
Role-based access control (RBAC)

Role-based access control (RBAC) policies define how users interact with Metronome, what they are allowed to see, and what changes they are allowed to make. This increases your control over the data a user can access and the actions they can take. Implementing RBAC minimizes the scope of security vulnerabilities and reduces human error.

Custom roles

In addition to the defined roles below, Metronome supports custom roles, allowing you to tailor permissions to your needs.

Defined roles

Metronome offers three out-of-the-box roles:

  • Administrator

    Ideal for project leads who need full functional access to oversee Metronome configuration and integration with other systems, along with administrative controls. Administrators have full CRUD (create, read, update, and delete) access to all components of the Metronome system.

  • Writer

    Ideal for members of the working team who are responsible for configuring and maintaining Metronome, including integrations with other systems. Writers have CRUD access to everything in Metronome except API key creation and administrative settings (such as setting up data export).

  • Reader

    Ideal for a non-acting member of the working team who is not involved with configuration, but needs access to Metronome data or is supporting the rollout of Metronome at your organization. Readers can view all components of the Metronome system, but have no create, update, or delete access to any part of the system.

Set up RBAC

RBAC policies are defined by your Identity Provider, so you must set up SSO first. If no SSO is configured, all users with access to Metronome have full access permissions.

To set up RBAC:

  1. Set up SSO.

  2. With your Identity Provider, create a new claim to specify user roles.

    a. The claim can be called anything; we recommend role.

    b. The values for this claim are: admin, writer, reader, or any custom roles you work with the Metronome team to create.

  3. Provide your Metronome representative with the new claim name.

  4. Let your Metronome representative know which role users should default to if not specified. By default, any user with no specified role is denied access to Metronome.
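
Before handing over the claim name, it helps to check which role each user would actually receive. The following is an added example, not Metronome's code: it applies only the rules stated on this page (claim named role, values admin, writer, reader, deny when unspecified unless a default is agreed) to a constructed IdP user export. Treating non-string or differently cased values as findings is an assumption of this sketch, and the export field names are hypothetical.

```python
# Added example (not Metronome code): models only the rules stated on this page.
from collections import Counter
CLAIM_NAME = "role"                      # claim name recommended on the page
BUILT_IN_ROLES = {"admin", "writer", "reader"}

def resolve_role(claims, custom_roles=frozenset(), default_role=None):
    """Return (role_or_None, finding). None means denied or needs review."""
    allowed = BUILT_IN_ROLES | set(custom_roles)
    if default_role is not None and default_role not in allowed:
        raise ValueError(f"default role {default_role!r} is not a known role")
    value = claims.get(CLAIM_NAME)
    if value is None or value == "":
        # Page: a user with no specified role is denied unless a default is agreed.
        if default_role is None:
            return None, "no role claim: denied"
        return default_role, f"no role claim: falls back to default {default_role!r}"
    if not isinstance(value, str):
        # Assumption: a multi-valued or non-string claim is a misconfiguration.
        return None, f"role claim is {type(value).__name__}, expected one string"
    if value not in allowed:
        # Assumption: exact, case-sensitive match, so 'Admin' is flagged.
        return None, f"unrecognized role value {value!r}"
    return value, "ok"

def audit(users, custom_roles=frozenset(), default_role=None):
    """Summarize effective roles and list users whose claims need attention."""
    counts, findings = Counter(), []
    for user in users:
        role, finding = resolve_role(user["claims"], custom_roles, default_role)
        counts[role or "denied"] += 1
        if finding != "ok":
            findings.append((user["email"], finding))
    return counts, findings

# Constructed sample data shaped like an IdP user export (hypothetical fields).
SAMPLE_USERS = [
    {"email": "lead@example.com", "claims": {"role": "admin"}},
    {"email": "ops@example.com", "claims": {"role": "writer"}},
    {"email": "finance@example.com", "claims": {"role": "reader"}},
    {"email": "new.hire@example.com", "claims": {}},
    {"email": "typo@example.com", "claims": {"role": "Admin"}},
    {"email": "multi@example.com", "claims": {"role": ["admin", "reader"]}},
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_USERS, default_role=None)
    print(dict(counts))
    for email, finding in findings:
        print(f"{email}: {finding}")
```

Re-running the audit with default_role="reader" shows how many users the fallback would silently admit, and the admin count is worth reviewing by hand before rollout.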
