Privileges in ANT ID
Privileges are differentiated by scope:
- Platform (Admin console)
- Selfservice
- Emergency access
- Operation console
- Management console (TAC, GAC)
- Stats dashboard
- Vault

Each table below lists the privilege key, the topics it is tagged with, its type (READ or WRITE) and a description where one exists. Privilege keys are unique only within their scope: the same key (for example GROUP_VIEW, ROLE_VIEW or USER_DELETE) appears in more than one scope with a different meaning, so a role must always be read as scope plus key.
Platform privileges (mostly for Admin console) - scope: PLATFORM
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| ALL_TENANT_VIEW | TENANT, PLATFORM | READ | |
| ALL_TENANT_CREATE | TENANT, PLATFORM | WRITE | |
| ALL_TENANT_UPDATE | TENANT, PLATFORM | WRITE | |
| ALL_TENANT_DELETE | TENANT, PLATFORM | WRITE | |
| USER_VIEW | USERS, PLATFORM | READ | |
| USER_CREATE | USERS, PLATFORM | WRITE | |
| USER_UPDATE | USERS, PLATFORM | WRITE | |
| USER_DELETE | USERS, PLATFORM | WRITE | |
| GROUP_VIEW | AUTHORIZATION, PLATFORM | READ | |
| GROUP_CREATE | AUTHORIZATION, PLATFORM | WRITE | |
| GROUP_UPDATE | AUTHORIZATION, PLATFORM | WRITE | |
| GROUP_DELETE | AUTHORIZATION, PLATFORM | WRITE | |
| ROLE_VIEW | AUTHORIZATION, PLATFORM | READ | |
| ROLE_CREATE | AUTHORIZATION, PLATFORM | WRITE | |
| ROLE_UPDATE | AUTHORIZATION, PLATFORM | WRITE | |
| ROLE_DELETE | AUTHORIZATION, PLATFORM | WRITE | |
| TENANT_UPDATE | CONFIGURATION | WRITE | |
| TENANT_USER_VIEW | USERS | READ | |
| TENANT_USER_CREATE | USERS | WRITE | |
| TENANT_USER_UPDATE | USERS | WRITE | |
| TENANT_USER_DELETE | USERS | WRITE | |
| TENANT_GROUP_VIEW | AUTHORIZATION | READ | |
| TENANT_GROUP_CREATE | AUTHORIZATION | WRITE | |
| TENANT_GROUP_UPDATE | AUTHORIZATION | WRITE | |
| TENANT_GROUP_DELETE | AUTHORIZATION | WRITE | |
| TENANT_ROLE_VIEW | AUTHORIZATION | READ | |
| TENANT_ROLE_CREATE | AUTHORIZATION | WRITE | |
| TENANT_ROLE_UPDATE | AUTHORIZATION | WRITE | |
| TENANT_ROLE_DELETE | AUTHORIZATION | WRITE | |
| GLOBAL_DASHBOARD_VIEW | | READ | |
Selfservice - scope: SELFSERVICE
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| PASSWORD_UPDATE | AUTHENTICATION, USERS | WRITE | |
| INFO_UPDATE | USERS | WRITE | |
| INFO_VIEW | USERS | READ | |
| TOKEN_ENROLL | TOKENS, USERS | WRITE | |
| TOKEN_DELETE | TOKENS, USERS | WRITE | |
| TOKEN_VIEW | TOKENS, USERS | READ | |
| TOKEN_TEMPLATE_VIEW | TOKENS, USERS | READ | |
| TOKEN_MODIFY | TOKENS, USERS | WRITE | |
| TOKEN_DISABLE | TOKENS, USERS | WRITE | |
| TOKEN_ENABLE | TOKENS, USERS | WRITE | |
| TOKEN_TEST | TOKENS, USERS | READ | |
| TOKEN_SYNC | TOKENS, USERS | WRITE | |
| QUESTION_MAGIC_VIEW | USERS, AUTHENTICATION | READ | |
| QUESTION_MAGIC_UPDATE | USERS, AUTHENTICATION | WRITE | |
| MY_REQUESTS_LIST | APPROVALS | READ | |
| MY_REQUESTS_VIEW | APPROVALS | READ | |
| MY_APPROVALS_LIST | APPROVALS | READ | |
| MY_APPROVALS_VIEW | APPROVALS | READ | |
| MY_APPROVALS_APPROVE | APPROVALS | WRITE | |
| MY_APPROVALS_DECLINE | APPROVALS | WRITE | |
| INVITATION_CREATE | INVITATIONS, USERS | WRITE | |
| INVITATION_VIEW | INVITATIONS, USERS | READ | |
| INVITATION_RECALL | INVITATIONS, USERS | WRITE | |
| INVITATION_DELETE | INVITATIONS, USERS | WRITE | |
| ELASTIC_SEARCH_LOG | AUDIT | READ | |
| SELF_SERVICE_LINK_ACCESS | CONFIGURATION | READ | |
Emergency access - scope: EA
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| AD_RESET | AUTHENTICATION | READ | Password reset |
| AD_UNLOCK | AUTHENTICATION | READ | Unlock + unblock account (in AD and Safewalk) |
| EMERGENCY_ACCESS | AUTHENTICATION, TOKENS | READ | Create emergency access code |
| VSEC_UNBLOCK | AUTHENTICATION, DEVICES, VSEC | READ | Unlock vSEC card |

Note: all four EA privileges carry type READ, but each one changes state (resets a password, unlocks an account or card, or issues an emergency access code). When reviewing role assignments, treat them with the same care as WRITE privileges.
Operational console - scope: OPERATION
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| VSEC_SMART_CARD_TEMPLATE | VSEC, DEVICES, AUTHENTICATION | READ | |
| VSEC_SMART_CARD_SEARCH | VSEC, DEVICES, AUTHENTICATION | WRITE | |
| VSEC_SMART_CARD_REVOKE | VSEC, DEVICES, AUTHENTICATION | WRITE | |
| VSEC_SMART_CARD_DELETE | VSEC, DEVICES, AUTHENTICATION | WRITE | |
| VSEC_DEVICE_ISSUE | VSEC, DEVICES, AUTHENTICATION | WRITE | |
| VSEC_DEVICE_SEARCH | VSEC, DEVICES, AUTHENTICATION | READ | |
| VSEC_DEVICE_DELETE | VSEC, DEVICES, AUTHENTICATION | WRITE | |
| TOKEN_ON_BEHALF_TEMPLATE_VIEW | USERS, TOKENS, AUTHENTICATION | READ | |
| TOKEN_ON_BEHALF_VIEW | USERS, TOKENS, AUTHENTICATION | READ | |
| TOKEN_ON_BEHALF_ENROLL | USERS, TOKENS | WRITE | |
| TOKEN_ON_BEHALF_MODIFY | USERS, TOKENS | WRITE | |
| TOKEN_ON_BEHALF_DISABLE | USERS, TOKENS | WRITE | |
| TOKEN_ON_BEHALF_ENABLE | USERS, TOKENS | WRITE | |
| TOKEN_ON_BEHALF_DELETE | USERS, TOKENS | WRITE | |
| TOKEN_ON_BEHALF_TEST | USERS, TOKENS | READ | |
| TOKEN_ON_BEHALF_SYNC | USERS, TOKENS | WRITE | |
| TOKEN_HW_LIST | TOKENS, DEVICES | READ | |
| TOKEN_HW_VIEW | TOKENS, DEVICES | WRITE | |
| USER_LIST | USERS | WRITE | |
| USER_AUTHENTICATE | USERS, AUTHENTICATION | WRITE | |
| USER_TRANSACTION_LOG | USERS, AUTHORIZATION, AUDIT | READ | |
| USER_DELETE | USERS | WRITE | |
| USER_ENROLL | USERS, ENROLLMENT | WRITE | |
| USER_DETAILS_DISPLAY | USERS | READ | |
| USER_DETAILS_UPDATE | USERS | WRITE | |
| USER_SYNCHRONIZE | USERS | WRITE | |
| USER_UNLOCK | USERS, AUTHORIZATION | WRITE | |
| USER_LDAP_STATUS | USERS | READ | |
| ACCESS_EMERGENCY_CREATE | USERS, AUTHORIZATION, TOKENS | WRITE | |
| OPERATIONAL_CONSOLE_VIEW | MANDATORY | READ | |
Management - TAC, GAC - scope: MANAGEMENT
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| APPROVAL_UPDATE | APPROVALS, MANAGEMENT | WRITE | Create/update/delete approval actions and configuration |
| APPROVAL_VIEW | APPROVALS, MANAGEMENT | READ | View approval actions and configurations |
| ONBOARD_EXT_UPDATE | INVITATIONS, MANAGEMENT | WRITE | Create/update/delete external/sponsoring invitations |
| ONBOARD_EXT_VIEW | INVITATIONS, MANAGEMENT | READ | View and list external/sponsoring invitations |
| ONBOARD_LDAP_UPDATE | INVITATIONS, MANAGEMENT | WRITE | Create/update/delete LDAP invitations |
| ONBOARD_LDAP_VIEW | INVITATIONS, MANAGEMENT | READ | View and list LDAP invitations |
| PROFILE_UPDATE | AAD, MANAGEMENT | WRITE | Create/update/delete AAD profiles |
| PROFILE_VIEW | AAD, MANAGEMENT | READ | View and list AAD profiles |
| NOTIFICATION_VIEW | MANAGEMENT | READ | View email templates |
| NOTIFICATION_UPDATE | MANAGEMENT | WRITE | Update email templates |
| NOTIFICATION_PUBLISH | MANAGEMENT | WRITE | Publish email templates |
| GROUP_VIEW | MANAGEMENT, AUTHORIZATION | READ | View groups |
| GROUP_UPDATE | MANAGEMENT, AUTHORIZATION | WRITE | Create/update/delete groups |
| ADMIN_GROUP_VIEW | MANAGEMENT, AUTHORIZATION, PLATFORM | READ | View platform groups - displayed in the GAC section |
| ADMIN_GROUP_UPDATE | MANAGEMENT, AUTHORIZATION, PLATFORM | WRITE | Create/update/delete platform groups - displayed in the GAC section |
| ROLE_VIEW | MANAGEMENT, AUTHORIZATION | READ | View roles |
| ROLE_UPDATE | MANAGEMENT, AUTHORIZATION | WRITE | Create/update/delete roles |
| ADMIN_ROLE_VIEW | MANAGEMENT, AUTHORIZATION, PLATFORM | READ | View platform roles - displayed in the GAC section |
| ADMIN_ROLE_UPDATE | MANAGEMENT, AUTHORIZATION, PLATFORM | WRITE | Create/update/delete platform roles - displayed in the GAC section |
| PRIVILEGE_VIEW | MANAGEMENT, AUTHORIZATION | READ | View privileges |
| ADMIN_PRIVILEGE_VIEW | MANAGEMENT, AUTHORIZATION, PLATFORM | READ | View platform privileges - displayed in the GAC section |
| APP_CATALOGUE_VIEW | MANAGEMENT, CONFIGURATION | READ | Display the Application catalogue in the menu |
| APP_CATALOGUE_CREATE | MANAGEMENT, CONFIGURATION | WRITE | Create a new application |
| APP_CATALOGUE_MODIFY | MANAGEMENT, CONFIGURATION | WRITE | Modify an application |
| APP_CATALOGUE_DELETE | MANAGEMENT, CONFIGURATION | WRITE | Delete an application |
| THEMES_VIEW | MANAGEMENT, THEMES | READ | View the themes section in TAC |
| THEMES_CREATE | MANAGEMENT, THEMES | WRITE | Create themes |
| THEMES_MODIFY | MANAGEMENT, THEMES | WRITE | Modify themes |
| THEMES_DELETE | MANAGEMENT, THEMES | WRITE | Delete themes |
Stats dashboard - scope: STATS
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| CLIENT_CREATE | MANAGEMENT, PLATFORM | WRITE | |
| CLIENT_DELETE | MANAGEMENT, PLATFORM | WRITE | |
| FCMS_PROVIDER_CREATE | PROVIDERS, PLATFORM | WRITE | |
| FCMS_PROVIDER_MODIFY | PROVIDERS, PLATFORM | WRITE | |
| FCMS_PROVIDER_DELETE | PROVIDERS, PLATFORM | WRITE | |
| LICENSE_VIEW | LICENSES | READ | |
| PRICES_VIEW | LICENSES, MANAGEMENT, STATISTICS | READ | |
| LICENSE_CREATE | LICENSES | WRITE | |
| LICENSE_MODIFY | LICENSES | WRITE | |
| LICENSE_DELETE | LICENSES | WRITE | |
| TASK_SCHEDULED_VIEW | MANAGEMENT | READ | |
| TASK_SCHEDULED_CREATE | MANAGEMENT | WRITE | |
| TASK_SCHEDULED_MODIFY | MANAGEMENT | WRITE | |
| TASK_SCHEDULED_DELETE | MANAGEMENT | WRITE | |
| TASK_SCHEDULED_RUN | MANAGEMENT | WRITE | |
| FCMS_PROVIDER_CONFIGURATION_VIEW | PROVIDERS | READ | |
| FCMS_PROVIDER_CONFIGURATION_CREATE | PROVIDERS | WRITE | |
| FCMS_PROVIDER_CONFIGURATION_MODIFY | PROVIDERS | WRITE | |
| FCMS_PROVIDER_CONFIGURATION_DELETE | PROVIDERS | WRITE | |
| TAP_PROVIDER_VIEW | PROVIDERS | READ | |
| TAP_PROVIDER_CREATE | PROVIDERS | WRITE | |
| TAP_PROVIDER_MODIFY | PROVIDERS | WRITE | |
| TAP_PROVIDER_DELETE | PROVIDERS | WRITE | |
| SMS_PROVIDER_VIEW | PROVIDERS | READ | |
| SMS_PROVIDER_CREATE | PROVIDERS | WRITE | |
| SMS_PROVIDER_MODIFY | PROVIDERS | WRITE | |
| SMS_PROVIDER_DELETE | PROVIDERS | WRITE | |
| STATISTICS_DISPLAY | PROVIDERS | READ | |
| SMS_STATISTICS_DISPLAY | STATISTICS | READ | |
| LICENSE_SMS_STATISTICS_DISPLAY | STATISTICS | READ | |
| TAP_STATISTICS_DISPLAY | STATISTICS | READ | |
| SSO_STATISTICS_DISPLAY | STATISTICS | READ | |
| VX_STATISTICS_DISPLAY | STATISTICS | READ | |
| FCMS_STATISTICS_DISPLAY | STATISTICS | READ | |
| LDAP_STATISTICS_DISPLAY | STATISTICS | READ | |
| STATIC_STATISTICS_DISPLAY | STATISTICS | READ | |
| COMBO_STATISTICS_DISPLAY | STATISTICS | READ | |
| CONFIGURATION_DISPLAY | MANAGEMENT | READ | |
| RETARUS_SMS_PROVIDER_VIEW | MANAGEMENT | READ | |
| RETARUS_SMS_PROVIDER_MODIFY | MANAGEMENT | WRITE | |
| PLATFORM_TASK_SCHEDULED_VIEW | MANAGEMENT, PLATFORM | READ | |
| PLATFORM_TASK_SCHEDULED_CREATE | MANAGEMENT, PLATFORM | WRITE | |
| PLATFORM_TASK_SCHEDULED_MODIFY | MANAGEMENT, PLATFORM | WRITE | |
| PLATFORM_TASK_SCHEDULED_DELETE | MANAGEMENT, PLATFORM | WRITE | |
| PLATFORM_TASK_SCHEDULED_RUN | MANAGEMENT, PLATFORM | WRITE | |
Vault - scope: VAULT
| Privilege key | Topic | Type | Description |
|---|---|---|---|
| VAULT_LINK_ACCESS | CONFIGURATION | READ | |
| USER | SECRETS | WRITE | |
| CREATE_ROOT_FOLDER | SECRETS | WRITE | |
| CONNECTIONS | CONNECTIONS | WRITE | |
| CREATE_CONNECTION_ROOT_FOLDER | CONNECTIONS | WRITE | |
| REPORTS | REPORTS, AUDIT | WRITE | |
| ORPHANS_ADMIN | SECRETS | WRITE | |
| TEMPLATE_SUPERADMIN_MODIFY | SECRETS, MANAGEMENT | WRITE | Overrides ownership - can modify any template |
| TEMPLATE_SUPERADMIN_VIEW | SECRETS, MANAGEMENT | READ | Overrides ownership - can see any template |
| TEMPLATE_ADMIN_MODIFY | SECRETS, MANAGEMENT | WRITE | Can create a new template |
| TEMPLATE_ADMIN_VIEW | SECRETS, MANAGEMENT | READ | Can view the templates page; can modify a template if owner |
| PASSWORD_POLICY_ADMIN | SECRETS, MANAGEMENT | WRITE | Can view and create password policies |
| LAUNCHER_ADMIN | LAUNCHERS, MANAGEMENT | WRITE | Can view launchers (subject to privileges) and create a new launcher |
| API | SECRETS | WRITE | Legacy privilege, used by the Vault web service |
| REINDEX | MANAGEMENT | WRITE | Can reindex the search engine |
| INTEGRATION | MANAGEMENT | WRITE | Can access the integration part of the Vault settings |

Note: the TEMPLATE_SUPERADMIN_* privileges bypass template ownership entirely, so they belong only in tightly held roles, not in general Vault user roles.
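Because the same key appears under several scopes (GROUP_VIEW is listed under PLATFORM and MANAGEMENT, USER_DELETE under PLATFORM and OPERATION), any enforcement or review tooling has to key on the pair (scope, privilege key), never on the key alone. The following is an added example written for this page, not ANT ID code: it parses a constructed subset of the tables above (with the scope prepended as a first column), makes a scope-aware allow decision that fails closed on pairs the catalogue does not define, and audits a role for grants an assignment review would want flagged. The role definition, the hypothetical key TENANT_NUKE, and the reading of the MANDATORY topic as "required to enter that console" are assumptions made for the example.

```python
"""Scope-aware privilege checks over an ANT ID style privilege catalogue.

Added example for this page, not ANT ID code. CATALOGUE_TEXT copies a
subset of the rows above, with the scope prepended as a first column;
the role, the check and the audit rules are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed subset of the page's tables: scope | key | topics | type | description
CATALOGUE_TEXT = """
PLATFORM    | GROUP_VIEW                 | AUTHORIZATION, PLATFORM             | READ  |
PLATFORM    | ALL_TENANT_DELETE          | TENANT, PLATFORM                    | WRITE |
PLATFORM    | USER_DELETE                | USERS, PLATFORM                     | WRITE |
SELFSERVICE | TOKEN_VIEW                 | TOKENS, USERS                       | READ  |
EA          | AD_RESET                   | AUTHENTICATION                      | READ  | Password reset
OPERATION   | USER_DELETE                | USERS                               | WRITE |
OPERATION   | OPERATIONAL_CONSOLE_VIEW   | MANDATORY                           | READ  |
MANAGEMENT  | GROUP_VIEW                 | MANAGEMENT, AUTHORIZATION           | READ  | view groups
MANAGEMENT  | ADMIN_ROLE_UPDATE          | MANAGEMENT, AUTHORIZATION, PLATFORM | WRITE | create/update/delete platform roles
VAULT       | TEMPLATE_SUPERADMIN_VIEW   | SECRETS, MANAGEMENT                 | READ  | Overcome ownership - can see anything
VAULT       | TEMPLATE_SUPERADMIN_MODIFY | SECRETS, MANAGEMENT                 | WRITE | Overcome ownership - can modify any template
"""


@dataclass(frozen=True)
class Privilege:
    scope: str
    key: str
    topics: frozenset
    type: str          # READ or WRITE, exactly as the catalogue labels it
    description: str


def parse_catalogue(text):
    """Build a (scope, key) -> Privilege map; reject malformed or duplicate rows."""
    catalogue = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cells = [c.strip() for c in raw.split("|")]
        if len(cells) != 5:
            raise ValueError(f"malformed row: {raw!r}")
        scope, key, topics, ptype, desc = cells
        if ptype not in ("READ", "WRITE"):
            raise ValueError(f"unknown type {ptype!r}: {raw!r}")
        if (scope, key) in catalogue:
            raise ValueError(f"duplicate privilege {(scope, key)}")
        topic_set = frozenset(t.strip() for t in topics.split(",") if t.strip())
        catalogue[(scope, key)] = Privilege(scope, key, topic_set, ptype, desc)
    return catalogue


CATALOGUE = parse_catalogue(CATALOGUE_TEXT)


def is_allowed(grants, scope, key):
    """Allow only if the exact (scope, key) pair is granted and defined.

    MANAGEMENT GROUP_VIEW does not satisfy PLATFORM GROUP_VIEW; undefined
    pairs fail closed.
    """
    if (scope, key) not in CATALOGUE:
        return False
    return (scope, key) in grants


def audit_role(grants):
    """Least-privilege review: unknown grants, WRITE grants, ownership overrides,
    and scopes used without their MANDATORY privilege (assumption: the MANDATORY
    topic marks the privilege needed to enter that console)."""
    unknown = sorted(g for g in grants if g not in CATALOGUE)
    known = [CATALOGUE[g] for g in grants if g in CATALOGUE]
    scopes = {p.scope for p in known}
    return {
        "unknown": unknown,
        "write": sorted((p.scope, p.key) for p in known if p.type == "WRITE"),
        "ownership_override": sorted(
            (p.scope, p.key) for p in known
            if p.description.startswith("Overcome ownership")
        ),
        "missing_mandatory": sorted(
            (p.scope, p.key) for p in CATALOGUE.values()
            if "MANDATORY" in p.topics and p.scope in scopes
            and (p.scope, p.key) not in grants
        ),
    }


# Constructed role: a tenant helpdesk role carrying one stale, mistyped grant.
HELPDESK_ROLE = frozenset({
    ("MANAGEMENT", "GROUP_VIEW"),
    ("OPERATION", "USER_DELETE"),
    ("VAULT", "TEMPLATE_SUPERADMIN_VIEW"),
    ("PLATFORM", "TENANT_NUKE"),        # hypothetical key, not in the catalogue
})

if __name__ == "__main__":
    print(is_allowed(HELPDESK_ROLE, "MANAGEMENT", "GROUP_VIEW"))  # True
    print(is_allowed(HELPDESK_ROLE, "PLATFORM", "GROUP_VIEW"))    # False: same key, other scope
    for finding, items in audit_role(HELPDESK_ROLE).items():
        print(f"{finding}: {items}")
```

Running the audit on the constructed role reports the unknown PLATFORM grant, the OPERATION USER_DELETE write, the Vault ownership override, and that the role uses the OPERATION scope without OPERATIONAL_CONSOLE_VIEW. Replacing CATALOGUE_TEXT with the full tables from this page (scope column added) turns the same script into a review tool for real role exports.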