Topics on this page
Assign roles to users
Trend Cloud One uses role-based access control (RBAC) to define user permissions and API key permissions for an account. The roles restrict or allow access to the account's administrative functions and the Trend Cloud One services that it is using.
When an account administrator invites a user to join their account, they assign a role to that user. Access rights are attached to roles and not directly to users. Each user should be assigned a role that restricts their activities to those necessary for the completion of their duties. To change the access rights of an individual user, assign a different role to the user or edit the role.
Account administrators also assign a role when creating an API key to define the access rights for that API key.
Predefined roles and permissions
Trend Cloud One is preconfigured with the following roles and permissions:
-
Full Access: This role gives users and API keys access to all Trend Cloud One services, identity management, billing and licensing, and events in the audit log.
-
Read Only: This role gives users and API keys the ability to view all the information in the Trend Cloud One services but without the ability to make any modifications except to their own personal settings, such as password and contact information.
-
Scanner: This permission supports Trend Micro Artifact Scanner (TMAS) and gives users access to vulnerability and malware scans, while blocking access to the rest of the container security. An API key is given a more restricted access, as TMAS is often a component of automated workflows, continuous integration (CI) workflows, or continuous delivery (CD) workflows. For more information, see Set up TMAS.
Define a custom role
You can create one or more custom roles and set the permissions for each of the Trend Cloud One services and administrative functions:
- On the main page of the Trend Cloud One console, select User Management.
- On the left, select Roles.
- Click New.
-
Use the lower part of the page to define the role by completing the following Role fields:
- Name: Name used to identify the role.
- ID: Unique ID assigned to the role. This ID cannot be changed.
- Description: Optional description of the role.
- Privileges: Assign an access level for various Trend Cloud One services. Select a service and then assign the permissions. To add another privilege, select +. If you do not assign a permission level to a service, it defaults to No Access. You can set privileges for the following services:
- Identity and Account: Invite users, remove users from the account, create or remove API keys, and manage account permissions such as changing the account properties and deleting the account. Set the permission to either Full Access or Read Only.
- Billing and Licensing: Access to the billing and licensing settings for the Trend Cloud One account. Set the permission to either Full Access or Read Only.
- Audit: Access to the events in the Trend Cloud One audit log. Set the permission to either Full Access or Read Only.
- Workload Security: For this service, you can choose Full Access, Read Only (which is mapped to the Workload Security Read Only role in the Workload Security service). You can also select a custom Workload Security role, if you configured one in the Workload Security console. For details on Workload Security roles, see Define roles for users
- Network Security: Set the permission to either Full Access or Read Only.
- Application Security: Set the permission to either Full Access or Read Only.
- File Storage Security: Set the permission to either Full Access or Read Only.
- Container Security: Set the permission to either Full Access, Read Only, or Scanner.
- Conformity: Set the permission to either Full Access or Read Only. Power Users have full privileges for all existing accounts as well as for accounts that will be added in the future. They do not have access to the Organization-level settings.
- Open Source Security by Snyk: Currently, Open Source Security by Snyk only supports Full Access roles. Read Only roles do not have access to the service.
-
Click Save.
Now the role is ready to assign when you invite users or add API keys to the account.
Edit a role
To edit an existing role, navigate to Roles, select the role you want to edit, and make the changes in the lower part of the page.
Manage roles programmatically
You can also use the Trend Cloud One Roles APIs to manage roles.
Manage Permissions
To modify the contents of the Permissions list, see Define roles for users.