A security team is not one person. WinSentinel Pro lets you hand the right people the right amount of power over your fleet: an analyst who can scan and remediate, an auditor who can read and export compliance evidence, and a stakeholder who can watch the dashboard without touching anything. Three roles, one precise permission boundary, every privileged action logged.
RBAC is a Pro capability — it governs the fleet control plane. Single-machine WinSentinel needs no accounts or roles at all.
Every member of a fleet has exactly one role. Roles are additive in trust, not nested in code — each endpoint declares precisely which roles it accepts.
The admin role runs scans, pushes policies, dispatches fixes, manages webhooks, and administers the team (invite, change role, revoke, issue tokens): everything an auditor or viewer can do, plus every mutation.
Give to: security engineers / fleet owners.
The auditor role is read-only across the fleet, plus the two things auditors actually need: exporting compliance reports (CIS L1 / SOC 2 / HIPAA) to PDF/CSV and reading the full audit log. It cannot change a single setting.
Give to: GRC / compliance / external auditors.
The viewer role sees fleet-wide posture, per-node scores, and alerts. No mutations, no compliance export, no audit log. It is the safest credential to hand out widely.
Give to: managers, dashboards on a wall, read-only stakeholders.
The license owner is an admin. Whoever holds the raw Pro license key (WSP-XXXX-XXXX-XXXX) is treated as an admin for backward compatibility — that is how the very first admin bootstraps the team before any member tokens exist. After that, day-to-day access should move to per-member tokens so you are not passing the master key around.
The boundary, exactly as the control plane enforces it. A request that exceeds the caller’s role is rejected with 403 Forbidden — nothing is partially applied.
| Capability | viewer | auditor | admin |
|---|---|---|---|
| View fleet posture & per-node scores | ✓ | ✓ | ✓ |
| View drift & regression alerts | ✓ | ✓ | ✓ |
| View compliance rollups (on screen) | ✓ | ✓ | ✓ |
| Export compliance report (PDF / CSV) | — | ✓ | ✓ |
| Read the audit log | — | ✓ | ✓ |
| List team members | — | ✓ | ✓ |
| Run a fleet-wide scan (scan-all) | — | — | ✓ |
| Push a policy / baseline to nodes | — | — | ✓ |
| Dispatch a remote fix | — | — | ✓ |
| Manage webhooks (Slack / Teams) | — | — | ✓ |
| Invite / change role / revoke members | — | — | ✓ |
| Issue / rotate member API tokens | — | — | ✓ |
The split that matters most: auditors can export evidence but cannot change posture, and viewers cannot even export. That is what lets you hand an external auditor a credential that can read evidence but has no way to alter the fleet.
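As an added example (not WinSentinel's control-plane code), here is the boundary above modelled in Python: each endpoint declares the roles it accepts, a credential resolves to exactly one role, and anything beyond it is refused with 403 before a handler runs. The endpoint table, the token store, the owner address and the constant-time comparison are assumptions; only the role matrix and the 403 wording mirror the page. It also default-denies an endpoint that declares no roles, which the page does not describe.

```python
"""Role-per-endpoint authorization, modelled in Python. Added example, not
WinSentinel's control-plane code: the endpoint table, the member token store,
the owner e-mail and the constant-time comparison are assumptions for
illustration; only the role matrix and the 403 text mirror the page."""
from __future__ import annotations

import hmac
from dataclasses import dataclass

# Each endpoint declares exactly which roles it accepts. Nothing is inherited
# in code: admin is listed explicitly on every row it may call.
ENDPOINT_ROLES: dict[tuple[str, str], frozenset[str]] = {
    ("GET", "/fleet/posture"): frozenset({"viewer", "auditor", "admin"}),
    ("GET", "/fleet/alerts"): frozenset({"viewer", "auditor", "admin"}),
    ("GET", "/fleet/compliance/export"): frozenset({"auditor", "admin"}),
    ("GET", "/fleet/audit"): frozenset({"auditor", "admin"}),
    ("GET", "/fleet/team"): frozenset({"auditor", "admin"}),
    ("POST", "/fleet/command"): frozenset({"admin"}),
    ("POST", "/fleet/policy"): frozenset({"admin"}),
    ("POST", "/fleet/team"): frozenset({"admin"}),
}

# Constructed fixtures standing in for the license record and the token store.
LICENSE_KEY = "WSP-7Q2K-9F3M-X8AB"
MEMBER_TOKENS: dict[str, tuple[str, str]] = {
    "wspm_example_auditor": ("auditor@acme.com", "auditor"),
    "wspm_example_viewer": ("wallboard@acme.com", "viewer"),
}


@dataclass(frozen=True)
class Caller:
    kind: str  # "owner" or "member"
    email: str
    role: str


def resolve_caller(headers: dict[str, str], body: dict) -> Caller | None:
    """Map a credential to exactly one role.

    A member token is checked first and resolves to that member's own role,
    so a request carrying both token and license key never inherits the
    owner's admin. The raw license key identifies the owner, who is treated
    as admin. Anything else is unauthenticated (None), not a viewer.
    """
    token = headers.get("X-WSP-Member-Token")
    if token:
        for stored, (email, role) in MEMBER_TOKENS.items():
            if hmac.compare_digest(stored.encode(), token.encode()):  # constant time
                return Caller("member", email, role)
        return None  # unknown or revoked token
    key = str(body.get("licenseKey", ""))
    if hmac.compare_digest(key.encode(), LICENSE_KEY.encode()):
        return Caller("owner", "owner@acme.com", "admin")  # owner e-mail is assumed
    return None


def authorize(method: str, path: str, headers: dict[str, str], body: dict) -> tuple[int, str]:
    """Decide before any handler runs. Returns (status, message)."""
    allowed = ENDPOINT_ROLES.get((method, path))
    if allowed is None:
        # Default deny: an endpoint that declares no roles is unreachable, not open.
        return 403, "Forbidden: endpoint declares no roles"
    caller = resolve_caller(headers, body)
    if caller is None:
        return 401, "Unauthorized: no valid credential"
    if caller.role not in allowed:
        # Refused here; the handler never runs, so nothing is partially applied.
        return 403, f"Forbidden: requires role in [{', '.join(sorted(allowed))}]"
    return 200, f"{caller.kind} {caller.email} as {caller.role}"


if __name__ == "__main__":
    auditor = {"X-WSP-Member-Token": "wspm_example_auditor"}
    print(authorize("GET", "/fleet/compliance/export", auditor, {}))
    print(authorize("POST", "/fleet/command", auditor, {"action": "scan-all"}))
```

Run it directly to see the two calls from the table (an auditor exporting SOC 2 evidence, then being refused scan-all). The detail worth copying is the check order: the member token is resolved before the license key, so a request that carries both gets the member's role, and an unknown token is a 401, not a quiet downgrade to viewer.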
Members do not share the license key. An admin invites someone by email with a role, then issues them a personal API token. That token is sent in the X-WSP-Member-Token header on every request and resolves to their role, not the owner's. Tokens can be rotated or revoked at any moment without disturbing anyone else.
```bash
# invite a read-only compliance auditor (owner bootstrap: the license key is the credential)
curl -X POST https://api.winsentinel.ai/fleet/team \
  -H "Content-Type: application/json" \
  -d '{"licenseKey":"WSP-7Q2K-9F3M-X8AB","email":"auditor@acme.com","role":"auditor"}'

# issue (or rotate) that member's personal API token
curl -X POST https://api.winsentinel.ai/fleet/team/auditor@acme.com/token \
  -H "Content-Type: application/json" \
  -d '{"licenseKey":"WSP-7Q2K-9F3M-X8AB"}'
# => { "ok": true, "token": "wspm_..." }   # shown once; store it safely

# auditors can pull compliance evidence …
curl "https://api.winsentinel.ai/fleet/compliance/export?framework=soc2&format=csv" \
  -H "X-WSP-Member-Token: wspm_..."

# … but a mutation is refused before anything runs
curl -X POST https://api.winsentinel.ai/fleet/command \
  -H "X-WSP-Member-Token: wspm_..." \
  -H "Content-Type: application/json" \
  -d '{"action":"scan-all"}'
# => 403 Forbidden: requires role in [admin]
```
Confirm who a token resolves to with GET /fleet/team/me — it returns the caller’s kind (owner or member), email, and role.
RBAC decides who can; the audit log records who did. Privileged actions — policy pushes, scans, fixes, and every team change — are written to an append-only log capturing the actor’s email, their role at the time, the action, the target, and the source IP. Admins and auditors can read it; nobody can edit or delete entries.
```bash
# the last 50 team changes
curl "https://api.winsentinel.ai/fleet/audit?limit=50&action=team.update" \
  -H "X-WSP-Member-Token: wspm_..."

# filter by who did it
curl "https://api.winsentinel.ai/fleet/audit?actor=engineer@acme.com" \
  -H "X-WSP-Member-Token: wspm_..."
```
This is the evidence a SOC 2 or HIPAA auditor asks for: an append-only record of who changed your security posture, with which role, from where, and when.
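What you do with that record once exported is up to you. As an added example (not WinSentinel tooling), the script below runs the three questions an auditor actually asks over a constructed export: who changed team membership or roles, which actions came from a source IP not previously seen for that actor, and whether any entry's recorded role is below what the action requires (a consistency check of the log against the matrix above, which should always come back empty). The JSON field names, the sample lines, and the action labels other than scan-all and team.update are assumptions.

```python
"""Review an exported audit log for the questions an auditor asks. Added
example, not WinSentinel's own tooling: the JSON field names, the action
labels other than scan-all and team.update, and the sample lines are all
constructed for illustration; the role ranking mirrors the page."""
from __future__ import annotations

import json
from collections import Counter, defaultdict

# Lowest role the page's matrix allows for each logged action. Unknown
# actions are treated as admin-only (conservative).
REQUIRED_ROLE = {
    "compliance.export": "auditor", "audit.read": "auditor",
    "scan-all": "admin", "policy.push": "admin", "fix.dispatch": "admin",
    "team.invite": "admin", "team.update": "admin", "team.revoke": "admin",
    "token.issue": "admin",
}
RANK = {"viewer": 0, "auditor": 1, "admin": 2}

# Constructed export, one JSON object per line. The last entry is a deliberate
# inconsistency (a viewer recorded pushing a policy) so the check below fires;
# a correctly enforcing control plane never writes such a line.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","actor":"engineer@acme.com","role":"admin","action":"team.invite","target":"auditor@acme.com","ip":"203.0.113.10"}
{"ts":"2024-05-01T09:01:00Z","actor":"engineer@acme.com","role":"admin","action":"token.issue","target":"auditor@acme.com","ip":"203.0.113.10"}
{"ts":"2024-05-01T10:00:00Z","actor":"auditor@acme.com","role":"auditor","action":"compliance.export","target":"soc2/csv","ip":"198.51.100.7"}
{"ts":"2024-05-02T02:13:00Z","actor":"engineer@acme.com","role":"admin","action":"scan-all","target":"fleet","ip":"192.0.2.99"}
{"ts":"2024-05-02T02:14:00Z","actor":"engineer@acme.com","role":"admin","action":"team.update","target":"wallboard@acme.com","ip":"192.0.2.99"}
{"ts":"2024-05-02T08:00:00Z","actor":"wallboard@acme.com","role":"viewer","action":"policy.push","target":"cis-l1","ip":"203.0.113.22"}
"""


def parse_audit(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_violations(entries: list[dict]) -> list[dict]:
    """Entries whose recorded role is below what the action requires.
    Expected to be empty; anything here means enforcement and log disagree."""
    return [e for e in entries
            if RANK[e["role"]] < RANK[REQUIRED_ROLE.get(e["action"], "admin")]]


def new_source_ips(entries: list[dict], known: dict[str, set[str]]) -> list[tuple]:
    """Actions from a source IP not previously seen for that actor, in time
    order. `known` seeds each actor's expected IPs (e.g. office egress)."""
    seen: dict[str, set[str]] = defaultdict(set, {a: set(ips) for a, ips in known.items()})
    flagged = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["ip"] not in seen[e["actor"]]:
            flagged.append((e["ts"], e["actor"], e["action"], e["ip"]))
            seen[e["actor"]].add(e["ip"])
    return flagged


def team_changes(entries: list[dict]) -> list[tuple]:
    """Every membership or role change: who changed whom, and when."""
    return [(e["ts"], e["actor"], e["action"], e["target"])
            for e in entries if e["action"].startswith("team.")]


def actions_by_actor(entries: list[dict]) -> dict[str, dict[str, int]]:
    """Per-actor action counts, the usual 'who did what' rollup."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        counts[e["actor"]][e["action"]] += 1
    return {actor: dict(c) for actor, c in counts.items()}


if __name__ == "__main__":
    log = parse_audit(SAMPLE_LOG)
    print("team changes:", team_changes(log))
    print("new IPs:", new_source_ips(log, {"engineer@acme.com": {"203.0.113.10"}}))
    print("violations:", role_violations(log))
    print("by actor:", actions_by_actor(log))
```

Seed `new_source_ips` with the egress addresses you expect for each admin; the 02:13 scan-all and 02:14 role change from 192.0.2.99 in the sample are exactly the kind of entry you want surfaced, and the role-at-the-time field is what lets the consistency check work even after someone's role has since been changed.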
Who gets which role: every member holds exactly one, and any request beyond it is a 403 before anything runs.
admin: the 1–3 people who own security posture and actually remediate. Keep this set small.
auditor: compliance, GRC, and the external auditor you give read-only evidence access during a SOC 2 / HIPAA review.
viewer: engineering managers and execs who want the posture dashboard but should never change a control.
RBAC, per-member tokens, and an immutable audit log are part of WinSentinel Pro — the control plane that turns your free agents into a managed fleet.