User and Permission Configuration
Fine-tune your team's access with the RBAC system
KaliaOps features a Role-Based Access Control (RBAC) system with 4 system roles and over 90 granular permissions. Invite collaborators via email, assign them appropriate roles for their responsibilities, and define access scopes (entire tenant, organization, team, or personal data). Two-factor authentication is mandatory for administrators.
RBAC Overview
KaliaOps uses a Role-Based Access Control (RBAC) system to precisely manage who can access what in your instance. This system relies on three key concepts:
- Users
- People who log into KaliaOps. Each user has a unique email and a password, and can be linked to an employee record in your organization.
- Roles
- Sets of permissions that define what a user can do. A user is assigned a role that determines their access rights.
- Permissions
- Elementary actions that are allowed or denied: view, create, edit, delete. Each permission is associated with a resource (assets, incidents, contracts, etc.).
This system enables the principle of least privilege: each user only has access to features strictly necessary for their work.
System Roles
KaliaOps provides 4 predefined system roles that cover the most common needs. These roles cannot be deleted, but you can create custom roles if needed.
Administrator
Full access to all instance features. Administrators can:
- Manage all users, roles, and permissions
- Configure tenant settings (SSO, webhooks, API)
- Access all CMDB and ITSM modules
- View audit logs
- Export all data
Default scope: Entire tenant
Manager
Extended access with organizational management capabilities:
- Create, edit, and delete CMDB and ITSM entities
- Manage employees and teams in their organization
- Approve changes and close incidents
- Access reports and dashboards
Default scope: Organization
Technician
Operational access for daily work:
- View and edit CMDB entities
- Manage assigned incidents, problems, and requests
- Create knowledge base articles
- Use impact analysis tools
Default scope: Team
Viewer
Read-only access:
- View CMDB and ITSM entities
- Access dashboards
- Browse the knowledge base
Default scope: Personal data
Inviting Users
Access user management
In the sidebar menu, click Settings → Users. The list of existing users displays with their role, status, and last login date.
Create an invitation
Click the "Invite User" button. Fill in the following information:
- Email address: the collaborator's professional email
- Role: select the appropriate role
- Associated employee (optional): link the user to an existing employee record
User receives their invitation
An invitation email is sent automatically. It contains a secure one-time link valid for 7 days. The user clicks this link to set their password and activate their account.
Account setup
The user sets their password and, if required by their role (administrator) or by choice, configures two-factor authentication. Their account is then active and they can access KaliaOps.
Permission Management
KaliaOps offers over 90 granular permissions organized by category. Each permission follows the resource.action format.
Available Actions
| Action | Description |
|---|---|
| view | View list and details |
| create | Create a new entity |
| edit | Modify an existing entity |
| delete | Delete an entity |
Permission Categories
- CMDB
- assets, applications, contracts, vendors, clients, vlans, racks, network_flows
- ITSM
- incidents, problems, changes, service_requests, sla, workflows
- Organization
- organizations, teams, employees, sites, projects
- Administration
- users, roles, api_tokens, webhooks, imports, exports, audit_logs
Special Permissions
Some permissions control advanced features:
- dependencies.view: View dependencies between entities
- impact_analysis.view: Use the impact analysis tool
- predictive_analytics.view: Access predictive analytics
- sso.manage: Configure SSO authentication
- cloud_connections.sync: Trigger cloud synchronization
Access Scopes
Scopes define the data perimeter accessible for each permission. A user may have permission to view assets, but only those belonging to their team.
The 4 Scope Levels
- all - Entire Tenant
- Access to all instance data. Reserved for administrators and global supervision roles.
- organization - Organization
- Access to data from the user's organization and its sub-organizations. Ideal for department or subsidiary managers.
- team - Team
- Access to data from the user's team. Suitable for technicians and project team members.
- own - Personal Data
- Access only to entities created by the user or explicitly assigned to them.
Practical Example
A support technician with "team" scope on incidents:
- Can view: incidents assigned to their team
- Can edit: incidents assigned to their team
- Cannot view: incidents from other teams
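The following is an added example (not KaliaOps code) that models how a resource.action permission combines with its scope level. It assumes a constructed in-memory data model: an organization tree, users holding permission-to-scope grants, and entities tagged with organization, team, creator and assignee.

```python
# Added example (not KaliaOps code): evaluating a resource.action permission
# together with its scope level, over a constructed in-memory data model.
from dataclasses import dataclass, field
from typing import Optional

# Constructed organization tree: child -> parent (None at the root).
ORG_PARENT = {"acme": None, "acme-eu": "acme", "acme-fr": "acme-eu"}

@dataclass
class User:
    id: str
    org: str
    team: str
    # permission name -> scope level ("all", "organization", "team", "own")
    grants: dict = field(default_factory=dict)

@dataclass
class Entity:
    id: str
    org: str
    team: str
    created_by: str
    assigned_to: Optional[str] = None

def org_and_descendants(org: str) -> set:
    """All organization ids equal to `org` or below it in the tree."""
    result = set()
    for child in ORG_PARENT:
        node = child
        while node is not None:
            if node == org:
                result.add(child)
                break
            node = ORG_PARENT[node]
    return result

def in_scope(scope: str, user: User, entity: Entity) -> bool:
    """Apply one of the four scope levels to a user/entity pair."""
    if scope == "all":
        return True
    if scope == "organization":
        return entity.org in org_and_descendants(user.org)
    if scope == "team":
        return entity.team == user.team
    if scope == "own":
        return user.id in (entity.created_by, entity.assigned_to)
    return False  # unknown scope: deny by default

def allowed(user: User, permission: str, entity: Entity) -> bool:
    """True only if the user holds `permission` and the entity is inside its scope."""
    scope = user.grants.get(permission)
    return scope is not None and in_scope(scope, user, entity)
```

Note that a missing permission and an out-of-scope entity both deny, so a technician with team scope cannot reach another team's incidents even though the permission name matches.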
Sensitive Data Protection
KaliaOps includes a sensitive field protection system (FieldGuard) that automatically masks certain information based on user permissions.
Protected Fields by Resource
| Resource | Sensitive Fields | Required Permission |
|---|---|---|
| Contracts | Annual cost, total cost, unit price | contracts.field.cost |
| Vendors | Bank account (IBAN) | vendors.field.bank |
| Vendors | Company ID, VAT number | vendors.field.legal |
Behavior
When a user doesn't have permission to view a sensitive field:
- In detail views: the field shows ***
- In exports: the field is omitted or masked
- In API: the field is not included in the response
This protection applies automatically, with no additional configuration required.
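The following is an added example (not KaliaOps code) that models FieldGuard-style masking for the three contexts above. The protected fields and permission names come from the table; the record field names and the context labels are constructed assumptions.

```python
# Added example (not KaliaOps code): masking sensitive fields per output context.
from typing import Dict, List, Set

# Protected fields per resource and the permission that unmasks them
# (from the table above); the record field names are constructed.
FIELD_GUARD: Dict[str, Dict[str, List[str]]] = {
    "contracts": {"contracts.field.cost": ["annual_cost", "total_cost", "unit_price"]},
    "vendors": {
        "vendors.field.bank": ["iban"],
        "vendors.field.legal": ["company_id", "vat_number"],
    },
}

MASK = "***"

def guard(resource: str, record: dict, permissions: Set[str], context: str) -> dict:
    """Return a copy of `record` with fields the caller may not see handled per
    context: "detail" and "export" replace the value with '***'; "api" (and any
    unknown context, failing closed) removes the field entirely."""
    out = dict(record)
    for permission, fields in FIELD_GUARD.get(resource, {}).items():
        if permission in permissions:
            continue  # caller holds the field permission: leave values intact
        for name in fields:
            if name not in out:
                continue
            if context in ("detail", "export"):
                out[name] = MASK
            else:
                del out[name]
    return out
```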
Best Practices
Principle of Least Privilege
Always assign the role with the minimum necessary permissions. It's easier to add rights than to revoke them after a security incident.
Two-Factor Authentication
2FA is mandatory for administrators, but we strongly recommend enabling it for all users. KaliaOps supports standard TOTP apps (Google Authenticator, Authy, Microsoft Authenticator).
Regular Access Review
Schedule a quarterly review of users and their roles:
- Disable accounts of employees who have left the company
- Verify that roles still match current responsibilities
- Review audit logs to detect anomalies
Using Scopes
Prefer restrictive scopes (team, organization) over "entire tenant". This limits the impact of a compromised account.
User-Employee Linking
Systematically link user accounts to employee records. This facilitates:
- Identifying people in audit logs
- Automatic deactivation when an employee leaves
- Assigning incidents and requests to the right people
- 4 predefined system roles: Administrator, Manager, Technician, Viewer
- Over 90 granular permissions covering all modules
- Access scopes: entire tenant, organization, team, or personal data
- Email invitations with secure one-time link (valid 7 days)
- 2FA mandatory for administrators, recommended for everyone