Access Control Overview
Access control within Lacework is extremely powerful while remaining easy and intuitive to manage. Lacework's approach to access control lets you give more granular access to specific accounts and resources and prevents unwanted access to other accounts and resources.
Role-based access control (RBAC) is control over user groups and access to resources based on a defined role at either an account level or organization level.
Organization Roles
At organization level, Lacework supports two roles: Administrator and User.
The following tabs describe in detail each role and its permissions.
Administrator User
| User type | Description |
|---|---|
| Org admin | Users with the organization administrator role have full access to all organization-level settings. They also have administrator role access to all underlying accounts within the organization. See Create Users for an Organization. |
| User type | Description |
|---|---|
| Org user | Users with the organization user role have Read permission to all organization-level settings. They also have user role access to all underlying accounts within the organization. See Create Users for an Organization. |
Account Roles
At account level, Lacework supports three roles: Admin, Power user, and Read-only user.
The following tabs describe in detail each role and its permissions.
Admin Power user Read-only user
| Lacework Console | |||
| Alerts | |||
| Compliance | |||
| Vulnerabilities | |||
| Code security | |||
| Resources | |||
| Policies | |||
| Reports | |||
| Subscription | |||
| Account Settings | |||
| Alert channels | |||
| Alert rules | |||
| Cloud accounts | |||
| Container registries | |||
| Resource groups | |||
| API keys | |||
| Agents | |||
| Report rules | |||
| Data export rules | |||
| General | |||
| License | |||
| Audit logs | |||
| Access control | |||
| Lacework Console | |||
| Alerts | |||
| Compliance | |||
| Vulnerabilities | |||
| Code security | |||
| Resources | |||
| Policies | |||
| Reports | |||
| Subscription | |||
| Account Settings | |||
| Alert channels | |||
| Alert rules | |||
| Cloud accounts | |||
| Container registries | |||
| Resource groups | |||
| API keys | |||
| Agents | |||
| Report rules | |||
| Data export rules | |||
| General | |||
| License | |||
| Audit logs | |||
| Access control | |||
| Lacework Console | |||
| Alerts | |||
| Compliance | |||
| Vulnerabilities | |||
| Code security | |||
| Resources | |||
| Policies | |||
| Reports | |||
| Subscription | |||
| Account Settings | |||
| Alert channels | |||
| Alert rules | |||
| Cloud accounts | |||
| Container registries | |||
| Resource groups | |||
| API keys | |||
| Agents | |||
| Report rules | |||
| Data export rules | |||
| General | |||
| License | |||
| Audit logs | |||
| Access control | |||
Service Users
Lacework supports service users to provide programatic access to the Lacework API without allowing logins to the Lacework Console. Service users have three roles: Admin, Power user, and Read-only user.
The following tabs describe in detail each role and its permissions.
Admin Power user Read-only user
| User type | User group | Description |
|---|---|---|
| Service user | Account admin | Users with the account administrator role have full access to all Lacework API endpoints. |
| User type | User group | Description |
|---|---|---|
| Service user | Account power user | Users with the power-user role have full access to the following API endpoints: |
| User type | User group | Description |
|---|---|---|
| Service user | Account read-only user | Users with the read-only role have access to the following GET API endpoints: |