Access control in DevRev authorizes actors to perform actions on objects within the application. An actor is any entity that interacts with the app: an organization member, a customer, a system user, or a service account.
When an actor attempts an action, such as creating an issue, the access control system checks the actor's roles to determine whether they have the necessary privileges to perform that action.
DevRev recognizes the following actor types:
Organization members are workspace users such as agents, admins, and other internal users. Their access is governed by roles assigned directly or through groups.
Customers are external users who interact with your workspace through support channels. Customer access is managed separately via customer groups; see Customer groups for details.
Service accounts are non-human actors used for integrations and automation. They are assigned roles in the same way as organization members.
A role is a defined grouping of access privileges that determines what actions a user can perform on different objects, including stock objects (such as issues and tickets), custom objects, and their subtypes. Access can also be granted conditionally based on the attributes of an object, for example, its priority or owner.
When a user belongs to multiple groups with different roles, the system grants the highest applicable privilege across all of those roles.
The process of checking access is as follows:
Fetch all the user's groups.
Fetch the roles associated with the user directly, or roles associated with the groups the user belongs to.
For each role, identify the object for which access is being checked, for example, Tickets.
Examine each role's configuration for that object to determine the user's access level.
Figure: Connections between users, groups, roles, and objects
To assign roles to users or groups, go to Settings > User Management > Roles. For details on how roles are structured and configured, see Roles. For details on managing groups, see Groups.
If a user attempts an unauthorized action, they see the message: "You are not authorized to perform this action." Relevant buttons may be inactive. Users can contact their organization's admins to request access.
The sections below describe how access to Vista dashboards and datasets is controlled. This is a specialized application of the general role-based access system described above.
Two objects power Vista reports: dashboards and datasets. Dashboards represent the view; datasets represent the underlying data. A user must have at minimum read access to a dashboard to perform any meaningful operation on a Vista report.
For a full guide to working with Vista reports, see Vista reports.
Role-based access policies allow workspace admins to grant dashboard and dataset permissions to groups of users at scale. A workspace admin can define and enable roles in any combination that give user groups permission to perform operations on dashboards and datasets.
Out of the box, the following roles are enabled for the predefined user groups:
Admins role
Admins have full permissions on all dashboards and datasets by default, including read, create, update, delete, and share operations on both their own and others' dashboards and datasets.
Platform Users role
By default, platform users have the following permissions:
Create dashboards or reports.
Read, update, and delete their own dashboards or reports.
Create datasets.
Read, update, and delete their own datasets.
Platform users do not, by default, have permission to read datasets other than their own. Admins are responsible for granting read permissions to all or a subset of datasets, which platform users can then use when building dashboards or reports.
The share functionality allows dashboard or report editors to grant read or update permissions to individual users directly.
Open the dashboard or report, then select Share from the actions drop-down.
Search for the desired user, assign them a role (Editor or Viewer), then click Share.
The following operations are available on dashboards and datasets:
Read: View a dashboard or report. Dashboard read permission is required to view a dashboard or report.
Create: Build a dashboard or report. Dashboard create permission and dataset read permission are both required.
Update: Modify an existing dashboard or report. Dashboard update permission and dataset read permission are both required.
Share: Share an existing dashboard or report with other users. Dashboard update permission is required to share a dashboard or report.
Delete: Remove a dashboard, report, or dataset. Appropriate delete permission on the object is required.
Note: The operations available to a given user depend on the roles assigned to their groups. Workspace admins configure these role assignments in Settings > User Management > Roles.
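The following is an added example, not DevRev code: a small Python model of the checks described above, combining roles gathered from groups with the per-operation requirements for dashboards and datasets. The role names, group names, user names, the "own"/"all" scope encoding, and the `dataset-readers` role are assumptions made for illustration.

```python
# Added illustration: a model of the checks described above, not DevRev code.
# Role names, group names and data shapes are assumptions.
ACTIONS = ("read", "create", "update", "delete")

# Role -> set of (object, action, scope); "own" limits a grant to objects the user owns.
ROLES = {
    "admins": {(o, a, "all") for o in ("dashboard", "dataset") for a in ACTIONS},
    "platform-users": {(o, "create", "all") for o in ("dashboard", "dataset")}
    | {(o, a, "own") for o in ("dashboard", "dataset")
       for a in ("read", "update", "delete")},
    "dataset-readers": {("dataset", "read", "all")},  # hypothetical admin-defined role
}

# Operation on a dashboard or report -> permissions it requires (from the list above).
REQUIRED = {
    "read": [("dashboard", "read")],
    "create": [("dashboard", "create"), ("dataset", "read")],
    "update": [("dashboard", "update"), ("dataset", "read")],
    "share": [("dashboard", "update")],
    "delete": [("dashboard", "delete")],
}

GROUP_ROLES = {"platform": ["platform-users"], "analysts": ["dataset-readers"]}

def effective_grants(direct_roles, groups, group_roles):
    """Union of grants from direct roles and from the roles of every group."""
    names = set(direct_roles)
    for group in groups:
        names |= set(group_roles.get(group, ()))
    return set().union(*(ROLES[n] for n in names))

def allowed(grants, obj, action, user, owner):
    """Highest privilege wins: an 'all' grant, or an 'own' grant on an owned object."""
    return (obj, action, "all") in grants or (
        (obj, action, "own") in grants and owner == user)

def can(user, op, grants, dashboard_owner, dataset_owner):
    """True only if every permission the operation requires is granted."""
    owners = {"dashboard": dashboard_owner, "dataset": dataset_owner}
    return all(allowed(grants, o, a, user, owners[o]) for o, a in REQUIRED[op])

if __name__ == "__main__":
    before = effective_grants([], ["platform"], GROUP_ROLES)
    after = effective_grants([], ["platform", "analysts"], GROUP_ROLES)
    # "ana" builds a dashboard (which she will own) on a dataset owned by "root".
    print(can("ana", "create", before, "ana", "root"))  # False: no dataset read
    print(can("ana", "create", after, "ana", "root"))   # True after the read grant
```

In this model a platform user can still share a dashboard they own that is built on someone else's dataset, because share requires only dashboard update, while updating that same dashboard is denied until dataset read is granted.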