# User Management & Permissions
TagOps implements a three-tier role-based access control (RBAC) system to ensure users have appropriate access levels based on their responsibilities.
## User Roles
### Administrator
Description: Full system access for account owners and system administrators.
Permissions:
- All PowerUser permissions
- User management (create, modify, delete users)
- Subscription management
- Billing and payment configuration
- System-wide settings
Use Cases:
- Account owners
- IT administrators
- Security officers
### PowerUser
Description: Operational access for users who manage AWS tagging operations.
Permissions:
- Add/edit/remove AWS accounts
- Create and modify tagging rules
- Configure scan settings
- Configure service and account settings
- All ReadOnly permissions
Use Cases:
- DevOps engineers
- Cloud engineers
- Operations team members
### ReadOnly
Description: View-only access for users who need visibility without modification rights.
Permissions:
- View dashboard
- View resource inventory
- Export data (CSV)
Use Cases:
- Auditors
- Management/executives
- Support staff
- Junior team members
## Permission Matrix
| Feature | Administrator | PowerUser | ReadOnly |
|---|---|---|---|
| View Dashboard | ✅ | ✅ | ✅ |
| View Inventory | ✅ | ✅ | ✅ |
| Export CSV | ✅ | ✅ | ✅ |
| View Operation History | ✅ | ✅ | ✅ |
| Add AWS Accounts | ✅ | ✅ | ❌ |
| Edit AWS Accounts | ✅ | ✅ | ❌ |
| Remove AWS Accounts | ✅ | ✅ | ❌ |
| Create Rules | ✅ | ✅ | ❌ |
| Modify Rules | ✅ | ✅ | ❌ |
| Delete Rules | ✅ | ✅ | ❌ |
| Configure Scan Schedule | ✅ | ✅ | ❌ |
| Configure Services | ✅ | ✅ | ❌ |
| Configure Regions | ✅ | ✅ | ❌ |
| Create Users | ✅ | ❌ | ❌ |
| Modify Users | ✅ | ❌ | ❌ |
| Delete Users | ✅ | ❌ | ❌ |
| Manage Subscription | ✅ | ❌ | ❌ |
## Role Assignment
### Initial User
The first user who signs up automatically receives the Administrator role and becomes the account owner.
### Adding New Users
Only Administrators can add new users:
- Navigate to Settings → User Management
- Click Invite User
- Fill in the user details:
  - Email address
  - First name
  - Last name
  - Role: select from the dropdown
- Click Send Invitation
- The user receives an email with a temporary password
### Changing User Roles
Administrators can change user roles:
- Navigate to Settings → User Management
- Find the user in the list
- Click Edit
- Select the new role from the dropdown
- Click Save
## Permission Enforcement
Buttons and features are hidden from users who lack the required permission:
- ReadOnly users don't see the "Add", "Edit" and "Delete" buttons
- PowerUsers don't see the "User Management" menu
- Disabled buttons show a tooltip explaining the permission requirement
## Best Practices
### Role Assignment Guidelines
Assign Administrator to:
- Account owner only
- Maximum 2-3 administrators per organization
- Trusted senior staff
Assign PowerUser to:
- Team members who manage AWS infrastructure
- DevOps and cloud engineers
- Staff who configure tagging automation
Assign ReadOnly to:
- Auditors and compliance staff
- Management who need visibility
- Junior staff learning the system
- External consultants
### Security Recommendations
✅ Do:
- Follow principle of least privilege
- Regularly review user access
- Remove access for departed employees
- Use ReadOnly for as many users as possible
- Document why users have elevated access
❌ Don't:
- Grant Administrator to everyone
- Share user accounts
- Leave inactive accounts enabled
- Grant PowerUser without justification
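The permission matrix as a deny-by-default authorization check, together with the periodic access review the recommendations above call for, as an added Python example (not TagOps's own code): the feature names, the `User` fields and the 90-day inactivity threshold are assumptions, and the `is_allowed` check is meant to run on the server as well as to decide which buttons the UI shows.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

class Role(IntEnum):
    # Ordered so each role includes every permission of the one below it,
    # as the page states (PowerUser has all ReadOnly permissions, and so on).
    READ_ONLY = 1
    POWER_USER = 2
    ADMINISTRATOR = 3

# Lowest role that may use each feature, from the permission matrix
# (a representative subset; the remaining rows follow the same pattern).
MIN_ROLE = {
    "view_dashboard": Role.READ_ONLY, "export_csv": Role.READ_ONLY,
    "add_aws_account": Role.POWER_USER, "delete_rule": Role.POWER_USER,
    "create_user": Role.ADMINISTRATOR, "manage_subscription": Role.ADMINISTRATOR,
}

def is_allowed(role: Role, feature: str) -> bool:
    """Deny by default: a feature absent from the matrix is refused."""
    required = MIN_ROLE.get(feature)
    return required is not None and role >= required

@dataclass
class User:  # assumed shape of a TagOps user record
    email: str
    role: Role
    enabled: bool
    last_login: date
    justification: str = ""  # why this user holds elevated access

MAX_ADMINS = 3                        # page guidance: at most 2-3 administrators
INACTIVE_AFTER = timedelta(days=90)   # assumed threshold; the page sets none

def review_access(users: list[User], today: date) -> list[str]:
    """Findings a periodic access review should raise for the given users."""
    findings = []
    admins = [u for u in users if u.enabled and u.role == Role.ADMINISTRATOR]
    if len(admins) > MAX_ADMINS:
        findings.append(f"{len(admins)} enabled administrators exceed the limit of {MAX_ADMINS}")
    for u in (u for u in users if u.enabled):  # disabled accounts need no review
        if today - u.last_login > INACTIVE_AFTER:
            findings.append(f"{u.email}: no login since {u.last_login} but still enabled")
        if u.role > Role.READ_ONLY and not u.justification:
            findings.append(f"{u.email}: {u.role.name} access lacks a documented justification")
    return findings
```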