Role Permissions
| Permission | Usage |
|---|---|
| sources-view | Allow viewing user and host directory configuration. |
| sources-manage | Allow creating and modifying user and host directories, bringing new users and hosts into PrivX. |
| sources-data-push | Allow SCIM integration. |
| roles-view | Allow viewing existing roles and role configurations. |
| roles-manage | Allow creating and modifying roles. NOTE: this grants the ability to assign roles to any user, so granting this permission is effectively the same as granting superuser permissions. |
| workflows-view | Allow viewing existing workflows and permissions. |
| workflows-manage | Allow creating and modifying workflows. NOTE: this can be used to grant approval access to restricted roles. Use carefully. |
| workflows-requests | Allow creating role approval requests via workflows. |
| workflows-requests-on-behalf | Allow creating role approval requests on behalf of other users. For example, a manager can request additional permissions on behalf of an employee. |
| users-view | Allow viewing existing users. |
| users-manage | Allow modifying existing local users. Does not apply to users from third-party user directories, such as AD. |
| hosts-view | Allow viewing existing hosts in the access group defined for the role. |
| hosts-manage | Allow modifying the configuration of existing hosts in the access group defined for the role. |
| vault-add | Allow creating global secrets. Allow granting other users read/write access to the user's own personal secrets. |
| vault-manage | Allow creating and modifying existing global and personal vault secrets. |
| connections-view | Enable the connection monitoring view, showing connection metadata. Access groups are taken into account. |
| connections-manage | Enable granting, revoking and listing access roles for connections. |
| connections-playback | Enable connection playback and playback search. Access groups are taken into account. |
| connections-trail | Enable viewing connection logs. Logs reveal all user inputs, some of which may not be shown in connection playback. Also enable viewing files transferred in the connection and clipboard contents in RDP connections. Access groups are taken into account. |
| connections-terminate | Enable terminating ongoing connections. |
| connections-manual | Enable manual connections. |
| connections-authorize | Enable fetching access credentials from the authorizer REST API. API clients require this permission to fetch access credentials. PrivX users can also fetch access credentials without this permission. |
| access-groups-manage | Allow creating and modifying access groups. |
| logs-view | Allow viewing audit event logs. |
| logs-manage | Allow creating and modifying cloud log collectors. |
| requests-view | Allow displaying and searching the user's requests via the PrivX API. |
| role-target-resources-view | Allow viewing mappings between AWS roles and PrivX roles. |
| role-target-resources-manage | Allow modifying mappings between AWS roles and PrivX roles. |
| authorized-keys-manage | Allow importing and modifying the current user's authorized keys for SSH Bastion login. |
| api-clients-manage | Allow creating and modifying API clients for scripted access via the REST API. |
| licenses-manage | Allow modifying the PrivX license. |
| settings-view | Allow viewing PrivX settings. |
| settings-manage | Allow viewing and modifying PrivX settings. |
| network-targets-manage | Allow adding, editing, deleting, and viewing network targets. |
| network-targets-view | Allow viewing network targets. |
| idp-clients-view | Allow viewing IDP clients via the PrivX API. |
| idp-clients-manage | Allow managing IDP clients via the PrivX API. |
| ueba-view | Allow viewing UEBA configurations via the PrivX API. |
| ueba-manage | Allow managing UEBA configurations via the PrivX API. |
| webauthn-credentials-manage | Allow users to manage their own passkeys. |
| mobilegw-view | Allow viewing the current Mobile Application Gateway registration status. Required for Multi-Factor Authentication with PrivX Authorizer. |
| mobilegw-manage | Allow registering/unregistering PrivX with the Mobile Application Gateway. Used for Multi-Factor Authentication with PrivX Authorizer. |
| target-domains-view | Allow viewing target-domain data. NOTE: also required for modifying target domains in host settings. |
| target-domains-manage | Allow managing target domains. |
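The table flags two permissions (`roles-manage`, `workflows-manage`) as escalation paths and one (`connections-trail`) as exposing session content that playback does not show. A least-privilege review of role definitions should catch those, plus typos that silently grant nothing. The script below is an added example, not PrivX code: it audits role records against the permission names in this table. The role records are constructed dicts with `name` and `permissions` keys, an assumed shape for illustration rather than the PrivX API's own format.

```python
"""Added example (not PrivX code): audit role definitions against the
permission reference table above.

Role records are constructed dicts with "name" and "permissions" keys;
this shape is assumed for illustration, not the PrivX API's format.
"""

# Every permission name listed in the reference table.
KNOWN_PERMISSIONS = frozenset({
    "sources-view", "sources-manage", "sources-data-push",
    "roles-view", "roles-manage",
    "workflows-view", "workflows-manage", "workflows-requests",
    "workflows-requests-on-behalf",
    "users-view", "users-manage", "hosts-view", "hosts-manage",
    "vault-add", "vault-manage",
    "connections-view", "connections-manage", "connections-playback",
    "connections-trail", "connections-terminate", "connections-manual",
    "connections-authorize",
    "access-groups-manage", "logs-view", "logs-manage", "requests-view",
    "role-target-resources-view", "role-target-resources-manage",
    "authorized-keys-manage", "api-clients-manage", "licenses-manage",
    "settings-view", "settings-manage",
    "network-targets-manage", "network-targets-view",
    "idp-clients-view", "idp-clients-manage", "ueba-view", "ueba-manage",
    "webauthn-credentials-manage", "mobilegw-view", "mobilegw-manage",
    "target-domains-view", "target-domains-manage",
})

# Permissions whose table entry carries an explicit caution: holders can
# extend their own or other users' access.
ESCALATION_RISK = {
    "roles-manage": "can grant roles to any user; effectively superuser",
    "workflows-manage": "can grant approval access to restricted roles",
}

# Permissions that expose sensitive session content beyond playback.
SENSITIVE_DATA = {
    "connections-trail": "reveals all user inputs, transferred files, RDP clipboard",
}


def audit_role(role: dict) -> dict:
    """Return findings for one role: unknown permission names, escalation-risk
    and sensitive-data permissions, and whether it is effectively superuser."""
    perms = set(role.get("permissions", []))
    return {
        "name": role.get("name", "<unnamed>"),
        # Misspelled names grant nothing and hide the intended permission.
        "unknown": sorted(perms - KNOWN_PERMISSIONS),
        "escalation_risk": sorted(perms & set(ESCALATION_RISK)),
        "sensitive_data": sorted(perms & set(SENSITIVE_DATA)),
        # Per the table, roles-manage alone is equivalent to superuser.
        "effectively_superuser": "roles-manage" in perms,
    }


def audit_roles(roles: list) -> list:
    """Audit every role and keep only those with at least one finding."""
    findings = []
    for role in roles:
        result = audit_role(role)
        if result["unknown"] or result["escalation_risk"] or result["sensitive_data"]:
            findings.append(result)
    return findings


# Constructed sample roles for the demonstration, not real PrivX data.
SAMPLE_ROLES = [
    {"name": "auditor",
     "permissions": ["logs-view", "connections-view", "connections-playback"]},
    {"name": "helpdesk",
     "permissions": ["users-view", "hosts-view", "roles-manage"]},
    {"name": "approver",
     "permissions": ["workflows-view", "workflows-manage", "conections-trail"]},
]

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
```

Run as-is, the script reports `helpdesk` as effectively superuser through `roles-manage` and `approver` both for `workflows-manage` and for the misspelled `conections-trail`; the read-only `auditor` role produces no finding. Extend `ESCALATION_RISK` with any further permissions your deployment treats as privileged.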