Group Permissions
Groups have an optional list of permissions attached to them. When a user logs in, all permissions across all groups the user is a member of are aggregated and determine what actions a user is authorized for. There are two built-in groups, Administrators and All Users. The Administrators group has the Global Admin permission while the built-in All Users group has the User permission. All users are automatically a member of the All Users group.
To configure group settings:
Log into the UI as an administrator.
Select Groups.
Next to the desired group select Edit from the actions menu.
Select the Permissions tab to view and edit the permissions applied to the group.
The following table lists the permissions and descriptions of each permission.
Name | Description |
---|---|
User | Default level of permissions for normal users. |
Global Admin | Global Administrator with all permissions. |
Users View | View users and user information. |
Users Modify | Modify existing users. |
Users Create | Create new users. |
Users Delete | Delete existing users. |
Users Modify Admin | Modify users with Global Admin permissions. |
Users Auth Session | Login and logout on behalf of another user. |
Groups View | View groups, group members, and group settings. |
Groups Modify | Modify group members and settings. |
Groups Create | Create new groups. |
Groups Delete | Delete existing groups. |
Groups View IfMember | View groups you are a member of, excluding system groups. |
Groups Modify IfMember | Modify groups you are a member of, excluding system groups. |
Groups View System | View groups, group members and group settings of system defined groups. |
Groups Modify System | Modify group members and settings of system groups. |
Groups Delete System | Delete a system group. |
Agents View | View agents and agent settings. |
Agents Modify | Modify agent settings. |
Agents Create | Create agents. |
Agents Delete | Delete existing agents. |
Staging View | View staging list and stage configuration settings. |
Staging Modify | Modify existing staging settings. |
Staging Create | Create new staging configurations. |
Staging Delete | Delete existing staging configurations. |
Casting View | View casting list and casting configuration settings. |
Casting Modify | Modify existing casting settings. |
Casting Create | Create new casting configurations. |
Casting Delete | Delete existing casting configurations. |
Sessions View | View all user sessions. |
Sessions Modify | Perform modifications to a session of another user. |
Sessions Delete | Delete the session of another user. |
Session Recordings View | View user session recordings. |
Images View | View images. |
Images Modify | Modify image configurations. |
Images Create | Create new images. |
Images Delete | Delete existing images. |
Images Modify Resources | Modify image resource settings, such as CPU and Memory settings. |
DevAPI View | View developer API list. |
DevAPI Modify | Modify developer API configurations. |
DevAPI Create | Create a new developer API key. |
DevAPI Delete | Delete an existing developer API key. |
Webfilters View | View webfilters. |
Webfilters Modify | Modify existing webfilters. |
Webfilters Create | Create a new webfilter. |
Webfilters Delete | Delete an existing webfilter. |
Brandings View | View branding configurations. |
Brandings Modify | Modify existing branding configurations. |
Brandings Create | Create new branding configurations. |
Brandings Delete | Delete existing branding configurations. |
Settings View | View global settings. |
Settings Modify | Modify global settings in all categories. |
Settings Modify Auth | Modify global settings in the authentication category. |
Settings Modify Auth Captcha | Modify global settings in the authentication captcha category. |
Settings Modify Cast | Modify global settings in the casting category. |
Settings Modify Images | Modify global settings in the images category. |
Settings Modify License | Modify global settings in the license category. |
Settings Modify Logging | Modify global settings in the logging category. |
Settings Modify Manager | Modify global settings in the manager category. |
Settings Modify Scale | Modify global settings in the scale category. |
Settings Modify Subscription | Modify global settings in the subscription category. |
Settings Modify Filter | Modify global settings in the filter category. |
Settings Modify Storage | Modify global settings in the storage category. |
Settings Modify Connections | Modify global settings in the connections category. |
Settings Modify Theme | Modify global settings in the theme category. |
Auth View | View LDAP/OIDC/SAML configurations. |
Auth Modify | Modify LDAP/OIDC/SAML configurations. |
Auth Create | Create LDAP/OIDC/SAML configurations. |
Auth Delete | Delete LDAP/OIDC/SAML configurations. |
Licenses View | View licenses. |
Licenses Create | Add new licenses. |
Licenses Delete | Delete licenses. |
System View | View system information. |
System Export Schema | Export system schema. |
System Import Data | Import system data. |
System Export Data | Export system data. |
Reports View | View system reports and logging. Warning: Providing access to logs can provide a lot of potentially sensitive information. |
Managers View | View the managers. |
Managers Modify | Modify existing managers. |
Managers Create | Create a new manager. |
Managers Delete | Delete existing managers. |
Zones View | View Zones and Zone settings. |
Zones Modify | Modify Zone settings. |
Zones Create | Create new Zones. |
Zones Delete | Delete existing Zones. |
Companies View | View companies. |
Companies Modify | Modify existing company. |
Companies Create | Create a new company. |
Companies Delete | Delete an existing company. |
Connection Proxy View | View connection proxies. |
Connection Proxy Modify | Modify connection proxies. |
Connection Proxy Create | Create a connection proxy. |
Connection Proxy Delete | Delete an existing connection proxy. |
Physical Tokens View | View physical 2FA tokens. |
Physical Tokens Modify | Assign/Unassign physical 2FA tokens. |
Physical Tokens Create | Import or create physical 2FA tokens. |
Physical Tokens Delete | Delete a physical 2FA token. |
Servers View | View servers. |
Servers Modify | Modify existing servers. |
Servers Create | Create new servers. |
Servers Delete | Delete servers. |
Server Pools View | View server pools. |
Server Pools Modify | Modify server pools. |
Server Pools Create | Create a new server pool. |
Server Pools Delete | Delete a server pool. |
Autoscale View | View auto scale configurations. |
Autoscale Modify | Modify an existing auto scale configuration. |
Autoscale Create | Create a new auto scale configuration. |
Autoscale Delete | Delete auto scale configurations. |
VM Provider View | View VM Provider configurations. |
VM Provider Modify | Modify VM Provider configurations. |
VM Provider Create | Create new VM Provider configurations. |
VM Provider Delete | Delete VM Provider configurations. |
Autoscale Schedule View | View an auto scale schedule. |
Autoscale Schedule Modify | Modify an auto scale schedule. |
Autoscale Schedule Create | Create an auto scale schedule. |
Autoscale Schedule Delete | Delete an auto scale schedule. |
DNS Providers View | View DNS provider configurations. |
DNS Providers Modify | Modify DNS provider configurations. |
DNS Providers Create | Create new DNS Provider configurations. |
DNS Providers Delete | Delete DNS Provider configurations. |
Registries View | View Workspace Registries. |
Registries Modify | Modify existing Workspace Registries. |
Registries Create | Add new Workspace Registries. |
Registries Delete | Delete a Workspace Registry. |
Storage Providers View | View Storage Providers. |
Storage Providers Modify | Modify existing Storage Providers. |
Storage Providers Create | Create new Storage Providers. |
Storage Providers Delete | Delete an existing Storage Provider. |
Egress Providers View | View Egress Providers. |
Egress Providers Modify | Modify existing Egress Providers. |
Egress Providers Create | Create new Egress Providers. |
Egress Providers Delete | Delete an existing Egress Provider. |
Egress Gateways View | View Egress Gateways. |
Egress Gateways Modify | Modify existing Egress Gateways. |
Egress Gateways Create | Create new Egress Gateways. |
Egress Gateways Delete | Delete an existing Egress Gateway. |
Egress Credentials View | View Egress Credentials. |
Egress Credentials Modify | Modify existing Egress Credentials. |
Egress Credentials Create | Create new Egress Credentials. |
Egress Credentials Delete | Delete an existing Egress Credential. |
Permission Changes
A user’s permissions are embedded in their session token, which is generated on login. A user’s token lifetime is controlled by the Session Lifetime global setting. The UI will get a new session token every 5 minutes. The fastest way to apply new permissions is to have the user log out and log back in; otherwise, the change will generally apply within 5 minutes.
Permission Dependencies
While most permissions can stand alone, there are dependencies between some permissions. Generally, a Modify, Create, and/or Delete permission will need the corresponding View permission. The following are additional permission dependencies, which means you will need to grant multiple permissions to have the desired effect.
Licenses View requires System View
Permissions View requires Groups View
Registries View requires Images View, System View, and Agents View
Autoscale View requires Server Pools View
Autoscale Schedule View requires Server Pools View
DNS Providers View requires Server Pools View
VM Providers View requires Server Pools View and Autoscale View
Users Delete requires Sessions Delete if the target user has running sessions and Users Modify
Users Delete requires Users Modify Admin to delete a user that has the Global Admin permission
Egress Gateways Create, Egress Gateways Modify, Egress Gateways Delete, Egress Credentials Create, Egress Credentials Modify and Egress Credentials Delete require Egress Providers Modify.
There are many cases where multiple permissions are not required; however, certain UI elements will be hidden if the user does not have the permissions to view them. For example, a user may have permissions to View Images but not permissions to View Servers. If the user goes to view an individual Workspace Image that targets a Server, they will not see the drop down to view or edit the server the image is targeting.
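The aggregation and dependency rules above can be checked mechanically before a group is handed out. The following is an added example, not code from the product: it unions the permissions of a user's groups and reports prerequisites the user lacks. Group names other than the built-ins and all memberships are constructed; the conditional Users Delete rules are not modelled, and the general View rule is applied only to plain "Resource Action" names.

```python
ACTIONS = ("Modify", "Create", "Delete")

# "Additional permission dependencies" copied from this page's list.
# The two Users Delete rules depend on the target user and are left out.
EXTRA_DEPS = {
    "Licenses View": {"System View"},
    "Permissions View": {"Groups View"},
    "Registries View": {"Images View", "System View", "Agents View"},
    "Autoscale View": {"Server Pools View"},
    "Autoscale Schedule View": {"Server Pools View"},
    "DNS Providers View": {"Server Pools View"},
    "VM Providers View": {"Server Pools View", "Autoscale View"},
    **{f"Egress {kind} {act}": {"Egress Providers Modify"}
       for kind in ("Gateways", "Credentials") for act in ACTIONS},
}

# Constructed sample groups (only All Users and Administrators are built in).
GROUP_PERMS = {
    "All Users": ["User"],
    "Administrators": ["Global Admin"],
    "Image Maintainers": ["Images View", "Images Modify", "Registries View"],
    "Egress Operators": ["Egress Gateways View", "Egress Gateways Create"],
    "Pool Viewers": ["Server Pools View", "Autoscale View"],
}

def effective_permissions(user_groups, group_perms):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in user_groups:
        perms |= set(group_perms.get(group, ()))
    return perms

def required_for(perm):
    """Prerequisites the page lists for `perm`."""
    needed = set(EXTRA_DEPS.get(perm, ()))
    resource, _, action = perm.rpartition(" ")
    if action in ACTIONS:  # general rule: Modify/Create/Delete need View
        needed.add(f"{resource} View")
    return needed

def audit(user_groups, group_perms):
    """Map each held permission to the prerequisites the user is missing."""
    held = effective_permissions(user_groups, group_perms)
    if "Global Admin" in held:  # Global Admin carries all permissions
        return {}
    gaps = {p: sorted(required_for(p) - held) for p in sorted(held)}
    return {p: missing for p, missing in gaps.items() if missing}

if __name__ == "__main__":
    groups = ["All Users", "Image Maintainers", "Egress Operators"]
    for perm, missing in audit(groups, GROUP_PERMS).items():
        print(f"{perm}: missing {', '.join(missing)}")
```
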
Special Permissions
There are more available permissions around groups, beyond the basic View, Create, Modify, and Delete. The Groups View IfMember and Groups Modify IfMember permissions allow a user to view or modify a group if they are a member of that group. This does not extend to built-in system groups (All Users and Administrators). To edit or view System groups, they will also need the Groups View/Modify System permission.
There is an additional permission that protects modification of users with the Global Admin permission. In order to modify a Global Admin, the user requesting the modification must themselves be a Global Admin or have the Users Modify Admin permission.
There are two permissions that allow modifications to Workspace Images, Images Modify and Images Modify Resources. The Images Modify permission allows modification of all Image settings except those that would modify the physical/virtual compute resources. The following settings require the Images Modify Resources permission to edit:
GPU Count
Cores
Memory
CPU Allocation Method
Uncompressed Image Size
Docker Registry
Docker Registry Username
Docker Registry Password
Hash
Volume Mappings
Docker Run Config Override
Docker Exec Config