Assigning Roles and Permissions
  • 08 Nov 2024

Roles determine what a user or a Service Account has the rights to do inside Itential Cloud and its licensable components. All the roles available for assignment in the Itential Cloud Portal are presented below, organized by role collection and, where relevant, by affected application.

To learn how Itential Cloud uses roles to govern permissions, go to Groups.

Cloud API

Roles in the Cloud API collection govern permissions related to functions of the Itential Cloud Portal UI and API.

| Role | Description |
|---|---|
| clusters:read | Allows a user to view which cluster IAP instances are assigned to. |
| deployments:delete | Allows a user to delete IAP instances. |
| deployments:read | Allows a user to view and search for IAP instances. |
| deployments:write | Allows a user to create IAP instances. |
| groups:read | Allows a user to view groups. |
| groups:write | Allows a user to create, update, and delete groups. |
| organizations:read | Allows a user to retrieve license information, including the current IAP instance limit. Users that do not have this role will be unable to create new IAP instances. |
| organizations:write* | N/A |
| security:read | Allows a user to view the security information of user accounts. |
| security:write | Allows a user to edit the security permissions of user accounts. |
| users:read | Allows a user to view user accounts. |
| users:write | Allows a user to create, update, and delete user accounts. |

Roles marked with an asterisk (*) are currently non-functional as they undergo further development.

Itential Automation Service

Roles in the Itential Automation Service collection govern permissions related to functions of the Itential Automation Service UI and API.

| Role | Description |
|---|---|
| cloud-automation:read | Allows a user to view an Automation. |
| cloud-automation:run | Allows a user to run an Automation. |
| cloud-certificate:read | Allows a user to view a Certificate. |
| cloud-certificate:create | Allows a user to add a Certificate. |
| cloud-certificate:delete | Allows a user to delete a Certificate. |
| cloud-gateway:read | Allows a user to view a Gateway. |
| cloud-gateway:create | Allows a user to create a Gateway. |
| cloud-gateway:update | Allows a user to update a Gateway. |
| cloud-gateway:delete | Allows a user to delete a Gateway. |
| cloud-job:read | Allows a user to view a running or completed Automation. |
| cloud-job:delete | Allows a user to delete a completed Automation. |
| cloud-schedule:read | Allows a user to view a Schedule. |
| cloud-schedule:create | Allows a user to create a Schedule. |
| cloud-schedule:update | Allows a user to update a Schedule. |
| cloud-schedule:delete | Allows a user to delete a Schedule. |

IAP

Roles in the IAP collection govern permissions related to a specific instance of IAP.

Admin Essentials

| Role | Description |
|---|---|
| adapters:delete | Allows a user to delete adapters, integrations, and integration models. |
| adapters:read | Allows a user to view information about adapters, integrations, and integration models. |
| adapters:write | Allows a user to create and update adapters, integrations, and integration models. |
| groups:read | Allows a user to view user groups. |
| indexes:read | Allows a user to view information in Admin Essentials. |
| prebuilts:delete | Allows a user to uninstall pre-builts. |
| prebuilts:read | Allows a user to view installed pre-builts. |
| prebuilts:write | Allows a user to install pre-builts. |
| prebuilts:repositories:delete | Allows a user to delete pre-built repositories. |
| prebuilts:repositories:read | Allows a user to view pre-built repositories. |
| prebuilts:repositories:write | Allows a user to create and edit pre-built repositories. |
| roles:read | Allows a user to view user roles. |
| tags:delete | Allows a user to delete tags. |
| tags:read | Allows a user to view tags. |
| tags:write | Allows a user to create and edit tags. |
| users:read | Allows a user to view user accounts. |

Automation Studio

| Role | Description |
|---|---|
| forms:admin | Allows a user to create, update, and delete form groups. |
| forms:delete | Allows a user to delete forms. |
| forms:read | Allows a user to view forms. |
| forms:write | Allows a user to create and edit forms. |
| mops:delete | Allows a user to delete command templates. |
| mops:read | Allows a user to view command templates. |
| mops:run | Allows a user to execute command templates. |
| mops:write | Allows a user to create and edit command templates. |
| templates:delete | Allows a user to delete templates. |
| templates:read | Allows a user to view templates. |
| templates:write | Allows a user to create and edit templates. |
| transformations:delete | Allows a user to delete transformations. |
| transformations:read | Allows a user to view transformations. |
| transformations:write | Allows a user to create and edit transformations. |
| workflows:admin | Grants a user full control of workflows. |
| workflows:delete | Allows a user to delete workflows. |
| workflows:read | Allows a user to view workflows. |
| workflows:write | Allows a user to create and edit workflows. |

Configuration Manager

| Role | Description |
|---|---|
| compliance:read | Allows a user to view device compliance reports. |
| compliance:run | Allows a user to run compliance checks against devices. |
| configurations:read | Allows a user to view current device configurations. |
| configurations:write | Allows a user to edit current device configurations. |
| configurations:golden:delete | Allows a user to delete golden configurations. |
| configurations:golden:read | Allows a user to view golden configurations. |
| configurations:golden:write | Allows a user to create and edit golden configurations. |
| configurations:parsers:delete | Allows a user to delete configuration parsers. |
| configurations:parsers:read | Allows a user to view configuration parsers. |
| configurations:parsers:write | Allows a user to create and edit configuration parsers. |
| configurations:templates:delete | Allows a user to delete configuration templates. |
| configurations:templates:read | Allows a user to view configuration templates. |
| configurations:templates:write | Allows a user to create and edit configuration templates. |
| devices:backups:delete | Allows a user to delete device backups. |
| devices:backups:read | Allows a user to view device backups. |
| devices:backups:write | Allows a user to create, edit, and import device backups. |
| devices:groups:delete | Allows a user to delete device groups. |
| devices:groups:read | Allows a user to view device groups. |
| devices:groups:write | Allows a user to create and edit device groups. |
| devices:read | Allows a user to view devices. |
| devices:write | Allows a user to edit devices. |
| pins:delete | Allows a user to delete pinned items. |
| pins:read | Allows a user to view pinned items. |
| pins:write | Allows a user to create and edit pinned items. |

IAP Dashboard

| Role | Description |
|---|---|
| bookmarks:delete | Allows a user to delete bookmarks. |
| bookmarks:read | Allows a user to view bookmarks. |
| bookmarks:write | Allows a user to create and edit bookmarks. |
| system:read | Allows a user to view system information about IAP. |

NSO Manager

| Role | Description |
|---|---|
| nso:cdb:admin | Allows a user to set items in NACM groups. |
| nso:cdb:read | Allows a user to execute REST queries. |
| nso:cdb:write | Allows a user to set leafs and execute REST actions. |
| nso:commitqueue:read | Allows a user to view the commit queue. |
| nso:commitqueue:write | Allows a user to edit the commit queue. |
| nso:devices:read | Allows a user to view devices. |
| nso:devices:write | Allows a user to run actions and commands on devices. |
| nso:groups:read | Allows a user to view authorization groups. |
| nso:neds:read | Allows a user to view NEDs. |

Operations Manager & Workflow Engine

| Role | Application | Description |
|---|---|---|
| jobs:admin | Operations Manager | Allows a user to create, view, update, and delete job groups. |
| jobs:delete | Operations Manager and Workflow Engine | Allows a user to cancel jobs. |
| jobs:read | Operations Manager and Workflow Engine | Allows a user to view jobs. |
| jobs:write | Operations Manager and Workflow Engine | Allows a user to create, start, and work jobs. |
| tasks:admin | Operations Manager | Grants a user full control of any tasks. |
| tasks:read | Operations Manager | Allows a user to view tasks. |
| tasks:work | Operations Manager | Allows a user to interact with actionable tasks. |
| workflows:engine:read | Workflow Engine | Allows a user to view the status of Workflow Engine. |
| workflows:engine:write | Workflow Engine | Allows a user to activate and deactivate Workflow Engine. |
| workflows:triggers:delete | Operations Manager | Allows a user to delete triggers. |
| workflows:triggers:read | Operations Manager | Allows a user to view triggers. |
| workflows:triggers:write | Operations Manager | Allows a user to create and edit triggers. |

Service Catalog & Service Catalog Builder

| Role | Application | Description |
|---|---|---|
| services:instances:delete | Service Catalog Builder | Allows a user to delete services. |
| services:instances:order | Service Catalog | Allows a user to create and invoke service orders. |
| services:instances:read | Service Catalog | Allows a user to view services. |
| services:instances:write | Service Catalog Builder | Allows a user to create and edit services. |
| services:models:delete | Service Catalog | Allows a user to delete service models. |
| services:models:read | Service Catalog | Allows a user to view service models. |
| services:models:write | Service Catalog | Allows a user to create and edit service models. |

Miscellaneous Roles

| Role | Application | Description |
|---|---|---|
| AGManager:admin | AG Manager | Allows a user to discover and interact with modules, scripts, and playbooks sourced from IAG. Users that do not have this role will not be able to view content sourced from IAG. |
| cloud:config:read | Itential Cloud Portal | Allows a user to view IAP roles available for assignment. |
| cloud:config:write | Itential Cloud Portal | Allows a user to add, remove, and update IAP roles. |
| cloud:directconnect:admin | Direct Connect | Allows a user to connect to IAG instances from IAP. Users that do not have this role will not be able to view content sourced from IAG. |
| cloud:encrypt:read | App-Encrypt | Allows a user to use encryption features in IAP. |
| datasets:delete | Data Sets | Allows a user to delete a data set export. |
| datasets:read | Data Sets | Allows a user to view and search data set exports. |
| datasets:write | Data Sets | Allows a user to create a data set export. |
| search:read | System Search | Allows a user to search for resources using the System Search feature. |
| tags:assign | Multiple | Allows a user to assign tags to resources. |
