
Permissions on Demand Personas




© 2025 Sonrai Security. All rights reserved.

Overview

Certain use cases and personas carry best-practice recommendations within the Permissions on Demand methodology.


General

CloudOps Teams

Members of this team leverage the Cloud Permissions Firewall to deploy service-related changes (protections, disablements, identity exemptions, etc.) to ensure the core cloud infrastructure at hand is appropriately controlled.

Developers

Developers are often Permissions on Demand Requestors, as they break new ground in product development and keep the business moving forward.

Managers

Management team members are often Permissions on Demand Approvers, handling requests from developers and other staff for access to privileged permissions.


Exemption-worthy Personas

Root Accounts

To maintain full Organizational access for root accounts, create a global exemption for *:root at the top of the Organization tree.

If preferred, or if you have multiple root accounts which are designated for a specific OU or Account, create a global exemption for *:root at that scope.

Break Glass Identities

Break glass identities often go unused for a long period of time, only put to use when emergency recoveries and/or incidents occur.

These types of identity often hold administrative-level permissions to provide ease of access and quick remediation capabilities during high-risk situations.

Tip: To ensure Sonrai's Cloud Permissions Firewall (CPF) appropriately allows break glass functionality when you need it most, add break glass identities as exemptions for individual accounts in advance of (or in tandem with) implementing a service protection.

Machine Identities (Infrastructure Deployment)

These deployment identities are part of the CI/CD pipeline processes used by teams to deliver applications in the cloud.

These types of identity often require sensitive cloud permissions to add or remove elements of a cloud (such as networks, gateways, etc.).

Tip: To ensure Sonrai's Cloud Permissions Firewall appropriately allows your machine identities to deploy your cloud infrastructure without issue, add them as exemptions for individual accounts in advance of (or in tandem with) implementing a service protection.
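The scoping rules described above (a *:root exemption attached at the top of the Organization tree versus at one OU or account, and per-account exemptions for break glass and machine identities added before a service protection is applied) can be checked with a small model. This is an added illustration, not Sonrai's code or API: the Organization tree, account ids and identity names are constructed, and the "account:name" identity format with fnmatch-style wildcards is an assumption.

```python
"""Hypothetical model of scoped exemptions in an Organization tree (added
example; not Sonrai's implementation)."""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed Organization tree: node -> parent (the org root has no parent).
ORG_TREE = {
    "o-root": None,
    "ou-prod": "o-root",
    "ou-dev": "o-root",
    "111111111111": "ou-prod",   # constructed account id
    "222222222222": "ou-dev",    # constructed account id
}


@dataclass(frozen=True)
class Exemption:
    pattern: str   # identity pattern, e.g. "*:root" or "111111111111:BreakGlassRole"
    scope: str     # org root, OU or account the exemption is attached at


def scope_chain(account_id):
    """The account itself, then each ancestor OU up to the org root."""
    chain = []
    node = account_id
    while node is not None:
        chain.append(node)
        node = ORG_TREE[node]
    return chain


def is_exempt(identity, account_id, exemptions):
    """An identity in an account is exempt if an exemption attached at that
    account or at any of its ancestors matches the identity pattern."""
    visible_scopes = set(scope_chain(account_id))
    return any(e.scope in visible_scopes and fnmatch(identity, e.pattern)
               for e in exemptions)


def blocked_by_protection(required_identities, account_id, exemptions):
    """Pre-flight check before protecting a service in an account: return the
    identities (break glass, deployment pipelines, ...) that still lack an
    exemption and would therefore be stopped by the protection."""
    return [i for i in required_identities
            if not is_exempt(i, account_id, exemptions)]
```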