Roles and Permissions
Guardian Pro uses role-based access control (RBAC) to manage what users can see and do within the platform. Every user is assigned one of three roles, each providing a different level of access across Guardian Pro's feature modules.
The Three Roles
Guardian Pro provides three built-in roles designed to support common team structures:
Admin
The Admin role has full access to all Guardian Pro features, including the ability to manage users, modify organisation settings, and execute remediations.
Admins are typically:
- Cloud architects or platform engineers responsible for AWS governance.
- Security team leads who need to remediate findings directly.
- IT managers overseeing the organisation's cloud posture.
Every organisation must have at least one Admin user. The user who completes the initial onboarding is automatically assigned the Admin role.
Standard
The Standard role provides broad read and write access to operational features but restricts sensitive actions: remediation execution, account connection management, user management and changes to organisation settings remain Admin-only.
Standard users are typically:
- DevOps engineers who monitor infrastructure and review findings.
- Developers who need visibility into security and cost data.
- Analysts who review compliance reports and cost trends.
Read-Only
The Read-Only role provides view-only access across the platform. Read-Only users cannot modify any settings, execute remediations, or manage other users.
Read-Only users are typically:
- Auditors reviewing compliance and security posture.
- Executives or stakeholders viewing dashboards and reports.
- External consultants who need visibility without the ability to make changes.
Permission Matrix
The table below shows the specific permissions granted to each role across Guardian Pro's six permission modules.
| Module | Action | Admin | Standard | Read-Only |
|---|---|---|---|---|
| Security | View findings and scan results | Yes | Yes | Yes |
| Security | Acknowledge or suppress findings | Yes | Yes | No |
| Security | Execute remediations | Yes | No | No |
| Cost | View cost analysis and recommendations | Yes | Yes | Yes |
| Cost | Run cost analysis and modify budgets | Yes | Yes | No |
| Resources | View resource inventory | Yes | Yes | Yes |
| Accounts | View connected accounts | Yes | Yes | Yes |
| Accounts | Manage account connections | Yes | No | No |
| Users | View user list | Yes | Yes | Yes |
| Users | Add or remove users | Yes | No | No |
| Users | Send invitations | Yes | No | No |
| Organisation | View organisation settings | Yes | Yes | Yes |
| Organisation | Modify organisation settings | Yes | No | No |
Permission Actions Explained
Each module supports up to three types of actions:
- Read -- View data, dashboards, reports, and configuration. All roles have read access.
- Write -- Modify settings, acknowledge findings, update configurations. Available to Admin and Standard roles (varies by module).
- Specialised actions -- Module-specific actions such as `remediate` (Security) and `invite` (Users). Available only to the Admin role.
How Permissions Are Enforced
Permissions are enforced at multiple levels:
- Navigation -- Settings pages and action buttons that require permissions you do not have are hidden from the interface. This keeps the console uncluttered; it is not the security boundary.
- Page access -- If you navigate directly to a page you do not have permission for, you will see an Access Denied message.
- API level -- All API requests are validated server-side against your role. Unauthorised requests are rejected regardless of how they are made, so a hidden button or a hand-crafted request grants nothing beyond what the matrix allows.
Permission enforcement is consistent across the console, API, and AI Assistant. For example, if you ask the AI Assistant to remediate a finding and your role does not include remediation permissions, the assistant will inform you that the action requires elevated access.
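The following is an added example, not Guardian Pro's own code, showing how a deny-by-default check built from the permission matrix above can back all three enforcement points (navigation, page access, API) from one source of truth. Module and action names follow the table; the `Role`, `PERMISSIONS`, `is_allowed`, `visible_actions`, `page_access` and `handle_api_request` names are illustrative assumptions.

```python
# Added example (not Guardian Pro's own code): a deny-by-default authorisation
# check modelled on the permission matrix. Module and action names follow the
# table; class and function names here are illustrative.
from enum import Enum


class Role(str, Enum):
    ADMIN = "Admin"
    STANDARD = "Standard"
    READ_ONLY = "Read-Only"


ALL_ROLES = frozenset(Role)

# (module, action) -> roles granted. A pair that is absent is denied to
# everyone, so a newly added action stays locked until it is granted explicitly.
PERMISSIONS: dict[tuple[str, str], frozenset[Role]] = {
    ("Security", "view"): ALL_ROLES,
    ("Security", "acknowledge"): frozenset({Role.ADMIN, Role.STANDARD}),
    ("Security", "remediate"): frozenset({Role.ADMIN}),
    ("Cost", "view"): ALL_ROLES,
    ("Cost", "modify_budgets"): frozenset({Role.ADMIN, Role.STANDARD}),
    ("Resources", "view"): ALL_ROLES,
    ("Accounts", "view"): ALL_ROLES,
    ("Accounts", "manage"): frozenset({Role.ADMIN}),
    ("Users", "view"): ALL_ROLES,
    ("Users", "manage"): frozenset({Role.ADMIN}),
    ("Users", "invite"): frozenset({Role.ADMIN}),
    ("Organisation", "view"): ALL_ROLES,
    ("Organisation", "modify"): frozenset({Role.ADMIN}),
}


class AccessDenied(PermissionError):
    pass


def is_allowed(role: Role, module: str, action: str) -> bool:
    """Return True only if the matrix grants (module, action) to this role."""
    return role in PERMISSIONS.get((module, action), frozenset())


def visible_actions(role: Role, module: str) -> list[str]:
    """Navigation layer: which buttons to render. Cosmetic, not a control."""
    return sorted(
        action
        for (mod, action), roles in PERMISSIONS.items()
        if mod == module and role in roles
    )


def page_access(role: Role, module: str, action: str) -> str:
    """Page layer: what a direct navigation to an action page should show."""
    return "OK" if is_allowed(role, module, action) else "Access Denied"


def handle_api_request(role: Role, module: str, action: str) -> dict:
    """API layer: the authoritative check, applied however the request arrived."""
    if not is_allowed(role, module, action):
        raise AccessDenied(f"{role.value} may not '{action}' in {module}")
    return {"status": "ok", "module": module, "action": action}
```

Because every layer calls `is_allowed`, the console cannot drift from the API: a button that is rendered by mistake still fails at `handle_api_request`, and an action that is not in `PERMISSIONS` is denied to Admins as well until someone adds it deliberately.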
Viewing Your Role
You can see your current role in several places:
- User menu -- Click your name in the top-right corner to see your role badge.
- Settings > Users -- Your entry in the user list shows your assigned role.
Changing Roles
Only Admin users can change another user's role. To change a role:
- Navigate to Settings > Users.
- Find the user whose role you want to change.
- Click the role badge or the Edit icon.
- Select the new role from the dropdown.
- Confirm the change.
Role changes take effect immediately. If you downgrade a user from Admin to Standard, they will instantly lose access to remediation and user management features. Ensure the user is aware of the change.
Role Change Restrictions
- You cannot change your own role.
- You cannot remove the last Admin from an organisation. At least one Admin must exist at all times.
- Role changes are logged in the audit trail for compliance purposes.
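The following is an added example, not Guardian Pro's implementation, of a role-change handler that enforces the three restrictions above and writes an audit record. It also covers user removal, because that is the other path that can reduce the Admin count: with Admin-only changes and no self-change, a role change alone can never remove the last Admin (the acting Admin always remains), so the invariant is enforced in one shared helper that both paths call. The `User`, `Organisation`, `change_role`, `remove_user` types and the audit record format are assumptions.

```python
# Added example (not Guardian Pro's own code): role changes and user removal
# guarded by one shared "at least one Admin" invariant, with an audit trail.
# The data model and audit record shape are illustrative assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

ROLES = ("Admin", "Standard", "Read-Only")


@dataclass
class User:
    user_id: str
    email: str
    role: str


@dataclass
class Organisation:
    users: dict[str, User]
    audit_log: list[dict] = field(default_factory=list)


class RoleChangeError(Exception):
    pass


def _audit(org, event, actor_id, target_id, old_role, new_role):
    org.audit_log.append({
        "event": event,
        "actor": actor_id,
        "target": target_id,
        "from": old_role,
        "to": new_role,
        "at": datetime.now(timezone.utc).isoformat(),
    })


def _require_admin_remains(org, excluding_user_id):
    """The invariant: after removing/downgrading this user, an Admin must remain."""
    remaining = [u for u in org.users.values()
                 if u.role == "Admin" and u.user_id != excluding_user_id]
    if not remaining:
        raise RoleChangeError("at least one Admin must exist at all times")


def change_role(org, actor_id, target_id, new_role):
    actor = org.users[actor_id]
    target = org.users[target_id]  # unknown user: KeyError is the right failure
    if new_role not in ROLES:
        raise RoleChangeError(f"unknown role {new_role!r}")
    if actor.role != "Admin":
        raise RoleChangeError("only Admin users can change roles")
    if actor_id == target_id:
        raise RoleChangeError("you cannot change your own role")
    if target.role == "Admin" and new_role != "Admin":
        # Cannot trip via the console path (the acting Admin remains), but any
        # automated caller reusing this function gets the same protection.
        _require_admin_remains(org, target_id)
    old_role = target.role
    target.role = new_role  # takes effect immediately; no grace period
    _audit(org, "role.changed", actor_id, target_id, old_role, new_role)
    return target


def remove_user(org, actor_id, target_id):
    actor = org.users[actor_id]
    target = org.users[target_id]
    if actor.role != "Admin":
        raise RoleChangeError("only Admin users can remove users")
    if target.role == "Admin":
        _require_admin_remains(org, target_id)  # this is where the rule bites
    del org.users[target_id]
    _audit(org, "user.removed", actor_id, target_id, target.role, None)
    return target_id
```

Keeping the last-Admin rule in `_require_admin_remains` rather than inline in each caller means a future path that changes roles automatically (for example, role-mapping sync) inherits the check by reusing the same function.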
Feature Access Summary
Here is a high-level summary of which platform features each role can fully use:
| Feature | Admin | Standard | Read-Only |
|---|---|---|---|
| Dashboard | Full | Full | View only |
| Action Centre | Full (including remediation) | View and acknowledge | View only |
| Cost Intelligence | Full | View and run analysis | View only |
| Compliance Dashboard | Full | Full | View only |
| Architecture Advisor | Full | Full | View only |
| AI Assistant | Full | Full (no remediation actions) | Read-focused queries |
| Infrastructure Wizard | Full | Full | View only |
| Resource Explorer | Full | Full | View only |
| Settings | Full | Limited | View only |
Role Mappings
For organisations that want to automatically assign Guardian Pro roles based on existing AWS IAM roles, see Role Mappings. Role mappings allow you to define rules like "users who assume the SecurityAuditor IAM role should receive the Read-Only Guardian Pro role."
Next Steps
- Users -- Manage users and their role assignments.
- Role Mappings -- Automate role assignment based on AWS IAM roles.
- Invitations -- Invite new users with pre-assigned roles.