User Roles

User roles are a collection of permissions that can be assigned to individual users using the symflow CLI.

Overview

The three user roles available at Sym are:

  • admin
  • member
  • guest

To check your role from Slack, run /sym whoami.

User creation defaults

  • Users in your primary domain, or whose email domains have been added via symflow, will be created with member roles.
  • Users in your Slack Workspace who do not share your primary domain and whose email domains have not been added via symflow will be created with guest roles.
  • Users must be explicitly granted admin privileges by other Admins.

For more information about Roles and Domains, see Working With Multiple User Domains.

Role details

admin Role

The admin role enables a User to interact fully with the symflow CLI, including:

  • Full CRUD for Services, Users, Resources, and Domains
  • Setting Roles for other Users (e.g. creating other admin Users)
  • Applying Terraform to update an Organization's Sym configuration.

In addition, admin Users can initiate requests from Slack or the Sym API, and can interact with the approval dialog in Slack.

This role is usually held by the implementer, who will need to push Sym configuration changes via terraform apply.

member Role

The member role lets users make access requests, and allows them to interact with the approval dialog in Slack. Members cannot run terraform apply or change configurations via the symflow CLI.

This role is usually held by team members who need to make access requests and/or approve access requests made by other team members.

guest Role

The guest role conditionally lets users interact with the approval dialog in Slack. By default, guests are not allowed to interact with the approval dialog.

This behavior can be controlled by the allow_guest_interaction boolean parameter that can optionally be set on the Flow resource in Terraform. When the boolean is set to true, guests are able to interact with the Approve, Deny, and Revoke buttons in the approval dialog. When not provided, or set to false, guests' clicks will be ignored, and they will receive a DM explaining why.
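Because this one boolean decides whether guests can approve, deny, or revoke access, it is worth reviewing across all Flows. The script below is an added example, not part of Sym's tooling or documentation: it scans Terraform source and reports, per Flow, whether guest interaction is enabled. The resource type name sym_flow, the variable name, and the sample configuration are assumptions made for illustration; the scan is a text heuristic, not a full HCL parser.

```python
import re

# Assumption: Flows are declared as `resource "sym_flow" "<name>" {`.
FLOW_HEADER = re.compile(r'resource\s+"sym_flow"\s+"([^"]+)"\s*\{')
GUEST_FLAG = re.compile(r'^\s*allow_guest_interaction\s*=\s*(\S+)', re.MULTILINE)

# Constructed sample. Where the parameter sits inside the block is not
# stated on the page, so the scan matches it at any nesting depth.
SAMPLE = '''
resource "sym_flow" "prod_db" {
  params {
    allow_guest_interaction = true
  }
}
resource "sym_flow" "staging" {
  # allow_guest_interaction = true
}
resource "sym_flow" "sandbox" {
  allow_guest_interaction = var.guests_can_approve
}
'''

def strip_comments(hcl: str) -> str:
    """Drop /* */, # and // comments so commented-out settings are ignored."""
    hcl = re.sub(r'/\*.*?\*/', '', hcl, flags=re.DOTALL)
    return re.sub(r'(#|//).*', '', hcl)

def flow_blocks(hcl: str):
    """Yield (name, body) per Flow, counting braces to find the block end."""
    for m in FLOW_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {'{': 1, '}': -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), hcl[m.end():i - 1]

def guest_interaction(hcl: str) -> dict:
    """Map Flow name -> True, False, or 'review' for non-literal values.

    An absent parameter is reported as False, the default described above.
    """
    result = {}
    for name, body in flow_blocks(strip_comments(hcl)):
        m = GUEST_FLAG.search(body)
        value = m.group(1) if m else "false"
        result[name] = {"true": True, "false": False}.get(value, "review")
    return result

if __name__ == "__main__":
    print(guest_interaction(SAMPLE))
```

A result of 'review' means the value is set from a variable or expression, so the effective setting has to be checked where that value is defined.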

Permissions table

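| Action                                        | Admin | Member | Guest             |
|-----------------------------------------------|-------|--------|-------------------|
| terraform apply configuration changes         | X     |        |                   |
| Make access requests                          | X     | X      |                   |
| Approve/Deny/Revoke access in approval dialog | X     | X      | X (conditionally) |
| Assign/revoke roles from other users          | X     |        |                   |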