Permission management guide

Effective permission management is key to achieving both security and collaboration efficiency. You can establish a systematic permission management strategy using Alpacon’s IAM (Identity and Access Management) features.

For more details, see IAM overview.

Role-based permission system

Alpacon provides three roles to manage user permissions hierarchically.

Permissions by role

User (regular user)

  • Permission scope: Access and use of assigned resources
  • Key features:
    • Access servers in groups they belong to
    • Control servers via Websh
    • Manage their own profile and settings
  • Applicable to: General team members, developers, operators

Staff (administrator)

  • Permission scope: User permissions + user and group management
  • Key features:
    • Invite users and manage accounts
    • Create groups and manage members
    • Register servers and change settings
    • Manage some workspace settings
  • Applicable to: Team leaders, project managers

Superuser (super administrator)

  • Permission scope: Staff permissions + highest system-wide administrative privileges
  • Key features:
    • Manage all users and groups
    • Manage all workspace settings
    • Manage billing and subscriptions
    • Access audit logs
  • Applicable to: System administrators, CTO, security officers

For more details, see User management.

Group-based permission management

Using groups allows you to efficiently manage permissions by logically separating users and servers.

Group design strategies

1. Team-based group structure

Create groups based on your organization’s team structure.

Example:

  • Backend Team: Backend server access
  • Frontend Team: Frontend and build server access
  • DevOps Team: All infrastructure server access
  • Data Team: Database and analytics server access

2. Environment-based group structure

Separate access permissions based on server environments.

Example:

  • Production Group: Production servers (restricted access)
  • Staging Group: Staging servers
  • Development Group: Development servers (open access)

3. Project-based group structure

Manage servers and personnel by project.

Example:

  • Project A Team: Project A related servers
  • Project B Team: Project B related servers
  • Shared Infrastructure: Common infrastructure servers

For more details, see Groups overview.

Principle of least privilege

Enhance security by granting users only the minimum permissions necessary to perform their tasks.

Implementation methods

1. Limit use of default group

  • Only register servers requiring common access in the Alpacon users default group
  • Separate sensitive servers into dedicated groups
  • New users start in the default group, with additional groups assigned as needed

2. Minimize roles

  • Most users should start with the User role
  • Grant Staff role only to those performing actual administrative tasks
  • Restrict Superuser role to a minimal number of people (2-3)

3. Regular permission reviews

  • Review user permissions and group memberships quarterly
  • Immediately revoke permissions for departed employees or role changes
  • Deactivate long-unused accounts

Server access control

Enhance security by designating which groups can access each server.

Access control scenarios

Protecting production servers

Group: Production-Access
- Members: Senior Engineers, DevOps Team
- Servers: Production Web Server, Production DB Server

Regular developers are restricted from direct access to production servers

Separating development environments

Group: Dev-Team-A
- Members: Team A developers
- Servers: Team A dev server, shared dev DB

Group: Dev-Team-B
- Members: Team B developers
- Servers: Team B dev server, shared dev DB

Each team can only access their own development servers

For more details, see Server connection.

Activity monitoring and auditing

Track user activities to prevent security incidents and support post-incident analysis.

Monitoring targets

User activity logs

You can check each user’s activity history:

  • Login time and IP address
  • Server access history
  • Configuration change history
  • Task success/failure status

For more details, see User detail - Activity tab.

Server access history

You can check the history of users and groups that accessed each server:

  • Access records by system user
  • Access records by system group

For more details, see Server detail - Access tab.

Command execution history

You can check the record of commands executed on servers:

  • Execution time and user
  • Command content and results

For more details, see Server detail - Activity tab.

Permission management checklist

A checklist for effective permission management.

Initial setup

  • Design and create groups matching your organizational structure
  • Assign appropriate servers to each group
  • Determine roles (User/Staff/Superuser) for each user
  • Place users in appropriate groups

Operations phase

  • Grant minimum permissions when registering new users
  • Assign new servers only to appropriate groups
  • Allow access to sensitive servers only to restricted groups
  • Minimize server list in default group (Alpacon users)

Regular reviews

  • Review user permissions quarterly (roles and group memberships)
  • Immediately deactivate or delete accounts of departed employees
  • Check and take action on long-unused accounts
  • Review appropriateness of group structures
  • Identify abnormal behavior patterns in activity logs

Security enhancements

  • Restrict production server access to Senior level and above
  • Limit Superuser role to 2-3 people
  • Consider dual approval process for critical operations
  • Provide regular security training and share guidelines