Turbot Guardrails Enterprise (TE) v5.50.0 - Introducing scoped Account/* permissions to help application teams manage their own accounts

Apr 02, 2025
TE

What's new?

  • Server
    • Introducing scoped Account/* permissions to help application teams manage their own accounts.
    • Notifications routing based on permissions.

Bug fixes

  • Server

    • Controls no longer crash when there is a parsing issue in rule-based notifications. Instead, the error is logged gracefully and the control continues running.
    • Fixed a problem where certain operations could trigger a "callback already called" error, improving overall reliability of caching.
    • The Type Installed control now spreads events over time to reduce the likelihood of API throttling during large-scale installations or updates.
    • Guardrails now skips storing resource tags larger than 1 KB to ensure only valid tags are saved and to avoid potential issues later.
    • The osquery worker now correctly uses the TURBOT_RDS_SSL_FILE environment variable to point to the right certificate file, fixing an issue where it previously referenced the wrong path.
    • To improve reliability and performance, Guardrails prioritizes events in the order Type Installed > Policies > Scheduled Actions > Controls.
    • Resolved an issue where authenticated users without the appropriate permissions were able to access process logs.
  • UI

    • Switching between self and descendant modes no longer clears existing filter configurations — your selections will now persist as expected.

Account Permissions

Introduced a new category of permissions, Account/*, designed specifically for application teams who need limited visibility and control over resources within their own accounts. These are distinct from the Turbot/* permissions used by governance teams.

  • Account levels:

    • Account/Owner
    • Account/Admin
    • Account/Operator
    • Account/ReadOnly
  • These levels are now explained alongside Turbot/* levels, with clear usage guidance:

    • Turbot/* — for managing the Guardrails platform
    • Account/* — for managing resources and notifications within cloud accounts

Notification Routing to Guardrails Profiles

You can now route notifications to Guardrails user profiles dynamically based on resource permissions — a major upgrade from static email/webhook targeting. This allows for context-aware delivery to users like Account Owners or Admins.

  • Supported formats:
    • Specific roles like Account/Owner, Turbot/Owner
    • Wildcards like Account/*
    • Special role Account/CC for tagging-based routing
  • Use case:
    • Automatically notify the account teams responsible for a resource, based on their assigned permission
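As an added illustration of the routing semantics described above (not Guardrails' own code or rule syntax), the model below resolves a rule's permission targets against a resource's grants: an exact level matches only profiles holding that level, a wildcard such as Account/* matches any Account/ level, and the special Account/CC target pulls recipients from a resource tag. The grant table, the tag data and the tag key `NotifyCC` are constructed assumptions.

```python
"""Illustrative model of permission-based notification routing.

Added example, not Guardrails' implementation. A rule lists permission
targets; recipients are the profiles that hold a matching level on the
resource, plus tag-listed addresses when Account/CC is named.
"""
from fnmatch import fnmatchcase

# Constructed sample: which profiles hold which permission level on a resource.
GRANTS = {
    "arn:aws:s3:::payroll-bucket": {
        "alice@example.com": ["Account/Owner"],
        "bob@example.com": ["Account/Admin"],
        "carol@example.com": ["Account/ReadOnly"],
        "gov@example.com": ["Turbot/Owner"],
    },
}

# Constructed sample: resource tags. The tag key used for Account/CC is an
# assumption made for this example.
TAGS = {
    "arn:aws:s3:::payroll-bucket": {"NotifyCC": "dave@example.com, erin@example.com"},
}


def resolve_recipients(resource, targets, grants=GRANTS, tags=TAGS, cc_tag="NotifyCC"):
    """Return the sorted set of profiles a rule with `targets` would notify."""
    recipients = set()
    for target in targets:
        if target == "Account/CC":
            # Tagging-based routing: addresses come from the resource's tag.
            raw = tags.get(resource, {}).get(cc_tag, "")
            recipients.update(a.strip() for a in raw.split(",") if a.strip())
            continue
        # Exact levels (Account/Owner) and wildcards (Account/*) are both
        # handled by case-sensitive glob matching against each held level.
        for profile, levels in grants.get(resource, {}).items():
            if any(fnmatchcase(level, target) for level in levels):
                recipients.add(profile)
    return sorted(recipients)


if __name__ == "__main__":
    res = "arn:aws:s3:::payroll-bucket"
    print(resolve_recipients(res, ["Account/Owner"]))
    print(resolve_recipients(res, ["Account/*"]))
    print(resolve_recipients(res, ["Account/CC", "Turbot/Owner"]))
```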

Access Controls Refined for Process Logs

Access to process logs is now restricted to users with appropriate permissions, specifically those with Turbot/Metadata or higher.

Previously, any authenticated user could retrieve process logs via the API. This behavior has been corrected to align with expected permission boundaries and prevent overexposure of operational data.

Requirements

  • TEF: 1.65.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3