Configure Vault Radar permissions
Vault Radar is initially configured by a user with the HCP IAM admin role. Any HCP IAM user with the admin role can perform all functions within Vault Radar. Admins can add a data source, trigger an on-demand scan, view events, and edit event remediation state.
Other HCP IAM users who do not have the HCP admin role must be added to an HCP IAM group. The group must belong to the project configured with Vault Radar, and the group must be assigned one or more data sources.
Vault Radar supports both organization-level and project-level users in the HCP Portal, and service principals for the Vault Radar CLI. It is recommended to assign permissions at the project level, following the least-privilege access model.
Add a user for Vault Radar
Note
If a user has the HCP IAM admin role, they do not need to be a member of other groups to access Vault Radar.
Find which RBAC role the user will require by referencing the HCP Vault Radar permissions in the table below:
| Vault Radar permissions          | Developer - viewer          | Developer - contributor     | Viewer | Contributor | Admin |
|----------------------------------|-----------------------------|-----------------------------|--------|-------------|-------|
| View events                      | ✅ (assigned repos only)    | ✅ (assigned repos only)    | ✅     | ✅          | ✅    |
| Edit event remediation state     |                             | ✅                          |        | ✅          | ✅    |
| Add or manage data sources       |                             |                             |        |             | ✅    |
| Add or manage filters            |                             |                             |        |             | ✅    |
| Add or manage event rules        |                             |                             |        |             | ✅    |
| Add or manage custom expressions |                             |                             |        |             | ✅    |
| Add or manage ignore rules       |                             |                             |        |             | ✅    |
| Configure PR checks policies     |                             |                             |        |             | ✅    |
| Trigger on-demand scans          |                             |                             |        |             | ✅    |
Verify or create an HCP IAM group with the desired role.
Invite the user from the parent organization's IAM dashboard.
When the user accepts the invitation (and, if necessary, signs up for HCP), assign the user a project-level HCP IAM role.
Add the user to the project with the desired level of access.
Additional information
Refer to the Users page to learn how to invite users and assign roles.
Assign resources to developer role groups
The Vault Radar developer role has no permissions by default, and an HCP IAM group must already exist. A project admin assigns specific resources to the group in the Vault Radar UI. To assign resources to the HCP group:
Go to the Vault Radar portal.
Select Resources.
Select the resources.
Click Assign Groups.
Select the Group.
Select Viewer or Contributor type.
Click OK.
The developer can now access the Vault Radar Events page to see the findings assigned to their group.
Remove resources from developer role groups
To remove a resource from a group:
Go to the Vault Radar portal.
Select Resources.
Click on the resource.
Click on the trash icon next to the group name.
Note
The resource is now removed from that HCP group, and individuals within that group will no longer be able to see it in the Vault Radar Portal.