# Lightrun persona role-based access control (RBAC)
Lightrun supports enterprise-grade security through its Role-based Access Control (RBAC) feature, enhancing governance over both users and agents in your organization.
This topic applies to managing groups with persona-based roles, introduced in version 1.70.3 as a replacement for the role mechanism supported up to and including version 1.69. For more information, see Lightrun persona-based roles overview.
## Benefits of RBAC
- Enhanced security – Enterprise-grade control of users and agents.
- Efficient resource allocation – Users perform their job functions while limiting unnecessary access.
- Enforced separation of duties – Precise assignment of roles prevents security risks and fraud.
## Key concepts: users, roles, groups, and agent pools
To debug with Lightrun, you must have a Lightrun agent running alongside your application.
As your organization and codebase grow, so will the number of agents and users. It is important to be able to effectively manage how users interact with the Lightrun agents running in your system.
### Users
Lightrun users are individuals with assigned roles. New users must belong to a group to access agent pools.
#### Predefined user roles
Roles are predefined, assigned directly to users, and cannot be edited. Roles determine what a user can do within accessible agent pools.
A user may have multiple roles; the highest permission takes precedence.
### Groups
Groups are collections of users who require the same access to specific resources, such as agent pools.
For example, a Company Admin can create a group for the DevOps team and grant the group access to all DevOps-related agent pools.
When a user is added to the organization, they are automatically assigned to the default group, which includes all users in the organization.
Users with a Company Admin role can:
- Create, manage, and delete groups.
- Assign the Group Admin role to other users to manage specific groups.
### Agent pools
Agent pools are isolated groups of agents, each with a unique name and API key. A Lightrun agent can belong to only one agent pool, which provides a convenient way to securely isolate a group of agents from the others in your system.
- You are assigned a default agent pool when you create a Lightrun account.
- Lightrun users with a Company Admin or Group Admin role can create new agent pools or grant groups access to an existing pool.
- To add agents to an agent pool, use the API key assigned to the pool as your Lightrun secret key.
To learn more:
- Get started with agent pools
- Manage agent pools
## RBAC workflow: roles, groups, and agent pools
The following diagram shows how users, roles, groups, and agent pools interact.
- Create a user – Roles are assigned during creation.
- Assign roles – Roles define the actions a user can perform within accessible agent pools.
  - By default, new users get the Developer role in the default pool.
  - Multiple roles are allowed; the highest permission takes precedence.
- Add the user to a group – Group membership does not define permissions; it determines which agent pools the user can access.
- Assign agent pools to groups – Determines which sets of agents a user can access.
Example
- User: Alice
- Role: Group Admin – can manage agent configuration
- Group: US R&D Team
- Agent Pool: US R&D Agents
Alice can perform all actions allowed by her role, but only on agents in the US R&D Agents pool because of her group membership.
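The two-part decision described above (roles grant the action, groups grant the pools, highest role permission wins), as an added illustration written for this page and not Lightrun's own code or API. The role rows are taken from the permission tables below; the group-to-pool mapping and the users are constructed sample data.

```python
from dataclasses import dataclass, field

# Permission levels in ascending order; "-" is no access and a checkmark counts as full access.
LEVELS = {"-": 0, "R": 1, "R/W": 2, "✅": 2}

# Sparse copy of a few rows from the page's permission tables; anything not listed is "-".
ROLE_PERMISSIONS = {
    "Developer":      {"Log into Plugin": "✅"},
    "Company Admin":  {"Log into Plugin": "✅", "Manage API Keys": "R/W", "View/Export audit events": "R/W"},
    "Company Viewer": {"Manage API Keys": "R", "View/Export audit events": "R"},
    "Group Admin":    {"Log into Plugin": "✅"},
    "Security Admin": {"View/Export audit events": "R/W"},
}

# Constructed sample: which agent pools each group has been granted.
GROUP_POOLS = {
    "default": {"default"},
    "US R&D Team": {"US R&D Agents"},
    "DevOps": {"DevOps Staging", "DevOps Prod"},
}


@dataclass
class User:
    name: str
    roles: set
    # Every user is automatically a member of the default group.
    groups: set = field(default_factory=lambda: {"default"})


def effective_level(user, action):
    """Highest permission level for the action across all of the user's roles."""
    levels = (LEVELS[ROLE_PERMISSIONS.get(r, {}).get(action, "-")] for r in user.roles)
    return max(levels, default=0)


def accessible_pools(user):
    """Union of the pools reachable through group membership; roles play no part here."""
    return set().union(*(GROUP_POOLS.get(g, set()) for g in user.groups))


def can_perform(user, action, pool, required="R"):
    """Allowed only if a role grants the required level AND a group grants the pool."""
    return effective_level(user, action) >= LEVELS[required] and pool in accessible_pools(user)


if __name__ == "__main__":
    alice = User("Alice", {"Group Admin"}, {"default", "US R&D Team"})
    print(can_perform(alice, "Log into Plugin", "US R&D Agents"))  # role and group both allow it
    print(can_perform(alice, "Log into Plugin", "DevOps Prod"))    # role allows, group does not
```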
## Lightrun predefined roles
| Role | Description |
|---|---|
| Developer | Perform debugging, view logs, and create/run snapshots in assigned pools. |
| Company Admin | Full access to manage users, agent pools, and company configurations. |
| Company Viewer | Read-only access to view configurations, logs, and dashboards. |
| Group Admin | Manage users and resources within specific groups and agent pools. |
| Security Admin | Configure security policies, audit logs, and compliance. |
| AppSec Admin | Application security operations, including PII redaction and SBOMs. |
| Incident Responder | View incidents, run debugging workflows, act during emergencies. |
| Company API | Access to company-level API operations. |
| Dev API | Access to developer API endpoints. |
| AppSec API | Access to AppSec-specific API operations. |
## Supported permissions by role
Users can be assigned multiple Lightrun roles; the highest permission takes precedence.
**Note:** The roles are grouped in separate tables for display purposes only.
### Developer, Company Admin, Company Viewer, Group Admin
| Description | Developer | Company Admin | Company Viewer | Group Admin |
|---|---|---|---|---|
| Log into Portal | ✅ | ✅ | ✅ | ✅ |
| Log into Plugin | ✅ | ✅ | - | ✅ |
| View account settings | - | R/W | R | - |
| Configure user authentication / provisioning | - | R/W | R | - |
| Manage users (No SCIM) | - | R/W | R | - |
| Manage API Keys | - | R/W | R | - |
| Manage webhooks | - | R/W | R | - |
| Configure SMTP (connectivity) | - | R/W | R | - |
| Manage integrations | - | R/W | R | - |
| Modify core service params | - | R/W | R | - |
| Configure Autonomous Debugger global settings | - | R/W | R | - |
| Configure server logs (level and sanitization) | - | R/W | R | - |
| Configure agent logs (level and sanitization) | - | R/W | R | - |
| Fetch server diagnostics | - | R/W | R | - |
| Fetch plugin diagnostics | - | R/W | R | - |
### Company Admin, Company Viewer, Security Admin
| Description | Company Admin | Security Admin | Company Viewer |
|---|---|---|---|
| View/Export audit events | R/W | R/W | R |
| Create and update PII redaction patterns | R/W | R/W | R |
| Create and manage blocklists | R/W | R/W | R |
### Company API, Dev API, AppSec API
| Description | Company Admin | Company API | Dev API | AppSec API |
|---|---|---|---|---|
| Authenticate against API endpoints | ✅ | ✅ | ✅ | ✅ |
| Create API key | ✅ | ✅ | ✅ | - |
| Delete API key | ✅ | ✅ | ✅ | - |
| View API usage | ✅ | ✅ | ✅ | - |