Roles and permissions reference

Roles determine what a user or service account can do within Itential Cloud and its licensed components. All available roles are listed below, organized by product and application.

To learn how Itential Cloud uses roles to govern permissions, see Manage users and groups.

Roles marked with an asterisk (*) are currently non-functional as they undergo further development.

Cloud API

Roles in the Cloud API collection govern permissions for the Itential Cloud portal UI and API.

Role	Description
`clusters:read`	View which cluster Itential Platform instances are assigned to.
`deployments:delete`	Delete Itential Platform instances.
`groups:read`	View groups.
`groups:write`	Create, update, and delete groups.
`insights:view`	Access Insights.
`jobs:view-detail`	View job details. See Access control in Job Viewer.
`jobs:view-metadata`	View all job and task information except variables. See Access control in Job Viewer.
`organizations:read`	Retrieve license information including the current Itential Platform instance limit. Required to create new Itential Platform instances.
*`organizations:write`	N/A
`security:read`	View security information of user accounts.
`security:write`	Edit security permissions of user accounts.
`training-deployments:read`	View Itential Academy training environments. Required to launch a training environment.
`training-deployments:write`	Create and delete Itential Academy training environments. Required to launch a training environment.
`users:read`	View user accounts.
`users:write`	Create, update, and delete user accounts.

Gateway Manager

Roles in the Gateway Manager collection govern permissions for the Gateway Manager UI and API.

Role	Description
`certificate:read`	View certificates.
`certificate:create`	Add certificates to the certificate store.
`certificate:update`	Update the certificate alias.
`certificate:delete`	Delete a certificate.
`gateway:read`	View a specific gateway. Requires assignment to an authorization group with `gateway:read` that is assigned to the gateway.
`gateway:create`	Create a gateway.
`gateway:update`	Update a specific gateway. Requires assignment to an authorization group with `gateway:update` that is assigned to the gateway.
`gateway:delete`	Delete a specific gateway. Requires assignment to an authorization group with `gateway:delete` that is assigned to the gateway.
`service-group:read`	View service groups associated with a specific gateway. Requires assignment to an authorization group with `service-group:read` that is assigned to the gateway.
`service-group:create`	Create a service group associated with a specific gateway. Requires assignment to an authorization group with `service-group:create` that is assigned to the gateway.
`service-group:update`	Update service groups associated with a specific gateway. Requires assignment to an authorization group with `service-group:update` that is assigned to the gateway.
`service-group:delete`	Delete service groups associated with a specific gateway. Requires assignment to an authorization group with `service-group:delete` that is assigned to the gateway.
`service:run`	Run a service via the `runService` workflow task or API. Requires assignment to an authorization group with `service:run` assigned to the gateway or a service group.
`service:read`	View a specific service via the `runService` workflow task or API. Requires assignment to an authorization group with `service:read` assigned to the gateway or a service group.

Inventory Manager

Roles in the Inventory Manager collection govern permissions for the Inventory Manager UI and API.

Role	Description
`inventory:read`	View inventories, nodes, and actions.
`inventory:create`	Create inventories, nodes, and actions.
`inventory:update`	Modify existing inventory resources and manage actions.
`inventory:delete`	Delete inventories, nodes, and actions.
`inventory:run`	Execute actions against inventory nodes.

Itential Platform

Roles in the Itential Platform collection govern permissions for a specific Itential Platform instance.

Admin Essentials

Role	Description
`adapters:delete`	Delete adapters, integrations, and integration models.
`adapters:read`	View information about adapters, integrations, and integration models.
`adapters:write`	Create and update adapters, integrations, and integration models.
`groups:read`	View user groups.
`indexes:read`	View information in Admin Essentials.
`prebuilts:delete`	Uninstall pre-builts.
`prebuilts:read`	View installed pre-builts.
`prebuilts:write`	Install pre-builts.
`prebuilts:repositories:delete`	Delete pre-built repositories.
`prebuilts:repositories:read`	View pre-built repositories.
`prebuilts:repositories:write`	Create and edit pre-built repositories.
`roles:read`	View user roles.
`tags:delete`	Delete tags.
`tags:read`	View tags.
`tags:write`	Create and edit tags.
`users:read`	View user accounts.

Automation Studio

Role	Description
`forms:admin`	Create, update, and delete form groups.
`forms:delete`	Delete forms.
`forms:read`	View forms.
`forms:write`	Create and edit forms.
`mops:delete`	Delete command templates.
`mops:read`	View command templates.
`mops:run`	Execute command templates.
`mops:write`	Create and edit command templates.
`templates:delete`	Delete templates.
`templates:read`	View templates.
`templates:write`	Create and edit templates.
`transformations:delete`	Delete transformations.
`transformations:read`	View transformations.
`transformations:write`	Create and edit transformations.
`workflows:admin`	Full control of workflows.
`workflows:delete`	Delete workflows.
`workflows:read`	View workflows.
`workflows:write`	Create and edit workflows.

Configuration Manager

Role	Description
`compliance:read`	View device compliance reports.
`compliance:run`	Run compliance checks against devices.
`configurations:read`	View current device configurations.
`configurations:write`	Edit current device configurations.
`configurations:golden:delete`	Delete golden configurations.
`configurations:golden:read`	View golden configurations.
`configurations:golden:write`	Create and edit golden configurations.
`configurations:parsers:delete`	Delete configuration parsers.
`configurations:parsers:read`	View configuration parsers.
`configurations:parsers:write`	Create and edit configuration parsers.
`configurations:templates:delete`	Delete configuration templates.
`configurations:templates:read`	View configuration templates.
`configurations:templates:write`	Create and edit configuration templates.
`devices:backups:delete`	Delete device backups.
`devices:backups:read`	View device backups.
`devices:backups:write`	Create, edit, and import device backups.
`devices:groups:delete`	Delete device groups.
`devices:groups:read`	View device groups.
`devices:groups:write`	Create and edit device groups.
`devices:read`	View devices.
`devices:write`	Edit devices.
`pins:delete`	Delete pinned items.
`pins:read`	View pinned items.
`pins:write`	Create and edit pinned items.

Dashboard

Role	Description
`bookmarks:delete`	Delete bookmarks.
`bookmarks:read`	View bookmarks.
`bookmarks:write`	Create and edit bookmarks.
`system:read`	View system information about Itential Platform.

NSO Manager

Role	Description
`nso:cdb:admin`	Set items in NACM groups.
`nso:cdb:read`	Execute REST queries.
`nso:cdb:write`	Set leaf values and execute REST actions.
`nso:commitqueue:read`	View the commit queue.
`nso:commitqueue:write`	Edit the commit queue.
`nso:devices:read`	View devices.
`nso:devices:write`	Run actions and commands on devices.
`nso:groups:read`	View authorization groups.
`nso:neds:read`	View NEDs.

Operations Manager and Workflow Engine

Role	Application	Description
`jobs:admin`	Operations Manager	Create, view, update, and delete job groups.
`jobs:delete`	Operations Manager and Workflow Engine	Cancel jobs.
`jobs:read`	Operations Manager and Workflow Engine	View jobs.
`jobs:write`	Operations Manager and Workflow Engine	Create, start, and work jobs.
`tasks:admin`	Operations Manager	Full control of any tasks.
`tasks:read`	Operations Manager	View tasks.
`tasks:work`	Operations Manager	Interact with actionable tasks.
`workflows:engine:read`	Workflow Engine	View the status of Workflow Engine.
`workflows:engine:write`	Workflow Engine	Activate and deactivate Workflow Engine.
`workflows:triggers:delete`	Operations Manager	Delete triggers.
`workflows:triggers:read`	Operations Manager	View triggers.
`workflows:triggers:write`	Operations Manager	Create and edit triggers.

Service Catalog and Service Catalog Builder

Role	Application	Description
`services:instances:delete`	Service Catalog Builder	Delete services.
`services:instances:order`	Service Catalog	Create and invoke service orders.
`services:instances:read`	Service Catalog	View services.
`services:instances:write`	Service Catalog Builder	Create and edit services.
`services:models:delete`	Service Catalog	Delete service models.
`services:models:read`	Service Catalog	View service models.
`services:models:write`	Service Catalog	Create and edit service models.

Miscellaneous roles

Role	Application	Description
`AGManager:admin`	AG Manager	Discover and interact with modules, scripts, and playbooks sourced from IAG. Required to view IAG-sourced content.
`cloud:config:read`	Itential Cloud Portal	View Itential Platform roles available for assignment.
`cloud:config:write`	Itential Cloud Portal	Add, remove, and update Itential Platform roles.
`cloud:directconnect:admin`	Direct Connect	Connect to IAG instances from Itential Platform. Required to view IAG-sourced content.
`cloud:encrypt:read`	App-Encrypt	Use encryption features in Itential Platform.
`datasets:delete`	Data Sets	Delete a data set export.
`datasets:read`	Data Sets	View and search data set exports.
`datasets:write`	Data Sets	Create a data set export.
`search:read`	System Search	Search for resources using the System Search feature.
`tags:assign`	Multiple	Assign tags to resources.