Overview
Blameless users can be restricted to accessing only the incidents they create, without access to the other incidents of the same incident type. They are also granted access only to the retrospectives created for the incidents they were allowed to create.
Users assigned the IncidentCreator role per incident type via Identity Management in Blameless gain the following permissions:
- can join the incident channel (private or public) in Slack or the incident group chat in Microsoft Teams.
- can only access and view incidents and the matching retrospective they created in the Blameless web UI.
- can execute the same Blameless commands as a user assigned the IncidentReader role per incident type (see incident roles).
- can later have their access to the incident (and retrospective) revoked if it turns out that the incident deals with sensitive information that can be visible only to a limited number of authorized users (e.g. security incidents).
Users whose permission to access a specific incident has been revoked can continue to chat in the incident channel or group chat, but they are no longer allowed to access the incident (and retrospective) in the Blameless web UI. If you want to remove users from a channel in Slack (private or public) or from the group chat team in Microsoft Teams, use the capabilities native to the messaging tool (Slack or Microsoft Teams).
Users with global access to all incidents for selected or all incident types cannot be denied access at the incident level.
Assigning incident creator roles to users
In Identity Management, for each incident type created (check your list of incident types under Settings > Incidents > Incident Types), Blameless automatically creates several incident roles with the name of the incident type as a prefix.
For example, if the incident type name is “Customer incident”, the following roles are automatically created and can be found in the Roles tab in Identity Management:
- Customer incidentIncidentCreator
- Customer incidentIncidentReader
- Customer incidentIncidentWriter
- Customer incidentIncidentAdmin
Follow the two steps below to assign one or more IncidentCreator roles to users. The procedure is the same as assigning any other role to users in Blameless Identity Management (see Groups and Users):
- Assign a role to a group
- Assign users to this group to assign those roles to these users
Step 1: Assign one or more IncidentCreator roles to a group
- Go to Identity Management in Blameless
- Click on the Groups tab
- Use one of your existing groups or click the Create Group button to create a dedicated group, which you can use to assign one or more IncidentCreator roles to users.
- After you complete the form, with at least the name of the group, click the Create button.
- Filter the list of groups by typing the name of the group to which you want to assign one or more IncidentCreator roles.
- Click on the 3 vertical dots and select Assign/Unassign roles.
- In the new pop-up window, “Assign roles to …….”, type the keyword “creator” to filter only the IncidentCreator roles from the list of default roles.
- Select one or more IncidentCreator roles you want to assign to this group, then click the Assign button.
- You can optionally verify the list of roles assigned to this group by clicking on 3 vertical dots and the Show access settings option.
Step 2: Assign one or more users to this group
- Go to Identity Management in Blameless
- Click on the Groups tab
- Filter the list of groups by typing the name of the group to which you previously assigned one or more IncidentCreator roles.
- Click on the 3 vertical dots and select Assign/Unassign users
Managing user permissions in the incident
Conditions may change after an incident has started, so Blameless provides the flexibility to grant more Blameless permissions to users as they join an incident, or to revoke their permission to access the Blameless incident (and retrospective) if the incident has to be handled and accessed only by a limited number of authorized users.
This section describes the option to view and change user permissions (grant/revoke) at the incident level only (local roles) from within an incident channel in Slack (coming soon: from the incident detailed page in the Blameless web UI).
- View permissions (local and global roles) for any users joining the incident, including the creator of the incident and anyone who joins the incident.
  - Users joining an incident may have permissions set either at the incident level only (local) or at the global level per incident type (or all incident types).
  - Note that if a user has a role set at both the global and local level, the permissions at the global level prevail.
- Change permissions for users with local roles only:
  - Permissions inherited at the global level (per incident type) can only be updated under Identity Management in Blameless.
Required permissions to set user permissions
All users can view the user permissions per incident; however, only users with the Writer or IncidentWriter roles can modify user permissions.
User permissions at the incident level
Users with permissions set at the incident level may be granted any of the three default local permissions:
Local role | Blameless commands | Access to the incident (and retrospective) in the Blameless web UI |
Writer | Can execute the same set of Blameless commands assigned to the IncidentWriter but only for this incident (see Slack command mapping table). | |
Reader (*) | Can execute the same set of Blameless commands assigned to the IncidentReader but only for this incident (see Slack command mapping table). | |
None | Users are not allowed to execute any Blameless commands. | Denied access |
(*) The creator of the incident automatically inherits this local role.
Users with the None permission remain in the incident channel in Slack but no longer have access to the incident/retrospective in the Blameless web UI. However, those users can continue to chat in the Slack channel. If the incident channel is a private Slack channel, users can then be removed from the private channel using Slack’s native member management capabilities.
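The rules above (a global role prevails over a local one, the creator starts as a local Reader, None denies web UI access) can be modelled to check who keeps access to a sensitive incident after a local revocation. This is an added example, not Blameless code or a Blameless API: the data layout, function names and sample users are hypothetical, and it assumes that the per-type IncidentReader, IncidentWriter and IncidentAdmin roles grant access to every incident of that type and that local Reader and Writer both allow web UI access.

```python
# Constructed model of the access rules described on this page.
# Not Blameless code or API; every name and the data layout are hypothetical.
ROLE_SUFFIXES = ("IncidentCreator", "IncidentReader", "IncidentWriter", "IncidentAdmin")
# Assumption: these per-type roles grant access to every incident of that type.
ALL_INCIDENT_ROLES = {"IncidentReader", "IncidentWriter", "IncidentAdmin"}

def split_role(role_name):
    """Split 'Customer incidentIncidentCreator' into (incident type, role)."""
    for suffix in ROLE_SUFFIXES:
        if role_name.endswith(suffix) and len(role_name) > len(suffix):
            return role_name[:-len(suffix)], suffix
    return None

def web_ui_access(user, incident, global_roles, local_roles):
    """Return (allowed, reason) for one user on one incident."""
    for name in global_roles.get(user, ()):
        parsed = split_role(name)
        if parsed and parsed[0] == incident["type"] and parsed[1] in ALL_INCIDENT_ROLES:
            return True, "global:" + parsed[1]  # global role prevails over local
    local = local_roles.get((incident["id"], user))
    if local is None and user == incident["creator"]:
        local = "Reader"  # the creator automatically inherits local Reader
    if local in ("Reader", "Writer"):  # assumption: both allow web UI access
        return True, "local:" + local
    return False, ("local:None" if local == "None" else "no role")

def retained_after_revocation(incident, participants, global_roles, local_roles):
    """Users set to local None who still reach the incident via a global role."""
    return sorted(
        user for user in participants
        if local_roles.get((incident["id"], user)) == "None"
        and web_ui_access(user, incident, global_roles, local_roles)[0]
    )

# Constructed sample data.
INCIDENT = {"id": "INC-1", "type": "Security incident", "creator": "alice"}
GLOBAL_ROLES = {
    "alice": ["Security incidentIncidentCreator"],
    "bob": ["Security incidentIncidentReader"],
    "carol": ["Customer incidentIncidentWriter"],
}
LOCAL_ROLES = {("INC-1", "alice"): "None", ("INC-1", "bob"): "None",
               ("INC-1", "carol"): "Reader"}

if __name__ == "__main__":
    for person in ("alice", "bob", "carol"):
        print(person, web_ui_access(person, INCIDENT, GLOBAL_ROLES, LOCAL_ROLES))
    print(retained_after_revocation(INCIDENT, list(GLOBAL_ROLES), GLOBAL_ROLES, LOCAL_ROLES))
```

Anyone returned by `retained_after_revocation` has to be handled in Identity Management, because a global role cannot be overridden at the incident level.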
User permissions in Slack
Use the following Blameless command to view or manage user permissions in Slack:
/blameless set permissions
The user permission modal automatically shows the list of all incident participants that have joined the incident channel.
Available controls to search users
- Use the Next or Previous button to navigate through a long list of participants. These buttons are present only if the list of participants is longer than 10 users.
- Use the filters to reduce the list of users to only specific task roles or to specific local roles (None, Reader, Writer).
- Use the Search users text field to search users by their display name in Slack:
  - Always hit "Enter" after you have typed a few characters to filter the list of participants.
  - To show the entire list of participants again, empty the search field and hit "Enter".
Change user permissions
- Permissions updated per user take immediate effect
- Global roles can only be updated by an authorized Blameless user in Identity Management
User permissions in the Blameless web UI
Coming soon!