Role Permissions

| Permission | Usage |
| --- | --- |
| sources-view | Allow viewing user and host directory configuration. |
| sources-manage | Allow creating and modifying user and host directories, bringing new users and hosts to PrivX. |
| roles-view | Allow viewing existing roles and role configurations. |
| roles-manage | Allow creating and modifying roles. NOTE: this gives permission to grant roles to any user, so granting this permission is effectively the same as granting superuser permissions. |
| workflows-view | Allow viewing existing workflows and permissions. |
| workflows-manage | Allow creating and modifying workflows. NOTE: this can be used for granting approval access to restricted roles. Use carefully. |
| workflows-requests | Allow creating role approval requests via workflows. |
| workflows-requests-on-behalf | Allow creating role approval requests on behalf of another user. For example, a manager can request more permissions on behalf of an employee. |
| users-view | Allow viewing existing users. |
| users-manage | Allow modifying existing local users. Does not apply to users from third-party user directories, like AD. |
| hosts-view | Allow viewing existing hosts for the access group defined for the role. |
| hosts-manage | Allow modifying existing hosts' configuration for the access group defined for the role. |
| vault-add | Allow creating vault secrets. |
| vault-manage | Allow creating and modifying existing vault secrets. |
| connections-authorize | Allow API clients to fetch SSH access credentials from the Authorizer. |
| connections-view | Enable the connection monitoring view and show the connection metadata. Access groups are taken into account. |
| connections-manage | Enable access role grant, revoke and listing for the connections. |
| connections-playback | Enable connection playback and playback search. Access groups are taken into account. |
| connections-trail | Enable viewing connection logs. Logs reveal all user inputs, some of which may not be revealed in connection playback. Enable viewing transferred files in the connection. Enable viewing clipboard contents in RDP connections. Access groups are taken into account. |
| connections-terminate | Enable ongoing connection termination. |
| connections-manual | Enable manual connections. |
| connections-authorize | Enable fetching access credentials from the Authorizer REST API. API clients require this permission to be able to fetch access credentials. PrivX users can also fetch access credentials without this permission. |
| access-groups-manage | Allow creating and modifying access groups. |
| logs-view | Allow viewing audit event logs. |
| logs-manage | Allow creating and modifying cloud log collectors. |
| role-target-resources-view | Allow viewing AWS role <-> PrivX role mappings. |
| role-target-resources-manage | Allow modifying AWS role <-> PrivX role mappings. |
| authorized-keys-manage | Allow importing and modifying the current user's authorized keys for SSH Bastion login. |
| api-clients-manage | Allow creating and modifying API Clients for scripted access via REST API. |
| licenses-manage | Allow modifying the PrivX license. |
| settings-view | Allow viewing PrivX settings. |
| settings-manage | Allow viewing and modifying PrivX settings. |

