Role-Based Access Controls
FireHydrant offers user roles to help restrict and define access to parts of the platform, enabling you to create a secure and scalable incident management process.
Users, Roles, and Definitions
Licensed and Unlicensed users
- Licensed users - Users with FireHydrant accounts and login access, split into 4 access roles (see next section)
- Unlicensed users - Everyone else. Users who cannot log in or perform the vast majority of actions, with one exception.
Because we believe in helping teams build cultures with open Incident Management processes, any user, licensed or unlicensed, within your Slack workspace can declare a new incident by running:
/fh new # Command aliases include /firehydrant and /incident
Additionally, any user in Slack, including unlicensed, can join an incident channel, keep tabs on an open incident, and participate in conversations. However, unlicensed users can't take any actions that change the incident state, such as running most commands, posting updates, assigning/completing tasks, etc.
Licensed user roles
For any users who need to respond to incidents or generally access the FireHydrant platform, you will want to create a licensed user account and assign them a role. We offer four access roles:
- Viewer: Read-only access to incidents and analytics in the FireHydrant web app.
- Collaborator: Basic incident response access but cannot update settings or Runbooks.
- Member: Full access to update incident management processes, Runbooks, Settings, Teams, and more.
- Owner: Full access to the entire platform, including user administration, integrations, API Keys, and other organization settings.
Permissions Table
Below is a table denoting the complete list of actions and whether each role/user type can perform it.
Action | Owner | Member | Collaborator | Viewer |
---|---|---|---|---|
Declare Incidents | ✅ | ✅ | ✅ | ✅ |
Invited to Slack incident channels | ✅ | ✅ | ✅ | ✅ |
Access UI & view Analytics | ✅ | ✅ | ✅ | ✅ |
Receive Alerts in Signals | ✅ | ✅ | ✅ | ✅ |
Assigned Shifts in On Call Schedules | ✅ | ✅ | ✅ | ✅ |
Request Coverage for Shifts | ✅ | ✅ | ✅ | ✅ |
Respond to Incidents | ✅ | ✅ | ✅ | |
↳ Run all Slack commands | ✅ | ✅ | ✅ | |
↳ Manage Incident in the UI | ✅ | ✅ | ✅ | |
↳ Assigned Incident Roles | ✅ | ✅ | ✅ | |
↳ Assigned Tasks and Follow-Ups | ✅ | ✅ | ✅ | |
↳ Participate in Retrospectives | ✅ | ✅ | ✅ | |
Manage Incident Settings | ✅ | ✅ | | |
Manage Runbooks | ✅ | ✅ | | |
Manage Service Catalog | ✅ | ✅ | | |
Manage Teams | ✅ | ✅ | | |
Manage On-Call Schedules | ✅ | ✅ | | |
Manage Escalation Policies | ✅ | ✅ | | |
Manage Alert Rules | ✅ | ✅ | | |
Manage Status Templates | ✅ | | | |
Manage API Keys | ✅ | | | |
Manage Integrations | ✅ | | | |
Manage Organization Settings | ✅ | | | |
Manage Users | ✅ | | | |
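A least-privilege review built on the permissions table above, as an added example (not FireHydrant code): it computes the lowest role that covers the actions each user needs and flags accounts whose assigned role is higher or lower than that. The user export format, field names, and sample accounts are constructed assumptions, and only a subset of the table's rows is encoded.

```python
ROLES = ["Viewer", "Collaborator", "Member", "Owner"]  # lowest to highest privilege
RANK = {role: i for i, role in enumerate(ROLES)}

# Lowest role the table grants each action to (subset of rows, names as on the page).
MIN_ROLE = {
    "Declare Incidents": "Viewer",
    "Access UI & view Analytics": "Viewer",
    "Respond to Incidents": "Collaborator",
    "Assigned Tasks and Follow-Ups": "Collaborator",
    "Manage Runbooks": "Member",
    "Manage Escalation Policies": "Member",
    "Manage API Keys": "Owner",
    "Manage Integrations": "Owner",
    "Manage Users": "Owner",
}

def minimum_role(actions):
    """Return the lowest role covering every action; unknown actions raise."""
    unknown = [a for a in actions if a not in MIN_ROLE]
    if unknown:
        raise ValueError(f"not in permissions table: {unknown}")
    # A licensed user with no listed duties still needs at least Viewer.
    return max((MIN_ROLE[a] for a in actions), key=RANK.__getitem__, default="Viewer")

def review(users):
    """Compare each user's assigned role with the minimum their duties need."""
    findings = []
    for user in users:
        needed = minimum_role(user["needs"])
        gap = RANK[user["role"]] - RANK[needed]
        if gap:
            status = "over-privileged" if gap > 0 else "under-privileged"
            findings.append((user["email"], status, user["role"], needed))
    return findings

# Constructed sample export; field names are assumptions, not a FireHydrant format.
SAMPLE_USERS = [
    {"email": "sre@example.com", "role": "Owner", "needs": ["Respond to Incidents", "Manage Runbooks"]},
    {"email": "exec@example.com", "role": "Viewer", "needs": ["Access UI & view Analytics"]},
    {"email": "oncall@example.com", "role": "Viewer", "needs": ["Respond to Incidents"]},
    {"email": "admin@example.com", "role": "Owner", "needs": ["Manage API Keys", "Manage Users"]},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_USERS):
        print(*finding, sep=" | ")
```

Over-privileged findings are candidates for a downgrade; under-privileged ones identify users who will be blocked from an action they are expected to perform during an incident.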
Configuring Roles
Any Owner can navigate to the User settings page in FireHydrant and update another user's role.
Additionally, you can update user roles using our SCIM API and your IDP (Okta, Active Directory, etc.). Read our SSO with SCIM docs to learn about provisioning users and roles.
Commonly-asked questions
- Can a non-licensed user access the retrospective?
  A non-responding user can only access a retrospective after the PDF is published and exported. The option to access a retrospective before completion also requires being a FireHydrant user with at least Viewer permissions.
- Can a Viewer or non-licensed user “star” events to be included in the starred incident timeline?
  This option is currently only available for users with at least Collaborator level permissions.
- Can a Viewer or non-licensed user’s chat messages on Slack still be recorded within the incident timeline?
  Yes. Any Slack user is still able to join the channel and have their messages recorded within the incident timeline.
- Can a Viewer or non-licensed user be assigned action items?
  No. You must be a user with at least Collaborator level permissions in order to be assigned an action item.
- Can a non-licensed user view the status page?
  Yes. You do not need to be a licensed user on FireHydrant in order to view a status page. However, if you have an authenticated status page, a Viewer license will be required.