Team members can be granted access to multiple Lacework accounts and have different roles for each account. Team members can also be granted organization-level roles.
Create Team Members for an Account
- Log in to the Lacework Console as a Lacework account administrator.
- Navigate to Settings > Team Members.
- Click + Create New.
- Enter the member's name, email, and company.
- Select a role for the member.
- Click Save.
The new member appears in the table.
Use controls to enable/disable individual members. You can also filter and delete team members. To delete a member, select its checkbox and click the delete icon.
Create Team Members for an Organization
- Log in to the Lacework Console as a Lacework organization administrator.
- Navigate to Settings > Team Members.
- Click + Create New.
- Enter the member's name, email, and company.
- Determine whether the member is an organization administrator.
If the member is an organization admin, the member has admin privileges for organization settings and admin privileges for all accounts within the organization. Skip to the last step. - Determine whether the member is an organization user. If the member is an organization user, the member has user privileges for organization settings and user privileges for all accounts within the organization. You can still grant the account administrator role for specific accounts.
If the member is not an organization user, the user cannot access organization settings and does not have any privileges for accounts except what you specifically grant in the two following fields. - Select accounts where the member is an account administrator.
- Select accounts where the member is an account user.
- Click Save.
The new member appears in the table.
View Team Members Page
Go to Settings > Team Members to display the Team Members page. You can view the Name, Email, Role, Updated, Last Login Time, and Status on this page. In Lacework v4.22 and later, the Last Login Time displays the updated timestamp when you log in. If you have not logged in before, the Last Login Time displays -- instead of a timestamp.
Use controls to enable or disable individual members. You can also filter and delete team members. To delete a member, select the corresponding checkbox and click the delete icon.
Multiple Accounts
Team members can have access to more than one account. To see which accounts a member can access, click the number in the Accounts column.
If you are an organization administrator or user, you may have access to multiple accounts. Click the account name near the top right corner under the role name and select an account to switch to. The organization dashboard is indicated by (Organization). The account used to initially enroll in the organization is indicated by (Account). If the account you want to switch to is not listed in the drop-down menu, click View All Accounts to display the full list of accounts that you can access. Click Go to switch to that account. The current account has a disabled Go button.
If you have access to multiple accounts, logging in automatically directs you to the last account you used. If that account is not available, the first account alphabetically is used.
Account Roles
Lacework supports the following account roles: user and administrator. The following tables display privilege differences between users and administrators.
Application Settings
| Lacework Functionality | User | Administrator |
|---|---|---|
| Settings > API Keys | No access | Full access |
| Settings > Agents | View only | Full access |
| Settings > Alert Routing | View only | Full access |
| Settings > Audit Logs | View only | Full access |
| Settings > Authentication | View only | Full access |
| Settings > General Settings | View only | Full access |
| Settings > Integrations | View only | Full access |
| Settings > Resource Groups | View only | Full access |
| Settings > Team Members | View only your profile | Full access |
| Settings > Usage | Only view functionality is available | Only view functionality is available |
AWS, Azure, and GCP Compliance Recommendations
| Lacework Functionality | User | Administrator |
|---|---|---|
| Select a recommendation with a violation and then select the option to suppress this recommendation for a single resource or for all resources. Remove the suppression after it has been added. For more information, see Suppression in AWS Compliance Reports - Using Suppression. | No access | Full access |
| Disable a compliance recommendation entirely by turning it off. Enable a compliance recommendation after it has been turned off. For more information, see Advanced Suppression in AWS Compliance Reports - Using Suppression. | No access | Full access |
Organization Roles
Lacework supports the following organization roles: user and administrator.
Members with the organization user role have view only privileges to all organization-level settings. They also have user role access to all underlying accounts within the organization.
Members with the organization administrator role have full access to all organization-level settings. They also have administrator role access to all underlying accounts within the organization.