TantoC2 implements a four-tier role-based access control system with dynamic collector grants.
## Roles
| Role | Description |
|---|---|
| Admin | Full system access. Manages users, engagements, and system configuration. Implicit access to all engagements. |
| Operator | Manages agents, executes modules, manages listeners, builds agents, manages credentials. Requires per-engagement access grants. |
| Spectator | Read-only access. Views agents, results, credentials, audit logs, and listeners. Cannot execute any actions. |
| Collector | Same baseline as Spectator. Can receive dynamic, time-limited grants for specific actions scoped to specific agents. |
## Permissions Matrix
| Capability | Admin | Operator | Spectator | Collector |
|---|---|---|---|---|
| Manage users | Yes | — | — | — |
| Manage engagements | Yes | — | — | — |
| Manage system config | Yes | — | — | — |
| Manage agents | Yes | Yes | — | Grant |
| Execute modules | Yes | Yes | — | Grant |
| Manage listeners | Yes | Yes | — | — |
| Build agents | Yes | Yes | — | — |
| Manage credentials | Yes | Yes | — | — |
| View agents | Yes | Yes | Yes | Yes |
| View results | Yes | Yes | Yes | Yes |
| View credentials | Yes | Yes | Yes | Yes |
| View audit log | Yes | Yes | Yes | Yes |
| View listeners | Yes | Yes | Yes | Yes |
| Grant collector perms | Yes | Yes | — | — |
“Grant” indicates the capability is available only when a dynamic grant has been issued.
## Engagement-Scoped Access
Non-admin operators must be explicitly granted access to each engagement before they can act within it.
Admins have implicit access to all engagements.
## Collector Dynamic Grants
Collectors can receive temporary, scoped permissions from Operators or Admins.
Grants can be:
- Agent-scoped: limited to specific agents (`agent_ids` list) or all agents (`agent_ids: null`)
- Time-limited: expires at a specific time (`expires_at`) or permanent (`expires_at: null`)
A grant can also be revoked explicitly before it expires.
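The following is an added illustration, not TantoC2's own code: it encodes the permission matrix, engagement scoping and collector grant rules above as a single `authorize()` check. Capability names, the `Grant`/`Principal` types and the assumption that every non-admin role needs an engagement grant are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
# Hypothetical encoding of the permission matrix above (not TantoC2's own code).
STATIC = {
    "admin": {"manage_users", "manage_engagements", "manage_config", "manage_agents",
              "execute_modules", "manage_listeners", "build_agents", "manage_credentials",
              "grant_collector"},
    "operator": {"manage_agents", "execute_modules", "manage_listeners", "build_agents",
                 "manage_credentials", "grant_collector"},
    "spectator": set(), "collector": set(),
}
VIEW = {"view_agents", "view_results", "view_credentials", "view_audit_log", "view_listeners"}
GRANTABLE = {"manage_agents", "execute_modules"}  # the "Grant" cells in the matrix

@dataclass
class Grant:
    capability: str
    agent_ids: Optional[List[str]]  # None = all agents
    expires_at: Optional[datetime]  # None = permanent
    revoked: bool = False

    def covers(self, capability: str, agent_id: Optional[str], now: datetime) -> bool:
        if self.revoked or self.capability != capability:
            return False
        if self.expires_at is not None and now >= self.expires_at:
            return False  # an expired grant confers nothing
        return self.agent_ids is None or agent_id in self.agent_ids

@dataclass
class Principal:
    role: str
    engagements: set = field(default_factory=set)  # explicit engagement grants
    grants: List[Grant] = field(default_factory=list)

def authorize(p: Principal, capability: str, engagement: str,
              agent_id: Optional[str] = None, now: Optional[datetime] = None) -> bool:
    now = now or datetime.now(timezone.utc)
    # Admins have implicit access to all engagements; every other role is assumed to need one.
    if p.role != "admin" and engagement not in p.engagements:
        return False
    if capability in VIEW or capability in STATIC[p.role]:
        return True
    if p.role == "collector" and capability in GRANTABLE:
        return any(g.covers(capability, agent_id, now) for g in p.grants)
    return False

# Constructed sample: a collector with a one-hour grant to execute modules on agent "a1" only.
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
COLLECTOR = Principal("collector", {"eng-1"},
                      [Grant("execute_modules", ["a1"], T0 + timedelta(hours=1))])
```

Running `authorize(COLLECTOR, "execute_modules", "eng-1", agent_id="a1", now=T0)` returns True, while the same call for agent "a2", for a time after expiry, or after setting `revoked = True` returns False.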
## Web UI Behavior
The web UI adapts based on role:
- Spectators: Action buttons (create, execute, start, stop, kill) are hidden or disabled
- Collectors: Same as spectators, plus any dynamically granted actions
- Operators: Full action controls for granted engagements
- Admins: Everything, including Admin and Engagements management pages
## Protection Rules
- The last admin cannot be demoted, deactivated, or deleted
- Force-logout invalidates all tokens for an operator immediately
- All actions are logged in the audit log with role and principal attribution