Role-Based Access Control (RBAC)

Sublime's built-in and custom roles make it easy to give your team the perfect amount of access.

Managing Roles

When you create a new user from the Admin > Account page, you'll have the option to select a role.

To change an existing user's role, select the user in the Users table, select Actions > Edit, and update the user's role.

Roles

Role | Description
Admin | All Sublime features, including the ability to create custom roles.
Engineer | Build detection rules, Backtest, Hunt, investigate and remediate flagged and user-reported messages, view system error notifications, and more.
Analyst | Investigate and remediate flagged and user-reported messages, view system error notifications. Cannot create or modify rules, Search, Backtest, or Hunt.
Custom | Anyone with the Admin role can create a custom role with granular permissions.

The table below enumerates the Sublime Platform permissions and denotes which roles include each one. A green check ✅ denotes that the permission is included in the role. A green check with an asterisk ✅* denotes that the role has the listed permission but can only operate on resources the current user created themselves (for example, an Engineer can only read API keys they created, whereas an Admin can read API keys regardless of which user created them).

Category | Permission | Admin | Engineer | Analyst
Audit Log | manage_audit_log
Audit Log | read_audit_log
IP Allowlist | manage_ip_allowlist
IP Allowlist | read_ip_allowlist
MDM Retention | update_full_message_retention
Mailbox Auto-Activation | read_auto_activate
Mailbox Auto-Activation | update_auto_activate
Abuse Mailbox Settings | manage_abuse_mailbox
Abuse Mailbox Settings | read_abuse_mailbox
API Keys | create_api_keys | ✅* ✅*
API Keys | read_api_keys | ✅* ✅*
API Keys | delete_api_keys | ✅* ✅*
API Keys | set_external_api_keys | ✅*
API Keys | read_external_api_keys | ✅*
Users | create_users
Users | read_users
Users | update_users
Users | delete_users
Users | invite_users
Message Sources | create_message_sources
Message Sources | read_message_sources
Message Sources | read_message_sources_inline_message_meta
Message Sources | update_message_sources
Message Sources | delete_message_sources
Mailboxes | read_mailboxes
Mailboxes | activate_mailbox
Mailboxes | deactivate_mailbox
Rules | create_rules
Rules | read_rules
Rules | update_rules
Rules | delete_rules
Lists | create_lists
Lists | read_lists
Lists | update_lists
Lists | delete_lists
Actions | create_actions
Actions | read_actions
Actions | update_actions
Actions | delete_actions
Actions | associate_rules_to_actions
Feeds | create_feeds
Feeds | read_feeds
Feeds | update_feeds
Feeds | delete_feeds
Backtest | backtest
Hunt | hunt
Hunt | private_hunt
Search | search
Investigation | access_all_message_contents
Investigation | access_flagged_message_contents
Investigation | access_user_reported_message_contents
Remediation | perform_actions
Error Log | access_error_logs
URL Defense | read_url_defense_settings
URL Defense | manage_url_defense_settings
Content viewing setting | manage_view_contents_requirements
OIDC setting | manage_oidc
OIDC setting | read_oidc
SCIM | read_scim_resources
Provider group | read_provider_groups
Provider group | update_provider_groups
Exclusions | create_exclusions
Exclusions | read_exclusions
Exclusions | update_exclusions
Exclusions | delete_exclusions
Historical ingestion | start_historical_ingestion_jobs
Historical ingestion | abandon_historical_ingestion_jobs
Historical ingestion | read_historical_ingestion_jobs
Roles | read_roles
Telemetry | manage_telemetry
Deletion | delete_org
Polling setting | manage_message_polling
Overview Report | read_org_stats
Overview Report | read_remediation_stats
Link clicks | read_link_clicks
S3 export | manage_message_export
Setup guide | manage_account_setup_guide
Message creation | create_new_message

Custom roles

You can create an unlimited number of custom roles within your organization by heading to Admin > Account and clicking Create Role.

Multi-tenant custom roles

For multi-tenant instances, custom roles can only be created or managed by the parent org. While Admins can assign custom roles to team members on any child org, they can't create new roles or edit the permissions on existing roles via the child org.

Team members who have access to the parent org will inherit their existing role when they log into the child org for the first time. Admins can change their role afterwards if they want that team member to have a different role on a specific child org.

All custom roles created by the parent org are available to all of the child orgs, so we recommend that custom role names not include child org information, such as business names. Alternatively, you can prevent anyone with a custom role from seeing the available roles by withholding the read_roles permission.
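The following is an added example, not Sublime's code, that models how the rules on this page compose: the built-in roles as permission sets, the ✅* scope from the permissions section (a grant that only covers resources the calling user created), a custom role as a subset of permissions, and the multi-tenant rules above (custom roles defined only on the parent org, a parent-org role inherited on first login to a child org, an Admin overriding that role on one child org, and the role catalogue hidden from anyone without read_roles). The permission names come from the table on this page; the Engineer and Analyst grant sets are constructed from the role descriptions and are not the authoritative lists, and Tenant, User, authorized() and the other names are assumptions for the example.

```python
# Added example, not Sublime's code: a toy model of how this page's roles, the
# "✅*" own-resources-only scope and the multi-tenant rules compose. Engineer and
# Analyst grant sets are constructed from the role descriptions (not the full
# table); Tenant, User, authorized() and the other names are assumed here.
from dataclasses import dataclass, field
ANY, OWN = "any", "own"  # OWN: only resources the user created themselves

@dataclass
class Role:
    name: str
    grants: dict  # permission name -> ANY | OWN

# Constructed from the role descriptions above; not the authoritative lists.
ADMIN = Role("Admin", {"create_api_keys": ANY, "read_api_keys": ANY, "create_rules": ANY,
    "backtest": ANY, "hunt": ANY, "search": ANY, "perform_actions": ANY,
    "access_error_logs": ANY, "read_roles": ANY, "update_users": ANY})
ENGINEER = Role("Engineer", {"create_api_keys": OWN, "read_api_keys": OWN,
    "create_rules": ANY, "backtest": ANY, "hunt": ANY, "perform_actions": ANY,
    "access_error_logs": ANY, "read_roles": ANY})
ANALYST = Role("Analyst", {"perform_actions": ANY, "access_error_logs": ANY,
    "access_flagged_message_contents": ANY, "read_roles": ANY})
BUILT_IN = {r.name: r for r in (ADMIN, ENGINEER, ANALYST)}

@dataclass
class User:
    name: str
    roles_by_org: dict = field(default_factory=dict)  # org_id -> Role

@dataclass
class Tenant:
    org_id: str
    parent: "Tenant | None" = None
    custom_roles: dict = field(default_factory=dict)  # held by the parent org only

def authorized(user, org_id, permission, resource=None):
    # Deny by default; an OWN grant also requires the caller to own the resource.
    role = user.roles_by_org.get(org_id)
    if role is None or permission not in role.grants:
        return False
    if role.grants[permission] == ANY:
        return True
    return resource is not None and resource.get("created_by") == user.name

def define_custom_role(org, role):
    # Custom roles are created and managed on the parent org only.
    if org.parent is not None:
        return False
    org.custom_roles[role.name] = role
    return True

def available_roles(org):
    # Built-in roles plus every custom role defined by the parent org.
    root = org
    while root.parent is not None:
        root = root.parent
    return {**BUILT_IN, **root.custom_roles}

def login(user, org):
    # First login to a child org inherits the role held on the parent org.
    if org.org_id not in user.roles_by_org and org.parent is not None:
        inherited = user.roles_by_org.get(org.parent.org_id)
        if inherited is not None:
            user.roles_by_org[org.org_id] = inherited
    return user.roles_by_org.get(org.org_id)

def assign_role(actor, org, target, role):
    # An Admin may give a member a different role on a specific child org.
    if not authorized(actor, org.org_id, "update_users"):
        raise PermissionError(f"{actor.name} may not update users on {org.org_id}")
    if role.name not in available_roles(org):
        raise ValueError(f"{role.name!r} is not available on {org.org_id}")
    target.roles_by_org[org.org_id] = role
    return role

def list_roles(user, org):
    # Withholding read_roles hides the role catalogue from that user.
    if not authorized(user, org.org_id, "read_roles"):
        return []
    return sorted(available_roles(org))

def demo():
    parent = Tenant("parent")
    child = Tenant("child", parent=parent)
    triage = Role("Triage", {"perform_actions": ANY})  # custom role, no read_roles
    define_custom_role(parent, triage)
    alice, bob = User("alice", {"parent": ADMIN}), User("bob", {"parent": ENGINEER})
    carol = User("carol", {"parent": ANALYST})  # constructed sample users
    key_a, key_b = {"created_by": "alice"}, {"created_by": "bob"}  # sample API keys
    out = {
        "bob_reads_own_key": authorized(bob, "parent", "read_api_keys", key_b),
        "bob_reads_alice_key": authorized(bob, "parent", "read_api_keys", key_a),
        "alice_reads_bob_key": authorized(alice, "parent", "read_api_keys", key_b),
        "carol_backtests": authorized(carol, "parent", "backtest"),
        "child_defines_roles": define_custom_role(child, Role("Local", {})),
        "bob_child_role": login(bob, child).name,
        "bob_parent_role_list": list_roles(bob, parent)}
    login(alice, child)  # alice inherits Admin on the child org
    out["bob_child_role_override"] = assign_role(alice, child, bob, triage).name
    out["bob_child_role_list"] = list_roles(bob, child)
    return out
```

Running `demo()` shows the two scoping cases side by side: the Engineer can read the API key they created but not the Admin's, while the Admin can read either; the Analyst is refused `backtest`; the child org cannot define a role; the Engineer inherits Engineer on first login to the child org, is then moved to the Triage custom role there by the Admin, and from that point sees an empty role list on the child org because Triage lacks `read_roles`, while still seeing the full catalogue on the parent org.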