Role Permissions
| Permission | Usage | Scope |
|---|---|---|
| access-groups-manage | Allow creating and modifying access groups. | Global |
| access-roles-manage | Allow creating and editing access roles within the specified access group. | Access group |
| api-clients-manage | Allow creating and modifying API Clients for scripted access via the REST API. | Global |
| api-targets-manage | Allow adding, editing, deleting, and viewing API targets. | Access group |
| api-targets-view | Allow viewing API targets. | Access group |
| authorized-keys-manage | Allow importing and modifying the current user's authorized keys for SSH Bastion login. | Global |
| connections-authorize | Enable fetching access credentials from the authorizer REST API. API clients require this permission to be able to fetch access credentials. PrivX users can also fetch access credentials without this permission. | Global |
| connections-manage | Enable access-role grant, revoke, and listing for connections. | Global |
| connections-manual | Enable manual connections. | Global |
| connections-playback | Enable connection playback and playback search. Access groups are taken into account. | Access group |
| connections-terminate | Enable termination of ongoing connections. | Access group |
| connections-trail | Enable viewing connection logs. Logs reveal all user inputs, some of which may not be revealed in connection playback. Enable viewing files transferred in the connection. Enable viewing clipboard contents in RDP connections. Access groups are taken into account. | Access group |
| connections-view | Enable the connection monitoring view, showing connection metadata. Access groups are taken into account. | Access group |
| hosts-manage | Allow modifying the configuration of existing hosts in the access group defined for the role. | Access group |
| hosts-view | Allow viewing existing hosts in the access group defined for the role. | Access group |
| idp-clients-manage | Allow managing IDP clients via the PrivX API. | Global |
| idp-clients-view | Allow viewing IDP clients via the PrivX API. | Global |
| licenses-manage | Allow modifying the PrivX license. | Global |
| logs-manage | Allow creating and modifying cloud log collectors. | Global |
| logs-view | Allow viewing audit event logs. | Global |
| mobilegw-manage | Allow registering/unregistering PrivX with the Mobile Application Gateway. Required for Multi-Factor Authentication with PrivX Authorizer. | Global |
| mobilegw-view | Allow viewing the current Mobile Application Gateway registration status. Required for Multi-Factor Authentication with PrivX Authorizer. | Global |
| network-targets-manage | Allow adding, editing, deleting, and viewing network targets. | Global |
| network-targets-view | Allow viewing network targets. | Global |
| requests-view | Allow displaying and searching the user's requests via the PrivX API. | Global |
| role-target-resources-manage | Allow modifying AWS role to PrivX role mappings. | Global |
| role-target-resources-view | Allow viewing AWS role to PrivX role mappings. | Global |
| roles-manage | Allow creating and modifying roles. NOTE: this grants the ability to assign roles to any user, so granting this permission is effectively the same as granting superuser permissions. | Global |
| roles-view | Allow viewing existing roles and role configurations. | Global |
| settings-manage | Allow viewing and modifying PrivX settings. | Global |
| settings-view | Allow viewing PrivX settings. | Global |
| sources-data-push | Allow SCIM integration. | Global |
| sources-manage | Allow creating and modifying user and host directories, bringing new users and hosts into PrivX. | Global |
| sources-view | Allow viewing user and host directory configuration. | Global |
| target-domains-manage | Allow managing target domains. | Global |
| target-domains-view | Allow viewing target-domain data. NOTE: also required for modifying target domains in host settings. | Global |
| ueba-manage | Allow managing UEBA configurations via the PrivX API. | Global |
| ueba-view | Allow viewing UEBA configurations via the PrivX API. | Global |
| users-manage | Allow modifying existing local users. Does not apply to users from third-party user directories, such as AD. | Global |
| users-view | Allow viewing existing users. | Global |
| vault-add | Allow creating global secrets. Allow granting read/write access to the user's own personal secrets to others. | Global |
| vault-manage | Allow creating and modifying existing global and personal vault secrets. | |
| webauthn-credentials-manage | Allow users to manage their own passkeys. | Global |
| workflows-manage | Allow creating and modifying workflows. NOTE: this can be used to grant approval access to restricted roles. Use carefully. | Global |
| workflows-requests-on-behalf | Allow creating role approval requests on behalf of other users. For example, a manager can request additional permissions on behalf of an employee. | Global |
| workflows-requests | Allow creating role approval requests via workflows. | Global |
| workflows-view | Allow viewing existing workflows and permissions. | Global |