Role-based access control in Cayosoft Guardian
Overview
Cayosoft Guardian introduces a granular Role-Based Access Control (RBAC) model that enables organizations to delegate permissions with more precision than the legacy Global Administrator and Global Reader roles.
Organizations can now assign one or more of six distinct built-in roles to users or groups, allowing fine-tuned control aligned with security best practices, compliance needs, and operational delegation.
This features allows to:
- Provide read-only access to specific features (for example, Change History only).
- Allow some teams to manage Threat Detection without access to Change Monitoring or Forest Recovery.
- Restrict who can initiate Forest Recovery.
- Limit visibility of threat-related data to only those who require it.
- Separate operational access (for example, rollback) from configuration and system-wide control.
With this release, administrators can assign any combination of six predefined roles to any user or group.
Role descriptions
The following roles can be assigned when selecting a role under Settings > Delegation:
| Role name | Tooltip description |
|---|---|
| Global Administrator | Full access to all features and settings in Cayosoft Guardian. Can manage system configuration, security, and all user roles. |
| Global Reader | Read-only access to all areas in Cayosoft Guardian, including configuration and monitoring data. |
| Threat Alerts Reader | Review all detected threats and alert details. Cannot modify or resolve alerts. |
| Threat Detection Operator | Manage threat detection jobs, configure notifications, and mark threats as resolved. |
| Change History Reader | Review the full history of configuration and object changes across connected systems. |
| Change Monitoring Operator | Manage change monitoring, review changes, and manage alerts. |
Learn more: Configuration: Managing role delegation in Cayosoft Guardian.
Role access matrix
| Feature Area | Global Administrator | Global Reader | Threat Detection Operator | Threat Alerts Reader | Change Monitoring Operator | Change History Reader |
|---|---|---|---|---|---|---|
| Threat Detection – Dashboard | Full | Read-only | Partial (no live update) | No access | No access | No access |
| Threat Detection – Threat Alerts | Full | Read-only | Full | Export only; properties read-only | No access | No access |
| Threat Detection – Threat Definitions | Full | Read-only | Export + download only | No access | No access | No access |
| Change Monitoring – Dashboard | Full | Read-only | No access | No access | Full | No access |
| Change Monitoring – Change History | Full | Read-only | No access | No access | Full | Read-only (Find Related, Export, Rediscover Initiator) |
| Change Monitoring – Change Alerts | Full | Read-only | No access | No access | Full | No access |
| Change Monitoring – Alerting Rules | Full | Read-only | No access | No access | Full | No access |
| Change Monitoring – Event Log | Full | Read-only | No access | No access | Full | No access |
| Reports | Full | Read-only | Full | Access | Full | Access |
| Archive – Threat Alerts | Full | Read-only | Full | Read-only | No access | No access |
| Archive – Change Alerts | Full | Read-only | No access | No access | Full | No access |
| Archive – Change History | Full | Read-only | No access | No access | Full | Read-only (Find Related, Export, Rediscover Initiator) |
| Jobs | Full | Read-only | No access | No access | No access | No access |
| Forest Recovery | Full | Read-only | No access | No access | No access | No access |
| Microsoft 365 | Full | Read-only | No access | No access | No access | No access |
| Active Directory | Full | Read-only | No access | No access | No access | No access |
| Configuration | Full | Read-only | No access | No access | No access | No access |
| Settings | Full | Read-only | No access | No access | No access | No access |
Comments
0 comments
Please sign in to leave a comment.