This article provides a description and reference for all of the RBAC Privileges available when creating custom RBAC roles. This guide also lists relevant API endpoints which are secured by each RBAC privilege.
For a guide on how to create RBAC Roles and apply them to Users and API Clients, read the Role Based Access Control (RBAC) article.
RBAC Privileges - Dashboards
Dashboards privileges control access to the overview and analytics dashboards in Cloud Control Center. Each dashboard is an independent privilege — a role can be granted access to any combination of dashboards.
Dashboards
| Privilege |
Description |
| Overview |
Grants access to the Overview dashboard. |
| Executive Summary |
Grants access to the Executive Summary dashboard. When Site Permissions are limited to specific sites, the dashboard displays data only for those sites. |
| Zero Trust Posture |
Grants access to the Zero Trust Posture dashboard. When Site Permissions are limited to specific sites, the dashboard reflects data only for those sites. |
Dashboard Snapshots
| Privilege |
Description |
| View Dashboard Snapshots |
Grants permission to view saved dashboard snapshots. |
| Create Dashboard Snapshots |
Allows users to create new dashboard snapshots. |
| Edit Dashboard Snapshots |
Enables users to modify existing dashboard snapshots. |
| Delete Dashboard Snapshots |
Permits users to remove dashboard snapshots. |
RBAC Privileges - Site Permissions
Site Permissions control access to different sites within your organization's network. Restricting access to specific sites ensures that users can only interact with the sites relevant to their roles. This restriction applies to any component of the Elisity Platform that utilizes Site Labels, including devices, Local Policy Groups, and enforcement infrastructure like Virtual Edges and Virtual Edge Nodes.
Roles with a limited number of sites do not have access to Admin Settings.
| Privilege |
Description |
API Endpoints |
| View Sites |
Allows users to view site details. By default, all sites are visible unless specific sites are selected. If limited sites are selected, users cannot create Site Labels under Virtual Edges. |
GET /api/sites |
RBAC Privileges - IdentityGraph
IdentityGraph privileges manage access to device inventory, user data, connectors, and Entra (Azure AD) integration within Cloud Control Center. These settings are directly influenced by Site Permissions — users can only access devices and connectors associated with the sites they have permission to view.
Site Label Filtering Dependency: For roles with limited Site Permissions, the View Devices privilege alone does not enable the Site Labels filter on the Devices page. To enable Site Label filtering, also enable View Site Labels under the Edge Management section.
Entra Configuration
| Privilege |
Description |
| Show Entra Configuration |
Grants access to the Entra Configuration settings in Cloud Control Center. |
Devices
| Privilege |
Description |
API Endpoints |
| View Devices |
Grants permission to view details of devices. |
GET /api/identity-graph/v1/devices
GET /api/identity-graph/v1/devices/{id}
GET /api/identity-graph/v1/devices/count
GET /api/identity-graph/v1/devices/aggregate
|
| Add Devices |
Allows users to add new devices to the network. |
POST /api/identity-graph/v1/devices |
| Edit Devices |
Enables users to modify existing device configurations. |
PUT /api/identity-graph/v1/devices/{id}
PUT /api/identity-graph/v1/devices/bulk
|
| Delete Devices |
Permits users to remove devices from the network. |
DELETE /api/identity-graph/v1/devices/{id}
DELETE /api/identity-graph/v1/devices/bulk
|
Users
| Privilege |
Description |
| View Users |
Grants permission to view users associated with connectors and Active Directory. |
Connectors
| Privilege |
Description |
API Endpoints |
| View Connectors and Agents |
Grants permission to view connectors and agents. |
GET /api/ad-connector-service/v1/connectors |
| Add Connectors and Agents |
Allows users to add new connectors and agents. |
POST /api/ad-connector-service/v1/connectors |
| Edit Connectors and Agents |
Enables users to modify existing connectors and agents. |
— |
| Delete Connectors and Agents |
Permits users to remove connectors and agents. |
DELETE /api/ad-connector-service/v1/connectors/{nodeId} |
| View Custom Connector Inventory |
Grants permission to view device records within Custom Connector instances. Users can view the Devices and Attributes table in Custom Connector details pages. |
GET /api/identity-graph/v1/custom-connector/{connectorId}/devices
GET /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}
|
| Edit Custom Connector Inventory |
Allows users to add, modify, and delete device records in Custom Connector instances. Includes Add Single Device, Add Multiple Devices (spreadsheet upload), inline editing, and deletion. This permission is independent of general Device permissions. |
POST /api/identity-graph/v1/custom-connector/{connectorId}/devices
PUT /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}
DELETE /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}
POST /api/identity-graph/v1/custom-connector/{connectorId}/devices/bulk
|
| View Entra Configuration and Status |
Grants permission to view the Entra integration configuration and its current synchronization status. |
— |
| Trigger Entra Sync |
Allows users to manually trigger an Entra directory synchronization. |
— |
| Create/Update Entra Configuration |
Enables users to create or modify the Entra integration configuration. |
— |
| Delete Entra Integration and Data |
Permits users to remove the Entra integration and its associated data. |
— |
RBAC Privileges - Policy
Policy privileges control access to policy configurations, policy groups, security profiles, policy sets, and policy group labels within Cloud Control Center.
Matrix
| Privilege |
Description |
API Endpoints |
| View Policies |
Grants permission to view policy configurations. |
GET /api/policy/v1/policy-sets/{policySetId}/policies |
| Create Policies |
Allows users to create new simulated policies. If Activate Policies is also enabled, users can create both simulated and active policies. |
POST /api/policy/v1/policy-sets/{policySetId}/policies |
| Edit Policies |
Enables users to modify existing policies, including activating simulated and deactivating active policies. |
PUT /api/policy/v1/policy-sets/{policySetId}/policies/{policyId} |
| Activate Policies |
Determines whether users can activate simulated policies or create new active policies. Without this privilege, users can only create simulated policies (assuming Create Policies is also enabled). |
— |
| Delete Policies |
Permits users to remove policies. |
DELETE /api/policy/v1/policy-sets/{policySetId}/policies/{policyId} |
| Edit Exclusion Filters |
Enables users to modify policy exclusion filters on the Policy Matrix. |
— |
Policy Groups
| Privilege |
Description |
API Endpoints |
| View Global Policy Groups |
Grants permission to view global policy groups. |
GET /api/policy/v2/policy-groups |
| Enable Global Policy Group Lock |
Allows users to enable or disable auto-locking on Global Policy Groups. |
PUT /api/policy/v2/policy-groups/{id}/lock
PUT /api/policy/v2/policy-groups/{id}/unlock
|
| Create Global Policy Groups |
Allows users to create new global policy groups. |
POST /api/policy/v2/policy-groups/dynamic
POST /api/policy/v2/policy-groups/network
|
| Edit Global Policy Groups |
Enables users to modify existing global policy groups. |
PUT /api/policy/v2/policy-groups/network/{id} |
| Delete Global Policy Groups |
Permits users to remove global policy groups. |
DELETE /api/policy/v2/policy-groups/{id} |
Security Profiles
| Privilege |
Description |
API Endpoints |
| View Security Profiles |
Grants permission to view security profiles. |
GET /api/policy/v1/security-profiles/{id} |
| Create/Duplicate Security Profiles |
Allows users to create or duplicate security profiles. |
POST /api/policy/v1/security-profiles |
| Edit Security Profiles |
Enables users to modify existing security profiles. |
PUT /api/policy/v1/security-profiles/{id} |
| Delete Security Profiles |
Permits users to remove security profiles. |
DELETE /api/policy/v1/security-profiles/{id} |
Local Policy Groups
Local Policy Group access is restricted by Site Permissions — users can only access the local policy groups associated with the sites they have permission to view.
| Privilege |
Description |
| View Local Policy Groups |
Grants permission to view local policy groups. |
| Enable Local Policy Group Lock |
Allows users to enable or disable auto-locking on Local Policy Groups. |
| Create Local Policy Groups |
Allows users to create new local policy groups. |
| Edit Local Policy Groups |
Enables users to modify existing local policy groups. |
| Delete Local Policy Groups |
Permits users to remove local policy groups. |
Policy Sets
| Privilege |
Description |
API Endpoints |
| View Policy Sets |
Grants permission to view policy sets. |
GET /api/policy/v1/policy-sets |
| Create/Duplicate Policy Sets |
Allows users to create or duplicate policy sets. |
POST /api/policy/v1/policy-sets |
| Edit Policy Sets |
Enables users to modify existing policy sets. |
PUT /api/policy/v1/policy-sets/{id} |
| Delete Policy Sets |
Permits users to remove policy sets. |
DELETE /api/policy/v1/policy-sets/{id} |
Policy Group Labels
| Privilege |
Description |
API Endpoints |
| View Policy Group Labels |
Grants permission to view policy group labels. |
GET /api/policy/v1/policy-group-label |
| Create Policy Group Labels |
Allows users to create new policy group labels. |
POST /api/policy/v1/policy-group-label |
| Edit Policy Group Labels |
Enables users to modify existing policy group labels. |
PUT /api/policy/v1/policy-group-label/{id} |
| Delete Policy Group Labels |
Permits users to remove policy group labels. |
DELETE /api/policy/v1/policy-group-label/{id} |
RBAC Privileges - Edge Management
Edge Management privileges manage access to Virtual Edges, Virtual Edge Nodes, Site Labels, Distribution Zones, and Edge Settings. Access to Virtual Edges and nodes is restricted by Site Permissions — users can only see the infrastructure associated with the sites they have permission to view.
Virtual Edges and Virtual Edge Nodes
| Privilege |
Description |
API Endpoints |
| View Virtual Edges and Nodes |
Grants permission to view Virtual Edges and their Nodes. |
GET /api/topology/v1/virtual-edges
GET /api/topology/v1/virtual-edge-nodes
|
| Create Virtual Edges and Nodes |
Allows users to create new Virtual Edges and Nodes. |
POST /api/topology/v1/virtual-edges
POST /api/topology/v1/virtual-edge-nodes
|
| Edit Virtual Edges and Nodes |
Enables users to modify existing Virtual Edges and Nodes. |
PUT /api/topology/v1/virtual-edges/{id}
PUT /api/topology/v1/virtual-edge-nodes/{id}
|
| Delete Virtual Edges and Nodes |
Permits users to remove Virtual Edges and Nodes. |
DELETE /api/topology/v1/virtual-edges/{id}
DELETE /api/topology/v1/virtual-edge-nodes/{id}
|
Site Labels
View Site Labels is also required for users with limited Site Permissions to use the Site Labels filter on the Devices page. See the IdentityGraph section above for details.
| Privilege |
Description |
| View Site Labels |
Grants permission to view site labels. |
| Create Site Labels |
Allows users to create new site labels. If the role has all Site Permissions, this also grants the ability to create Site Labels under Virtual Edges. |
| Edit Site Labels |
Enables users to modify existing site labels. |
| Delete Site Labels |
Permits users to remove site labels. |
Distribution Zones
| Privilege |
Description |
API Endpoints |
| View Distribution Zones |
Grants permission to view distribution zones. |
— |
| Create Distribution Zones |
Allows users to create new distribution zones. |
POST /api/topology/v1/distribution-zones |
| Edit Distribution Zones |
Enables users to modify existing distribution zones. |
PUT /api/topology/v1/distribution-zones |
| Delete Distribution Zones |
Permits users to remove distribution zones. |
DELETE /api/topology/v1/distribution-zones/{id} |
Edge Settings
| Privilege |
Description |
API Endpoints |
| Global Credentials |
Grants the ability to create, modify, and delete Global Credentials used by Virtual Edges. Passwords are never visible regardless of privileges. |
GET /api/topology/v1/global-credentials
POST /api/topology/v1/global-credentials
PUT /api/topology/v1/global-credentials/{id}
DELETE /api/topology/v1/global-credentials/{id}
DELETE /api/topology/v1/global-credentials/bulk/delete
|
| Flow Telemetry |
Grants access to Flow Telemetry configuration settings. |
— |
| Cloud Controllers |
Grants access to Cloud Controller configuration settings. |
— |
| Advanced Settings |
Grants access to advanced Edge configuration settings. |
— |
RBAC Privileges - Insights
Insights privileges are grouped into three sets: the base Insights access privilege, the Automations privileges that control automation rule management, and the Insight Settings privilege.
Permission Dependency: The Automations privileges require View Insights, Automations & AI Assistant to be enabled and cannot be assigned independently. Users without any Automations privilege can open the Automations tab in read-only state, but cannot create, edit, or delete rules. Automation write requests without the required privilege return HTTP 403 Forbidden.
| Group |
Privilege |
Description |
| Insights |
View Insights, Automations & AI Assistant |
Grants access to the Insights module. Users can view all insights and accept, reject, or defer individual recommendations, and can open the Automations and AI Assistant areas to view existing rules. This is the base Insights privilege required before any Automations privileges take effect. No API endpoints associated. |
| Automations |
Create Automation Rules |
Allows users to create new Insights automation rules, including auto-approval configuration. |
| Automations |
Edit Automation Rules |
Enables users to modify existing Insights automation rules. |
| Automations |
Delete Automation Rules |
Permits users to remove Insights automation rules. |
| Insight Settings |
View/Edit Insight Settings |
Grants the ability to view and edit Insight Settings, which govern how insights are generated and presented. |
RBAC Privileges - Traffic Analytics / Monitoring
| Group |
Privilege |
Description |
| Traffic Analytics |
Show Traffic Analytics |
Toggles the visibility of the Traffic Analytics section in Cloud Control Center. |
| Monitoring |
View Monitoring |
Grants access to monitoring data including Audit Logs, Events, Activity Logs, Alerts, and External Monitors. |
| Monitoring |
Add/Edit External Monitors |
Allows users to create and modify external monitor configurations. |
| Monitoring |
Delete External Monitors |
Permits users to remove external monitors. |
RBAC Privileges - Settings
Settings privileges control various administrative and system-level configurations within Cloud Control Center. Admin Settings are only available to roles with Site Permissions set to all sites.
| Group |
Privilege |
Description |
| Email |
Show Email |
Grants access to the Email section in Settings. |
| Advanced |
Show Advanced |
Grants access to the Advanced section in Settings. |
| Welcome Message |
Show Welcome Message |
Grants access to the Welcome Message configuration in Settings. |
| Admin |
View Admin Settings |
Allows users to view the administrative settings. Requires Site Permissions set to all sites. |
| Admin |
Add Admin Settings |
Permits users to add new administrative settings. Requires Site Permissions set to all sites. |
| Admin |
Edit Admin Settings |
Enables users to modify existing administrative settings. Requires Site Permissions set to all sites. |
| Admin |
Delete Admin Settings |
Allows users to delete administrative settings. Requires Site Permissions set to all sites. |
| Group |
Privilege |
Description |
| System |
Add/Modify Logo |
Allows users to change or add a new logo. |
| System |
View Email (Support Alerts) |
Grants permission to view support alert email configurations. |
| System |
Add/Modify Email (Support Alerts) |
Enables users to add or change support alert email configurations. |
| System |
View Advanced Options (Advanced) |
Provides access to view advanced system options. |
| System |
Suppression List |
Allows users to manage the suppression list. |
| System |
Add/Edit Welcome Message |
Permits the addition or modification of the welcome message displayed to users on login. |
For guidance on creating roles and assigning them to users or API clients, see the Role Based Access Control (RBAC) article.