Access Management (RBAC)

Firefly’s Access Management lets you control who can access specific parts of your cloud environment as seen through Firefly, which actions they can perform, and which data sources (cloud integrations) their permissions apply to.

This provides stronger security, clearer governance, and flexibility as your teams scale.

Overview

Access Management introduces a role-based permission model across the Firefly platform.

With RBAC you can:

  • Assign fine-grained permissions for every part of the platform

  • Control access by Users, Teams, and Service Accounts

  • Generate API keys with scoped permissions

  • Limit access to specific cloud integrations or allow full-tenant access

  • Enforce least-privilege access across your organization

RBAC applies to all major Firefly areas, including Inventory, Governance, Integrations, Notifications, IaC Explorer, and more.


Access Management Menu

Access Management consolidates identity and access controls into one place:

Access Management →

  • Users

  • Teams

  • Service Accounts

  • Roles

  • API Keys (for Users, Teams, and Service Accounts)


Key Concepts

Roles

A role defines a set of permissions.

Roles can be assigned to:

  • Users

  • Teams

  • Service Accounts

Default roles

Every tenant includes two built-in roles:

  • Admin – Full access to all scopes and actions.

  • Viewer – Read-only access to all supported areas.

Admins can create additional custom roles.


Permission modes

When you create or edit a role, you choose one of three permission modes for it:

Full Access (Admin)

Grants all available permissions across all data sources. All actions are enabled, and all integrations are accessible.

Read-only

Users can view everything but cannot create, update, delete, or remediate.

Limited Access (Scoped)

Fully customizable, including:

  • Specific integrations (for example, specific AWS/GCP/Azure accounts)

  • Specific actions (for example, “View Inventory” but not “Delete Asset”)

This is ideal for least-privilege or team-specific access.
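The following is an added, illustrative model of how the three modes above evaluate a request; it is not Firefly's code or API. The role fields, the action names beyond “View Inventory” and “Delete Asset”, the integration identifiers, and the rule that a principal's effective permissions are the union of its direct roles and its teams' roles are all assumptions made for the example.

```python
"""Illustrative evaluator for the Full Access / Read-only / Limited Access modes.

Added example, not Firefly's implementation. Field names, action taxonomy,
integration IDs and the union-of-roles rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Verbs that change state. A Read-only role must never allow an action
# starting with one of these (assumed "<Verb> <Object>" naming).
MUTATING_VERBS = frozenset({"Create", "Update", "Delete", "Remediate"})


@dataclass(frozen=True)
class Role:
    name: str
    mode: str                                  # "full" | "read_only" | "scoped"
    actions: FrozenSet[str] = frozenset()      # scoped only: allowed action names
    integrations: FrozenSet[str] = frozenset() # scoped only: allowed integration IDs
    tenant_wide: bool = False                  # scoped only: True = all integrations


@dataclass
class Team:
    name: str
    roles: List[Role] = field(default_factory=list)


@dataclass
class Principal:
    """A User or a Service Account; both hold roles, only users join teams."""
    name: str
    roles: List[Role] = field(default_factory=list)
    teams: List[Team] = field(default_factory=list)

    def effective_roles(self) -> List[Role]:
        # Assumption: permissions from direct and team roles are unioned.
        roles = list(self.roles)
        for team in self.teams:
            roles.extend(team.roles)
        return roles


def is_mutating(action: str) -> bool:
    return action.split(" ", 1)[0] in MUTATING_VERBS


def role_allows(role: Role, action: str, integration: str) -> bool:
    """Decide one role against one (action, integration) pair. Deny by default."""
    if role.mode == "full":
        return True                               # all actions, all integrations
    if role.mode == "read_only":
        return not is_mutating(action)            # view anything, change nothing
    if role.mode == "scoped":
        if action not in role.actions:            # action must be explicitly listed
            return False
        return role.tenant_wide or integration in role.integrations
    return False                                  # unknown mode: fail closed


def is_allowed(principal: Principal, action: str, integration: str) -> bool:
    """Any effective role that allows the request is sufficient."""
    return any(role_allows(r, action, integration)
               for r in principal.effective_roles())


# --- Constructed sample data (not real accounts) -------------------------
ADMIN = Role("Admin", "full")
VIEWER = Role("Viewer", "read_only")
AWS_PROD_OPS = Role("aws-prod-ops", "scoped",
                    actions=frozenset({"View Inventory", "Delete Asset"}),
                    integrations=frozenset({"aws:123456789012"}))
INVENTORY_READER = Role("inventory-reader", "scoped",
                        actions=frozenset({"View Inventory"}), tenant_wide=True)

platform_team = Team("platform", roles=[VIEWER])
alice = Principal("alice", roles=[AWS_PROD_OPS], teams=[platform_team])
ci_bot = Principal("ci-bot", roles=[INVENTORY_READER])   # a service account


def demo() -> dict:
    """Return the decisions a reader would expect from the modes described."""
    return {
        "alice views gcp (via team Viewer)": is_allowed(alice, "View Inventory", "gcp:proj-x"),
        "alice deletes in scoped aws account": is_allowed(alice, "Delete Asset", "aws:123456789012"),
        "alice deletes in gcp (out of scope)": is_allowed(alice, "Delete Asset", "gcp:proj-x"),
        "ci-bot views any integration": is_allowed(ci_bot, "View Inventory", "azure:sub-1"),
        "ci-bot deletes (not in its actions)": is_allowed(ci_bot, "Delete Asset", "aws:123456789012"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {case}")
```

The point to notice is that a scoped role denies on two independent axes: an action missing from its allow-list is refused even on an in-scope integration, and an in-list action is refused on an out-of-scope integration. Only a Full Access role bypasses both checks, which is why the page reserves it for admins.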


Service accounts

Service accounts let you create identities for automation tools or CI/CD systems without tying them to human users.

Each service account can have:

  • Roles

  • API keys


Migration from legacy permissions

Firefly automatically migrates existing tenants into the new RBAC model.

What happens during migration

  • Existing Admins become Admin role users.

  • Existing Viewers become Viewer role users.

  • Legacy tenant-level API keys are migrated into Service-Account-level API keys.

  • All migrated keys retain their original capabilities, so a former tenant-level key is exactly as powerful after migration as before until you rotate it or narrow its Service Account's role.


Best practices

  • Use Teams to manage access at scale.

  • Use Service Accounts for automation instead of human API keys.

  • Start with Read-only roles for new users.

  • Use Scoped roles for vendors, temporary users, or least-privilege access.

  • Rotate API keys regularly, and especially after migration, since migrated keys keep their legacy tenant-level capabilities.

  • Review role assignments periodically (for example, quarterly).


Limitations

  • Only Admins can access the Access Management screen.

  • Only Admins can manage Integrations, including create, update, and delete operations.

  • Legacy API keys are migrated and linked to a designated Service Account.

  • Workflow permissions are not yet managed through Access Management; support is planned for the next phase.
