Permissions
This section explains each permission in User Menu.
Legend
- = Active permission / Fully active section
- = Inactive permission / Fully Inactive section
- = Partially active section
note
Any category that has “Administration” is part of the Management section.
User Permissions Table
| Category | Permission | Type |
|---|---|---|
| System Settings | View system settings (overrides for deployment) | View |
| System Settings Administration | Edit (or create) system settings Delete system settings (will default to deployment file) | Edit Delete |
| User Administration | View all users in the system Edit their own and lowered-roled users' metadata Edit their lower-roled users' permissions Promote lower-roled users up to their role Demote lower-roled users to even lower role View profiles (roles/permission templates) Create and edit profiles Delete profiles Activate lower-roled users Deactivate lower-roled users Require lower-roled users to escrow their key Delete lower-roled users View all soft-deleted users in the system Reinstate soft-deleted users | View Edit Edit Edit Edit View Edit Delete Edit Edit Edit Delete View Edit |
| Basic Team Interaction | View own teams Edit own teams (depending on stature per-team) | View Edit |
| Team Administration | View all teams in the system Create teams Edit any team in the system arbitrarily Delete any team in the system arbitrarily Add users to any team arbitrarily Modify any team membership arbitrarily Remove users from any team arbitrarily | View Create Edit Delete Create Edit Delete |
| Basic Key Escrow | Escrow own key Check if own key is escrowed | Create View |
| Key Escrow Administration | View all escrowed keys in the system List escrow recovery keys Delete escrowed keys View Escrow groups View Escrow users Escrow public key View history of all Sitekey-authorized Escrow actions | View View Delete View View View |
| Basic Vault Interaction | View metadata for own files (necessary to download) View access/sharing/project history of own files Create file metadata View keys for own files (necessary to download) Share own files Unshare own files Download own files' content Upload content to own files Transfer file to Vault to VM Transfer file from VM to Vault Delete own files View directories Create directories Delete directories Create entries in directories Rename entries in directories Delete entries in directories View usage of vault for any user | View View Create View Create Delete View Edit View Edit Delete View Create Delete Create Edit Delete View |
| Basic Group Interaction | View groups they are a member of View keys for groups they are a member of Create groups Rename own groups and transfer ownership Add users to groups they are a member of Edit other members in groups they are a member of Remove other users from groups they are a member of Delete groups they are the owner of | View View Create Edit Create Edit Delete Delete |
| Basic Inbox Interaction | View own inboxes Create inboxes Delete inboxes | View Create Delete |
| Basic Project Interaction | View projects they are a member of View other members in projects they are a member of View all security requirements in the system View all security levels in the system View own security requirement certifications Classify resources with projects they are active in | View View View View View Edit |
| Project Management | Declassify resources tagged with projects they manage Create subprojects of projects they manage Edit metadata for projects they manage Delete projects they manage Add users to projects they manage Edit memberships in projects they manage Remove users from projects they manage View all security requirement certifications in the system Certify users for security requirements Edit user certifications for security requirements Delete user certifications for security requirements | Edit Create Edit Delete Create Edit Delete View Create Edit Delete |
| Project Administration | View all projects in the system Arbitrarily tag resources with any project Create security requirements Edit security requirements Delete security requirements Create security levels Edit security levels Delete security levels Create root-level projects Arbitrarily edit any project Arbitrarily delete any project View memberships for every project in the system Arbitrarily add users to any project Arbitrarily edit any project membership Arbitrarily remove users from any project | View Edit Create Edit Delete Create Edit Delete Create Edit Delete View Create Edit Delete |
| Basic VM Interaction | View drives (inconsistent, see notes) Create drives Edit drives (name and whether to disable backup) View drive keys (necessary to share/attach) Share drives Unshare drives Attach drives to VMs Detach drives from VMs Delete drives they own View hardware/image setups made available to them View own VM configs and configs shared with them Create (and edit) VM configs Spawn VMs from VM configs Stop VMs spawned from VM configs View own VM username View anyone's VM username (necessary for sharing VMs) Create sub-session for VM->Vault direct transfer View own VMs and VMs shared with them Spawn VMs(without a config) Connect to own VMs and VMs shared with them Share VMs with other users Shutdown own VMs View storage pools for any Libvirt realm Lookup individual Libvirt storage pools | Edit Delete View View Create Create Delete View View Create View Create View Create Delete View View |
| VM Administration | Delete arbitrary drives Create Libvirt storage pools Edit Libvirt storage pools Delete Libvirt storage pools View raw Libvirt volumes (images) Upload raw Libvirt volumes (images) View all VM images Create VM images (from Libvirt volumes) View all VM images Create VM images (from Libvirt volumes) Edit any VM image Delete any VM image View all hardware/image setups in the system Create hardware/image setups Edit hardware/image setups Arbitrarily delete any hardware/image setup View all VM configs in the system Arbitrarily edit any VM config Arbitrarily delete any VM config View host machines and hardware information in any Libvirt realm Create new hardware profiles (metadata) Edit any hardware profile Delete any hardware profile Register physical VM host machines in Libvirt realms Edit VM host machine info in any Libvirt realm Delete VM host machine info in any Libvirt realm View external servers Create external servers Edit external servers Delete any licensing server Modify any user's VM username Arbitrarily view logs from any VM | Delete Create Edit Delete View Create View Create Edit Delete View Create Edit Delete View Edit Delete View Create Edit Delete Create Edit Delete View Create Edit Delete Edit View |
| Miscellaneous | Transfer ownership of own files and drives | Edit |
Permissions Metadata
| Permission name | Description |
|---|---|
| System Settings | |
view:system_settings | View of system settings and custom fields subsection in management. |
override:system_settings | Add, edit, delete and preview of custom fields subsection in management. |
| System Settings Administration | |
edit_or_create:system_settings | Edit, create and save changes in system settings (login, servers, timeout, user, caching, files, notices). |
delete:system_settings_default_to_deployment_file | Delete or reset to default existing system settings changes. |
| User Administration | |
view:all_users_in_system | View all users in the system in users subsection in management. |
edit:own_role_and_lowered_roled_users | Edit role, state, metadata, refresh user info, make annoucements and bulk email export in JSON or CSV lower-roled users. |
edit:lowered_roled_users_permissions | Edit lower-roled users' permissions in manual permission management under open overlay under users in management; switch to custom profile to edit permissions when users have a set profile. |
promote:lowered_roled_users_to_own_role | Promote lower-roled users up to own role. |
demote:lower_roled_users_to_lower_role | Demote lower-roled users to even a lower role. |
view:user_profiles_roles_permission_templates | View users' profiles in open overlay and management. |
create_and_edit:user_profiles | Create, apply and edit user profiles in open overlay and management. |
delete:user_profiles | Delete user profiles permanently. |
activate:lower_roled_users | Activate lower-roled users' state. |
deactivate:lower_roled_users | Deactivate lower-roled users' state. |
require_key_escrow:lower_roled_users | Require lower-roled users to escrow their private key on next login. |
delete:lower_roled_users | Soft delete lower-roled users into deleted-users subsection in management. |
view:soft_deleted_users | View all soft-deleted users in the deleted-users subsection in management. |
reinstate:soft_deleted_users | Reinstate soft-deleted users back into the system. |
| Basic Team Interaction | |
view:own_teams | View the own teams in my profile in open user menu. |
edit:own_teams | Delete own membership from team, bulk email, export in JSON and CSV own team members in my profile in open user menu. |
| Team Administration | |
view:all_teams | View all teams in the system their name, description, basic info, quotas, members and make team annoucements in teams subsection in management. |
create:new_teams | Create new teams in teams subsection in management. |
edit:any_team_arbitrarily | Edit teams' metadata, quotas and make team announcements in teams subsection; view, bulk email and delete team memberships in team memberships subsection in management. |
delete:any_team_arbitrarily | Delete teams in teams subsection in management. |
add:users_to_team_artibtrarily | Add users to any team arbitrarily |
modify:any_team_membership_arbitrarily | Edit team memberships in team membership subsection in management. |
remove:users_from_any_team_arbitrarily | Remove users from teams in teams subsection in management. |
| Basic Key Escrow | |
escrow:own_key | Access to escrow own key if required by an admin. |
check:own_escrow_key_status | View if the key has been successfully escrowed by the escrow team. |
| Key Escrow Administration | |
view:all_escrowed_keys | View all escrowed keys in the system; bulk email escrow users and create deletion requests. |
list:escrow_recovery_keys | View escrow certificates subsection in management. |
delete:escrowed_keys | Download CSR site-key upon deletion request creation to be sent to site-key admin for approval. |
view:escrow_groups | View the escrow groups column in the escrow users subsection in management. |
view:escrow_users | View the escrow users subsection in management. |
escrow:public_key | Open to view all escrow certificates in JSON format; execute signed escrow certificates from site-key admin. |
view:all_sitekey_authorized_escrow_actions_history | View escrow certificates history data in management. |
| Basic Vault Interaction | |
view:own_files_metadata | View own file name, owner, created date and size (necessary to download). |
view:access_sharing_project_own_file_history | View the history of who accessed, shared and project-tagged own files. |
create:file_metadata | Compute disk usage; compute SHA256 hash. |
view:own_files_keys | View own files in the vault in viewing mode. (necessary to download) |
share:own_files | Share own files and directories with other users; share with limited time or restrictions. |
unshare:own_files | Unshare own files and directories with other users. |
| `download:own_files' | Download own files content locally; download full logs of own files. |
upload:own_files | Upload own files content locally. |
transfer:file_to_vault_to_vm | Transfer files and directories from vault to own vm in file transfer hub. |
transfer:file_from_vm_to_vault | Transfer files and directories from own vm to vault in file transfer hub. |
delete:own_files | Delete own files into trash directory; restore files from trash; permanetly delete files from trash. |
view:directories | View directories in vault in shared by me, shared with me or self owned. |
create:directories | Create new directories in vault. |
delete:directories | Delete existing directories in vault. |
create:directory_entries | Create new directories access in vault. |
rename:directory_entries | Rename files and directories in vault. |
delete:directory_entries | Delete files and directories access in vault. |
view:any_user_vault_usage | View the usage of vault storage for other users. |
| Basic Group Interaction | |
view:member_groups | View own membership group names and number of members in vault. |
view:member_groups_keys | View own membership groups overlay, members name, email, added,number of permissions, role and permissions in group. |
create:groups | Create new groups in vault. |
rename:own_groups_and_transfer_ownership | Rename own groups and promote manager to group owner. |
add:member_users_to_groups | Add new group members to own groups. |
edit:group_members_in_member_groups | Edit group members' permissions in own groups. |
remove:group_members_from_member_groups | Remove group members from own groups. |
delete:own_groups | Delete own groups. |
| Basic Inbox Interaction | |
view:own_inboxes | View own inbox directory in vault. |
create:inboxes | Create inbox from own directory in vault; create access points; url inbox; sftp inbox; password-protected inbox. |
delete:inboxes | Delete own inboxes back to directories in vault. |
| Basic Project Interaction | |
view:member_projects | View own membership projects in vault. |
view:members_in_member_projects | View project members from own projects in vault. |
view:all_security_requirements | View the security requirements section in management. |
view:all_security_levels | View the security levels section in management. |
view:own_security_requirement_certifications | View own security requirements certifications in my profile; bulk email own project members from my profile. |
classify:active_projects_resources | Change project for own files and directories in vault to own membership projects (classify). |
| Project Management | |
declassify:managed_projects_tagged_resources | Change project for own files and directories in vault to own membership projects (declassify). |
create:managed_projects_subprojects | Create subprojects from own top-level projects in vault. |
edit:managed_projects_metadata | Edit own top-level projects name, tag text, security level, description and optional fields in vault. |
delete:managed_projects | Delete own subproject and top-level projects in vault. |
add:users_to_managed_projects | Add users to own top-level projects and subprojects in vault. |
edit:memberships_in_managed_projects | Edit/Renew project members' memberships in user certifications in management. |
remove:users_from_managed_projects | Remove existing project members from own top-level projects or subprojects in vault. |
view:all_security_requirement_certifications | View user certifications subsection in management. |
certify:users_for_security_requirements | Certify users for security requirement from management |
edit:user_certifications_for_security_requirements | Edit user certifications expiration date in management. |
delete:user certifications for security requirements | Delete existing user certifications in management. |
| Project Administration | |
view:all_projects | View all system projects in projects subsection in management. |
tag:resources_with_projects_arbitrarily | Project-tag any resource in the system. |
create:security_requirements | Create new security requirements for any security levels in the system in management. |
edit:security_requirements | Edit security requirements name, expiration, lifespan and description in management. |
delete:security_requirements | Delete existing security requirements from management. |
create:security_levels | Create new security levels for any projects in the system in management. |
edit:security_levels | Edit security levels name, requirements and description in management. |
delete:security_levels | Delete existing security levels from management. |
create:root_level_projects | Create new top-level projects from projects subsection in management. |
edit:projects_arbitrarily | Edit any projects' name, tag, security level and optional fields in the system in management. |
delete:projects_arbitrarily | Delete any existing projects from management and vault. |
view:all_project_memberships | View project memberships and resources by project subsections in management. |
add:users_to_projects_arbitrarily | Add users to any project in the system at any time. |
edit: project_memberships_arbitrarily | Edit project memberships' expiration, role and restrictions of any project member from management. |
remove:users_from_projects_arbitrarily | Remove project memberships from any project members in management. |
| Basic VM Interaction | |
view:drives | View own drives and shared drives in the drives table in virtual machines. |
create:drives | Create new drives from scratch; create external manifest and import drives. |
edit:drives | Edit drive name and relation to team in management and virtual machines. |
view:drive_keys | View drive ID column in virtual machines. (necessary to share/attach) |
share:drives | Share existing drives with other users. |
unshare:drives | Unshare drive from users; unshare drive from everyone else. |
attach:drives_to_vms | Allow drives to mount and attach to existing VM configs. |
detach:drives_from_vms | Detach drives from VMs in management. |
delete:own_drives | Delete own drives permamently. |
view:available_hardware_image_setups | View available ISO images, NFS mounts and drives in management. |
view:own_vm_configs_and_shared_configs | View own VM configurations and shared VM configurations in VM table in virtual machines. |
create_and_edit:vm_configs | Create new VM configurations from scratch; edit existing turned off VM configurations. |
spawn:vms_from_vm_configs | Allow VM configs creation to connect to VMs in virtual machines. |
stop:vms_spawned_from_vm_configs | Disconnect and turn off VM config from connecting to VMs in virtual machines. |
view:own_vm_username | View own VM username and basic info, profile info, permissions, access directories and VM groups in virtual machines. |
view:anyones_vm_usernames | View anyones' VM usernames (necessary for sharing VMs). |
create:vm_vault_direct_transfer_sub_session | Allow direct transfer from VMs to Vault via sub-session. |
view:own_vms_and_shared_vms | View own VMs and shared VMs, past VMs and service VMs in management. |
spawn:vms_without_config | Create VMs for multiple users without requiring VM configs. |
connect:own_vms_and_shared_vms | Connect to own VMs and shared VMs in virtual machines and running VMs in managment. |
share:vms_with_other_users | Share existing VMs with other users and groups. |
shutdown:own_vms | Shut down, reset or hard-shutdown a running VM. |
view:all_libvirt_realm_storage_pools | View realms and storage pools subsections in management. |
lookup:individual_libvirt_storage_pools | View storage pools type,location and realm in management. |
| VM Administration | |
delete:drives_arbitrary | Delete error-free drives from the system. |
create:libvirt_storage_pools | Create new libvirt storage pools in management. |
edit:libvirt_storage_pools | Edit existing libvirt storage pools in management. |
delete:libvirt_storage_pools | Delete existing libvirt storage pools in manageent. |
view:raw_libvirt_volumes | View libvirt volumes subsection in management. (images) |
upload:raw_libvirt_volumes | Upload raw ISO images. |
view:all_vm_images | View VM Images subsection in management. |
create:vm_images | Create new VM images from Libvirt volumes. |
edit:all_vm_images | Edit existin VM images in management. |
delete:all_vm_images | Delete VM images from management. |
view:all_hardware_image_setups | View VM hardware setups subsection in managment. |
create:hardware_image_setups | Create new VM hardware setups from VM images and NFS mounts. |
edit:hardware_image_setups | Edit, clone and simulate allocation for VM hardware setups in management. |
delete:hardware_image_setups_arbitrarily | Delete VM hardware setups from management. |
view:all_vm_configs | View all VM configurations in the system in management. |
edit:all_vm_configs_arbitrarily | Edit and bulk email all VM configurations in management. |
delete:all_vm_configs_arbitrarily | Delete all VM configurations from management. |
view:libvirt_realm_host_machines_and_hardware_information | View information of realms, libvirt hosts and hardware profiles in management. |
create:new_hardware_profiles | Create new hardware profiles from realms. |
edit:all_hardware_profiles | Edit name, realm, parameters, devices and description of hardware profiles in management. |
delete:all_hardware_profiles | Delete hardware profiles from management. |
register:libvirt_realms_physical_vm_host_machines | Register VM hosts physically in libvirt realms. |
edit:libvirt_realm_vm_host_machine_info | Edit VM host machine metadata in libvirt realms. |
delete:libvirt_realm_vm_host_machine_info | Delete VM host machine metadata from any libvirt realm. |
view:external_servers | View external servers in management. |
create:external_servers | Create external servers from management. |
edit:external_servers | Edit existing external servers in management. |
delete:licensing_servers | Delete licencing servers. |
modify:all_user's_vm_username | Edit users's VM usernames globally. |
view:logs_from_any_VM_arbitrarily | View all logs from any VMs in the system. |
| Miscellaneous | |
transfer:own_files_and_drives_ownership | Transfer full ownership of own files and drives to other users. |
note
Some actions in the system depend strictly on the user role regardless of custom permissions. For example, Super-admin role:
- Views all ISO images in the system.
- Views Libvirt XML description of VMs.
No other role or permission can allow the above actions.