Role Permissions

Permission	Usage
sources-view	Allow viewing user and host directory configuration.
sources-manage	Allow creating and modifying user and host directories, bringing new users and hosts to PrivX.
sources-data-push	Allow SCIM integration
roles-view	Allow viewing existing roles and role configurations.
roles-manage	Allow creating and modifying roles. NOTE: this will give permissions to grant roles to any user, so granting this permission will be effectively the same as granting superuser permissions.
workflows-view	Allow viewing existing workflows and permissions.
workflows-manage	Allow creating and modifying workflows. NOTE: this can be used for granting approval access to restricted roles. Use carefully.
workflows-requests	Allow creating role approval requests via workflows.
workflows-requests-on-behalf	Allow creating role approval request on behalf of other user. For example, manager can ask more permissions on behalf of employee.
users-view	Allow viewing existing users.
users-manage	Allow modifying existing local users. Does not apply to users from third party user directories, like AD.
hosts-view	Allow viewing existing hosts for the access group defined for the role.
hosts-manage	Allow modifying existing hosts' configuration for the access group defined for the role.
vault-add	Allow creating global secrets. Allow granting read/write access to user's own personal secrets to others.
vault-manage	Allow creating and modifying existing global and personal vault secrets.
connections-view	Enable connection monitoring view, show the connection metadata. Access groups are taken into account.
connections-manage	Enable access role grant, revoke and listing for the connections.
connections-playback	Enable connection playback and playback search Access groups are taken into account.
connections-trail	Enable viewing connection logs. Logs reveal all user inputs some of which may not be revealed in connection playback. Enable viewing transferred files in the connection. Enable viewing clipboard contents in RDP connection. Access groups are taken into account.
connections-terminate	Enable ongoing connection termination.
connections-manual	Enable manual connections.
connections-authorize	Enable fetching access credentials from authorizer REST API. API clients require this permission to be able to fetch access credentials. PrivX users can fetch access credentials also without this permission.
access-groups-manage	Allow creating and modifying access groups.
logs-view	Allow viewing audit event logs.
logs-manage	Allow creating and modifying cloud log collectors.
requests-view	Allow displaying and searching the user's requests via the PrivX API
role-target-resources-view	Allow viewing AWS role <-> PrivX role mappings.
role-target-resources-manage	Allow modifying AWS role <-> PrivX role mappings.
authorized-keys-manage	Allow importing and modifying current user's authorized keys for SSH Bastion login.
api-clients-manage	Allow creating and modifying API Clients for scripted access via REST API.
licenses-manage	Allow modifying PrivX license.
settings-view	Allow viewing PrivX settings
settings-manage	Allow viewing and modifying PrivX settings
network-targets-manage	Allow adding, editing, deleting, and viewing network targets
network-targets-view	Allow viewing network targets
idp-clients-view	Allow viewing IDP clients via the PrivX API.
idp-clients-manage	Allow managing IDP clients via the PrivX API.
ueba-view	Allow viewing UEBA configurations via the PrivX API.
ueba-manage	Allow managing UEBA configurations via the PrivX API.
webauthn-credentials-manage	Allow users to manage their own Passkeys.
mobilegw-view	Allow viewing the current Mobile Application Gateway registration status. Required for Multi-Factor Authentication with PrivX Authorizer.
mobilegw-manage	Allow registering/unregistering PrivX from Mobile Application Gateway. Multi-Factor Authentication with PrivX Authorizer