUpdate:
Complete Task:
complete task {task_sequence_number}
- IncidentUpdate:
Create Swimlane:
add swimlane
- IncidentTaskCreate:
Create Task:
create task {task_description}
- DashboardRead:
dashboard select:
dashboard select {tile_id} {date_filter}
- IncidentDelete:
Delete incident:
delete
- IncidentUpdate:
Edit Swimlane Owner:
edit swimlane owner
- IncidentUpdate:
Edit Swimlane Theory:
edit swimlane theory
- IncidentTaskUpdate:
Mark Task Pending:
mark task pending {task_sequence_number}
- IncidentUpdate:
Mute Incident:
command_from_args
- IncidentRead:
Get postmortem:
get postmortem
- DashboardRead:
Query Get:
query {topic_name} get {query_string}
- DashboardRead:
Query Show Fields:
query {topic_name} show fields
- IncidentUpdate:
Remove Tags:
remove tags {tag_labels_as_string} from {tag_category_to_remove_from}
- IncidentUpdate:
Reopen Swimlane:
reopen swimlane
- IncidentRead:
Send PM as email:
send pm as email to { .join(emails)}
- IncidentUpdate:
Set Incident as duplicate:
duplicate of {incident_number}
- IncidentUpdate:
Set Incident Description:
set description to {incident_description}
- IncidentUpdate:
Set Incident Severity:
set severity to {severity_label}
- IncidentUpdate:
Set Incident State:
set status to {incident_state}
- IncidentUpdate:
Set Incident State to Resolved:
None
- IncidentUpdate:
Set Incident Type:
set type to {incident_type}
- IncidentRead:
Show Escalation Policy:
Show Escalation Policy
- IncidentEventRead:
Show Events:
show events
- IncidentRead:
Show Incident:
show incident
- IncidentRead:
Show Incidents:
show incidents
- IncidentRead:
Show Oncall:
show oncall
- IncidentRead:
Show Swimlane:
show swimlane
- IncidentRead:
Show Swimlanes:
show swimlanes
- IncidentRead:
Show Tag Categories:
show tag categories
- IncidentRead:
Show Tags:
show tags
- IncidentTaskRead:
Show tasks by incident status:
show {all if get_all_tasks else my}{completed_or_pending_or_all} tasks
- IncidentCreate:
Start Incident:
start {severity} {incident_type} incident {description}
- IncidentRead:
Trigger Alert:
Trigger Alert
- IncidentUpdate:
Unmute Incident:
unmute