RBAC permissions
ThreatLens authorization is permission-based. Each API and admin action is guarded by a named permission key. Roles are simply named bundles of those keys — so you can build custom roles without any code change. For the how-to, see roles & access.
Permission catalog
| Category | Permission | What it grants |
|---|---|---|
| Users | manage_users | Invite, enable, disable, and remove users |
| Users | manage_roles | Create roles and assign them to users |
| Tenant | manage_sso | Configure SSO and group→role mappings |
| Tenant | manage_billing | Manage billing and subscription |
| Providers | manage_provider_connections | Add, edit, and remove model-provider connections |
| Providers | edit_provider_trust | Set the trust tier of a provider/destination |
| Policy | edit_enforcement_matrix | Edit the policy matrix (class → action) |
| Policy | edit_policy_mode | Switch monitor ↔ enforce |
| Policy | edit_classification_rules | Edit classification / custom detection rules |
| Policy | edit_redaction_rules | Edit redaction behavior |
| Policy | view_policy_audit | View policy-change history |
| Exceptions | view_exception_requests | See pending approval requests |
| Exceptions | approve_exceptions | Approve held requests |
| Exceptions | deny_exceptions | Deny held requests |
| Exceptions | request_exceptions | Submit an exception/approval request |
| Incidents | review_incidents | Review flagged incidents |
| Audit | view_all_audit_logs | View every user's audit records |
| Audit | view_own_audit_logs | View one's own audit records |
| Audit | export_audit_logs | Export audit/event data (e.g. to SIEM) |
| General | view_dashboard | View dashboards and reporting |
| General | use_gateway | Send requests through the governed gateway |
Default roles
Six roles ship by default. The Tenant Owner holds every permission, and last-owner protection ensures a tenant can never lose its final Tenant Owner, so the tenant cannot be locked out. New users are assigned the User role by default.
| Role | Purpose | Permissions |
|---|---|---|
| Tenant Owner | Full control of the tenant | All permissions |
| Security Admin | Operates providers, policy, and incidents | Provider, policy, incident, exception, audit, and dashboard permissions |
| Policy Manager | Owns the policy matrix and rules | Policy + classification/redaction editing, policy audit, dashboard |
| Approver | Handles exception requests | View / approve / deny exceptions, dashboard |
| Auditor | Read-only oversight | View all audit logs, export, policy audit, dashboard |
| User | Everyday governed AI use | use_gateway, view_own_audit_logs, request_exceptions |
Custom roles need no code
Because guards check permission keys rather than role names, you can compose any subset of keys into a new role from the Roles page, and the gateway and admin APIs enforce it immediately. Note that manage_roles is itself a high-privilege key: whoever holds it can bundle any permission, including manage_users and the policy-editing keys, into a new role and assign it, so grant it as sparingly as manage_users.
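The following Python is an added illustration of the mechanism described in the overview and in this section; it is not ThreatLens code. The permission keys, categories and default role bundles are taken from the tables on this page; the `Tenant` class, the `require()` guard, the function names, the audit record shape and the `policy_mode` field are assumptions made for the example. It shows roles as plain sets of keys, a guard that checks a key rather than a role, custom-role creation with no code change, the default User role for invited users, and the last-owner protection failure mode.

```python
"""Permission-keyed RBAC with roles as bundles of keys (constructed example)."""
from dataclasses import dataclass, field
from functools import wraps

# Permission catalog, grouped by the categories used on this page.
CATALOG = {
    "Users": ["manage_users", "manage_roles"],
    "Tenant": ["manage_sso", "manage_billing"],
    "Providers": ["manage_provider_connections", "edit_provider_trust"],
    "Policy": ["edit_enforcement_matrix", "edit_policy_mode",
               "edit_classification_rules", "edit_redaction_rules",
               "view_policy_audit"],
    "Exceptions": ["view_exception_requests", "approve_exceptions",
                   "deny_exceptions", "request_exceptions"],
    "Incidents": ["review_incidents"],
    "Audit": ["view_all_audit_logs", "view_own_audit_logs", "export_audit_logs"],
    "General": ["view_dashboard", "use_gateway"],
}
PERMISSIONS = frozenset(k for keys in CATALOG.values() for k in keys)


def _cats(*names):
    """Union of every key in the named catalog categories."""
    return {k for n in names for k in CATALOG[n]}


# Default roles as bundles of keys, following the summary table above.
DEFAULT_ROLES = {
    "Tenant Owner": set(PERMISSIONS),
    "Security Admin": _cats("Providers", "Policy", "Incidents",
                            "Exceptions", "Audit") | {"view_dashboard"},
    "Policy Manager": _cats("Policy") | {"view_dashboard"},
    "Approver": {"view_exception_requests", "approve_exceptions",
                 "deny_exceptions", "view_dashboard"},
    "Auditor": {"view_all_audit_logs", "export_audit_logs",
                "view_policy_audit", "view_dashboard"},
    "User": {"use_gateway", "view_own_audit_logs", "request_exceptions"},
}


class PermissionDenied(Exception):
    pass


class LastOwnerError(Exception):
    pass


@dataclass
class Tenant:
    """Per-tenant state (assumed shape): roles, user->roles, policy mode, audit trail."""
    roles: dict = field(default_factory=lambda: {n: set(p) for n, p in DEFAULT_ROLES.items()})
    user_roles: dict = field(default_factory=dict)
    policy_mode: str = "monitor"
    audit: list = field(default_factory=list)

    def permissions_of(self, user):
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, ())))

    def has_permission(self, user, key):
        if key not in PERMISSIONS:           # a mistyped key in a guard must fail closed
            raise KeyError(f"unknown permission key {key!r}")
        return key in self.permissions_of(user)

    def owners(self):
        return {u for u, rs in self.user_roles.items() if "Tenant Owner" in rs}


def bootstrap(owner):
    """Create a tenant whose first user is its Tenant Owner."""
    tenant = Tenant()
    tenant.user_roles[owner] = {"Tenant Owner"}
    return tenant


def require(key):
    """Guard a control-plane action with one permission key; record allow and deny."""
    def decorate(fn):
        @wraps(fn)
        def guarded(tenant, actor, *args, **kwargs):
            record = {"actor": actor, "action": fn.__name__, "required": key, "args": args}
            if not tenant.has_permission(actor, key):
                tenant.audit.append({**record, "outcome": "denied"})
                raise PermissionDenied(f"{actor} lacks {key}")
            result = fn(tenant, actor, *args, **kwargs)
            tenant.audit.append({**record, "outcome": "ok"})
            return result
        return guarded
    return decorate


@require("manage_users")
def invite_user(tenant, actor, user):
    tenant.user_roles.setdefault(user, {"User"})        # new users get User by default


@require("manage_roles")
def create_role(tenant, actor, name, keys):
    unknown = set(keys) - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission keys: {sorted(unknown)}")
    tenant.roles[name] = set(keys)                       # a custom role is just a new bundle


@require("manage_roles")
def assign_role(tenant, actor, user, role):
    if role not in tenant.roles:
        raise KeyError(f"no such role {role!r}")
    tenant.user_roles.setdefault(user, set()).add(role)


@require("manage_roles")
def revoke_role(tenant, actor, user, role):
    if role == "Tenant Owner" and tenant.owners() == {user}:
        raise LastOwnerError("cannot remove the last Tenant Owner")   # last-owner protection
    tenant.user_roles.get(user, set()).discard(role)


@require("edit_policy_mode")
def set_policy_mode(tenant, actor, mode):
    if mode not in ("monitor", "enforce"):
        raise ValueError(mode)
    tenant.policy_mode = mode
    return mode


def is_denied(fn, tenant, actor, *args):
    """True if the guarded call is refused by its guard or by last-owner protection."""
    try:
        fn(tenant, actor, *args)
        return False
    except (PermissionDenied, LastOwnerError):
        return True
```

The guard never asks "is this user an admin?"; it asks only whether the caller's union of role bundles contains the one key the action needs, which is why a role created at runtime is enforced immediately. Every allow and deny is appended to the tenant's audit list, mirroring the control-plane audit events described below.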
Audit
Every change to users, roles, and access is recorded as a control-plane audit event — see audit events and the RBAC audit log.