Hub Permissions
A permission is an authorization granted to a user to perform particular operations. Permissions are not granted to a user directly; they are granted through a role.
A role is a set of permissions which defines the level of access for a user to particular functionality and operations.
Permissions in Hub are divided into two categories:
Global permissions are granted at the global scope and do not depend on a specific project. For example, you cannot grant permission to create user accounts in a single project; you can do it only in the system-wide scope. Global permissions are marked with a globe icon in the list of permissions.
Per-project permissions allow actions related to a specific project. For example, a role with the Read Project Basic permission grants users and groups access to view project properties and content for a specific project. If these users don't have the Read Project Basic permission for other projects in Hub, they don't have access to them.
Permissions Updates for Hub 2018.2
In the 2018.2.10218 release, we made a few modifications to the permission scheme in Hub. The following table lists the permissions that were introduced in this update:
Permission | Description |
---|---|
Read User Basic | Grants users the ability to view a limited amount of information from the user profile. This includes the user ID, login, name, and avatar. |
Read User Full | Provides the same level of access that was previously granted with Read User. This grants users the ability to view all properties for all registered users, including authorization details. |
Read Project Basic | Grants users the ability to view the name, description, logo, and project owner for a project. |
Read Project Full | Provides the same level of access that was previously granted with Read Project. This grants users the ability to view all properties for a project. |
The following table lists the permissions that were removed in this update:
Permission | Description |
---|---|
Read User | Replaced with Read User Full. |
Read Project | Replaced with Read Project Full. |
Add Role in Project | Removed. To manage the roles that are assigned to users and groups in a project, you only need Read Role and Update Project permissions. |
Read Auth Module | Replaced with Low-level Admin Read. |
Create Auth Module | Replaced with Low-level Admin Write. |
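The following added example (not part of the Hub documentation or product) applies the two tables above to role definitions written before 2018.2. It flags roles that end up with a Full read permission where the narrower Basic one may be enough, and roles left without a permission they now depend on. The role names and the input layout are constructed, and the renames are applied mechanically from the table; how Hub itself migrated existing roles is not stated on this page.

```python
# Renames taken from the "removed in this update" table.
REPLACED = {
    "Read User": "Read User Full",
    "Read Project": "Read Project Full",
    "Read Auth Module": "Low-level Admin Read",
    "Create Auth Module": "Low-level Admin Write",
}
# Add Role in Project was removed; Read Role + Update Project now cover it.
REMOVED = {"Add Role in Project": {"Read Role", "Update Project"}}
# Dependency stated in the permission descriptions on this page.
REQUIRES = {"Low-level Admin Write": {"Low-level Admin Read"}}
# Full-read permissions and the narrower alternative introduced in 2018.2.
NARROWER = {"Read User Full": "Read User Basic",
            "Read Project Full": "Read Project Basic"}

def migrate(permissions):
    """Return (new permission set, findings) for one pre-2018.2 role."""
    new, findings = set(), []
    for perm in permissions:
        if perm in REPLACED:
            new.add(REPLACED[perm])
        elif perm in REMOVED:
            missing = REMOVED[perm] - set(permissions)
            if missing:
                findings.append(f"'{perm}' removed; role lacks {sorted(missing)}")
        else:
            new.add(perm)
    for perm, needed in REQUIRES.items():
        if perm in new and not needed <= new:
            findings.append(f"'{perm}' requires {sorted(needed - new)}")
    for full, basic in NARROWER.items():
        if full in new:
            findings.append(f"holds '{full}'; check whether '{basic}' is enough")
    return new, findings

# Constructed sample roles (not Hub defaults).
ROLES = {
    "directory-viewer": ["Read User", "Read Group"],
    "project-lead": ["Read Project", "Update Project", "Add Role in Project"],
    "backup-operator": ["Create Auth Module"],
}

def audit(roles):
    """Run migrate() over a {role name: [permission, ...]} mapping."""
    return {name: migrate(perms) for name, perms in roles.items()}

if __name__ == "__main__":
    for name, (perms, findings) in audit(ROLES).items():
        print(name, sorted(perms), findings)
```
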
The following permissions are built into Hub and regulate access to Hub administration.
Project-related Permissions
The following permissions grant access to project-related actions.
Permission | Description |
---|---|
Create Project | Create new projects. |
Read Project Basic | View basic project properties and content. When combined with other permissions, the following access rights are granted: |
Read Project Full | View all project properties and content. When combined with other permissions, the following access rights are granted: |
Update Project | Edit project properties and content, manage resources. |
Delete Project | Delete projects. |
Role-related Permissions
The following permissions grant access to role-related actions. These permissions are all available at the global level.
Permission | Description |
---|---|
Create Role | Create new roles. |
Read Role | View the list of roles and the set of permissions that are assigned to each role. When combined with other permissions, the following access rights are granted: |
Update Role | Edit role properties. Modify the set of permissions that are assigned to a role. |
Delete Role | Delete roles. |
User-related Permissions
The following permissions grant access to user-related actions. These permissions are all available at the global level.
Permission | Description |
---|---|
Create User | Create new user accounts. Invite users to register their own accounts. |
Read User Basic | View the list of registered users and read the ID, login, name, and avatar for each user. With Update Group, users can manage group memberships. |
Read User Full | View all properties for all registered users, including authorization details. |
Update User | Edit user profile data. Ban, merge, and anonymize user accounts. |
Delete User | Delete user accounts. |
Read Self | View all properties, including authorization details, for the user who is currently logged in. |
Update Self | Edit own profile data. |
Group-related Permissions
The following permissions grant access to group-related actions. User groups are used as resources in a project. These permissions are all available at the per-project level.
Permission | Description |
---|---|
Create Group | Create new groups. |
Read Group | View the list of groups and read group properties. When combined with other permissions, the following access rights are granted: |
Update Group | Edit group properties. When combined with other permissions, the following access rights are granted: |
Delete Group | Delete groups. |
Service-related Permissions
The following permissions grant access to service-related actions. These permissions are all available at the global level.
Permission | Description |
---|---|
Create Service | Register new services. |
Read Service | View the list of services and read service properties. View service resources, permissions, and default roles. |
Update Service | Edit service properties. Create, update, or delete resources, permissions, and default roles. |
Delete Service | Delete services. |
Generic Permissions
The following permissions are not related to specific entities in the system. These permissions are available at the global level.
Permission | Description |
---|---|
Low-level Admin Write | Manage low-level administrative actions. Includes permission to integrate with third-party services and back up the database. Requires Low-level Admin Read. |
Low-level Admin Read | Read-only access to low-level administrative settings. Includes permission to view integrations with third-party services and metrics. |