Access Model
Roles
Polaris has three access levels:
- Unauthenticated — Can browse read-only data: systems, components, technologies, teams, licenses, version constraints, violations, and approvals.
- Authenticated (User) — Can create and manage systems, technologies, version constraints, and submit SBOMs. Can view audit logs and their own profile.
- Superuser — Full administrative access. Can manage teams, users, API tokens, license allow/deny lists, impersonation, and GitHub imports.
Access by Element
The table below shows which operations are available at each access level. A dash (—) means the operation does not apply to that element.
| Element | View | Create | Edit | Delete | Notes |
|---|---|---|---|---|---|
| Systems | Public | Authenticated | Owner team* | Owner team* | * Superusers or members of the system's owner team |
| Repositories | Public | Authenticated | — | — | Added to systems; viewed as part of system detail |
| Components | Public | — | — | — | Created only via SBOM ingestion, never directly |
| Technologies | Public | Authenticated | — | Owner team* | * Superusers or members of the technology's steward team |
| Teams | Public | Superuser | Superuser | Superuser | Full team management is superuser-only |
| Users | Superuser | Superuser | — | Superuser | Technical users only; OAuth users are created on sign-in |
| API Tokens | Superuser | Superuser | — | Superuser | Managed per technical user; token value shown once |
| Version Constraints | Public | Authenticated | Creator* | Creator* | * Superusers or the user who created the version constraint |
| Licenses | Public | — | — | — | Discovered via SBOM ingestion; not directly managed |
| License Allow/Deny | Authenticated | Superuser | Superuser | Superuser | Superusers manage the organization license whitelist |
| Violations | Authenticated | — | — | — | Compliance and version constraint violations; read-only for authenticated users |
| Approvals | Public | Authenticated | — | — | Team members approve technologies for their team |
| SBOMs | — | Authenticated | — | — | Submitted via API; creates/updates components and licenses |
| Audit Logs | Authenticated | — | — | — | Automatically generated; read-only |
| GitHub Import | — | Superuser | — | — | Creates a system from a GitHub repo without cloning |
| Impersonation | Superuser | Superuser | — | Superuser | Start/stop impersonation of other users |
How Elements Are Created
Not all elements are created directly through the UI. The table below clarifies the creation path for each element.
| Element | Creation Method |
|---|---|
| Systems | Created via the UI form or GitHub import |
| Repositories | Added when creating or editing a system, or via GitHub import |
| Components | Discovered automatically when an SBOM is submitted — never created directly |
| Technologies | Created via the UI form by authenticated users |
| Teams | Created via the UI by superusers |
| Users (OAuth) | Created automatically on first sign-in via GitHub OAuth |
| Users (Technical) | Created via the UI by superusers for API access |
| API Tokens | Generated via the UI by superusers for technical users |
| Version Constraints | Created via the UI by authenticated users |
| Licenses | Discovered automatically from SBOM component metadata |
| Approvals | Created when a team member approves a technology for their team |
| Audit Logs | Generated automatically on every create, update, and delete operation |
Superuser-Only Pages
The following pages and actions are only visible in the navigation and UI when the current user (or impersonated user) has the superuser role:
- Users — User list and user detail pages, including technical user creation and API token management.
- Impersonate User — View the application as another user to verify access controls.
- License Allow/Deny — Manage the organization license whitelist and deny list.
- Import from GitHub — Import a system from a GitHub repository on the Systems page.
- Team management — Create, edit, and delete teams on the Teams page.
Impersonation
Superusers can impersonate other users to verify what they see. While impersonating, the UI respects the impersonated user's role — superuser-only actions and navigation items are hidden if the impersonated user is not a superuser.
Audit Trail
All create, update, and delete operations are recorded in the audit log with the user ID, operation type, affected entity, changed fields, and timestamp. The audit log is viewable by authenticated users at /audit.