Enhanced Access Control
The Enhanced Access Control feature is part of the Compliance+ Add-On.
The Enhanced Access Control feature gives you fine-grained access control over what each of your team members can view or modify within your organization's Friendly Captcha dashboard. This allows you to implement the principle of least privilege by granting team members only the minimum permissions they need to perform their duties. You can create roles tailored to your organization's structure, such as view-only auditors, billing administrators, or developers with access to only specific Applications. This can help you satisfy security best practices and enterprise compliance requirements.
For many organizations, tightly controlling access and keeping an audit log of changes are critical components of cybersecurity and compliance. Enhanced Access Control combines well with the Audit Logs feature to help you satisfy these requirements.
Additionally, if you are using our Single Sign-On (SSO) feature to leverage your organization's existing identity provider for authentication, you can use Enhanced Access Control to create a Default Role with minimal (or even zero) permissions so that any team member logging in for the first time using SSO won't have more access than you intended.
Features
App Groups
If you have many Applications configured in the Friendly Captcha Dashboard, you may want some team members to only have access to a specific set of applications. To make this easier, you can create an App Group with one or more Applications, and then create a Custom Role that has view or edit permissions for this App Group.
Custom Roles
There are three default roles:
- Member: This role can manage Applications, API Keys, and Widget Themes.
- Admin: This role is like Member, but can also send invites to new users.
- Owner: This role has maximum access, including deleting Members or changing their role, configuring Single Sign-On, and viewing Audit Logs.
If you have many team members who have access to your organization's Friendly Captcha Dashboard, you may want more fine-grained access control. Custom Roles lets you create new roles that have exactly the permissions you want, such as read-only access, or edit access to only one specific App Group.
Enabling Enhanced Access Control
Enhanced Access Control is enabled by default for all customers with the Compliance+ Add-On.
Managing Enhanced Access Control
In the Friendly Captcha Dashboard, navigate to the Settings page and find the App Groups and Custom Roles sections. They look like this:

App Groups
There is a built-in App Group called Default. If you haven't created any additional App Groups yet, all of your Applications belong to the Default App Group.
To add a new App Group, type a suitable name into the input box and click the Add App Group button:

Your new App Group should now be visible in the list of App Groups:

To assign an Application to your new App Group, navigate to the Applications page to see your list of Applications. Click the Manage button for the Application you want to assign. You should see a page like this:

Click the App Group drop-down menu and select your new App Group, then click the Save changes button. You can repeat this step for any other Applications that you want to put into this App Group.
Go back to the main Applications page to see your list of Applications. You can now see the name of the App Group in the details of each Application:

You cannot delete an App Group that still has Applications assigned to it. To delete an App Group, you first need to assign all of the Applications that are in that App Group to a different App Group.
Custom Roles
To add a new Custom Role, click the Add custom role button:

You will be taken to a page where you can configure your new Custom Role:

The form has these fields:
- Role Name: The name for your new Custom Role.
- Account Permissions: These are broad permissions that you can grant to this Custom Role. You might for example give the Manage Billing permission to a Custom Role designed for your finance team, but give them no other permissions.
- All Apps Permissions: The permission level you set here will be granted to this Custom Role across all Applications. These are the available choices:
  - Manage: View, create, update, or delete Applications.
  - Edit: View or update Applications.
  - View: View all Applications.
  - None: Cannot view any Applications.
- App Group Permissions: Here you can grant permissions to one or more specific App Groups. The permission levels (i.e. Manage, Edit, View) behave the same as for All Apps Permissions described above.
In the example below, we will create a Custom Role that can Manage Widget Themes, Manage API Keys, has the View permission level for all Applications, and the Manage permission level for Applications in one specific App Group:

All Apps Permissions takes precedence over App Group Permissions. It behaves like the default permission level across all App Groups. You can then use App Group Permissions to grant increased permissions to a specific App Group.
You cannot use App Group Permissions to restrict permissions below the level of permissions granted by All Apps Permissions. If you try to do this, the dashboard will display an error message.
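The precedence rule can be checked on paper before you build a role. The following is an added example, not Friendly Captcha's own code: a small model of how the All Apps level and App Group grants combine, useful for reviewing a planned role against least privilege. The class and function names and the App Group name "Checkout" are hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    """Permission levels from the Custom Role form, ordered weakest to strongest."""
    NONE = 0
    VIEW = 1
    EDIT = 2
    MANAGE = 3

# What each level allows on an Application, per the form description above.
ACTIONS = {
    Level.NONE: frozenset(),
    Level.VIEW: frozenset({"view"}),
    Level.EDIT: frozenset({"view", "update"}),
    Level.MANAGE: frozenset({"view", "create", "update", "delete"}),
}

class Role:
    """Hypothetical model of a Custom Role's Application permissions."""

    def __init__(self, name, all_apps, group_grants=None):
        self.name = name
        self.all_apps = all_apps
        self.group_grants = dict(group_grants or {})
        # An App Group grant can only raise access above the All Apps level.
        for group, level in self.group_grants.items():
            if level < all_apps:
                raise ValueError(
                    f"{group}: {level.name} is below All Apps level {all_apps.name}")

    def effective_level(self, app_group):
        # All Apps is the floor; a grant for this group can lift it.
        return max(self.all_apps, self.group_grants.get(app_group, self.all_apps))

    def can(self, action, app_group):
        return action in ACTIONS[self.effective_level(app_group)]

def example_role():
    # The role from the example above; "Checkout" is a constructed App Group name.
    return Role("Theme and key manager", Level.VIEW, {"Checkout": Level.MANAGE})

if __name__ == "__main__":
    role = example_role()
    for group in ("Default", "Checkout"):
        allowed = sorted(ACTIONS[role.effective_level(group)])
        print(f"{group}: {role.effective_level(group).name} -> {allowed}")
```

Because All Apps Permissions acts as a floor, a role meant to be confined to one App Group needs All Apps set to None, with access granted only through App Group Permissions.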
Click the Save Changes button when you are done. You will be taken back to the main Settings page, where you can see your new Custom Role:

You can now assign specific users to your new Custom Role. In the Settings page, scroll to the Members section, click the Role drop-down menu next to the desired user, and select your new Custom Role:

When inviting a new user, you have to select a role for them when sending the invite. The choice of roles includes any Custom Roles you have created.
You cannot delete a Custom Role that still has users assigned to it. To delete a Custom Role, you first need to assign all of the users with that role to a different role.