Role-Based Access Control (RBAC)
InfraSage uses a 5-tier RBAC model. Every API request is authenticated and authorized before processing.
Role Hierarchy
| Role | Level | Description |
|---|---|---|
| Viewer | 1 | Read-only access to metrics, anomalies, RCA results, dashboards |
| Operator | 2 | Viewer + can trigger runbooks, acknowledge incidents |
| Admin | 3 | Operator + manage users, API keys, integration config |
| Super-Admin | 4 | Admin + manage tenants, billing plans, system config |
| System | 5 | Internal service-to-service communication only. Never assigned to human users. |
Higher roles include all permissions of lower roles.
Permission Reference
| Action | Viewer | Operator | Admin | Super-Admin |
|---|---|---|---|---|
| View metrics & anomalies | ✅ | ✅ | ✅ | ✅ |
| View RCA results | ✅ | ✅ | ✅ | ✅ |
| View runbook history | ✅ | ✅ | ✅ | ✅ |
| Trigger runbooks | ❌ | ✅ | ✅ | ✅ |
| Approve runbook steps | ❌ | ✅ | ✅ | ✅ |
| Acknowledge incidents | ❌ | ✅ | ✅ | ✅ |
| Create/delete API keys | ❌ | ❌ | ✅ | ✅ |
| Manage integrations | ❌ | ❌ | ✅ | ✅ |
| Manage users & roles | ❌ | ❌ | ✅ | ✅ |
| Manage tenants | ❌ | ❌ | ❌ | ✅ |
| Change billing plan | ❌ | ❌ | ❌ | ✅ |
Assigning Roles
Roles are embedded in JWTs or associated with API keys. To create a user with a specific role:
```bash
curl -X POST http://localhost:8080/api/v1/users \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "alice@mycompany.com",
    "role": "operator",
    "tenant_id": "acme-corp"
  }'
```
Checking Permissions
```bash
curl http://localhost:8080/api/v1/rbac/permissions \
  -H "Authorization: Bearer $YOUR_JWT"
```

```json
{
  "tenant_id": "acme-corp",
  "user_id": "alice@acme.com",
  "role": "operator",
  "level": 2,
  "permissions": ["read", "trigger_runbooks", "acknowledge_incidents"]
}
```
Teams and Role Inheritance
Users can belong to one or more teams. A user's effective role is the highest role across all their team memberships.
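```bash
# Create a team with a role
# Content-Type is set explicitly: with -d, curl otherwise sends form-encoded data
curl -X POST http://localhost:8080/api/v1/teams \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Platform SRE",
    "role": "operator",
    "members": ["alice@acme.com", "bob@acme.com"]
  }'
```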
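The inheritance rule above, combined with the Permission Reference table, can be modelled as follows. This is an added example, not InfraSage's own code: the lowercase `super-admin` spelling, the action identifiers other than the three shown in the sample response, and the team data shape are assumptions.

```python
# Added example: role names and levels come from the Role Hierarchy table;
# the action identifiers and data shapes are assumptions for illustration.
ROLE_LEVEL = {"viewer": 1, "operator": 2, "admin": 3, "super-admin": 4, "system": 5}

# Minimum level per action, transcribed from the Permission Reference table.
MIN_LEVEL = {
    "read": 1,
    "trigger_runbooks": 2, "approve_runbook_steps": 2, "acknowledge_incidents": 2,
    "manage_api_keys": 3, "manage_integrations": 3, "manage_users": 3,
    "manage_tenants": 4, "change_billing_plan": 4,
}


def effective_role(user, teams):
    """Return the highest role among the teams that list `user`, or None."""
    best = None
    for team in teams:
        if user not in team["members"]:
            continue
        role = team["role"]
        if role not in ROLE_LEVEL:
            raise ValueError(f"unknown role {role!r} on team {team['name']!r}")
        if role == "system":
            # System is service-to-service only and never valid for a human user.
            raise ValueError(f"team {team['name']!r} assigns 'system' to users")
        if best is None or ROLE_LEVEL[role] > ROLE_LEVEL[best]:
            best = role
    return best


def is_allowed(user, action, teams):
    """Fail closed: no team membership or an unknown action means deny."""
    role = effective_role(user, teams)
    required = MIN_LEVEL.get(action)
    if role is None or required is None:
        return False
    return ROLE_LEVEL[role] >= required


# Constructed sample data, shaped like the team-creation payload above.
TEAMS = [
    {"name": "Platform SRE", "role": "operator", "members": ["alice@acme.com", "bob@acme.com"]},
    {"name": "Dashboards", "role": "viewer", "members": ["alice@acme.com", "carol@acme.com"]},
    {"name": "Tenant Admins", "role": "admin", "members": ["bob@acme.com"]},
]
```

Because the highest role wins, adding a user to a single higher-role team raises their effective role, so team membership changes deserve the same review as direct role grants.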
Audit Trail
Every action (including read actions for sensitive data) is logged in infrasage_audit_log with:
- Timestamp (UTC)
- Actor (user ID / API key ID)
- Action type
- Resource affected
- Result (success / failure)
- IP address
- Request ID
Logs are retained for 365 days (Enterprise plan) or according to your plan's retention policy.