Role-based access control (RBAC)

RBAC lets merchants and merchant aggregators map user roles to the functions those users need to perform in the Spreedly application. Limiting each user to the functions they actually need reduces operational and brand risk in several ways:

  • Security: RBAC improves the overall security posture around compliance, confidentiality, privacy and access management for sensitive resources, data and systems.
  • Selective access: A user can hold multiple roles, each carrying its own specific permissions.
  • Security as a function of organization structure: Permission assignment can follow the hierarchy of the organization, whether by seniority or by team topology.
  • Separation of duties (SoD): No single person has sole control over a task, so the compromise of one account limits how much damage an attacker can do.
  • Flexibility: The permissions associated with each role can be periodically reviewed and adjusted.

Roles overview

Spreedly offers four pre-configured roles including an Administrator (Admin) role with full access, and three limited-access roles.

Available roles

Role                  | Description
Administrator (Admin) | Admins have access to all Spreedly tools. They can invite and remove users, configure RBAC for them, change organization and environment details, and enable or disable functionality such as Advanced Vault features or the Routing Rules engine.
Environment Manager   | Environment managers can view the environment list and view, update and create environments. They can also create and delete environment access secrets. An environment manager can review organization details and settings and view users, but cannot edit these areas.
Billing Manager       | Billing managers can access their Chargify billing portal to view and modify billing functionality, but cannot view or change other areas of the application. This role is designed for customers on flex plans, not annual contracts.
Analyst               | Analysts have read-only access to the reporting and analytics dashboards in the application. They can see the list of their assigned environments, but cannot change settings or create new environments.

Note:

  • If the Billing Manager role does not appear in a merchant's RBAC selection, that role is not relevant to the merchant's arrangement with Spreedly.
  • RBAC applies to the Spreedly application only. Access to the Spreedly API is controlled by separate API credentials. RBAC can limit who views or creates new API credentials, but it cannot limit or revoke credentials that already exist. Removing a user's role or account therefore does nothing to any environment access secret that user may have copied; if such a secret may have been exposed, delete it (an Admin or Environment Manager can do this) and create a new one.

Using RBAC

  • Every new user in the Spreedly application must be assigned at least one RBAC role before they can be invited.
    • An Admin can add a new user as long as they have the user's name and email address.
  • New users can be assigned one or more RBAC roles to build the permission set they need. The available combinations are:
    1. Admin only (full access)
    2. Environment Manager, Billing Manager & Analyst (this does not equal full Admin access)
    3. Environment Manager & Analyst
    4. Environment Manager & Billing Manager
    5. Billing Manager & Analyst
  • To change a user's roles, an Admin selects the user in the Users tab of the application and modifies their roles there.
    • An Admin cannot change their own assigned role; another Admin must update their permissions if that is desired.
  • An organization must always have at least one Admin, but we strongly suggest having at least two so that an unexpected departure cannot leave the organization without one.
    • If the primary Admin is denied access, changes to a different individual or is otherwise unavailable, Spreedly customer success can reset the primary Admin.
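The rules in this section can be checked before a change is submitted. What follows is an added example, not Spreedly code and not a Spreedly API: a small model of an organization's user list that enforces the constraints above (at least one role per user, only known roles, no self-modification by an Admin, never fewer than one Admin, and a warning whenever fewer than two remain). The class and function names, the sample users, and the rule that Admin is never combined with a limited role (drawn from the combinations listed, which pair only the three limited roles) are assumptions.

```python
"""Added example modelling the RBAC rules described on this page.
Not Spreedly code or API; names and the 'Admin stands alone' rule are assumptions."""
from dataclasses import dataclass

ADMIN = "Administrator"
LIMITED_ROLES = frozenset({"Environment Manager", "Billing Manager", "Analyst"})
KNOWN_ROLES = LIMITED_ROLES | {ADMIN}


class RoleChangeError(ValueError):
    """Raised when a proposed invite or role change breaks one of the rules."""


def normalize_roles(roles) -> frozenset:
    """Validate a role selection and return it as a frozenset.

    At least one role is required and only the four known roles exist.
    Admin is not combined with a limited role: an assumption drawn from the
    listed combinations, which pair only the three limited roles.
    """
    selected = frozenset(roles)
    if not selected:
        raise RoleChangeError("at least one role must be selected")
    unknown = selected - KNOWN_ROLES
    if unknown:
        raise RoleChangeError(f"unknown role(s): {sorted(unknown)}")
    if ADMIN in selected and len(selected) > 1:
        raise RoleChangeError("Admin already has full access; do not combine it with limited roles")
    return selected


def rejection(fn, *args):
    """Call fn(*args); return the rule it broke as a string, or None if the call was allowed."""
    try:
        fn(*args)
    except RoleChangeError as exc:
        return str(exc)
    return None


@dataclass
class Organization:
    users: dict  # email -> frozenset of roles held by that user

    def admins(self) -> set:
        return {email for email, roles in self.users.items() if ADMIN in roles}

    def _require_admin(self, actor: str) -> None:
        # Only Admins invite users or change roles.
        if ADMIN not in self.users.get(actor, ()):
            raise RoleChangeError(f"{actor} is not an Admin and cannot manage users")

    def _warnings(self) -> list:
        # The page recommends two Admins so a departure cannot strand the organization.
        n = len(self.admins())
        return [f"only {n} Admin remains; keep at least two"] if n < 2 else []

    def invite(self, actor, email, name, roles) -> list:
        self._require_admin(actor)
        if not name or not email:
            raise RoleChangeError("name and email are required to invite a user")
        if email in self.users:
            raise RoleChangeError(f"{email} is already a user")
        self.users[email] = normalize_roles(roles)
        return self._warnings()

    def set_roles(self, actor, target, roles) -> list:
        self._require_admin(actor)
        if actor == target:
            raise RoleChangeError("an Admin cannot change their own roles; another Admin must do it")
        if target not in self.users:
            raise RoleChangeError(f"{target} is not a user; invite them first")
        new_roles = normalize_roles(roles)
        # Because the actor must be an Admin and cannot touch their own roles, the two
        # rules above already guarantee at least one Admin survives; this check is a
        # defensive invariant, evaluated before anything is committed.
        admins_after = (self.admins() - {target}) | ({target} if ADMIN in new_roles else set())
        if not admins_after:
            raise RoleChangeError("change would leave the organization without an Admin")
        self.users[target] = new_roles
        return self._warnings()

    def remove_user(self, actor, target) -> list:
        self._require_admin(actor)
        if actor == target:  # extends the page's self-modification rule to removal (assumption)
            raise RoleChangeError("an Admin cannot remove themselves; another Admin must do it")
        if target not in self.users:
            raise RoleChangeError(f"{target} is not a user")
        if self.admins() == {target}:  # same defensive invariant as in set_roles
            raise RoleChangeError("removing the last Admin would leave the organization without one")
        del self.users[target]
        return self._warnings()


def example_org() -> Organization:
    """Constructed sample organization: one Admin and one Analyst."""
    return Organization({
        "alice@example.com": frozenset({ADMIN}),
        "bob@example.com": frozenset({"Analyst"}),
    })


if __name__ == "__main__":
    org = example_org()
    print(org.set_roles("alice@example.com", "bob@example.com", {ADMIN}))
    print(rejection(org.set_roles, "alice@example.com", "alice@example.com", {"Analyst"}))
```

One point worth noticing in the model: once only Admins may change roles and no Admin may change their own, the organization can never lose its last Admin through the application, which is exactly why the page reserves that recovery case for Spreedly customer success rather than a self-service control.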

Invite and remove users

Review users across all environments by opening the organization pop-out menu on the bottom-left of the navigation and selecting Organization Users. Users are presented in a tabular format with email, name, and selected roles. A timestamp of each user's last login is also available.

New users can be invited by selecting Add user, which opens a page where a name, an email address and at least one RBAC selection are required to confirm the invite. New users receive an email with instructions to log in.

View and edit users and roles

Users with Admin roles can modify other users by selecting the gear icon in that user's row of the user list. This will open a page where RBAC selections can be updated, and missing names can be added. All users must have at least one role selected before they can be updated.

Activity log

To see a complete list of all role updates made from the Users page, Admins can navigate to Activity Log from the Organization pop-out menu.

There is a tabular, timestamped record of any role changes made and saved from the RBAC modal. This includes what change was made, who made the change, and which user was impacted.

Export the Activity Log by clicking Download CSV on the page, which will be formatted to match the table above.
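An exported Activity Log can be reviewed automatically for the changes that matter most: Admin grants, Admin removals, the organization dropping to a single Admin, and any self-modification, which the rules above say the application should never record. The following is an added example, not Spreedly code; the export's column names (timestamp, changed_by, affected_user, roles_before, roles_after) and the semicolon-separated encoding of the "what change was made" column are assumptions, so adjust them to the headers in your own CSV. The log lines are constructed.

```python
"""Added example: review an exported Activity Log CSV for privileged role changes.
Not Spreedly code; the column names and role encoding below are assumptions."""
import csv
import io
from dataclasses import dataclass

ADMIN = "Administrator"

# Constructed sample export. The header names are an assumption, not Spreedly's actual headers.
SAMPLE_LOG = """timestamp,changed_by,affected_user,roles_before,roles_after
2024-05-01T09:12:00Z,alice@example.com,bob@example.com,Analyst,Analyst; Environment Manager
2024-05-01T09:15:00Z,alice@example.com,bob@example.com,Analyst; Environment Manager,Administrator
2024-05-02T17:40:00Z,bob@example.com,alice@example.com,Administrator,Billing Manager
2024-05-02T17:41:00Z,bob@example.com,bob@example.com,Administrator,Administrator; Analyst
"""


@dataclass
class Finding:
    timestamp: str
    changed_by: str
    affected_user: str
    reason: str


def parse_roles(cell: str) -> frozenset:
    """Split a roles cell such as 'Analyst; Billing Manager' into a set of role names."""
    return frozenset(r.strip() for r in cell.split(";") if r.strip())


def review_activity_log(csv_text: str, initial_admins=()) -> list:
    """Return a Finding for every privileged change in the log, in log order.

    initial_admins is the set of Admins before the first logged change, so the
    Admin count can be tracked across the export; without it the count starts at zero.
    """
    admins = set(initial_admins)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts, actor, target = row["timestamp"], row["changed_by"], row["affected_user"]
        before, after = parse_roles(row["roles_before"]), parse_roles(row["roles_after"])
        reasons = []
        # The application refuses self-changes, so a logged one is worth investigating.
        if actor == target:
            reasons.append("self-modification recorded; the application should prevent this")
        was_admin, is_admin = ADMIN in before, ADMIN in after
        if is_admin and not was_admin:
            reasons.append("Admin role granted")
        if was_admin and not is_admin:
            reasons.append("Admin role removed")
        # Keep the running set of Admins and flag any change that leaves fewer than two.
        if is_admin:
            admins.add(target)
        else:
            admins.discard(target)
        if was_admin != is_admin and len(admins) < 2:
            reasons.append(f"only {len(admins)} Admin left after this change")
        findings.extend(Finding(ts, actor, target, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in review_activity_log(SAMPLE_LOG, initial_admins={"alice@example.com"}):
        print(f"{f.timestamp} {f.changed_by} -> {f.affected_user}: {f.reason}")
```

Run against the constructed log with alice as the only Admin beforehand, the review reports bob's promotion, alice's demotion, the drop to a single Admin, and bob's self-change; pairing each finding with the changed_by column is what turns the export into evidence of who held the keys when.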