Permissions list

1. Introduction

This document explains all system permissions within the Org Admin app (OAA). It is designed to help Administrators understand what actions each permission allows and how it affects the user interface (UI).

2. UI impact definitions

To understand how permissions work, it is important to distinguish between two main UI impacts:

  • Show:

    • Meaning: The UI element (such as a button, tab, or section) is only visible if the user has the required permission.

    • If permission is missing: The element is completely hidden from the UI.

  • Enable:

    • Meaning: The UI element is visible to all, but it only becomes interactive (clickable/editable) if the user has the appropriate permission.

    • If permission is missing: The element remains visible but disabled (e.g., grayed out).

3. Permissions by module

Here is a detailed list of permissions, grouped by functional module.

Module: Users

  • View internal list users & details: Allows viewing the account list and basic profile info (Tabs: General, Role, WorkSpace, Privacy).

  • Create account: Allows creating a new user with profile info and setting an initial password.

  • Edit account: Allows editing the user's General tab (e.g., name, email, phone number).

  • Lock/Unlock account: Allows temporarily disabling or re-enabling user login access.

  • Delete account: Allows permanently deleting a user account and removing all associated app/group assignments.

  • Export: Allows downloading the internal account list as a CSV file (no password or sensitive tokens included).

  • Reset password: Allows sending a reset password email or setting a new password manually for the user.

  • View Security: Allows viewing a user's security configuration (2FA/MFA status, trusted devices, session metadata).

  • Edit Security: Allows modifying user security settings (e.g., reset MFA, clear trusted devices, force logout).

  • Manage User role: Allows assigning or removing roles from individual users.

  • View Audit log: Allows viewing user activity history (logins, password changes, MFA resets, etc.).

  • View external list account: Allows viewing the list of invited guests and external users in the org.

  • Invite guest: Allows sending an invitation to an external user with temporary access.

  • Remove guest: Allows revoking an external user's access.

Module: Groups

  • View Group: Allows viewing the list of groups, group type, and number of members.

  • Create Group: Allows creating new groups, specifying type and membership rules.

  • Edit Group: Allows editing the group name, type, and membership configuration.

  • Delete Group: Allows permanently deleting a group.

  • Manage Group membership: Allows manually adding or removing user accounts to/from groups.

  • Manage Group role: Allows assigning or revoking roles applied at the group level (roles will apply to all members).

Module: Workspace management

  • View all workspaces: Allows viewing the list of all workspaces, their type, number of members, and status.

  • Create Workspace: Allows creating a new workspace. The creator is auto-assigned the "WS Admin" role for that workspace.

  • Manage Workspace: Grants full permissions to perform all management actions available in the WorkSpace App.

Module: Roles

  • View Role: Allows viewing the list of roles, their descriptions, and where they are currently assigned.

  • Create Role: Allows creating a custom role. (Note: Only Super Admin has this permission.)

  • Edit Role: Allows editing a role's name, description, and its set of permissions.

  • Delete Role: Allows permanently deleting a role (only if it is not in use and not system-protected).

Module: Applications

  • View Application: Allows viewing the list of registered applications and their status (enabled/disabled), type, and usage.

  • Manage Application: Allows creating new apps (e.g., SAML/OIDC), editing metadata (name, logo, redirect URL), or deleting them.

  • Configure App Availability: Allows controlling which workspaces are allowed to use each app.

Module: Profile

  • View Organization profile: Allows viewing organization info (name, logo, address, contact email, timezone, language).

  • Edit Organization profile: Allows editing the basic profile (name, logo, contact, default timezone/language, etc.).

Module: Domains

  • View Domain: Allows viewing all domains linked to the organization and their verification status.

  • Manage Domain: Allows adding new domains, updating records for verification, or removing domains.

Module: Security

  • View Security setting: Grants read-only access to all security configurations (2FA, password policy, session rules, etc.).

  • Manage MFA setting: Allows configuring 2FA enforcement and allowed methods.

  • Manage Password policy: Allows setting rules for password length, complexity, reuse, and expiration.

  • Manage Session policy: Allows defining max device limits, timeouts, and force logout rules.

  • Manage Location policy: Allows controlling allowed countries or IPs for login (Whitelisting).

Module: Org Unit

  • View Units: Allows viewing the OU tree structure and the detailed information for each OU.

  • Manage Org Units: Allows users to create new OUs, edit OU information (name, description), and change an OU's parent to move it in the tree.

  • Delete Unit: Allows deleting an OU from the system (requires handling members and child OUs before deletion).

4. Predefined roles

The system includes the following default roles:

  • Super Admin (Org Admin):

    • Description: Full access to all features.

    • Permissions: Full permission across all modules of the Org Admin app.

  • Group Manager:

    • Description: Manage Groups.

    • Permissions: Full permission of module: Groups.

  • Workspace Manager:

    • Permissions: Full permission of module: Workspace management.

  • Help desk:

    • Description: Limited support actions.

    • Permissions: View internal list account & details, Reset password, and Lock/Unlock accounts.

5. Default role assignment rules

  • Initial User setup: The first user who successfully registers an organization is automatically granted the Super Admin role.

  • Assigning Super Admin: Only users with the Super Admin role can assign this role to others.

  • Default invite assignment:

    • When an Org Admin invites a new member, the user will join with the Member role by default.

    • Users with the Member role do not have access to the Org Admin app; they can only view their own profile.

    • The Admin can manually assign a different role during the invite flow if needed.
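The following is an added example, not part of the OAA documentation or product code: a small model of the rules in sections 2, 4 and 5 (Show/Enable gating, the predefined roles, and the Super Admin assignment rule) that an administrator can use to check least-privilege expectations such as "Help desk cannot delete accounts". Only a subset of the permission strings is encoded; the role and permission names follow the page, and the `User Manager` role used in the checks is a hypothetical custom role.

```python
# Added example (not the OAA's own code): models the role/permission rules
# described on this page. Only a subset of permission strings is encoded.

GROUPS_MODULE = {"View Group", "Create Group", "Edit Group", "Delete Group",
                 "Manage Group membership", "Manage Group role"}
WORKSPACE_MODULE = {"View all workspaces", "Create Workspace", "Manage Workspace"}
HELP_DESK = {"View internal list users & details", "Reset password",
             "Lock/Unlock account"}
# Sensitive permissions held by no predefined role other than Super Admin.
PRIVILEGED = {"Delete account", "Edit Security", "Manage User role",
              "Create Role", "Manage MFA setting"}

ROLE_PERMISSIONS = {
    "Super Admin": GROUPS_MODULE | WORKSPACE_MODULE | HELP_DESK | PRIVILEGED,
    "Group Manager": set(GROUPS_MODULE),
    "Workspace Manager": set(WORKSPACE_MODULE),
    "Help desk": set(HELP_DESK),
    "Member": set(),  # no access to the Org Admin app at all
}


def permissions_for(roles, catalog=ROLE_PERMISSIONS):
    """Effective permissions are the union over all roles the user holds."""
    return set().union(*(catalog[r] for r in roles))


def ui_state(roles, permission, impact, catalog=ROLE_PERMISSIONS):
    """Section 2: a 'show' element is hidden without the permission; an
    'enable' element stays visible but disabled."""
    if permission in permissions_for(roles, catalog):
        return "interactive"
    return "hidden" if impact == "show" else "disabled"


def can_assign_role(actor_roles, target_role, catalog=ROLE_PERMISSIONS):
    """Section 5: Super Admin can only be granted by a Super Admin; any
    other role requires the 'Manage User role' permission."""
    if target_role == "Super Admin":
        return "Super Admin" in actor_roles
    return "Manage User role" in permissions_for(actor_roles, catalog)


def invite_role(inviter_roles, requested_role=None, catalog=ROLE_PERMISSIONS):
    """Default invite assignment: Member, unless the inviter picks another
    role that they are themselves allowed to assign."""
    role = requested_role or "Member"
    if role != "Member" and not can_assign_role(inviter_roles, role, catalog):
        raise PermissionError(f"{sorted(inviter_roles)} may not assign {role}")
    return role
```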
