Permissions

LIVCK features a comprehensive, granular permission system that allows you to control exactly what users can access and modify within your status page. This fine-grained approach ensures that team members have appropriate access levels for their responsibilities.

Permission Structure

Permissions in LIVCK follow a resource-based structure with five standard actions for most resources:

  • list - View a list of resources
  • show - View details of a specific resource
  • create - Create new resources
  • update - Modify existing resources
  • delete - Remove resources

This consistent structure makes it easy to understand and manage permissions across different areas of the application.

Permission Categories

Monitor Permissions

Control access to monitoring functionality and monitor management.

  • monitor.list - View all monitors
  • monitor.show - View individual monitor details
  • monitor.create - Create new monitors
  • monitor.update - Modify existing monitors
  • monitor.delete - Remove monitors

Use Case: Grant monitoring team members the ability to manage monitors without access to sensitive settings.

SSL Certificate Permissions

Manage SSL certificate monitoring and configuration.

  • ssl-certificate.list - View all SSL certificates
  • ssl-certificate.show - View certificate details
  • ssl-certificate.create - Add new SSL certificate monitors
  • ssl-certificate.update - Modify SSL certificate settings
  • ssl-certificate.delete - Remove SSL certificate monitors

Use Case: Allow security team members to manage SSL certificates independently.

Newsletter Permissions

Control access to newsletter subscriber management and email campaigns.

  • newsletter.list - View newsletter subscribers
  • newsletter.show - View subscriber details
  • newsletter.create - Add new subscribers
  • newsletter.update - Modify subscriber information
  • newsletter.delete - Remove subscribers
  • newsletter.compose.show - View newsletter compose interface
  • newsletter.compose.send - Send newsletters to subscribers

Use Case: Grant marketing team access to newsletters without system administration rights.

Alert Permissions

Manage who can create and modify alerts, announcements, maintenance windows, and incidents.

  • alert.list - View all alerts
  • alert.show - View alert details
  • alert.create - Create new alerts
  • alert.update - Modify existing alerts and update status
  • alert.delete - Remove alerts

Use Case: Enable on-call engineers to post incidents and updates without full admin access.

Permission Management

Control who can manage the permission system itself.

  • permission.list - View all available permissions
  • permission.show - View permission details
  • permission.create - Create custom permissions
  • permission.update - Modify permission definitions
  • permission.delete - Remove permissions

Use Case: Restrict permission management to senior administrators only.

Role Permissions

Manage role definitions and assignments.

  • role.list - View all roles
  • role.show - View role details and associated permissions
  • role.create - Create new roles
  • role.update - Modify role permissions and settings
  • role.delete - Remove roles

Use Case: Allow team leads to manage role assignments for their teams.

Session Permissions

Control user session management capabilities.

  • session.list - View active user sessions
  • session.show - View session details
  • session.create - Create new sessions (typically system-managed)
  • session.update - Modify session settings
  • session.delete - Terminate user sessions

Use Case: Enable security administrators to monitor and terminate suspicious sessions.

User Permissions

Manage user accounts and access.

  • user.list - View all users
  • user.show - View user details
  • user.create - Create new user accounts
  • user.update - Modify user information
  • user.delete - Remove user accounts

Use Case: Grant HR or team managers the ability to manage user accounts without full system access.

Setting Permissions

Control access to system settings and configuration.

  • setting.show - View system settings
  • setting.edit - Modify system settings

Use Case: Restrict system configuration changes to senior administrators.

Designer Permissions

Manage access to the status page design and customization features.

  • designer.use - Access the visual designer interface

Use Case: Grant design team members access to customize the status page appearance.

Code Permissions

Control access to custom CSS and JavaScript code injection.

  • code.show - View custom code
  • code.edit - Modify custom CSS and JavaScript

Use Case: Restrict code editing to developers who understand the security implications.

Assigning Permissions

Permissions can be assigned to users in two ways:

Direct Assignment

Individual permissions can be assigned directly to specific users. This is useful for one-off access requirements or exceptions to standard role definitions.

Role-Based Assignment

The preferred method is to assign permissions to roles, then assign roles to users. This approach is more maintainable and follows the principle of role-based access control (RBAC). See the Users and Roles documentation for more details.

Permission Hierarchy

Some permissions naturally depend on others. For example:

  • update typically requires show permission
  • delete typically requires list permission

When creating role groups, consider these logical dependencies to ensure users have the permissions they need to perform their tasks effectively.

Best Practices

Principle of Least Privilege

Grant users only the permissions they need to perform their specific job functions. This minimizes security risks and prevents accidental changes.

Use Roles Instead of Direct Permissions

Whenever possible, create roles that represent job functions and assign permissions to those roles. This makes it easier to:

  • Onboard new team members
  • Audit access levels
  • Modify permissions for multiple users at once

Regular Permission Audits

Periodically review user permissions to ensure they still align with current responsibilities. Remove unnecessary permissions promptly when roles change.

Separate Concerns

Create distinct roles for different responsibilities:

  • Monitoring Team: monitor.*, alert.*
  • Security Team: ssl-certificate.*, session.*
  • Marketing Team: newsletter.*
  • Super Admin: setting.*, user.*, role.*, permission.*

Document Custom Roles

When creating custom role groups, document the intended purpose and permission set to help future team members understand the access model.

Security Considerations

Sensitive Permissions

Some permissions grant significant control over the system:

  • code.edit - Allows JavaScript injection
  • setting.edit - Modifies system configuration
  • user.delete - Can remove user accounts
  • permission.* - Controls the permission system itself

These should be restricted to Super Admin only.