Inventory Manager enforces role-based access control at the inventory level and integrates with the Itential Platform secrets manager for credential management.
Role-based access control
Access to inventories, nodes, and actions is controlled through five core roles. Each inventory specifies one or more user groups, and users with appropriate roles in those groups can perform the corresponding operations.
Core roles
- inventory:read: View inventories, nodes, and actions
- inventory:create: Create new inventories, nodes, and actions
- inventory:update: Modify existing resources and manage actions
- inventory:delete: Remove inventories, nodes, and actions
- inventory:run: Execute actions against nodes
How access control works
Inventory-level control:
- Access is controlled at the inventory level through group membership
- Each inventory specifies one or more groups when created
- Users must belong to at least one of the inventory's groups and hold the role required for the operation in that group; a role held in a group the inventory does not list grants no access to it
Example:
{
"name": "prod-routers",
"groups": ["network-ops", "network-admins"],
"description": "Production router inventory"
}
Users in the network-ops or network-admins groups with the inventory:read role can view this inventory. Users with inventory:run can execute actions against its nodes.
Grant access to inventories
To grant users access to an inventory:
- Ensure the user is a member of at least one group assigned to the inventory
- Grant the appropriate Inventory Manager role to the user in that group
- The user can now perform operations based on their role
For details on managing users and groups, see Authorization in the Admin Essentials documentation.
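The group-plus-role check described above, written out as an added example (this is illustrative code, not Itential's implementation). The role names and the inventory document follow the page; the user record shape (roles keyed by group), the operation-to-role mapping, and the function names are assumptions made for the example.

```javascript
// Added example, not Itential's code: a minimal model of inventory-level RBAC.
// A user may perform an operation on an inventory only if they hold the
// required role in a group that the inventory itself lists.

const INVENTORY_ROLES = new Set([
  'inventory:read', 'inventory:create', 'inventory:update',
  'inventory:delete', 'inventory:run',
]);

// Assumed mapping from operation to required role, derived from the role
// descriptions on the page.
const REQUIRED_ROLE = {
  view: 'inventory:read',
  create: 'inventory:create',
  update: 'inventory:update',
  delete: 'inventory:delete',
  run: 'inventory:run',
};

// Constructed inventory, copied from the page's example.
const prodRouters = {
  name: 'prod-routers',
  groups: ['network-ops', 'network-admins'],
  description: 'Production router inventory',
};

// Constructed users. `roles` maps group name -> roles held in that group,
// because a role is granted to a user within a group (step 2 of "Grant access").
const users = {
  alice: { roles: { 'network-ops': ['inventory:read', 'inventory:run'] } },
  bob:   { roles: { 'network-admins': ['inventory:read', 'inventory:update', 'inventory:delete'] } },
  carol: { roles: { 'lab-users': ['inventory:read', 'inventory:run', 'inventory:delete'] } },
};

// Decide whether `user` may perform `operation` on `inventory`.
// Fails closed: unknown operations and inventories without groups are denied.
function canPerform(user, inventory, operation) {
  const needed = REQUIRED_ROLE[operation];
  if (!needed || !INVENTORY_ROLES.has(needed)) return false;
  if (!inventory || !Array.isArray(inventory.groups) || inventory.groups.length === 0) return false;
  // The role must be held in a group the inventory lists. carol holds
  // inventory:delete in lab-users, which prod-routers does not list, so she
  // gets nothing here.
  return inventory.groups.some(g =>
    Array.isArray(user?.roles?.[g]) && user.roles[g].includes(needed));
}

// Every operation a user may perform on an inventory, in REQUIRED_ROLE order.
function allowedOperations(user, inventory) {
  return Object.keys(REQUIRED_ROLE).filter(op => canPerform(user, inventory, op));
}

for (const [name, u] of Object.entries(users)) {
  console.log(name, '->', allowedOperations(u, prodRouters).join(', ') || '(none)');
}
```

Running it shows alice limited to view and run, bob to view, update and delete, and carol denied everything: membership in some group with the right role is not enough, the group has to be one the inventory names.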
Secrets management
Inventory Manager integrates with secrets manager to handle credentials securely. Credential values are never stored in Inventory Manager; only references to secrets are stored, and the values are fetched when an action runs.
Store credential references
Reference credentials using the "$SECRET_path $KEY_path" format in node attributes, action config, or action parameters:
{
"name": "core-router-1",
"attributes": {
"ipaddress": "10.1.1.1",
"username": "$SECRET_path $KEY_path",
"password": "$SECRET_path $KEY_path"
}
}
How secret resolution works
Secrets are resolved at runtime when actions execute:
- Action execution begins against a node
- Inventory Manager identifies $SECRET references in the node attributes and action parameters
- Inventory Manager queries secrets manager for the actual credentials
- Credentials are passed to the IAG 5 service
- The service connects to the device using the resolved credentials
Benefits:
- Credentials never appear in inventory data or logs
- Safe to pass inventory data through workflows
- Credentials are fetched fresh on each action execution
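The resolution sequence above, as an added example (illustrative code, not Itential's implementation). The "$SECRET_path $KEY_path" syntax is the page's; the exact tokenization (one space between the two halves, the reference being the whole attribute value), the in-memory stand-in for secrets manager, and the function names are assumptions. The point it makes is the one the benefits list relies on: resolution produces a separate copy for the connecting service, the stored node keeps only references, and an unresolvable reference fails the execution rather than sending the literal "$SECRET_..." string to a device.

```javascript
// Added example, not Itential's code: runtime resolution of secret references.

// Assumed: a reference occupies the whole string, "$SECRET_<path> $KEY_<key>".
const SECRET_REF = /^\$SECRET_(\S+) \$KEY_(\S+)$/;

// Constructed stand-in for secrets manager: path -> { key: value }.
const secretStore = {
  'network/prod/routers': { user: 'netops-svc', pass: 'c0rrect-h0rse' },
};

function lookupSecret(path, key) {
  const entry = secretStore[path];
  if (!entry || !(key in entry)) return undefined;
  return entry[key];
}

// Walk a value recursively and return a NEW value in which every reference
// string is replaced by the secret. The input (the stored inventory document)
// is not mutated, so what Inventory Manager persists and what flows through a
// workflow stays reference-only.
function resolveSecrets(value, lookup = lookupSecret) {
  if (typeof value === 'string') {
    const m = SECRET_REF.exec(value);
    if (!m) return value;
    const resolved = lookup(m[1], m[2]);
    if (resolved === undefined) {
      // Fail closed: a missing secret must abort the action, not fall through
      // to the device as a literal "$SECRET_..." credential. The message names
      // the path and key only, never a secret value.
      throw new Error(`unresolvable secret reference: path=${m[1]} key=${m[2]}`);
    }
    return resolved;
  }
  if (Array.isArray(value)) return value.map(v => resolveSecrets(v, lookup));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, resolveSecrets(v, lookup)]));
  }
  return value;
}

// Constructed node, following the page's example shape.
const node = {
  name: 'core-router-1',
  attributes: {
    ipaddress: '10.1.1.1',
    username: '$SECRET_network/prod/routers $KEY_user',
    password: '$SECRET_network/prod/routers $KEY_pass',
  },
};

// Constructed action parameters, one of them also a reference.
const actionParams = { enable_secret: '$SECRET_network/prod/routers $KEY_pass', timeout: 30 };

// What the execution step does: resolve node attributes and action parameters
// into a fresh object for the connecting service, leaving the originals intact
// so anything logged about the execution can use the unresolved documents.
function prepareExecution(nodeDoc, params, lookup = lookupSecret) {
  return {
    node: resolveSecrets(nodeDoc, lookup),
    params: resolveSecrets(params, lookup),
  };
}

const prepared = prepareExecution(node, actionParams);
console.log('stored node still holds a reference:', node.attributes.password);
console.log('resolved username handed to the service:', prepared.node.attributes.username);
```

Because each execution calls `prepareExecution` again, a rotated secret takes effect on the next run without touching the inventory, which is the "fetched fresh on each action execution" property.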