# Access Management (RBAC)

Firefly’s Access Management lets you control who can access specific parts of your cloud environment, which actions they can perform, and which data sources their permissions apply to.

This provides stronger security, clearer governance, and flexibility as your teams scale.

## Overview

Access Management introduces a role-based permission model across the Firefly platform.

With RBAC you can:

* Assign fine-grained permissions for every part of the platform
* Control access by Users, Teams, and Service Accounts
* Generate API keys with scoped permissions
* Limit access to specific cloud integrations or allow full-tenant access
* Enforce least-privilege access across your organization

RBAC applies to all major Firefly areas, including Inventory, Governance, Integrations, Notifications, IaC Explorer, and more.

***

## Access Management Menu

Access Management consolidates identity and access controls into one place:

**Access Management →**

* Users
* Teams
* Service Accounts
* Roles
* API Keys (per Users, Teams, Service Accounts)

***

## Key Concepts

### Roles

A role defines a set of permissions.

Roles can be assigned to:

* Users
* Teams
* Service Accounts

#### Default roles

Every tenant includes two built-in roles:

* **Admin** – Full access to all scopes and actions.
* **Viewer** – Read-only access to all supported areas.

Admins can create additional custom roles.

***

### Permission modes

When creating or editing a role, you choose one of three permission modes for it:

#### Full Access (Admin)

Grants all available permissions across all data sources. All actions are enabled, and all integrations are accessible.

#### Read-only

Users can view everything but cannot create, update, delete, or remediate.

#### Limited Access (Scoped)

Fully customizable, including:

* Specific integrations (for example, specific AWS/GCP/Azure accounts)
* Specific actions (for example, “View Inventory” but not “Delete Asset”)

This is ideal for least-privilege or team-specific access.

***

### Service accounts

Service accounts let you create identities for automation tools or CI/CD systems without tying them to human users.

Each service account can have:

* Roles
* API keys
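As an added illustration (not Firefly's own code or API), the following Python models the concepts from the Roles, Permission modes and Service accounts sections above: the three modes, roles held by users, teams and service accounts, team role inheritance, and a Limited Access role scoped to one integration and one action. The action names, account IDs and role names are constructed for the example.

```python
# Added illustrative model of the RBAC concepts on this page (not Firefly's own
# code or API): three permission modes, roles held by users, teams and service
# accounts, and Limited Access scoped to specific integrations and actions.
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    FULL = "full"           # Full Access (Admin): every action, every integration
    READ_ONLY = "readonly"  # Read-only: view actions only, all integrations
    SCOPED = "scoped"       # Limited Access: listed integrations and actions only
# Constructed action names; the "view:" actions form the read-only set.
READ_ACTIONS = {"view:inventory", "view:governance", "view:integrations"}

@dataclass(frozen=True)
class Role:
    name: str
    mode: Mode
    integrations: frozenset = frozenset()  # used by SCOPED only; empty = none
    actions: frozenset = frozenset()       # used by SCOPED only; empty = none

@dataclass
class Principal:
    """A user, team or service account; a user also inherits its teams' roles."""
    name: str
    roles: list = field(default_factory=list)
    teams: list = field(default_factory=list)

    def effective_roles(self):
        return self.roles + [r for t in self.teams for r in t.roles]

def role_allows(role, action, integration):
    if role.mode is Mode.FULL:
        return True
    if role.mode is Mode.READ_ONLY:
        return action in READ_ACTIONS
    return integration in role.integrations and action in role.actions

def is_allowed(principal, action, integration):
    """Deny by default; any one effective role that grants the action suffices."""
    return any(role_allows(r, action, integration) for r in principal.effective_roles())

ADMIN = Role("Admin", Mode.FULL)
VIEWER = Role("Viewer", Mode.READ_ONLY)
# Constructed scoped role: view inventory in one AWS account, nothing else.
AWS_PROD_INVENTORY = Role("aws-prod-inventory", Mode.SCOPED,
                          frozenset({"aws:111111111111"}), frozenset({"view:inventory"}))
platform_team = Principal("platform", roles=[VIEWER])
alice = Principal("alice", roles=[AWS_PROD_INVENTORY], teams=[platform_team])
ci_bot = Principal("ci-bot", roles=[AWS_PROD_INVENTORY])  # service account, no team
```

Note that `ci_bot` holds only the scoped role, so it cannot view anything outside the one listed account; this is the least-privilege pattern the Limited Access mode is meant for.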

***

## Migration from legacy permissions

Firefly automatically migrates existing tenants into the new RBAC model.

### What happens during migration

* Existing Admins become **Admin** role users.
* Existing Viewers become **Viewer** role users.
* Legacy tenant-level API keys are migrated into **Service-Account-level API keys**.
* All migrated keys retain their original capabilities.

***

## Best practices

* Use **Teams** to manage access at scale.
* Use **Service Accounts** for automation instead of human API keys.
* Start with **Read-only** roles for new users.
* Use **Scoped roles** for vendors, temporary users, or least-privilege access.
* Rotate API keys regularly, especially after migration.
* Review role assignments periodically (for example, quarterly).

***

## Limitations

* Only **Admins** can access the **Access Management** screen.
* Only **Admins** can manage **Integrations**, including create, update, and delete operations.
* Legacy **API keys** are migrated and linked to a designated **Service Account**.
* Workflow permissions will be supported through Access Management in the next phase.
