Access Controls
This article details the default access control options in the Security menu, including the access controls for each default role, how to create a new access control, and how to edit or delete an access control.
Introduction to access controls
Access controls define the permissions assigned to user roles, determining which modules and data they can access and how they can interact with them. Access controls are essential for maintaining security and ensuring that users have the appropriate level of access based on their roles and responsibilities.
Users with the System administrator or Security administrator role can access, create, delete, or modify permissions for other roles. The Brinqa Platform starts with certain default permissions for each role, but you can expand or modify them through the access control page.
To manage access controls, click Administration 
on the upper-right corner and under Security, select Access controls.
The Access controls page displays a list view of the existing permissions in the Brinqa Platform.
Default access controls
The Brinqa Platform comes with default roles and permissions for each role.
To view the access controls for each role in the Brinqa Platform, follow these steps:
-
Navigate to Administration > Security > Access controls.
-
Click the Roles filter at the top of the page.
-
Select the role(s) you want to view the access controls for.
-
Click Apply.
The list view updates with the access controls for the selected role. For example, the following screenshot illustrates filtering the access controls by the Configurator role:
The following sections cover the permissions of all the default roles in the Brinqa Platform. For additional information on the default roles, see the Roles documentation.
Administrator access controls
The Administrator role grants read-only access to all data in the Brinqa Platform, without the ability to perform actions or modify configurations. The following table details the default access controls for users with the Administrator role:
Table 1: Administrator access controls
| Permission | Resource |
|---|---|
| Access | CAASM and Brinqa Platform |
| Read | All datasets |
| Reset password | User |
Configurator access controls
Expand the section below to view the default access controls for users with the Configurator role:
Table 2: Configurator access controls
| Permission | Resource |
|---|---|
| Create, Read, Update, Delete | Analytics source |
| Read | Application event log |
| Access | CAASM and Brinqa Platform |
| Manage | Cache |
| Create, Read, Update, Delete | Cluster |
| Sync | Data source and its mapping |
| Create, Read, Update, Delete | Data model |
| Create, Read, Update, Delete | Data server |
| Create, Read, Update, Delete, Launch | Flow definition |
| Manage | Index |
| Create, Read, Update, Delete | Indicator |
| Create, Read, Update, Delete | Mail template |
| Create, Read, Update, Delete, Run | Report |
| Read | Role |
| Create, Read, Update, Delete | Saved query |
| Export, Import | Settings |
| Read | Task monitor |
| Read | User |
| Create, Read, Update, Delete | User defined library |
| Create, Read, Update, Delete, Share | View |
| Create, Read, Update, Delete | Visualization |
Data exporter access controls
The following table details the default access controls for users with the Data exporter role:
Table 3: Data exporter access controls
| Access Control | Resource |
|---|---|
| Read | Data export |
| Export | Datasets |
| Launch | Flow definition |
| Run | GraphQL |
Remediation owner access controls
The following table details the default access controls for users with the Remediation owner role:
Table 4: Remediation owner access controls
| Permission | Resource |
|---|---|
| Read | Analytics source |
| Read | Asset, Finding, Finding definition, and their child data models |
| Read | Attack mitigation |
| Read | Attack pattern |
| Read | Attack tactic |
| Read | Attack technique |
| Access | CAASM and Brinqa Platform |
| Read | Cluster |
| Create, Read, Update, Delete, Submit | Exception request |
| Create, Read, Update, Delete, Submit | False positive request |
| Read | Indicator |
| Read, Update, Delete | Remediation campaign |
| Create, Read, Update, Delete, Submit | Remediation validation request |
| Create, Read, Update, Delete, Share | Report |
| Read, Delete | Request |
| Create, Read, Update, Delete, Submit | Risk acceptance request |
| Create, Read, Update, Delete | Saved query |
| Read | User |
| Read, Update | Ticket and all child data models of Ticket |
| Read | View |
| Read | Visualization |
Risk analyst default access controls
The following table details the default access controls for users with the Risk analyst role:
Table 5: Risk analyst access controls
| Permission | Resource |
|---|---|
| Read | Assessment |
| Read | Attack mitigation |
| Read | Attack pattern |
| Read | Attack tactic |
| Read | Attack technique |
| Access | CAASM and Brinqa Platform |
| Read | Cluster |
| Read, Delete | False positive request |
| Read | EOL advisory |
| Read, Delete | Exception request |
| Read, Update, Delete | Remediation campaign |
| Read, Delete | Remediation validation request |
| Read, Delete | Request |
| Read, Delete | Risk acceptance request |
| Read | Security control |
| Read | Security control framework |
| Read | Threat intel |
| Read, Update | Ticket and all child data models of Ticket |
| Read | User |
Risk owner access controls
The following table details the default access controls for users with the Risk owner role:
Table 6: Risk owner access controls
| Permission | Resource |
|---|---|
| Read | Analytics source |
| Read | Asset, Finding, and Finding definition, and their child data models |
| Read | Attack mitigation |
| Read | Attack pattern |
| Read | Attack tactic |
| Read | Attack technique |
| Access | CAASM and Brinqa Platform |
| Read | Cluster |
| Read | Data export |
| Create, Read, Update, Delete, Submit, Review | Exception request |
| Create, Read, Update, Delete, Submit, Review | False positive request |
| Read | Indicator |
| Read, Update, Delete | Remediation campaign |
| Create, Read, Update, Delete, Submit, Review | Remediation validation request |
| Create, Read, Update, Delete, Share | Report |
| Read, Delete | Request |
| Create, Read, Update, Delete, Submit, Review | Risk acceptance request |
| Create, Read, Update, Delete | Saved query |
| Read | User |
| Read, Update | Ticket and all child data models of Ticket |
| Read | View |
| Read | Visualization |
Security administrator access controls
The following table details the default access controls for users with the Security administrator role, who have access only to items under Administration > Security. This includes managing users, roles, access controls, and security policies:
Table 7: Security administrator access controls
| Permission | Resource |
|---|---|
| Create, Read, Update, Delete | Access control |
| Create, Read, Update | Account lockout policy |
| Create, Read, Update | Password policy |
| Create, Read, Update, Delete | Role |
| Create, Read, Update, Delete | User |
System administrator access controls
Users with the System administrator role have full and unrestricted access to the Brinqa Platform. This role enables users to manage all aspects of the platform, including configuration, user management, security settings, and data models. With this level of access, users can create, edit, and delete any resources, configure system settings, and oversee all operations within the platform.
Due to the critical nature of this role, it is recommended to assign it only to trusted users who are responsible for the overall administration and security of the Brinqa Platform.
User access controls
The User role is a foundational role that provides basic access permissions. More specific permissions are inherited through roles that extend it, such as Risk analyst, Risk owner, and Remediation owner.
To ensure users have the appropriate permissions, assign them to specialized roles—such as Risk analyst, Risk owner, and Remediation owner—based on their responsibilities and avoid using the User role directly.
Create a new access control
Users with the System administrator or Security administrator role can create new access controls. To do so, follow these steps:
-
Navigate to Administration
> Security > Access controls. -
Click Create.
-
Fill in the following fields:
-
Title: The title of the access control.
-
Name: The system name of the access control. This field is automatically populated based on the Title, converting it to camel case. For example, if the title is Test Access Control, the system name becomes testAccessControl.
-
Type: The type of module that the access control is for. Options include: Data model, Application, or Flow action. The following table details the different fields associated with the different access control types:
Table 8: Access control fields by type
Selected type Available fields Description Data model Operation The action that can be performed on the data model. Options include: Create, Read, Update, Delete. Data model The data model that the access control applies to. Attributes The attributes of the data model. If no attributes are selected, you have access to all attributes of that data model. Application Operations The action that can be performed on the application. Options include: Access. Application The application that the access control applies to. Options include: Brinqa Platform or Cyber risk. Flow action Operations The action that can be performed on the flow. Options include: Execute or Transition. Data model The data model that the access control applies to. Flow type The type of flow associated with the flow action. Options include: Business process or Button flow.
A Business process is a flow that is automatically triggered when a dataset is created and can only be associated with one data model.
A Button flow is a special flow that can be triggered manually to perform actions on a single dataset or multiple datasets within a data model.Flow definition The action that the flow accomplishes. Options include: data model delete flow or compute flow. -
Description: The description of the access control.
-
Active: Whether the access control is active. Inactive access controls are effectively archived.
-
-
Access control roles: Roles that this access control applies to. Expand this section, click the Roles drop-down, and select the roles that inherit this access control.
-
Access control filter: Define specific criteria that further refine the access granted by the access control. You can only set filters if the access control type is either Data model or Flow action. The following options appear:
-
Attribute: Click the drop-down and select the data model attribute you want to filter. This attribute determines what aspect of the data model or flow action will be filtered. For example, if you're working with the Vulnerability data model, all available attributes on the Vulnerability data model appear in the drop-down.
-
Operator: Click the drop-down and select an operator to further define how the attribute is compared to the value you specify. For example, the operator could be "Greater than" if you want to filter results based on attributes that exceed a specific value. For additional information, see BQL operators.
-
Value: If applicable, enter the value you want the selected attribute to be compared against. This is required for certain operators. For example, if you're filtering on the Base risk score attribute with the Greater than operator, you might enter "8" in the value field to filter for vulnerabilities with a base risk score greater than 8.
-
-
Click Create.
The Access controls page reloads and you should see your new access control listed.
Edit or delete an access control
Users with the System administrator or Security administrator role can edit or delete existing access controls. To do so, navigate to Administration > Security > Access control, hold the pointer over the access control in the list view, and click Edit or Delete to modify or delete the existing access control.
In addition, users with the System administrator role can access and manage access controls from the data model level. To do so, navigate to Administration > Data > Models, select the data model for which you want to modify access controls, and then click Access controls.
Editing or deleting an access control is a critical action that can significantly impact the security and accessibility of data across the Brinqa Platform. Improper changes can lead to unintended access to sensitive data or the inability for users to perform essential tasks.
Before making any modifications, it is strongly recommended to review the changes carefully and consult with your Brinqa Account Manager or security team to ensure they align with your organization's security policies.