
Policies and Permissions

You manage access in VECTR by creating policies and attaching them to identities (users or groups). A policy is an object that, when associated with an identity or resource, defines their permissions. SRA Auth evaluates these policies when a user makes a request. Permissions in the policies determine whether the request is allowed or denied.

Policy Types

  • Identity-based policies. Attach managed policies to IAM identities (users or groups). Identity-based policies grant permissions to an identity.
  • Resource-based policies. These are policies that grant permission to a resource.

Identity-based Policies

Identity-based policies are permissions policy documents that control what actions an identity (user or group) can perform, on which resources, and under what conditions.

Resource-based Policies

Note

Currently, resource-based policies affect all users. In a future release, resource-based policies will support the ability to configure principals (users) that have access to these resources.

Policy Category

All policies are managed either by SRA or by the customer (end user):

  • SRA managed policies. Policies that are created and managed by SRA. These policies cannot be modified or removed by the customer.

  • Customer managed policies. Policies that you create and manage in your account.

Policies and the Default Root User

The default root user is not affected by any policies. By default, the root user belongs to the BasicAccess and Admins groups; however, its permissions are not affected by the policies attached to these groups. You can even remove the root user from these groups, or delete these groups, and the root user will still have full access to VECTR.

Default SRA Managed Policies

The following default policies are provided by SRA. Some policies are application-specific. SRA Managed policies cannot be deleted or modified.

| Name | Description |
| --- | --- |
| AdminFullAccess | Provides full access to all resources and IAM permissions. |
| AppSettingsReadOnly [1] | Provides the ability for a user to read application configurations. |
| IAMFullAccess | Provides full access to IAM related resources and permissions, including managing users, groups, and policies. |
| TokenRefreshAccess | Provides the ability for users to stay logged into the application by automatically updating their JWT before it expires. Users who do not have this permission will be time-boxed to the application for 30 minutes. |
| UserProfileAccess [1] | Provides the ability for a user to edit their own information, such as name and password. |

Default VECTR Policies

The following are VECTR specific default policies:

| Name | Description |
| --- | --- |
| AllDatabaseFullAccess | Provides the ability to perform read and write (including update and delete) operations on all test environments. |
| AllDatabaseReadOnly | Provides access to perform read operations on all test environments. |
| AnyPathResourceFullAccess | Provides full access (read/write/update/delete) to any non-test environment related endpoints. |
| AnyPathResourceReadOnly [1] | Provides read-only access to any non-test environment related endpoint. |
| DatabaseManagement [2] | Provides the ability for a user to manage (list, edit, backup, restore) the environments which they have access to. |
| DatabaseManagementFullAccess [2] | Provides the ability to manage (list, create, edit, delete, backup, restore) all environments. |
| GoldStandardFullAccess | Provides read and write access to the Library. |
| GoldStandardReadOnly [1] | Provides read-only access to the Library. |
| ListDatabases [1] [2] | Allows a user to list the environments they can access. |
| RenameDatabase [2] | Allows a user to rename an environment that they have access to. |
| TagManagement | Provides the ability for a user to manage (view, edit) tags. This policy is required in order for a user to work with tags, including tagging Assessment data. |

  [1] These policies are required at a minimum for a user to gain basic access to VECTR.

  [2] These policies on their own do not provide read or write access to any environments. Instead, they simply give the provided permissions on environments which a user already has access to. These policies must be combined with a DB access policy such as AllDatabaseFullAccess, AllDatabaseReadOnly, or a custom DB policy that you created.
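The composition rule in note 2 (management policies only act on environments the user can already reach), together with the root-user exception above, is easy to get wrong when auditing who can do what. The following is an added illustration of that composition and is not VECTR's policy format or SRA Auth's evaluator; the `Policy` fields, the constructed customer-managed `LabReadOnly` policy and the environment names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Environment-scoped actions named in the VECTR policy table above.
READ = frozenset({"read"})
WRITE = READ | {"write", "update", "delete"}
MANAGE = frozenset({"list", "edit", "backup", "restore"})

@dataclass(frozen=True)
class Policy:                 # assumed model, not VECTR's real policy document
    name: str
    actions: frozenset[str]
    envs: frozenset[str] | None = None   # None = applies to every environment
    scoped: bool = False      # note 2: only acts where the user already has DB access

POLICIES = {p.name: p for p in [
    Policy("AllDatabaseFullAccess", WRITE),
    Policy("AllDatabaseReadOnly", READ),
    Policy("DatabaseManagementFullAccess", MANAGE | {"create", "delete"}),
    Policy("DatabaseManagement", MANAGE, scoped=True),
    Policy("ListDatabases", frozenset({"list"}), scoped=True),
    Policy("RenameDatabase", frozenset({"rename"}), scoped=True),
    # Constructed customer-managed DB policy limited to one environment.
    Policy("LabReadOnly", READ, envs=frozenset({"lab"})),
]}
ALL_ACTIONS = frozenset().union(*(p.actions for p in POLICIES.values()))

def effective_permissions(attached: set[str], environments: list[str],
                          is_root: bool = False) -> dict[str, set[str]]:
    """attached: names of policies reaching the user directly or via its groups.
    Returns {environment: allowed actions}."""
    if is_root:  # the default root user is not affected by any policy
        return {e: set(ALL_ACTIONS) for e in environments}
    perms: dict[str, set[str]] = {e: set() for e in environments}
    policies = [POLICIES[n] for n in attached]
    # Pass 1: DB access policies establish which environments are reachable.
    for p in policies:
        if not p.scoped:
            targets = environments if p.envs is None else p.envs & set(environments)
            for e in targets:
                perms[e] |= p.actions
    # Pass 2: scoped policies add actions only where pass 1 granted something.
    for p in policies:
        if p.scoped:
            for acts in perms.values():
                if acts:
                    acts |= p.actions
    return perms
```

Running `effective_permissions({"DatabaseManagement", "ListDatabases"}, [...])` yields empty sets everywhere, which is exactly the note 2 situation where a user holds management policies but no DB access policy.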