Roles, Permissions, and Ownership

Thorium uses groups to grant access to resources and role-based permissions to limit the ability of individuals to conduct certain operations on those resources.

Resource Ownership and Access

All resources within Thorium including files and analysis pipelines are owned by the person that created them, but uploaded to a group. Only group members and those with the Admin system role can access a group's resources or even know that a particular resource like a file has been uploaded. This explicit groups-based access model helps to prevent information leakage and supports multitenancy of the Thorium system. Different groups can use the same Thorium instance without risking sensitive data being leaked across groups. In order for a user to have access to resources, such as files, the user can be added to that resource's group or the resource can be reuploaded to one of the user's existing groups.

Roles

Roles within Thorium are scoped at two different levels: System and Group. The capabilities granted by Group roles apply to resources within a specific group while System roles apply globally.

System Roles

System roles primarily exist to limit individuals from conducting certain sensitive actions at a global level. Since anyone with a Thorium account can create their own groups, there is no practical way to limit certain actions using only Group roles.

A Thorium account will only have one System role at a time: User, Developer, or Admin. When you first register for an account, you are granted the User system role by default. This will allow you to conduct analysis within Thorium, but does not allow you to create new analysis pipelines or give you any privileged access to data outside of your groups. If your interactions with Thorium require you to add or modify existing pipelines or tools (called images), you will need a Thorium Admin to give you the Developer role. The Developer role is considered a privileged role because it effectively allows an account holder to execute arbitrary binaries/commands within Thorium's sandboxed analysis environments.

The Thorium Admin role grants access to view and modify all resources within Thorium, irrespective of the resource's group. In contrast, a User or Developer must still have the correct group membership and group role if they plan on using the resources of that group. Each Thorium deployment should have at least one person with the Admin system role. Admins help to curate the data hosted in Thorium and provide continuity when group members leave the hosting organization.

The following table summarizes the abilities granted by Thorium's three System level roles and any limitations that apply to those granted abilities:

You can view your System role on the profile page, as shown below.

Group Roles

Group roles control your ability to conduct certain operations on the group's resources. Group resources can include images, pipelines, repos, files, tags, comments, and analysis tool results.

There are four group roles: Owner, Manager, User, and Monitor. Anyone with a Thorium account can create their own groups. When you create a new group, you are automatically added as an Owner of the group. When you are added to an existing group your role within the group will be assigned. Group roles and their associated capabilities are defined in the following table.

1. For pipelines and images this ability also requires a Developer or Admin System level role. Without the correct System role, you will not be able to modify or create pipelines or images even if you have the correct group role (Owner, Manager, or User). However, you will still be able to run existing pipelines that other Developers have added so long as you are not a Monitor. ↩ ↩2