Hub Permissions
A permission is an authorization granted to a user to perform particular operations. Permissions are granted to a user within a role, but not directly.
A role is a set of permissions which defines the level of access for a user to particular functionality and operations.
Permissions for the Hub application are divided in two categories:
Global permissions are granted at the global scope and do not depend on a specific project. For example, you cannot grant permission to create user accounts in a single project, you can do it only in the system-wide scope. Global permissions are marked with the globe icon (
) in the list of permissions.Per-project permissions allow actions related to a specific project. Read Project or Read User Group are examples of such permissions.
The following permissions are used by the built-in Hub service to regulate access to administrative actions.
Generic Permissions
The following permissions are not related to specific entities in the system. These permissions are available at the global level.
Permission | Description |
|---|---|
Low-level Administration | Manage low-level administrative actions. Includes permission to integrate with third-party services and back up the database. |
Low-level Read Administration | Read-only access to low-level administrative settings. Includes permission to view integrations with third-party services and metrics. |
Authentication Module
The following permissions grant access to authentication module-related actions. These permissions are all available at the global level.
Permission | Description |
|---|---|
Create Auth Module | Add and enable a new authentication module. |
Delete Auth Module | Delete authentication modules. |
Read Auth Module | View the list of authentication modules. View the properties of an authentication module. |
Update Auth Module | Modify the properties of an authentication module. |
Project
The following permissions grant access to project-related actions.
Permission | Description |
|---|---|
Create Project | Create a new project. |
Delete Project | Delete projects. |
Read Project | View project properties and content. List project resources. This permission is required (with Read Role) to read the project roles of a user, group, or service. |
Update Project | Edit the properties and content of a project. Add and remove resources. |
Project Role
The following permissions grant access to actions that link projects and roles. These permissions are all available at the per-project level.
Permission | Description |
|---|---|
Add Role in Project | Assign a role to a user, group, or service the role in the project. |
Remove Role in project | Remove the role assignment from a user, group, or service in the project. |
Role
The following permissions grant access to role-related actions. These permissions are all available at the global level.
Permission | Description |
|---|---|
Create Role | Create a new role. |
Delete Role | Delete roles. |
Read Role | View the list of roles. View the set of permissions assigned to a role. This permission is required (with Read Project) to read the project roles of user, group, or service. |
Update Role | Modify the properties of and set of permissions assigned to a role. |
Service
The following permissions grant access to service-related actions. These permissions are all available at the global level.
Permission | Description |
|---|---|
Create Service | Register a new service. |
Delete Service | Delete services. |
Read Service | View the list of services. View the properties of a service. View service resources, permissions, and default roles. |
Update Service | Modify the properties of a service. Create, update, or delete the resources, permissions, and default roles for a service. |
User
The following permissions grant access to user-related actions. These permissions all available at the global level.
Permission | Description |
|---|---|
Create User | Register new users. Invite new users. |
Delete User | Delete user accounts. |
Read Self | Same as Read User, but only for the current user account. |
Read User | View the list of registered user accounts. Read user authorization details. This permission is required (with Update Group) to modify group membership for another user account. |
Update Self | Same as Update User, but only for the current user account. |
Update User | Edit the user name. Edit, create, or delete user profile data. Ban and merge user accounts. |
User Group
The following permissions grant access to group-related actions. User groups are used as resources in a project. These permissions are all available at the per-project level.
Permission | Description |
|---|---|
Create User Group | Create new user groups. |
Delete User Group | Delete user groups. |
Read User Group | View the list of user groups. View group properties. This permission is required (with Read User Group permission for the subgroup) to view subgroups. Required in combination with Read User to view the members of a group. |
Update User Group | Modify the properties of a user group. Required in combination with Update User Group for parent and child groups to add or remove subgroups. Required in combination with Read User to modify group memberships. |