User Roles and Personas


© 2025 Sonrai Security. All rights reserved.
Overview
The Sonrai platform provides Role-Based Access Control (RBAC) to support the needs of a wide variety of users and public cloud security use cases.
RBAC capabilities enable you to manage your users within the platform along with their role assignments (and corresponding permissions).
A Sonrai role determines which capabilities a user has access to within the Cloud Permissions Firewall.
Roles
Roles are managed through user invitations and the section listed within the User Profile.
To manage roles, a user must have sufficient permissions to manage roles and permissions (i.e., the "Administrator" role).
Available Roles
Role | Description |
---|---|
Administrator | Full administrative access, including user and cloud account management, plus full administrative access of all available Cloud Permissions Firewall features |
Cloud Permissions Firewall Approver | Ability to approve/deny Permissions on Demand (PoD) requests |
Cloud Permissions Firewall Viewer | Ability to view information within the Cloud Permissions Firewall |
For a role addition or removal to take effect, users are urged to log out and then log back in to the platform.
Personas
Platform Administrators
These users need full administrative capabilities for the entire platform. They can complete every available Cloud Permissions Firewall process and manage your users and cloud accounts.
Responsibility Description | Cloud Permissions Firewall Page |
---|---|
Configuration and use of ChatOps integrations | |
Management of role-based access for users | Manage > Users |
Onboarding of Accounts (at the Org level) | Manage > Accounts |
Execution of Service changes (disabling, exempting identities, etc.) | Permissions Firewall > Services |
Review of reporting/audit information | Permissions Firewall > Reporting |
Template generation for pending cloud changes | Permissions Firewall > Pending Changes |
Assignment of Permissions on Demand Approvers at scope | Permissions Firewall > Approvers |
Approval/denial of Permissions on Demand Requests at scope | Permissions Firewall > Requests |
If this user should be able to approve Permissions on Demand (PoD) requests, assign them as an Approver at scope within the Cloud Permissions Firewall.
*Platform Administrators can assign themselves as PoD Approvers, for convenience!
Cloud Permissions Firewall Approver
These users approve/deny cloud access requests submitted by your users, once service protections are in place.
Responsibility Description | Cloud Permissions Firewall Page |
---|---|
Approval/denial of Permissions on Demand Requests at scope | Permissions Firewall > Requests |
Cloud Permissions Firewall Viewer
These users are allowed to view services, pending changes, etc.
Responsibility Description | Cloud Permissions Firewall Page |
---|---|
Viewers have read-only access to all pages. Data population of pages is subject to scoped permissions (i.e. Viewers will only be able to see Permissions on Demand (PoD) Requests that are created at the scope at which the Viewer is assigned as a PoD Approver). | All Cloud Permissions Firewall pages |
Default RBAC User Permissions
For reference, the Sonrai platform requires specific user permissions to work properly out of the box, so the following are assigned to every user by default:
Permission | Description |
---|---|
Role, | Ability to read Role elements |
UserToken, | Ability to read User Token elements |
Advanced - Searching for Detailed Role Permissions
To review a granular list of the specific permissions granted to each role, use the following query in the Advanced Search area:
```graphql
query SonraiRoleDetails {
  SonraiRoles {
    count
    items {
      name
      description
      permissions
      # Optionally return users for each role
      roleAssignments {
        count
        items {
          scope
          user {
            count
            items {
              email
              name
            }
          }
        }
      }
    }
  }
}
```
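One way to turn the result of the query above into a periodic access review, as an added example that is not Sonrai's code: it lists who holds the Administrator role, who holds more than one role, and which roles have no assignments. The JSON response shape (a `data` wrapper mirroring the query fields), the sample users, scopes and permission values, and the function names are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the SonraiRoleDetails result. The "data"
# wrapper, scope strings, users and permission values are assumptions.
SAMPLE = json.loads("""
{"data": {"SonraiRoles": {"count": 3, "items": [
 {"name": "Administrator", "description": "constructed", "permissions": ["constructed"],
  "roleAssignments": {"count": 2, "items": [
   {"scope": "constructed/org", "user": {"count": 1, "items": [{"email": "alice@example.com", "name": "Alice"}]}},
   {"scope": "constructed/org", "user": {"count": 1, "items": [{"email": "Bob@example.com", "name": "Bob"}]}}]}},
 {"name": "Cloud Permissions Firewall Approver", "description": "constructed", "permissions": ["constructed"],
  "roleAssignments": {"count": 2, "items": [
   {"scope": "constructed/org/prod", "user": {"count": 1, "items": [{"email": "bob@example.com", "name": "Bob"}]}},
   {"scope": "constructed/org/prod", "user": {"count": 1, "items": [{"email": "carol@example.com", "name": "Carol"}]}}]}},
 {"name": "Cloud Permissions Firewall Viewer", "description": "constructed", "permissions": ["constructed"],
  "roleAssignments": {"count": 0, "items": []}}]}}}
""")


def _items(node):
    """Return node['items'] as a list, treating a missing or null node as empty."""
    return (node or {}).get("items") or []


def flatten_assignments(response):
    """Return sorted, de-duplicated (email, role, scope) rows from the response."""
    rows = set()
    for role in _items((response.get("data") or {}).get("SonraiRoles")):
        for assignment in _items(role.get("roleAssignments")):
            for user in _items(assignment.get("user")):
                # Lower-case the email so one person is not counted twice.
                rows.add((user["email"].lower(), role["name"], assignment.get("scope") or ""))
    return sorted(rows)


def review(response, admin_role="Administrator"):
    """Summarise who holds full admin, who holds several roles, and unused roles."""
    roles_by_user = defaultdict(set)
    for email, role, _scope in flatten_assignments(response):
        roles_by_user[email].add(role)
    all_roles = {r["name"] for r in _items((response.get("data") or {}).get("SonraiRoles"))}
    assigned = set().union(*roles_by_user.values()) if roles_by_user else set()
    return {
        "admins": sorted(e for e, r in roles_by_user.items() if admin_role in r),
        "multi_role_users": {e: sorted(r) for e, r in sorted(roles_by_user.items()) if len(r) > 1},
        "unassigned_roles": sorted(all_roles - assigned),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE), indent=2))
```
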