Configure Vault Radar permissions
Vault Radar is initially configured by a user with the HCP IAM admin role. Any HCP IAM user with the admin role can perform all functions within Vault Radar, such as adding a data source, triggering an on-demand scan, viewing events, and editing event remediation state.
Any HCP IAM user who does not have the HCP admin role must be added to an HCP IAM group. That group must belong to the project Vault Radar is configured in, and it must be assigned to one or more data sources.
Vault Radar supports both organization-level and project-level users in the HCP Portal, and service principals for the Vault Radar CLI. We recommend assigning permissions at the project level, following the least-privilege access model.
Add a user for Vault Radar
Note
If a user has been assigned the HCP IAM admin role, they do not need to be added to a group to access Vault Radar.
Determine which RBAC role the user will require by referencing the HCP Vault Radar permissions in the table below:
| Vault Radar permissions | Viewer | Contributor | Admin |
|---|---|---|---|
| View events | ✅ | ✅ | ✅ |
| Edit event remediation state | | ✅ | ✅ |
| Add or manage data sources | | | ✅ |
| Add or manage filters | | | ✅ |
| Add or manage event rules | | | ✅ |
| Add or manage custom expressions | | | ✅ |
| Add or manage ignore rules | | | ✅ |
| Configure PR checks policies | | | ✅ |
| Trigger on-demand scans | | | ✅ |

Verify or create an HCP IAM group with the desired role.
Invite the user from the parent organization's IAM dashboard.
When the user accepts the invitation (and, if necessary, signs up for HCP), assign the user a project-level HCP IAM role.
Add the user to the project with the desired level of access.
Additional information
Refer to the Users page to learn how to invite users and assign roles.