Assign roles to users
This page applies to new accounts created on or after August 4, 2021, and to accounts upgraded to the new sign in system.
Trend Micro Cloud One uses role-based access control (RBAC) to define user permissions and API key permissions for an account. The roles restrict or allow access to the account's administrative functions and the Trend Micro Cloud One services that it's using.
When an account administrator invites a user to join their account, they assign a role to that user. Access rights are attached to roles and not directly to users. Each user should be assigned a role that restricts their activities to those necessary for the completion of their duties. To change the access rights of an individual user, assign a different role to the user or edit the role.
Account administrators also assign a role when creating an API key to define the access rights for that API key.
Trend Micro Cloud One comes preconfigured with two roles:
- Full Access: The Full Access role gives users and API keys access to all Trend Micro Cloud One services, identity management, billing and licensing, and events in the audit log.
- Read Only: The Read Only role gives users and API keys the ability to view all the information in the Trend Micro Cloud One services but without the ability to make any modifications except to their own personal settings, such as password and contact information.
Define a custom role
You can create one or more custom roles and set the permissions for each of the Trend Micro Cloud One services and administrative functions.
- On the main page of the Trend Micro Cloud One console, select User Management.
- On the left, select Roles.
- In the lower part of the page, define the role:
  - Role Name: Name used to identify the role.
  - Role ID: Unique ID assigned to the role. This ID cannot be changed.
  - Role Description: Optional description of the role.
  - Privileges: Assign an access level for various Trend Micro Cloud One services. Select a service and then assign the permissions. To add another privilege, select +. If you don't assign a permission level to a service, it defaults to No Access. You can set privileges for these services:
    - Identity and Account: Invite users, remove users from the account, create or remove API keys, and manage account permissions such as changing the account properties and deleting the account. Set the permission to either Full Access or Read Only.
    - Billing and Licensing: Access to the billing and licensing settings for the Trend Micro Cloud One account. Set the permission to either Full Access or Read Only.
    - Audit: Access to the events in the Trend Micro Cloud One audit log. Set the permission to either Full Access or Read Only.
    - Workload Security: For this service, you can choose Full Access or Read Only (which is mapped to the "Workload Security Read Only" role in the Workload Security service). You can also select a custom Workload Security role, if you configured one in the Workload Security console. For details on Workload Security roles, see Define roles for users.
    - Network Security: Set the permission to either Full Access or Read Only.
    - Application Security: Set the permission to either Full Access or Read Only.
    - File Storage Security: Set the permission to either Full Access or Read Only.
    - Container Security: Set the permission to either Full Access or Read Only.
    - Conformity: Set the permission to either Full Access or Read Only.
    - Open Source Security by Snyk: Currently, Open Source Security by Snyk only supports Full Access roles. Read Only roles do not have access to the service.
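The following added example (not Trend Micro code and not part of the original page) resolves the effective access of a proposed custom role using the rules listed above, so the role can be reviewed before it is created in the console. The dictionary layout, the function name `resolve_role`, and the custom role name "Triage Analyst" are assumptions made for illustration and are not the Roles API schema.

```python
"""Added example: review a proposed custom role against the privilege rules above."""

# Service names and levels are taken from the list above. The {service: level}
# layout is an assumption for this example, not the Roles API schema.
STANDARD = {"Full Access", "Read Only", "No Access"}
SNYK = "Open Source Security by Snyk"
SERVICES = [
    "Identity and Account", "Billing and Licensing", "Audit",
    "Workload Security", "Network Security", "Application Security",
    "File Storage Security", "Container Security", "Conformity", SNYK,
]


def resolve_role(privileges, workload_custom_roles=()):
    """Return (effective, findings) for a {service: level} mapping."""
    effective, findings = {}, []
    for service in privileges:
        if service not in SERVICES:
            findings.append(f"unknown service: {service}")
    for service in SERVICES:
        level = privileges.get(service, "No Access")  # unassigned -> No Access
        if service == SNYK and level == "Read Only":
            findings.append(f"{SNYK}: Read Only has no access to the service")
            level = "No Access"
        elif service == "Workload Security" and level in workload_custom_roles:
            pass  # custom role configured in the Workload Security console
        elif level not in STANDARD:
            findings.append(f"{service}: unsupported level {level!r}")
            level = "No Access"  # fail closed in this review
        if service == "Identity and Account" and level == "Full Access":
            findings.append("Identity and Account: Full Access can invite users "
                            "and create API keys; confirm the duty requires it")
        effective[service] = level
    return effective, findings


# Constructed sample: a proposed role for a vulnerability-triage analyst.
PROPOSED = {
    "Workload Security": "Triage Analyst",  # hypothetical custom role name
    "Container Security": "Read Only",
    SNYK: "Read Only",
    "Identity and Account": "Full Access",
}

if __name__ == "__main__":
    effective, findings = resolve_role(PROPOSED, {"Triage Analyst"})
    print(effective, *findings, sep="\n")
```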
Edit a role
To edit an existing role, go to the Roles page as described above, select the role that you want to edit, and make the changes in the lower part of the page.
Manage roles programmatically
You can also use the Trend Micro Cloud One Roles APIs to manage roles.