User roles

A user role is a predefined set of permissions that determines which actions a user can perform on the ONEKEY platform. Rather than granting permissions to each user one by one, you assign one or more roles to a user group, and every member of that group inherits the combined permissions.

This makes it easy to apply least-privilege access – for example, letting external partners only upload firmware, while your analysts can view the results, request expert review, and generate reports.

To assign user roles:

  1. Click on your profile in the top-right corner.
  2. Select User groups.
  3. Either:
    • Click Create new user group to set up a new group, or
    • Click the Edit button next to an existing user group.
  4. Move the relevant roles to the assigned list.
  5. Click Save.

Permissions

A permission grants the ability to perform a specific set of actions. Each role bundles a fixed set of permissions, so the roles you add to a user group determine what its members can do.

Permissions are scoped at one of two levels:

  • Tenant — applies across the entire tenant. Covers platform-wide features such as managing users, working with Analysis Profile rules, or editing custom issues and CVEs.
  • Product Group — applies only to the product groups assigned to the user group. Covers firmware-level actions such as uploading, restarting analysis, editing reports, and editing compliance results.

The lists below show which permissions each role includes; the Permissions overview that follows them gives a side-by-side comparison.

Admin

  • Tenant Level:
    • Manage tenant
    • View tenant
    • View Analysis Profile
    • Edit Analysis Profile
    • Edit analysis configuration
    • Request expert review
    • Edit components (SBOM)
    • View audit records
    • Edit custom issues
    • View custom issues
    • Edit CVEs
    • View CVEs
    • Generate reports
  • Product Group Level:
    • Upload firmware
    • Start firmware analysis
    • View firmware
    • Edit firmware
    • View reports
    • Edit reports
    • Share reports
    • Edit monitoring
    • Edit compliance
    • Update vulnerability
    • Apply Analysis Profile

Observer

  • Tenant Level:
    • View tenant
    • View Analysis Profile
    • View audit records
    • View custom issues
    • View CVEs
  • Product Group Level:
    • View firmware
    • View reports

Analyst

  • Tenant Level:
    • View Analysis Profile
    • Edit Analysis Profile
    • Request expert review
    • Edit components (SBOM)
    • Edit custom issues
    • View custom issues
    • Edit CVEs
    • View CVEs
    • Generate reports
  • Product Group Level:
    • Upload firmware
    • Start firmware analysis
    • View firmware
    • Edit firmware
    • View reports
    • Edit reports
    • Share reports
    • Edit monitoring
    • Edit compliance
    • Update vulnerability
    • Apply Analysis Profile

Editor

  • Tenant Level:
    • Request expert review
    • Edit components (SBOM)
    • View custom issues
    • View CVEs
    • Generate reports
  • Product Group Level:
    • View firmware
    • Edit firmware
    • View reports
    • Edit reports
    • Update vulnerability

Reporter

  • Tenant Level:
    • Request expert review
    • Generate reports
  • Product Group Level:
    • View firmware
    • View reports
    • Edit reports

Uploader

  • Tenant Level:
    No tenant-level permissions
  • Product Group Level:
    • Upload firmware
    • Start firmware analysis

Note

The Uploader role grants the Start firmware analysis permission, but this only matters for reanalyzing existing firmware – the initial analysis runs automatically as part of upload. Without View firmware, an Uploader-only user has no way to locate firmware to reanalyze in either the UI or the API. Pair Uploader with a role that grants view access – such as Viewer, Editor, or Observer – so Uploader can reanalyze firmware.

Viewer

  • Tenant Level:
    • Request expert review
  • Product Group Level:
    • View firmware
    • View reports

Compliance

  • Tenant Level:
    • Request expert review
  • Product Group Level:
    • View firmware
    • View reports
    • Edit compliance

Auditor

  • Tenant Level:
    • View audit records
  • Product Group Level:
    No product group permissions

Note

Combine the Auditor role with other roles (like Viewer, Compliance, or Editor) to ensure users can access the content they need to audit.

Manager

  • Tenant Level:
    • Manage tenant
    • View tenant
    • View Analysis Profile
    • Edit Analysis Profile
    • Edit analysis configuration
    • Request expert review
    • Edit components (SBOM)
    • View custom issues
    • View CVEs
    • Generate reports
  • Product Group Level:
    • Upload firmware
    • Start firmware analysis
    • View firmware
    • Edit firmware
    • View reports
    • Edit reports
    • Share reports
    • Edit monitoring
    • Edit compliance
    • Update vulnerability
    • Apply Analysis Profile
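
Permissions overview

| Permission | Admin | Observer | Analyst | Editor | Reporter | Uploader | Viewer | Compliance | Auditor | Manager |
|---|---|---|---|---|---|---|---|---|---|---|
| Manage tenant [Tenant] | X | | | | | | | | | X |
| View tenant [Tenant] | X | X | | | | | | | | X |
| Upload firmware [Product Group] | X | | X | | | X | | | | X |
| Start firmware analysis [Product Group] | X | | X | | | X | | | | X |
| View firmware [Product Group] | X | X | X | X | X | | X | X | | X |
| Edit firmware [Product Group] | X | | X | X | | | | | | X |
| View reports [Product Group] | X | X | X | X | X | | X | X | | X |
| Edit reports [Product Group] | X | | X | X | X | | | | | X |
| Share reports [Product Group] | X | | X | | | | | | | X |
| Generate reports [Tenant] | X | | X | X | X | | | | | X |
| Edit monitoring [Product Group] | X | | X | | | | | | | X |
| Edit compliance [Product Group] | X | | X | | | | | X | | X |
| Update vulnerability [Product Group] | X | | X | X | | | | | | X |
| Apply Analysis Profile [Product Group] | X | | X | | | | | | | X |
| View Analysis Profile [Tenant] | X | X | X | | | | | | | X |
| Edit Analysis Profile [Tenant] | X | | X | | | | | | | X |
| Edit analysis configuration [Tenant] | X | | | | | | | | | X |
| Request expert review [Tenant] | X | | X | X | X | | X | X | | X |
| Edit components (SBOM) [Tenant] | X | | X | X | | | | | | X |
| View audit records [Tenant] | X | X | | | | | | | X | |
| Edit custom issues [Tenant] | X | | X | | | | | | | |
| View custom issues [Tenant] | X | X | X | X | | | | | | X |
| Edit CVEs [Tenant] | X | | X | | | | | | | |
| View CVEs [Tenant] | X | X | X | X | | | | | | X |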

Actions

A single permission can unlock several actions across the platform UI and API. Use the table below to trace a concrete task – downloading an SBOM, sharing a report, editing compliance results – back to the permission that enables it, and therefore the role you need to add to the user's group.

Permission Actions
Manage tenant [Tenant]
  • Add/remove users
  • Add permissions
  • Create user and product groups
  • Create API tokens
  • View analysis configurations
View tenant [Tenant]
  • View users
  • View permissions
  • View user and product groups
  • View API tokens
  • View analysis configurations
Upload firmware [Product Group]
  • Upload firmware
Start firmware analysis [Product Group]
  • Restart analysis / reanalyze firmware
View firmware [Product Group]
  • See the analysis results
  • See the Dashboard
  • Download SBOM
  • See Analysis history
  • See Product history
  • Compare analyses
Edit firmware [Product Group]
  • Edit firmware info
View reports [Product Group]
  • View report configurations
  • Download reports
Edit reports [Product Group]
  • Create new report configurations
  • Create reports
  • Delete/bulk delete reports
Share reports [Product Group] (only available via API)
  • Create a one-time-link for PDF report downloads
Generate reports [Tenant]
  • Generate new report
Edit monitoring [Product Group]
  • Enable/disable monitoring
Edit compliance [Product Group]
  • Edit results in compliance
Update vulnerability [Product Group]
  • Perform/edit CVE and security issue assessments
Apply Analysis Profile [Product Group]
  • Apply Analysis Profile from firmwares page
View Analysis Profile [Tenant]
  • View Analysis Profile rules
Edit Analysis Profile [Tenant]
  • Create and edit Analysis Profile rules
Edit analysis configuration [Tenant]
  • Create and edit analysis configurations
Request expert review [Tenant]
  • Request expert review for a specific firmware
Edit components (SBOM) [Tenant]
  • Add individual components
  • Delete individual components
  • Edit components manually
View CVEs [Tenant]
  • View custom CVEs
Edit CVEs [Tenant]
  • View custom CVEs
  • Add custom CVEs
  • Delete custom CVEs
  • Edit custom CVEs
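
Once the Actions table has mapped a task to the permissions it needs, the choice of roles can be computed from the role lists above. The following is an added example, not ONEKEY code and not using any ONEKEY API: it transcribes the role lists from this page and searches for the role combination that covers a set of permissions with the fewest surplus ones. The names ROLES, effective and least_privilege are illustrative, and product-group scoping is not modelled.

```python
# Added example: role matrix transcribed from this page; product-group scoping is ignored.
from itertools import combinations

PG = {"Upload firmware", "Start firmware analysis", "View firmware", "Edit firmware",
      "View reports", "Edit reports", "Share reports", "Edit monitoring",
      "Edit compliance", "Update vulnerability", "Apply Analysis Profile"}
TENANT = {"Manage tenant", "View tenant", "View Analysis Profile", "Edit Analysis Profile",
          "Edit analysis configuration", "Request expert review", "Edit components (SBOM)",
          "View audit records", "Edit custom issues", "View custom issues", "Edit CVEs",
          "View CVEs", "Generate reports"}
ALL = PG | TENANT
VIEW = {"View firmware", "View reports"}
ROLES = {
    "Admin": ALL,
    "Manager": ALL - {"View audit records", "Edit custom issues", "Edit CVEs"},
    "Analyst": ALL - {"Manage tenant", "View tenant", "Edit analysis configuration", "View audit records"},
    "Observer": VIEW | {"View tenant", "View Analysis Profile", "View audit records",
                        "View custom issues", "View CVEs"},
    "Editor": VIEW | {"Edit firmware", "Edit reports", "Update vulnerability",
                      "Request expert review", "Edit components (SBOM)",
                      "View custom issues", "View CVEs", "Generate reports"},
    "Reporter": VIEW | {"Edit reports", "Request expert review", "Generate reports"},
    "Uploader": {"Upload firmware", "Start firmware analysis"},
    "Viewer": VIEW | {"Request expert review"},
    "Compliance": VIEW | {"Edit compliance", "Request expert review"},
    "Auditor": {"View audit records"},
}

def effective(roles):
    """Combined permissions a user group gets from all roles assigned to it."""
    return set().union(*(ROLES[r] for r in roles))

def least_privilege(needed):
    """Return (roles, surplus permissions) with the least surplus; ties go to fewer roles."""
    needed = set(needed)
    if needed - ALL:
        raise ValueError(f"unknown permissions: {sorted(needed - ALL)}")
    candidates = []
    for n in range(1, len(ROLES) + 1):
        for combo in combinations(ROLES, n):
            perms = effective(combo)
            if needed <= perms:
                surplus = sorted(perms - needed)
                candidates.append((len(surplus), n, combo, surplus))
    _, _, combo, surplus = min(candidates)
    return set(combo), surplus

if __name__ == "__main__":
    print(least_privilege({"Start firmware analysis", "View firmware"}))
```

For the reanalysis case described in the Uploader note, the search selects Uploader together with Viewer, and the returned surplus list shows what else that group can do.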