Role Permissions
Permission | Usage |
---|---|
sources-view | Allow viewing user and host directory configuration. |
sources-manage | Allow creating and modifying user and host directories, bringing new users and hosts to PrivX. |
roles-view | Allow viewing existing roles and role configurations. |
roles-manage | Allow creating and modifying roles. NOTE: this will give permissions to grant roles to any user, so granting this permission will be effectively the same as granting superuser permissions. |
workflows-view | Allow viewing existing workflows and permissions. |
workflows-manage | Allow creating and modifying workflows. NOTE: this can be used for granting approval access to restricted roles. Use carefully. |
workflows-requests | Allow creating role approval requests via workflows. |
workflows-requests-on-behalf | Allow creating role approval requests on behalf of another user. For example, a manager can request more permissions on behalf of an employee. |
users-view | Allow viewing existing users. |
users-manage | Allow modifying existing local users. Does not apply to users from third-party user directories, such as AD. |
hosts-view | Allow viewing existing hosts for the access group defined for the role. |
hosts-manage | Allow modifying existing hosts' configuration for the access group defined for the role. |
vault-add | Allow creating global secrets. Allow granting read/write access to user's own personal secrets to others. |
vault-manage | Allow creating and modifying existing global and personal vault secrets. |
connections-authorize | Allow API clients to fetch SSH access credentials from the Authorizer. |
connections-view | Enable connection monitoring view, show the connection metadata. Access groups are taken into account. |
connections-manage | Enable access role grant, revoke and listing for the connections. |
connections-playback | Enable connection playback and playback search. Access groups are taken into account. |
connections-trail | Enable viewing connection logs. Logs reveal all user inputs, some of which may not be revealed in connection playback. |
connections-terminate | Enable ongoing connection termination. |
connections-manual | Enable manual connections. |
connections-authorize | Enable fetching access credentials from authorizer REST API. API clients require this permission to be able to fetch access credentials. PrivX users can fetch access credentials also without this permission. |
access-groups-manage | Allow creating and modifying access groups. |
logs-view | Allow viewing audit event logs. |
logs-manage | Allow creating and modifying cloud log collectors. |
role-target-resources-view | Allow viewing AWS role <-> PrivX role mappings. |
role-target-resources-manage | Allow modifying AWS role <-> PrivX role mappings. |
authorized-keys-manage | Allow importing and modifying current user's authorized keys for SSH Bastion login. |
api-clients-manage | Allow creating and modifying API Clients for scripted access via REST API. |
licenses-manage | Allow modifying PrivX license. |
settings-view | Allow viewing PrivX settings. |
settings-manage | Allow viewing and modifying PrivX settings. |