Access Control Overview

Access control within Lacework is extremely powerful while remaining easy and intuitive to manage. Lacework's approach to access control lets you give more granular access to specific accounts and resources and prevents unwanted access to other accounts and resources.

Role-based access control (RBAC) controls what user groups can access, based on a role defined at either the account level or the organization level.

Organization Roles

At organization level, Lacework supports two roles: Administrator and User.

The following tabs describe in detail each role and its permissions.

| User type | Description |
| --- | --- |
| Org admin | Users with the organization administrator role have full access to all organization-level settings. They also have administrator role access to all underlying accounts within the organization. See Create Users for an Organization. |

Account Roles

At account level, Lacework supports three roles: Admin, Power user, and Read-only user.

The following tabs describe in detail each role and its permissions.

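User type: Standard user
User group: Account admin

| Section | Item | Read | Write | Delete |
| --- | --- | --- | --- | --- |
| Lacework Console | Alerts | ✔︎ | ✔︎ | ✔︎ |
| Lacework Console | Compliance | ✔︎ | ✔︎ | ✔︎ |
| Lacework Console | Vulnerabilities | ✔︎ | ✔︎ | ✔︎ |
| Lacework Console | Code security | ✔︎ | ✔︎ | ✖︎ |
| Lacework Console | Resources | ✔︎ | ✔︎ | ✖︎ |
| Lacework Console | Policies | ✔︎ | ✔︎ | ✔︎ |
| Lacework Console | Reports | ✔︎ | ✔︎ | ✔︎ |
| Lacework Console | Subscription | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Alert channels | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Alert rules | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Cloud accounts | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Container registries | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Resource groups | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | API keys | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Agents | ✔︎ | ✔︎ | ✖︎ |
| Account Settings | Report rules | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | Data export rules | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | General | ✔︎ | ✔︎ | ✔︎ |
| Account Settings | License | ✔︎ | ✖︎ | ✖︎ |
| Account Settings | Audit logs | ✔︎ | ✖︎ | ✖︎ |
| Account Settings | Access control | ✔︎ | ✔︎ | ✔︎ |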

Service Users

Lacework supports service users, which provide programmatic access to the Lacework API without allowing logins to the Lacework Console. Service users have three roles: Admin, Power user, and Read-only user.

The following tabs describe in detail each role and its permissions.

| User type | User group | Description |
| --- | --- | --- |
| Service user | Account admin | Users with the account administrator role have full access to all Lacework API endpoints. |