Gremlin provides role-based access control (RBAC) functionality that grants specific privileges to a role. These roles can then be assigned to users to apply the privileges to them. Any action taken in the Gremlin UI or API requires a specific privilege granted by a role. These privileges cannot be assigned independently of roles, although individual users can be assigned to more than one role at a time.
To view or edit users and roles, go to your company settings.
Roles
Roles are split into two categories: company roles, and team roles.
- Team roles grant privileges for actions performed within a Gremlin team, such as starting an experiment, adding a client, or revoking a team API key.
- Company roles grant privileges for actions performed outside the team, such as changing single sign-on (SSO) settings, creating new teams, or removing users from the company.
Though it is possible to create a role from scratch, we suggest that you instead pick an appropriate out-of-the-box role and clone that into new Team and Company Roles in order to add or remove privileges as desired.
Default roles
Gremlin provides the ability to set a Default Role for Companies and Teams. These provide privileges to a user automatically, based on their presence on the company or team.
Default Roles are pointers to out-of-the-box or custom roles which all users of that scope will receive automatically. A Default Team Role can be set at the company level, impacting all teams, and can be overridden on a per-team basis using the Initial Team Role.
The Initial Team Role will be granted to all users of a team, regardless of when they joined, but will override the Default Team Role set at the company level.
Note
Privilege assignment is always additive. Providing the user with a privilege in one role they hold, and not providing it for them in another they hold, will result in them receiving that privilege.
Company roles
The following table describes the privileges that are available for company roles, including the default roles.
| Privilege |
Description |
Company Owner |
Company Sec Admin |
Company Manager |
Company Coordinator |
Company User |
| API_KEYS_READ |
Allows viewing users API keys |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| API_KEYS_WRITE |
Allows creating and managing users API keys |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| ALL_API_KEYS_READ |
Allows viewing all users API keys |
✔️ |
|
✔️ |
|
|
| COMPANIES_READ |
Allows reading company properties and clients |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| COMPANIES_WRITE |
Allows creating and deleting teams |
✔️ |
|
✔️ |
✔️ |
|
| COMPANY_PREFERENCES_WRITE |
Allows modification of Company preferences |
✔️ |
✔️ |
|
|
|
| COMPANY_SECURITY_WRITE |
Allows modification of Company security preferences |
✔️ |
✔️ |
|
|
|
| COMPANY_USERS_READ |
Allows reading all user information within the company |
✔️ |
|
✔️ |
|
|
| COMPANY_USERS_WRITE |
Allows adding or removing of users to Company |
✔️ |
|
✔️ |
✔️ |
|
| COMPANY_INTEGRATIONS_READ |
Allows reading all company integrations |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| COMPANY_INTEGRATIONS_WRITE |
Allows updating all company integrations |
✔️ |
✔️ |
✔️ |
|
✔️ |
| RELIABILITY_REPORTS_READ |
Allows reading of Reliability Management (scores and risks) for Company |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| REPORTS_READ |
Allows reading all reports within the team |
✔️ |
|
✔️ |
✔️ |
✔️ |
| ROLES_WRITE |
Allows editing roles within a company |
✔️ |
✔️ |
|
|
|
| SECURITY_REPORTS_READ |
Allows read access to security logs |
✔️ |
✔️ |
|
|
|
| TEAMS_READ |
Allows viewing of all Teams |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| TEST_SUITES_READ |
Allows reading of all test suits for a company |
✔️ |
✔️ |
✔️ |
✔️ |
✔️ |
| TEST_SUITES_WRITE |
Allows editing of all test suits for a company |
✔️ |
✔️ |
✔️ |
|
|
Team roles
The following table describes the privileges that are available for team roles, including the default roles.
| Privilege |
Description |
Company Owner |
Team Manager |
Team Credential Manager |
Team User |
Team Viewer |
| CLIENTS_READ |
Allows reading all client information within the team |
✔️ |
✔️ |
|
✔️ |
✔️ |
| CLIENTS_WRITE |
Allows editing all client information within the team |
✔️ |
✔️ |
|
✔️ |
|
| EXPERIMENTS_READ |
Allows reading all experiment information within a team |
✔️ |
✔️ |
|
✔️ |
✔️ |
| EXPERIMENTS_RUN |
Allows running an experiment within a team |
✔️ |
✔️ |
|
✔️ |
|
| EXPERIMENTS_WRITE |
Allows creating or updating an experiment for a team |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_BLACKHOLE |
Allows performing blackhole experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_COLLECT_CERTS |
Allows performing certificate experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_CPU |
Allows performing CPU experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_DISK |
Allows performing disk experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_DNS |
Allows performing DNS experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_IO |
Allows performing I/O experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_LATENCY |
Allows performing latency experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_MEMORY |
Allows performing memory experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_PACKET_LOSS |
Allows performing packet loss experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_PROCESS_EXHAUSTION |
Allows performing process exhaustion experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_PROCESS_KILLER |
Allows performing process killer experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_SHUTDOWN |
Allows performing shutdown experiments |
✔️ |
✔️ |
|
✔️ |
|
| FAULT_TIME_TRAVEL |
Allows performing time travel experiments |
✔️ |
✔️ |
|
✔️ |
|
| HALT_WRITE |
Allows halting a specific experiment |
✔️ |
✔️ |
|
✔️ |
|
| IMAGES_READ |
Allows reading of images |
✔️ |
✔️ |
|
✔️ |
|
| IMAGES_WRITE |
Allows writing of images |
✔️ |
✔️ |
|
✔️ |
|
| INTEGRATIONS_READ |
Allows reading all team integrations |
✔️ |
✔️ |
|
✔️ |
✔️ |
| INTEGRATIONS_WRITE |
Allows updating all team integrations |
✔️ |
✔️ |
|
✔️ |
|
| MINIMUM_TEAM_PRIVILEGES |
Allows access to Gremlin attacks, templates, schedules, API keys |
✔️ |
✔️ |
|
✔️ |
|
| REPORTS_READ |
Allows reading all reports for a Team |
✔️ |
✔️ |
|
✔️ |
|
| RELIABILITY_MANAGEMENT_READ |
Allows reading all RM services |
✔️ |
✔️ |
|
✔️ |
|
| RELIABILITY_MANAGEMENT_RUN |
Allows running of an RM test for a Team |
✔️ |
✔️ |
|
✔️ |
|
| SCHEDULES_READ |
Allows viewing a Schedule for a Team |
✔️ |
✔️ |
|
✔️ |
|
| SCHEDULES_WRITE |
Allows adding and updating a Schedule for a Team |
✔️ |
✔️ |
|
✔️ |
|
| SCENARIO_SHARE_WRITE |
Allows sharing scenarios with other teams within the company |
✔️ |
✔️ |
|
✔️ |
|
| SCENARIOS_READ |
Allows reading all scenario information within a team |
✔️ |
✔️ |
|
✔️ |
✔️ |
| SCENARIOS_RUN |
Allows running scenarios within a team |
✔️ |
✔️ |
|
✔️ |
|
| SCENARIOS_WRITE |
Allows creating new scenarios within a team |
✔️ |
✔️ |
|
✔️ |
|
| SERVICES_READ |
Allows reading information about services and reliability management |
✔️ |
✔️ |
|
✔️ |
|
| SERVICES_WRITE |
Allows writing to manage services and reliability management |
✔️ |
✔️ |
|
✔️ |
|
| TEAM_SECURITY_READ |
Allows reading of team related credential information |
✔️ |
✔️ |
✔️ |
|
|
| TEAM_SECURITY_WRITE |
Allows writing of tream related credential information |
✔️ |
✔️ |
✔️ |
|
|
| TEAMS_WRITE |
Allows modification of a given Team |
✔️ |
✔️ |
|
|
|
| USERS_READ |
Allows reading all user information within the team |
✔️ |
✔️ |
|
✔️ |
✔️ |
| USERS_WRITE |
Allows for adding and editing of users on team |
✔️ |
✔️ |
|
|
|
| WEBHOOKS_READ |
Allows reading of Team webhooks |
✔️ |
✔️ |
|
✔️ |
|
| WEBHOOKS_WRITE |
Allows editing of Team webhooks |
✔️ |
✔️ |
|
✔️ |
|
Note
An
asterisk(*) next to the role name means the role is hidden in the UI. It can only be set via an
API call.
FAQs
Is a user required to have both team and company roles?
No. All roles are granted independently of each other.
Do I have to have a team role to run experiments?
Yes. To run experiments for a team, you need user privileges or higher for that team.