Role Permissions
| Permission | Usage |
|---|---|
| sources-view | Allow viewing user and host directory configuration. |
| sources-manage | Allow creating and modifying user and host directories, bringing new users and hosts to PrivX. |
| roles-view | Allow viewing existing roles and role configurations. |
| roles-manage | Allow creating and modifying roles. NOTE: this will give permissions to grant roles to any user, so granting this permission will be effectively the same as granting superuser permissions. |
| workflows-view | Allow viewing existing workflows and permissions. |
| workflows-manage | Allow creating and modifying workflows. NOTE: this can be used for granting approval access to restricted roles. Use carefully. |
| workflows-requests | Allow creating role approval requests via workflows. |
| workflows-requests-on-behalf | Allow creating role approval request on behalf of other user. For example, manager can ask more permissions on behalf of employee. |
| users-view | Allow viewing existing users. |
| users-manage | Allow modifying existing local users. Does not apply to users from third party user directories, like AD. |
| hosts-view | Allow viewing existing hosts for the access group defined for the role. |
| hosts-manage | Allow modifying existing hosts' configuration for the access group defined for the role. |
| vault-add | Allow creating global secrets. Allow granting read/write access to user's own personal secrets to others. |
| vault-manage | Allow creating and modifying existing global and personal vault secrets. |
| connections-authorize | Allow API clients to fetch SSH access credentials from the Authorizer. |
| connections-view | Enable connection monitoring view, show the connection metadata. Access groups are taken into account. |
| connections-manage | Enable access role grant, revoke and listing for the connections. |
| connections-playback | Enable connection playback and playback search Access groups are taken into account. |
| connections-trail | Enable viewing connection logs. Logs reveal all user inputs some of which may not be revealed in connection playback. Enable viewing transferred files in the connection. Enable viewing clipboard contents in RDP connection. Access groups are taken into account. |
| connections-terminate | Enable ongoing connection termination. |
| connections-manual | Enable manual connections. |
| connections-authorize | Enable fetching access credentials from authorizer REST API. API clients require this permission to be able to fetch access credentials. PrivX users can fetch access credentials also without this permission. |
| access-groups-manage | Allow creating and modifying access groups. |
| logs-view | Allow viewing audit event logs. |
| logs-manage | Allow creating and modifying cloud log collectors. |
| role-target-resources-view | Allow viewing AWS role <-> PrivX role mappings. |
| role-target-resources-manage | Allow modifying AWS role <-> PrivX role mappings. |
| authorized-keys-manage | Allow importing and modifying current user's authorized keys for SSH Bastion login. |
| api-clients-manage | Allow creating and modifying API Clients for scripted access via REST API. |
| licenses-manage | Allow modifying PrivX license. |
| settings-view | Allow viewing PrivX settings |
| settings-manage | Allow viewing and modifying PrivX settings |
Updated over 2 years ago