6.5. About Role Permissions
What each role is allowed to do is defined by what permissions it has. Not every role has every permission. Notably SuperUser has every permission and Monitor has the least.
Each permission can grant read and/or write access for a single category of resources.
The categories are: runtime state, server configuration, sensitive data, the audit log, and the access control system.
Table 6.1, “Role Permissions Matrix” summarizes the permissions of each role.
|
Monitor
|
Operator
|
Maintainer
|
Deployer
|
Auditor
|
Administrator
|
SuperUser
| |
|
Read Config and State
|
X
|
X
|
X
|
X
|
X
|
X
|
X
|
|
Read Sensitive Data [2]
|
X
|
X
|
X
| ||||
|
Modify Sensitive Data [2]
|
X
|
X
| |||||
|
Read/Modify Audit Log
|
X
|
X
| |||||
|
Modify Runtime State
|
X
|
X
|
X[1]
|
X
|
X
| ||
|
Modify Persistent Config
|
X
|
X[1]
|
X
|
X
| |||
|
Read/Modify Access Control
|
X
|
X
|
[1] permissions are restricted to application resources.
[2] What resources are considered to be "sensitive data" are configured using Sensitivity Constraints.
