Roles determine what a user or a Service Account have the rights to do inside Itential Cloud and its licensable components. All the roles available for assignment in Itential Cloud Portal are presented below, organized by role collection and, where relevant, affected application.
To learn how Itential Cloud uses roles to govern permissions, go to Groups.
Cloud API
Roles in the Cloud API collection govern permissions related to functions of the Itential Cloud Portal UI and API.
Role
Description
clusters:read
Allows a user to view what cluster IAP instances are assigned to.
deployments:delete
Allows a user to delete IAP instances.
deployments:read
Allows a user to view and search for IAP instances.
deployments:write
Allows a user to create IAP instances.
groups:read
Allows a user to view groups.
groups:write
Allows a user to create, update, and delete groups.
organizations:read
Allows a user to retrieve license information including the current IAP instance limit. Users that do not have this role will be unable to create new IAP instances.
*organizations:write
N/A *
security:read
Allows a user to view the security information of user accounts.
security:write
Allows a user to edit the security permissions of user accounts.
users:read
Allows a user to view user accounts.
users:write
Allows a user to create, update, and delete user accounts.
⚠ Roles marked with an asterisk (*) are currently non-functional as they undergo further development.
Itential Automation Service
Roles in the Itential Automation Service collection govern permissions related to functions of the Itential Automation Service UI and API.
Role
Description
cloud-automation:read
Allows a user to view an Automation.
cloud-automation:run
Allows a user to run an Automation.
cloud-certificate:read
Allows a user to view a Certificate.
cloud-certificate:create
Allows a user to add a Certificate.
cloud-certificate:delete
Allows a user to delete a Certificate.
cloud-gateway:read
Allows a user to view a Gateway.
cloud-gateway:create
Allows a user to create a Gateway.
cloud-gateway:update
Allows a user to update a Gateway.
cloud-gateway:delete
Allows a user to delete a Gateway.
cloud-job:read
Allows a user to view a running or completed Automation.
cloud-job:delete
Allows a user to delete a completed Automation.
cloud-schedule:read
Allows a user to view a Schedule.
cloud-schedule:create
Allows a user to create a Schedule.
cloud-schedule:update
Allows a user to update a Schedule.
cloud-schedule:delete
Allows a user to delete a Schedule.
IAP
Roles in the IAP collection govern permissions related to a specific instance of IAP.
Admin Essentials
Role
Description
adapters:delete
Allows a user to delete adapters, integrations, and integration models.
adapters:read
Allows a user to view information about adapters, integrations, and integration models.
adapters:write
Allows a user to create and update adapters, integrations, and integration models.
groups:read
Allows a user to view user groups.
indexes:read
Allows a user to view information in Admin Essentials.
prebuilts:delete
Allows a user to uninstall pre-builts.
prebuilts:read
Allows a user to view installed pre-builts.
prebuits:write
Allows a user to install pre-builts.
prebuilts:repositories:delete
Allows a user to delete pre-built repositories.
prebuilts:repositories:read
Allows a user to view pre-built repositories.
prebuilts:repositories:write
Allows a user to create and edit pre-built repositories.
roles:read
Allows a user to view user roles.
tags:delete
Allows a user to delete tags.
tags:read
Allows a user to view tags.
tags:write
Allows a user to create and edit tags.
users:read
Allows a user to view user accounts.
Automation Studio
Role
Description
forms:admin
Allows a user to create, update, and delete form groups.
forms:delete
Allows a user to delete forms.
forms:read
Allows a user to view forms.
forms:write
Allows a user to create and edit forms.
mops:delete
Allows a user to delete command templates.
mops:read
Allows a user to view command templates.
mops:run
Allows a user to execute command templates.
mops:write
Allows a user to create and edit command templates.
templates:delete
Allows a user to delete templates.
templates:read
Allows a user to view templates.
templates:write
Allows a user to create and edit templates.
transformations:delete
Allows a user to delete transformations.
transformations:read
Allows a user to view transformations.
transformations:write
Allows a user to create and edit transformations.
workflows:admin
Grants a user full control of workflows.
workflows:delete
Allows a user to delete workflows.
workflows:read
Allows a user to view workflows.
workflows:write
Allows a user to create and edit workflows.
Configuration Manager
Role
Description
compliance:read
Allows a user to view device compliance reports.
compliance:run
Allows a user to run compliance checks against devices.
configurations:read
Allows a user to view current device configurations.
configurations:write
Allows a user to edit current device configurations.
configurations:golden:delete
Allows a user to delete golden configurations.
configurations:golden:read
Allows a user to view golden configurations.
configurations:golden:write
Allows a user to create and edit golden configurations.
configurations:parsers:delete
Allows a user to delete configuration parsers.
configurations:parsers:read
Allows a user to view configuration parsers.
configurations:parsers:write
Allows a user to create and edit configuration parsers.
configurations:templates:delete
Allows a user to delete configuration templates.
configurations:templates:read
Allows a user to view configuration templates.
configurations:templates:write
Allows a user to create and edit configuration templates.
devices:backups:delete
Allows a user to delete device backups.
devices:backups:read
Allows a user to view device backups.
devices:backups:write
Allows a user to create, edit, and import device backups.
devices:groups:delete
Allows a user to delete device groups.
devices:groups:read
Allows a user to view device groups.
devices:groups:write
Allows a user to create and edit device groups.
devices:read
Allows a user to view devices.
devices:write
Allows a user to edit devices.
pins:delete
Allows a user to delete pinned items.
pins:read
Allows a user to view pinned items.
pins:write
Allows a user to create and edit pinned items.
IAP Dashboard
Role
Description
bookmarks:delete
Allows a user to delete bookmarks.
bookmarks:read
Allows a user to view bookmarks.
bookmarks:write
Allows a user to create and edit bookmarks.
system:read
Allows a user to view system information about IAP.
NSO Manager
Role
Description
nso:cdb:admin
Allows a user to set items in NACM groups.
nso:cdb:read
Allows a user to execute REST queries.
nso:cdb:write
Allows a user to set leafs and execute REST actions.
nso:commitqueue:read
Allows a user to view the commit queue.
nso:commitqueue:write
Allows a user to edit the commit queue.
nso:devices:read
Allows a user to view devices.
nso:devices:write
Allows a user to run actions and commands on devices.
nso:groups:read
Allows a user to view authorization groups.
nso:neds:read
Allows a user to view NEDs.
Operations Manager & Workflow Engine
Role
Application
Description
jobs:admin
Operations Manager
Allows a user to create, view, update, and delete job groups.
jobs:delete
Operations Manager and Workflow Engine
Allows a user to cancel jobs.
jobs:read
Operations Manager and Workflow Engine
Allows a user to view jobs.
jobs:write
Operations Manager and Workflow Engine
Allows a user to create, start, and work jobs.
tasks:admin
Operations Manager
Grants a user full control of any tasks.
tasks:read
Operations Manager
Allows a user to view tasks.
tasks:work
Operations Manager
Allows a user to interact with actionable tasks.
workflows:engine:read
Workflow Engine
Allows a user to view the status of Workflow Engine.
workflows:engine:write
Workflow Engine
Allows a user to activate and deactivate Workflow Engine.
workflows:triggers:delete
Operations Manager
Allows a user to delete triggers.
workflows:triggers:read
Operations Manager
Allows a user to view triggers.
workflows:triggers:write
Operations Manager
Allows a user to create and edit triggers.
Service Catalog & Service Catalog Builder
Role
Application
Description
services:instances:delete
Service Catalog Builder
Allows a user to delete services.
services:instances:order
Service Catalog
Allows a user to create and invoke service orders.
services:instances:read
Service Catalog
Allows a user to view services.
services:instances:write
Service Catalog Builder
Allows a user to create and edit services.
services:models:delete
Service Catalog
Allows a user to delete service models.
services:models:read
Service Catalog
Allows a user to view service models.
services:models:write
Service Catalog
Allows a user to create and edit service models.
Miscellaneous Roles
Role
Application
Description
AGManager:admin
AG Manager
Allows a user to discover and interact with modules, scripts, and playbooks sourced from IAG. Users that do not have this role will not be able to view content sourced from IAG.
cloud:config:read
Itential Cloud Portal
Allows a user to view IAP roles available for assignment.
cloud:config:write
Itential Cloud Portal
Allows a user to add, remove, and update IAP roles.
cloud:directconnect:admin
Direct Connect
Allows a user to connect to IAG instances from IAP. Users that do not have this role will not be able to view content sourced from IAG.
cloud:encrypt:read
App-Encrypt
Allows a user to use encryption features in IAP.
datasets:delete
Data Sets
Allows a user to delete a data set export.
datasets:read
Data Sets
Allows a user to view and search data set exports.
datasets:write
Data Sets
Allows a user to create a data set export.
search:read
System Search
Allows a user to search for resources using the System Search feature.
tags:assign
Multiple
Allows a user to assign tags to resources.
Was this article helpful?
Thank you for your feedback! Our team will get back to you