Role Based Access Control

Zenduty's Role Based Access Control

Role Based Access Control is a feature set available for growth and enterprise users providing fine-grained access management of Zenduty. Zenduty RBAC allows you to segregate duties and access within your team and grant users only the permissions they need to perform their responsibilities.
If RBAC is not enabled, Zenduty's default role structure follows with the pre-defined roles of Owner, Admin, Team Manager and User.

What can I do with RBAC?

  • Create custom account roles with specific permissions and assign them to groups of users with similar responsibilities and use cases. For example, customized roles for Engineering Managers could have view permissions for all teams, allowing for visibility into the entire organization.
  • Change a team's settings to grant all users certain specific permissions. For example, the Database team's incidents can be configured to be viewable by all dependent users, allowing them to correlate Database issues with other incidents.
  • Enable incident responders to pull in other associated teams' on-call users, allowing for more effective collaborative triaging and a decrease in fire-fighting friction.

An organisation can implement RBAC via 2 mediums:

  • Team Level Permissions, i.e. making some data associated with a team visible to non-team members across your Zenduty account
  • Account Level Permissions, i.e. creating custom roles and assigning them to users, granting them only certain chosen permissions

Team Level Permissions

By default, only the members of a team can view the incidents, escalation policies, schedules, services and other associated information. However, you can adjust a team's privacy permissions to make some or all data attached to the team visible to all non-team members of your Zenduty account. This allows the operational status of teams that are centerpieces of an organisation's engineering structure to be accessible to all dependent members.

The final permission set of a user is a union of their account level permissions and a particular team's permissions, implying that even if a user with a custom role is denied permission to view incidents in general, they'll be able to access incidents of a particular team that has configured their incidents to be visible to all members in their team level permissions.
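The union rule above, modelled as an added example (not Zenduty code or its API; the Team class, the role set and the team names are constructed for illustration). The audit lists, per team, what a non-member gains beyond their custom role:

```python
# Added example: models the union rule described in the text.
# All names are hypothetical; this is not Zenduty's API or data model.
from dataclasses import dataclass


@dataclass(frozen=True)
class Team:
    name: str
    access_level: str = "Private"  # "Private" or "Restricted"
    # Permissions opened to non-team members when the team is Restricted.
    restricted_perms: frozenset = frozenset()


def effective_permissions(role_perms, team):
    """Non-member's permissions on one team: role grants UNION team grants."""
    team_grants = (
        team.restricted_perms if team.access_level == "Restricted" else frozenset()
    )
    return frozenset(role_perms) | team_grants


def widened_by_team(role_perms, teams):
    """Per team, the permissions a user holds that the role alone does not grant."""
    report = {}
    for team in teams:
        extra = effective_permissions(role_perms, team) - frozenset(role_perms)
        if extra:
            report[team.name] = sorted(extra)
    return report


# Constructed sample data.
TEAMS = [
    Team("Database", "Restricted", frozenset({"View Incidents", "View Services"})),
    Team("Payments"),  # left Private: non-members get nothing extra
]
# Custom role that deliberately lacks View Incidents.
AUDITOR_ROLE = {"View Analytics", "View Teams"}

if __name__ == "__main__":
    for team_name, perms in widened_by_team(AUDITOR_ROLE, TEAMS).items():
        print(f"{team_name}: role widened by team settings -> {', '.join(perms)}")
```

Running a review like this before switching a team to Restricted shows which role-level denials the team setting will override.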

Modifying Team Level Permissions

Only the Account Owner, Account Admins and Team Managers can modify team level permissions.

  1. From the Teams section, click on the team whose permissions you'd like to edit, then navigate to the Settings tab at the very bottom.

  2. Switch the Access Level setting from Private to Restricted.

  3. Select the restricted permissions that you'd like to provide to non-team members and click on Update.

List of Team Level Permissions

Note: Selecting some permissions would automatically select others that the chosen permission requires.

| Permission | Effect |
| --- | --- |
| View Analytics | Allows all account members to view team's analytics and download reports |
| View Incidents | Allows all account members to view incidents generated in a team |
| View Integrations | Allows all account members to view the integrations created within a team's services |
| View Postmortems | Allows all account members to view the postmortems created within a team |
| View Schedules | Allows all account members to view the schedules created within a team |
| View Stakeholder Template | Allows all account members to view stakeholder templates created within a team |
| View Teams | Allows all account members to view the team and its members |
| Attach Escalation Policies | Allows all account members to use a team's escalation policies in their incidents |
| Edit Incidents | Allows all account members to acknowledge, resolve and edit all parameters of an incident generated in a team |
| View Team Maintenance | Allows all account members to view a team's maintenance windows |
| View Priorities | Allows all account members to view the priority levels created within a team |
| View Services | Allows all account members to view the services belonging to a team |
| View Team Tags | Allows all account members to view the tags created within a team |
| View Escalation Policies | Allows all account members to view the escalation policies in place within a team |
| View Incident Roles | Allows all account members to view the incident roles created within a team |
| View Members | Allows all account members to view the members of a team |
| Attach Schedules | Allows all account members to add a team's scheduled on-call responder to their incidents |
| View SLAs | Allows all account members to view the SLA policies created within a team |
| View Task Templates | Allows all account members to view the task templates created within a team |

Account Level Permissions

Via account level permissions, users can create custom roles and assign them to users to grant them specific access to Zenduty resources. This allows organisations to grant special privileges to certain power users and owners, thus lowering dependencies on other responders in dire situations and smoothing the incident resolution process.

Modifying Account Level Permissions

Only the Account Owner and Account Admins can create custom roles and assign them to users.

  1. Click on your profile bubble on the top-right corner and then on Account.

  2. Navigate to the Custom Roles section, and click on the Add New Role button.

  3. Fill in the Name and Description fields and select the permissions as desired. For example, we create a custom role for Engineering Managers that can view all teams and associated data. Click on Create.

  4. Now go to the Users tab from the sidebar on the left.

  5. Find the user to whom you want to assign the newly created role and select the role from the dropdown menu.

List of Account Level Permissions

Note: Selecting some permissions would automatically select others that the chosen permission requires.

| Permission | Effect |
| --- | --- |
| View Analytics | Allows the member to view the analytics and reports of all teams |
| View Incidents | Allows the member to view incidents of all teams |
| Edit Incidents | Allows the member to acknowledge, resolve and edit all incidents created within all teams |
| View Incident Roles | Allows the member to view the incident roles created within all teams |
| Edit Incident Roles | Allows the member to edit incident roles created within all teams |
| View Team Maintenance | Allows the member to view the maintenance windows of all teams |
| Edit Team Maintenance | Allows the member to edit the maintenance windows of all teams |
| View Members | Allows the member to view the members belonging to all teams |
| Edit Members | Allows the member to edit the members belonging to all teams |
| View Teams | Allows the member to view all teams created under the account |
| View Priorities | Allows the member to view the priority levels created within all teams |
| Edit Priorities | Allows the member to edit the priority levels created within all teams |
| View Schedules | Allows the member to view the on-call schedules created within all teams |
| Edit Schedules | Allows the member to edit the on-call schedules created within all teams |
| View SLAs | Allows the member to view the SLA policies created within all teams |
| Edit SLAs | Allows the member to edit the SLA policies created within all teams |
| View Stakeholder Template | Allows the member to view the Stakeholder Templates created within all teams |
| Edit Stakeholder Template | Allows the member to edit the Stakeholder Templates created within all teams |
| View Task Template | Allows the member to view the task templates created within all teams |
| Edit Task Templates | Allows the member to edit the task templates created within all teams |
| View Escalation Policies | Allows the member to view the escalation policies created within all teams |
| Edit Escalation Policies | Allows the member to edit the escalation policies created within all teams |
| View Integrations | Allows the member to view the integrations created within all teams' services |
| Edit Integrations | Allows the member to edit the integrations associated within services for all teams |
| View Postmortems | Allows the member to view the postmortems created within all teams |
| Edit Postmortems | Allows the member to edit the postmortems created within all teams |
| View Services | Allows the member to view the services associated with all teams |
| Edit Services | Allows the member to edit the services associated with all teams |
| View Team Tags | Allows the member to view the tags created within all teams |
| Edit Team Tags | Allows the member to edit the tags created within all teams |

Leveraging Alert Rules and RBAC together

With RBAC enabled, you can also leverage Zenduty Alert Rules to automatically Assign the incident to a User from another Team, Attach Escalation Policies from other teams and Add Global Users and On-Call Users from Global Schedules as responders to incoming incidents.

Before building your alert rules, please ensure that the necessary permissions have been enabled for the teams and users that you want to be accessible via alert rules.
For example, to use the Route to Escalation Policy action, the Attach Escalation Policies permission should be enabled on the Account Level Access settings for the team to which the Escalation Policy belongs.
To assign an incident to a user outside the team via alert rules, grant them a role with the Edit Incidents permission.

Example: Add the On-Call User from a Global Schedule as an Incident Responder

To enable this action, please make sure that the team with the incoming incident has the View Incident permission enabled, and that the team to which the Schedule belongs has the Attach Schedules and View Services permissions enabled on the Account Level Access settings.

  1. Click on the Service your Integration is in.

  2. Go to the Integrations tab and choose the integration for which you want to add an RBAC Alert Rule.

  3. Click on the Alert Rules tab from the secondary sidebar and then the Create Alert Rule button.

  4. Give your alert a name and set the conditions and actions as intended; an example is shown below. Save to apply.

Discover more Alert Rules use-cases and examples here.