Skip to main content

Role Based Access Control

Zenduty's Role Based Access Control

Role Based Access Control is a feature set available for growth and enterprise users providing fine-grained access management of Zenduty. Zenduty RBAC allows you segregate duties and access within your team and grant only the permissions to users that they need to perform their responsibilities.
If RBAC is not enabled, Zenduty's default role structure follows with the pre-defined roles of Owner, Admin, Team Manager and User.

What can I do with RBAC?

  • Create custom account roles with specific permissions and assign it to groups of users with similar responsibilities and use cases. For eg: customized roles for Engineering Managers could have view permissions for all teams, allowing for visibility into the entire organization.
  • Change a team's settings to grant all users certain specific permissions. For eg: the Database team's incidents can be configured to be viewable by all dependant users allowing them to correlate Database issues with other incidents.
  • Enable incident responders to pull in other associated team's on-call users, allowing for more effective collaborative triaging and a decrease in fire-fighting friction.

An organisation can implement RBAC via 2 mediums:

  • Team Level Permissions i.e. making some data associated to a team to be visible to non-team members across your Zenduty account
  • Account Level Permissions i.e. making custom roles and assigning to users granting them certain chosen permissions only

Team Level Permissions

By default, only the members of a team can view the incidents, escalation policies, schedules, services and other associated information. However, users can harness this ability to tinker with the privacy permissions of a team and make some or all data attached to the team visible to all non-team members of your Zenduty account. This allows for the operational status of teams that are centerpieces of an organisation's engineering structure be accessible to all dependant members.

The final permission set of a user is a union of their account level permissions and a particular team's permissions, implying that even if a user with a custom role is denied permission to view incidents in general, they'll be able to access incidents of a particular team that has configured their incidents to be visible to all members in their team level permissions.

Modifying Team Level Permissions

Only the Account Owner, Account Admins and Team Manager can modify team level permissions.

  1. Click on the team whose permissions you'd like to edit from the Teams section, navigate to the Settings tab on the very bottom.

  2. Switch the Access Level setting from Private to Restricted.

  3. Select the restricted permissions that you'd like to provide to non-team members and click on Update.

List of Team Level Permissions

Note: Selecting some permissions would automatically select others that the chosen permission requires.

Permission Effect
View Analytics Allows all account members to view team's analytics and download reports
View Incidents Allows all account members to view incidents generated in a team
View Integrations Allows all account members to view the integrations created within a team's services
View Postmortems Allows all account members to view the postmortems created within a team
View Schedules Allows all account members to view the schedules created within a team
View Stakeholder Template Allows all account members to view stakeholder templates created within a team
View Teams Allows all account members to view the team and its members
Attach Escalation Policies Allows all account members to use a team's escalation policies in their incidents
Edit Incidents Allows all account members to acknowledge, resolve and edit all parameters of an incident generated in a team
View Team Maintenance Allows all account members to view a team's maintenance windows
View Priorities Allows all account members to view the priority levels created within a team
View Services Allows all account members to view the services belonging to a team
View Team Tags Allows all account members to view the tags created within a team
View Escalation Policies Allows all account members to view the escalation policies in place within a team
View Incident Roles Allows all account members to view the incident roles created within a team
View Members Allows all account members to view the members of a team
Attach Schedules Allows all account members to add a team's scheduled on-call responder to their incidents
View SLAs Allows all account members to view the SLA policies created within a team
View Task Templates Allows all account members to view the task templates created within a team

Account Level Permissions

Via account level permissions, users can create custom roles and assign to users to grant them specific access to Zenduty resources. This allows organisations to grant special privileges to certain power users and owners, thus lowering dependencies on other responders in dire situations and smoothening the incident resolution process.

Modifying Account Level Permissions

Only the Account Owner and Account Admins can create custom roles and assign them to users.

  1. Click on your profile bubble on the top-right corner and then on Account.

  2. Navigate to the Custom Roles section, and click on the Add New Role button.

  3. Fill in the Name and Description fields, select the permissions as desired. For eg: we create a custom role for Engineering Managers that can view all teams and associated data. Click on Create.

  4. Now go to the Users tab from the sidebar on the left.

  5. Find the user you want to assign the newly created role and simply select the role from the dropdown menu.

List of Account Level Permissions

Note: Selecting some permissions would automatically select others that the chosen permission requires.

Permission Effect
View Analytics Allows the member to view the analytics and reports of all teams
View Incidents Allows the member to view incidents of all teams
Edit Incidents Allows the member to acknowledge, resolve and edit all incidents created within all teams
View Incident Roles Allows the member to view the incident roles created within all teams
Edit Incident Roles Allows the member to edit incident roles created within all teams
View Team Maintenance Allows the member to view the maintenance windows of all teams
Edit Team Maintenance Allows the member to edit the maintenance windows of all teams
View Members Allows the member to view the members belonging to all teams
Edit Members Allows the member to edit the members belonging to all teams
View Teams Allows the member to view all teams created under the account
View Priorities Allows the member to view the priority levels created within all teams
Edit Priorities Allows the member to edit the priority levels created within all teams
View Schedules Allows the member to view the on-call schedules created within all teams
Edit Schedules Allows the member to edit the on-call schedules created within all teams
View SLAs Allows the member to view the SLA policies created within all teams
Edit SLAs Allows the member to edit the SLA policies created within all teams
View Stakeholder Template Allows the member to view the Stakeholder Templates created within all teams
Edit Stakeholder Template Allows the member to edit the Stakeholder Templates created within all teams
View Task Template Allows the member to view the task templates created within all teams
Edit Task Templates Allows the member to edit the task templates created within all teams
View Escalation Policies Allows the member to view the escalation policies created within all teams
Edit Escalation Policies Allows the member to edit the escalation policies created within all teams
View Integrations Allows the member to view the integrations created within all team's services
Edit Integrations Allows the member to edit the integrations associated within services for all teams
View Postmortems Allows the member to view the postmortems created within all teams
Edit Postmortems Allows the member to edit the postmortems created within all teams
View Services Allows the member to view the services associated with all teams
Edit Services Allows the member to edit the services associated with all teams
View Team Tags Allows the member to view the tags created within all teams
Edit Team Tags Allows the member to edit the tags created within all teams

RBAC Alert Rules

With RBAC enabled, can also leverage Zenduty Alert Rules to automatically Assign the incident to a Global User, Attach Global Escalation Policies and Add Global Users and On-Call Users from Global Schedules as responders to incoming incidents.

Before proceeding with building your alert rules, please ensure that the necessary permissions have been enabled for the teams and users which you want to be accessible via alert rules.
So to use the Route to Escalation Policy action, the Attach Escalation Policies permission should be enabled on the Account Level Access settings for the team to which the Escalation Policy belongs to.
To assign an incident to a user outside the team via alert rules, grant them a role with the Edit Incidents permission.

Example: Add the On-Call User from a Global Schedule as an Incident Responder

To enable this action, please make sure that the team with the incoming incident has the View Incident permission enabled, and the team to which the Schedule belongs to has the Attach Schedules and View Services permissions enabled on the Account Level Access settings.

  1. Click on the Service your Integration is in.

  2. Go to the Integrations tab and choose the integration for which you want to add an RBAC Alert Rule.

  3. Click on the Alert Rules tab from the secondary sidebar and then the Create Alert Rule button.

  4. Give your alert a name and set the conditions and actions as intended, an example is shown below. Save to apply.

Discover more Alert Rules use-cases and examples here.