Role Permissions

Permission
Usage
sources-viewAllow viewing user and host directory configuration.
sources-manageAllow creating and modifying user and host directories, bringing new users and hosts to PrivX.
sources-data-pushAllow SCIM integration
roles-viewAllow viewing existing roles and role configurations.
roles-manageAllow creating and modifying roles. NOTE: this will give permissions to grant roles to any user, so granting this permission will be effectively the same as granting superuser permissions.
workflows-viewAllow viewing existing workflows and permissions.
workflows-manageAllow creating and modifying workflows. NOTE: this can be used for granting approval access to restricted roles. Use carefully.
workflows-requestsAllow creating role approval requests via workflows.
workflows-requests-on-behalfAllow creating role approval request on behalf of other user. For example, manager can ask more permissions on behalf of employee.
users-viewAllow viewing existing users.
users-manageAllow modifying existing local users. Does not apply to users from third party user directories, like AD.
hosts-viewAllow viewing existing hosts for the access group defined for the role.
hosts-manageAllow modifying existing hosts' configuration for the access group defined for the role.
vault-addAllow creating global secrets. Allow granting read/write access to user's own personal secrets to others.
vault-manageAllow creating and modifying existing global and personal vault secrets.
connections-viewEnable connection monitoring view, show the connection metadata. Access groups are taken into account.
connections-manageEnable access role grant, revoke and listing for the connections.
connections-playbackEnable connection playback and playback search Access groups are taken into account.
connections-trailEnable viewing connection logs. Logs reveal all user inputs some of which may not be revealed in connection playback. Enable viewing transferred files in the connection. Enable viewing clipboard contents in RDP connection. Access groups are taken into account.
connections-terminateEnable ongoing connection termination.
connections-manualEnable manual connections.
connections-authorizeEnable fetching access credentials from authorizer REST API. API clients require this permission to be able to fetch access credentials. PrivX users can fetch access credentials also without this permission.
access-groups-manageAllow creating and modifying access groups.
logs-viewAllow viewing audit event logs.
logs-manageAllow creating and modifying cloud log collectors.
requests-viewAllow displaying and searching the user's requests via the PrivX API
role-target-resources-viewAllow viewing AWS role - PrivX role mappings.
role-target-resources-manageAllow modifying AWS role - PrivX role mappings.
authorized-keys-manageAllow importing and modifying current user's authorized keys for SSH Bastion login.
api-clients-manageAllow creating and modifying API Clients for scripted access via REST API.
licenses-manageAllow modifying PrivX license.
settings-viewAllow viewing PrivX settings
settings-manageAllow viewing and modifying PrivX settings
network-targets-manageAllow adding, editing, deleting, and viewing network targets
network-targets-viewAllow viewing network targets
idp-clients-viewAllow viewing IDP clients via the PrivX API.
idp-clients-manageAllow managing IDP clients via the PrivX API.
ueba-viewAllow viewing UEBA configurations via the PrivX API.
ueba-manageAllow managing UEBA configurations via the PrivX API.
webauthn-credentials-manageAllow users to manage their own Passkeys.
mobilegw-viewAllow viewing the current Mobile Application Gateway registration status. Required for Multi-Factor Authentication with PrivX Authorizer.
mobilegw-manageAllow registering/unregistering PrivX from Mobile Application Gateway. Multi-Factor Authentication with PrivX Authorizer
target-domains-viewAllows viewing target-domain data. NOTE: Also required for modifying target domains in host settings.
target-domains-manageAllows managing target domains.

Was this page helpful?