Role-Based Access Control (RBAC) Privilege Reference

This article provides a description and reference for all of the RBAC Privileges available when creating custom RBAC roles. This guide also lists relevant API endpoints which are secured by each RBAC privilege.

For a guide on how to create RBAC Roles and apply them to Users and API Clients, read the Role Based Access Control (RBAC) article.

RBAC Privileges - Dashboards

Dashboards privileges control access to the overview and analytics dashboards in Cloud Control Center. Each dashboard is an independent privilege — a role can be granted access to any combination of dashboards.

Dashboards

Privilege Description
Overview Grants access to the Overview dashboard.
Executive Summary Grants access to the Executive Summary dashboard. When Site Permissions are limited to specific sites, the dashboard displays data only for those sites.
Zero Trust Posture Grants access to the Zero Trust Posture dashboard. When Site Permissions are limited to specific sites, the dashboard reflects data only for those sites.

Dashboard Snapshots

Privilege Description
View Dashboard Snapshots Grants permission to view saved dashboard snapshots.
Create Dashboard Snapshots Allows users to create new dashboard snapshots.
Edit Dashboard Snapshots Enables users to modify existing dashboard snapshots.
Delete Dashboard Snapshots Permits users to remove dashboard snapshots.

RBAC Privileges - Site Permissions

Site Permissions control access to different sites within your organization's network. Restricting access to specific sites ensures that users can only interact with the sites relevant to their roles. This restriction applies to any component of the Elisity Platform that utilizes Site Labels, including devices, Local Policy Groups, and enforcement infrastructure like Virtual Edges and Virtual Edge Nodes.

Roles with a limited number of sites do not have access to Admin Settings.

Privilege Description API Endpoints
View Sites Allows users to view site details. By default, all sites are visible unless specific sites are selected. If limited sites are selected, users cannot create Site Labels under Virtual Edges. GET /api/sites

RBAC Privileges - IdentityGraph

IdentityGraph privileges manage access to device inventory, user data, connectors, and Entra (Azure AD) integration within Cloud Control Center. These settings are directly influenced by Site Permissions — users can only access devices and connectors associated with the sites they have permission to view.

Site Label Filtering Dependency: For roles with limited Site Permissions, the View Devices privilege alone does not enable the Site Labels filter on the Devices page. To enable Site Label filtering, also enable View Site Labels under the Edge Management section.

Entra Configuration

Privilege Description
Show Entra Configuration Grants access to the Entra Configuration settings in Cloud Control Center.

Devices

Privilege Description API Endpoints
View Devices Grants permission to view details of devices. GET /api/identity-graph/v1/devices
GET /api/identity-graph/v1/devices/{id}
GET /api/identity-graph/v1/devices/count
GET /api/identity-graph/v1/devices/aggregate
Add Devices Allows users to add new devices to the network. POST /api/identity-graph/v1/devices
Edit Devices Enables users to modify existing device configurations. PUT /api/identity-graph/v1/devices/{id}
PUT /api/identity-graph/v1/devices/bulk
Delete Devices Permits users to remove devices from the network. DELETE /api/identity-graph/v1/devices/{id}
DELETE /api/identity-graph/v1/devices/bulk

Users

Privilege Description
View Users Grants permission to view users associated with connectors and Active Directory.

Connectors

Privilege Description API Endpoints
View Connectors and Agents Grants permission to view connectors and agents. GET /api/ad-connector-service/v1/connectors
Add Connectors and Agents Allows users to add new connectors and agents. POST /api/ad-connector-service/v1/connectors
Edit Connectors and Agents Enables users to modify existing connectors and agents.
Delete Connectors and Agents Permits users to remove connectors and agents. DELETE /api/ad-connector-service/v1/connectors/{nodeId}
View Custom Connector Inventory Grants permission to view device records within Custom Connector instances. Users can view the Devices and Attributes table in Custom Connector details pages. GET /api/identity-graph/v1/custom-connector/{connectorId}/devices
GET /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}
Edit Custom Connector Inventory Allows users to add, modify, and delete device records in Custom Connector instances. Includes Add Single Device, Add Multiple Devices (spreadsheet upload), inline editing, and deletion. This permission is independent of general Device permissions. POST /api/identity-graph/v1/custom-connector/{connectorId}/devices
PUT /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}
DELETE /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}
POST /api/identity-graph/v1/custom-connector/{connectorId}/devices/bulk
View Entra Configuration and Status Grants permission to view the Entra integration configuration and its current synchronization status.
Trigger Entra Sync Allows users to manually trigger an Entra directory synchronization.
Create/Update Entra Configuration Enables users to create or modify the Entra integration configuration.
Delete Entra Integration and Data Permits users to remove the Entra integration and its associated data.

RBAC Privileges - Policy

Policy privileges control access to policy configurations, policy groups, security profiles, policy sets, and policy group labels within Cloud Control Center.

Matrix

Privilege Description API Endpoints
View Policies Grants permission to view policy configurations. GET /api/policy/v1/policy-sets/{policySetId}/policies
Create Policies Allows users to create new simulated policies. If Activate Policies is also enabled, users can create both simulated and active policies. POST /api/policy/v1/policy-sets/{policySetId}/policies
Edit Policies Enables users to modify existing policies, including activating simulated and deactivating active policies. PUT /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}
Activate Policies Determines whether users can activate simulated policies or create new active policies. Without this privilege, users can only create simulated policies (assuming Create Policies is also enabled).
Delete Policies Permits users to remove policies. DELETE /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}
Edit Exclusion Filters Enables users to modify policy exclusion filters on the Policy Matrix.

Policy Groups

Privilege Description API Endpoints
View Global Policy Groups Grants permission to view global policy groups. GET /api/policy/v2/policy-groups
Enable Global Policy Group Lock Allows users to enable or disable auto-locking on Global Policy Groups. PUT /api/policy/v2/policy-groups/{id}/lock
PUT /api/policy/v2/policy-groups/{id}/unlock
Create Global Policy Groups Allows users to create new global policy groups. POST /api/policy/v2/policy-groups/dynamic
POST /api/policy/v2/policy-groups/network
Edit Global Policy Groups Enables users to modify existing global policy groups. PUT /api/policy/v2/policy-groups/network/{id}
Delete Global Policy Groups Permits users to remove global policy groups. DELETE /api/policy/v2/policy-groups/{id}

Security Profiles

Privilege Description API Endpoints
View Security Profiles Grants permission to view security profiles. GET /api/policy/v1/security-profiles/{id}
Create/Duplicate Security Profiles Allows users to create or duplicate security profiles. POST /api/policy/v1/security-profiles
Edit Security Profiles Enables users to modify existing security profiles. PUT /api/policy/v1/security-profiles/{id}
Delete Security Profiles Permits users to remove security profiles. DELETE /api/policy/v1/security-profiles/{id}

Local Policy Groups

Local Policy Group access is restricted by Site Permissions — users can only access the local policy groups associated with the sites they have permission to view.

Privilege Description
View Local Policy Groups Grants permission to view local policy groups.
Enable Local Policy Group Lock Allows users to enable or disable auto-locking on Local Policy Groups.
Create Local Policy Groups Allows users to create new local policy groups.
Edit Local Policy Groups Enables users to modify existing local policy groups.
Delete Local Policy Groups Permits users to remove local policy groups.

Policy Sets

Privilege Description API Endpoints
View Policy Sets Grants permission to view policy sets. GET /api/policy/v1/policy-sets
Create/Duplicate Policy Sets Allows users to create or duplicate policy sets. POST /api/policy/v1/policy-sets
Edit Policy Sets Enables users to modify existing policy sets. PUT /api/policy/v1/policy-sets/{id}
Delete Policy Sets Permits users to remove policy sets. DELETE /api/policy/v1/policy-sets/{id}

Policy Group Labels

Privilege Description API Endpoints
View Policy Group Labels Grants permission to view policy group labels. GET /api/policy/v1/policy-group-label
Create Policy Group Labels Allows users to create new policy group labels. POST /api/policy/v1/policy-group-label
Edit Policy Group Labels Enables users to modify existing policy group labels. PUT /api/policy/v1/policy-group-label/{id}
Delete Policy Group Labels Permits users to remove policy group labels. DELETE /api/policy/v1/policy-group-label/{id}

RBAC Privileges - Edge Management

Edge Management privileges manage access to Virtual Edges, Virtual Edge Nodes, Site Labels, Distribution Zones, and Edge Settings. Access to Virtual Edges and nodes is restricted by Site Permissions — users can only see the infrastructure associated with the sites they have permission to view.

Virtual Edges and Virtual Edge Nodes

Privilege Description API Endpoints
View Virtual Edges and Nodes Grants permission to view Virtual Edges and their Nodes. GET /api/topology/v1/virtual-edges
GET /api/topology/v1/virtual-edge-nodes
Create Virtual Edges and Nodes Allows users to create new Virtual Edges and Nodes. POST /api/topology/v1/virtual-edges
POST /api/topology/v1/virtual-edge-nodes
Edit Virtual Edges and Nodes Enables users to modify existing Virtual Edges and Nodes. PUT /api/topology/v1/virtual-edges/{id}
PUT /api/topology/v1/virtual-edge-nodes/{id}
Delete Virtual Edges and Nodes Permits users to remove Virtual Edges and Nodes. DELETE /api/topology/v1/virtual-edges/{id}
DELETE /api/topology/v1/virtual-edge-nodes/{id}

Site Labels

View Site Labels is also required for users with limited Site Permissions to use the Site Labels filter on the Devices page. See the IdentityGraph section above for details.

Privilege Description
View Site Labels Grants permission to view site labels.
Create Site Labels Allows users to create new site labels. If the role has all Site Permissions, this also grants the ability to create Site Labels under Virtual Edges.
Edit Site Labels Enables users to modify existing site labels.
Delete Site Labels Permits users to remove site labels.

Distribution Zones

Privilege Description API Endpoints
View Distribution Zones Grants permission to view distribution zones.
Create Distribution Zones Allows users to create new distribution zones. POST /api/topology/v1/distribution-zones
Edit Distribution Zones Enables users to modify existing distribution zones. PUT /api/topology/v1/distribution-zones
Delete Distribution Zones Permits users to remove distribution zones. DELETE /api/topology/v1/distribution-zones/{id}

Edge Settings

Privilege Description API Endpoints
Global Credentials Grants the ability to create, modify, and delete Global Credentials used by Virtual Edges. Passwords are never visible regardless of privileges. GET /api/topology/v1/global-credentials
POST /api/topology/v1/global-credentials
PUT /api/topology/v1/global-credentials/{id}
DELETE /api/topology/v1/global-credentials/{id}
DELETE /api/topology/v1/global-credentials/bulk/delete
Flow Telemetry Grants access to Flow Telemetry configuration settings.
Cloud Controllers Grants access to Cloud Controller configuration settings.
Advanced Settings Grants access to advanced Edge configuration settings.

RBAC Privileges - Insights

Insights privileges are grouped into three sets: the base Insights access privilege, the Automations privileges that control automation rule management, and the Insight Settings privilege.

Permission Dependency: The Automations privileges require View Insights, Automations & AI Assistant to be enabled and cannot be assigned independently. Users without any Automations privilege can open the Automations tab in read-only state, but cannot create, edit, or delete rules. Automation write requests without the required privilege return HTTP 403 Forbidden.

Group Privilege Description
Insights View Insights, Automations & AI Assistant Grants access to the Insights module. Users can view all insights and accept, reject, or defer individual recommendations, and can open the Automations and AI Assistant areas to view existing rules. This is the base Insights privilege required before any Automations privileges take effect. No API endpoints associated.
Automations Create Automation Rules Allows users to create new Insights automation rules, including auto-approval configuration.
Automations Edit Automation Rules Enables users to modify existing Insights automation rules.
Automations Delete Automation Rules Permits users to remove Insights automation rules.
Insight Settings View/Edit Insight Settings Grants the ability to view and edit Insight Settings, which govern how insights are generated and presented.

RBAC Privileges - Traffic Analytics / Monitoring

Group Privilege Description
Traffic Analytics Show Traffic Analytics Toggles the visibility of the Traffic Analytics section in Cloud Control Center.
Monitoring View Monitoring Grants access to monitoring data including Audit Logs, Events, Activity Logs, Alerts, and External Monitors.
Monitoring Add/Edit External Monitors Allows users to create and modify external monitor configurations.
Monitoring Delete External Monitors Permits users to remove external monitors.

RBAC Privileges - Settings

Settings privileges control various administrative and system-level configurations within Cloud Control Center. Admin Settings are only available to roles with Site Permissions set to all sites.

Group Privilege Description
Email Show Email Grants access to the Email section in Settings.
Advanced Show Advanced Grants access to the Advanced section in Settings.
Welcome Message Show Welcome Message Grants access to the Welcome Message configuration in Settings.
Admin View Admin Settings Allows users to view the administrative settings. Requires Site Permissions set to all sites.
Admin Add Admin Settings Permits users to add new administrative settings. Requires Site Permissions set to all sites.
Admin Edit Admin Settings Enables users to modify existing administrative settings. Requires Site Permissions set to all sites.
Admin Delete Admin Settings Allows users to delete administrative settings. Requires Site Permissions set to all sites.

Group Privilege Description
System Add/Modify Logo Allows users to change or add a new logo.
System View Email (Support Alerts) Grants permission to view support alert email configurations.
System Add/Modify Email (Support Alerts) Enables users to add or change support alert email configurations.
System View Advanced Options (Advanced) Provides access to view advanced system options.
System Suppression List Allows users to manage the suppression list.
System Add/Edit Welcome Message Permits the addition or modification of the welcome message displayed to users on login.

For guidance on creating roles and assigning them to users or API clients, see the Role Based Access Control (RBAC) article.

Was this article helpful?
0 out of 0 found this helpful