Permissions
In this section, you will find details about permissions in the StackSpot Account.
Permissions are a set of actions defined for one or more Resource Types on the platform. Resource Types represent the objects users interact with, such as Accounts, Workspaces, Plugins, Stacks, and Applications.
Interactions with resource types are called actions, and the available actions depend on the Resource Type. The Resource Type Owner is the StackSpot entity that a resource comes from: the StackSpot Platform (as a whole), Account, Workspace, Studios, or Insights.
Some examples of permissions:
- Permission to create a Workspace;
- Permission to create a Plugin;
- Permission to create a Stack.
The tables below list the permissions by Resource Type. Each permission has one of two scopes of application:
- Per Resource: Permissions that apply to specific instances of resources, such as an individual Studio, Stack, or Workspace.
- Account-Wide Context: Permissions applicable across the entire account without the need to specify a particular resource, such as managing members, creating groups, or viewing general reports.
Permissions labeled as "Per Resource" typically require the user to have explicit access to that specific Resource through groups or direct associations. In contrast, "Account-Wide Context" permissions apply more broadly across the entire account.
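The difference between the two scopes can be modeled as an authorization check that demands a resource association only for "Per Resource" permissions. This is an added example, not StackSpot code or its API: the `Principal` class, `is_allowed`, `account_wide_grants`, and the group and resource ids are hypothetical, while the scope labels are taken from the tables on this page.

```python
from dataclasses import dataclass, field

# Scope of Application per Resource Type, copied from the tables on this page.
SCOPE = {"Workspace": "Per Resource", "Studio": "Per Resource",
         "Member": "Account-Wide Context", "Encryption": "Account-Wide Context"}

@dataclass
class Principal:  # hypothetical model of a user, not a StackSpot object
    name: str
    grants: set = field(default_factory=set)   # (resource type, action) from roles
    groups: set = field(default_factory=set)   # group names the user belongs to
    direct: set = field(default_factory=set)   # resource ids associated directly

def is_allowed(user, rtype, action, resource_id=None, group_resources=None):
    """Return (decision, reason); anything not explicitly granted is denied."""
    if (rtype, action) not in user.grants:
        return False, "role does not grant this action"
    scope = SCOPE.get(rtype)
    if scope == "Account-Wide Context":
        return True, "account-wide grant"          # no resource id needed
    if scope != "Per Resource" or resource_id is None:
        return False, "unknown scope or missing resource id"
    if resource_id in user.direct:
        return True, "direct association"
    for group in sorted(user.groups):
        if resource_id in (group_resources or {}).get(group, set()):
            return True, f"via group {group}"
    return False, "no association with this resource"

def account_wide_grants(user):
    """Grants that apply to the whole account: review these first for least privilege."""
    return sorted(g for g in user.grants if SCOPE.get(g[0]) == "Account-Wide Context")

# Constructed sample data (group and resource ids are made up).
GROUP_RESOURCES = {"team-payments": {"ws-payments"}}
ALICE = Principal("alice", grants={("Workspace", "update"), ("Member", "view")},
                  groups={"team-payments"})

if __name__ == "__main__":
    for args in [("Workspace", "update", "ws-payments"),
                 ("Workspace", "update", "ws-billing"),
                 ("Member", "view", None)]:
        print(args, is_allowed(ALICE, *args, group_resources=GROUP_RESOURCES))
    print("account-wide:", account_wide_grants(ALICE))
```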
Permission Group (Resource Type Owner): StackSpot Platform
Permissions for managing the StackSpot Platform are based on roles. Therefore, Accounts, Studios, and Workspaces are categorized as resource types.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Account | create, update, activate, deactivate | Allows you to create, update, activate, or deactivate an account. | Account-Wide Context |
| Studio | create, update, delete, view, change visibility, setup, associate Workspace, disassociate Workspace, view Studio with restricted visibility | Allows you to create, delete, edit, and change the visibility of a Studio within a StackSpot Account. Also allows associating and disassociating a Workspace. | Per Resource |
| Workspace | create, update, delete, view | Allows you to create, delete, edit, and view a Workspace within a StackSpot Account. | Per Resource |
Permission Group: Account
Permissions for this resource type define what users can do with Account resources in StackSpot.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Partner | create, update, delete | Allows you to create, update, and delete a Partner Account. | Per Resource |
| APIs | associate, disassociate, grant and view access | Allows you to manage API access control and sharing with Partner Accounts. | Per Resource |
| Product | associate, disassociate | Allows you to manage API Product sharing with Partners. | Per Resource |
| Group | create, update, delete, associate, disassociate, view | Allows you to manage Groups. | Account-Wide Context |
| Role | create, update, delete, view, associate, disassociate | Allows you to create a new Role or assign a Role to a Group or user. | Account-Wide Context |
| Member | associate, create, update, view, view details | Allows you to assign roles to members, create new members, update member information, or view members. | Account-Wide Context |
| SCM | create, view, update | Allows you to configure, view, and update SCM credentials at the account level. | Account-Wide Context |
| User SCM | create, view, update | Allows you to update user-level SCM credentials. | Account-Wide Context |
| Invite | create, update, view, delete | Allows you to invite new members to the account, update pending invitations, view invitations, and revoke pending invitations. | Account-Wide Context |
| Credentials | view, create, update, delete, associate, disassociate | - | Account-Wide Context |
| Resource Type | view | Allows you to view resource types in the StackSpot Platform. | Account-Wide Context |
| Personal Access Token (PAT) | view, create | Allows you to view Personal Access Tokens and create Client ID/Client Secret Access Tokens. | Account-Wide Context |
| Resource | view | Allows you to view role and group resources. | Account-Wide Context |
| Permissions | view | Allows you to view group and role permissions in the StackSpot Platform. | Account-Wide Context |
| Knowledge Source (AI Platform Resource) | create, update, delete | Allows you to manage Knowledge Sources in the Account, including creating, updating (name, description, and Stack AI settings), and deleting Knowledge Sources in StackSpot AI. | Per Resource |
| Custom Quick Commands (AI Platform Resource) | create, update, delete | Allows you to manage Custom Quick Commands, including creating, updating (name, description, and Stack AI settings), and deleting Custom Quick Commands in StackSpot AI. | Per Resource |
| Custom Cloud Account (Cloud Sources Platform Resource) | view | - | Per Resource |
| Managed Cloud Account (Cloud Sources Platform Resource) | view | - | Per Resource |
| Finops Reports (Cloud Sources Platform Resource) | view | - | Account-Wide Context |
| Finops Billing (Cloud Sources Platform Resource) | download | - | Account-Wide Context |
| Finops Saving Plans (Cloud Sources Platform Resource) | request, cancel | - | Account-Wide Context |
| Finops Forecast (Cloud Sources Platform Resource) | view | - | Account-Wide Context |
| Support (Cloud Sources Platform Resource) | view, open, close | - | Account-Wide Context |
| Alerts (Cloud Sources Platform Resource) | acknowledge | Allows you to acknowledge Alerts in the Account. | Account-Wide Context |
| Baseline (Cloud Sources Platform Resource) | view, create, update | - | Per Resource |
| Cloud Platform | view, create, update, delete, support | Allows you to create, view, update, delete, and perform support actions for the Cloud Platform. | Account-Wide Context |
| Customized Workflow | deprecate, unpublish, publish, archive | Allows you to deprecate, unpublish, publish, and archive a version of a customized Workflow. | Per Resource |
| Toolkit | grant access, edit, view, update, delete, publish, create | Allows you to edit, view, update, delete, publish, and create a Toolkit. | Per Resource |
| Catalog Schema | create, view, update, delete, activate | Allows you to create, view, update, delete, and activate a Catalog Schema. | Per Resource |
| Catalog Entry | create, view, update, delete | Allows you to create, view, update, and delete a Catalog Entry. | Per Resource |
| Rate Limit Account | view, update | Allows you to view and update a Rate Limit Account. | Account-Wide Context |
| Feature Flag | associate | Allows you to associate a Feature Flag with an Account. | Account-Wide Context |
| Rate Limit Credential | create, view, update, delete | Allows you to create, view, update, and delete a Rate Limit Credential. | Per Resource |
| Encryption | view, view all | Allows you to decrypt/view encrypted values for all users. | Account-Wide Context |
| Extension | create, update, delete | Allows you to view, create, update, and delete new or existing Extensions. | Per Resource |
| Account Variable | view, create, update, delete | Allows you to view, create, update, and delete Account variables. | Account-Wide Context |
Permission Group: Studio
Permissions for this resource type define what users can do with Studio resources.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Plugins | publish, unpublish, deprecate, download, archive | Allows you to create Plugins, publish, deprecate, and unpublish Plugins in a Studio. | Per Resource |
| Action | publish, unpublish, deprecate, download | Allows you to publish, unpublish, and deprecate an Action in a Studio. | Per Resource |
| Stacks | create, update, delete, publish, unpublish, deprecate, configure, archive | Allows you to create, update, delete, publish, unpublish, deprecate, configure, and archive a Stack in a Studio. | Per Resource |
| Starters | create | Allows you to create Starters. | Per Resource |
| Stack AI (AI Platform Resource) | create, update, delete | Allows you to manage Stack AI content in Studios, including creating, updating (name, description, and AI Stack settings), and deleting a Stack AI in StackSpot AI. | Per Resource |
| Custom Quick Commands (AI Platform Resource) | publish, unpublish | Allows you to manage Custom Quick Commands in Studios. | Per Resource |
| Static Links | create, delete | Allows you to create and delete static links in a Stack version. | Per Resource |
| Workflow | usage insights, archive | Allows you to view Workflow usage insights and archive a Workflow. | Per Resource |
Permission Group: Workspace
Permissions for this resource type define what users can do with Workspace resources.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Stack | associate, disassociate, view | Allows you to add a Stack to a Workspace and configure it. | Per Resource |
| Plugins Setup | setup | Allows you to set inputs as mandatory in Workspace contexts. | Per Resource |
| Actions Setup | setup | Allows you to configure an Action in the Workspace. | Per Resource |
| Dynamic Link | create, update, delete | Allows you to create, update, and delete a Dynamic Link for an Application in a Workspace. | Per Resource |
| Static Links | create, update, delete, view | Allows you to manage the creation of Static Links. | Per Resource |
| Applications | create, delete, update, view, deploy | Allows you to create, delete, update, view, and deploy an Application in a Workspace. | Per Resource |
| Infrastructure | create, delete, update, view, deploy, destroy | Allows you to create, delete, update, view, deploy, and destroy Infrastructure in a Workspace. | Per Resource |
| Connection Interfaces (Manual) | create, delete, update, view | Allows you to manually manage the creation and visibility of Connection Interfaces to share with other Workspaces. | Per Resource |
| Connection Interfaces (Automatic) | view | Allows you to manage the visibility of Connection Interfaces to share with other Workspaces. | Per Resource |
| APIs | create, update, view, publish, unpublish | Allows you to manage the creation of catalog APIs. | Per Resource |
| Products | create, update, delete, view | Allows you to create and manage the API product catalog. | Per Resource |
| Cloud Providers | create, update | Allows you to configure cloud provider accounts per Workspace environment. | Per Resource |
| Stack AI (AI Platform Resource) | associate, disassociate | Allows you to manage Stack AI content in Workspaces, including associating/disassociating a Stack AI with a Workspace in StackSpot AI. | Per Resource |
| Knowledge Source (AI Platform Resource) | associate, disassociate | Allows you to manage Knowledge Sources in the Workspace, including associating/disassociating a Knowledge Source with a Workspace in StackSpot AI. | Per Resource |
| Custom Quick Commands (AI Platform Resource) | associate, disassociate | Allows you to manage Custom Quick Commands in Workspaces, including associating/disassociating a Custom Quick Command with a Workspace in StackSpot AI. | Per Resource |
| Alerts (Cloud Sources Platform Resource) | view, acknowledge | - | Per Resource |
| Guard Rails (Cloud Sources Platform Resource) | view, enable, disable | - | Per Resource |
| Custom Cloud Account (Cloud Sources Platform Resource) | view, create, update, delete | - | Per Resource |
| Managed Cloud Account (Cloud Sources Platform Resource) | view, create, update, delete | - | Per Resource |
| Cloud Resource (Cloud Sources Platform Resource) | view | - | Per Resource |
| Workspace Context | view, update | Allows you to configure and view context in the Workspace. | Per Resource |
| Workspace Workflow | view, update | Allows you to configure and view the Stack Workflow in the Workspace. | Per Resource |
| Account Workflow | view, update | Allows you to configure and view the Stack Workflow in the Account. | Account-Wide Context |
| APIv2 | create, update, view, consume | Allows you to create, update, view, and consume an API. | Per Resource |
| Workspace Variable | create, update, view | Allows you to create, update, and view a Workspace variable. | Per Resource |
| Monitoring | view | Allows you to view metrics monitoring. | Per Resource |
| Workflow | publish, download, unpublish, approve, deprecate | Allows you to publish/unpublish, approve, deprecate, and download a Workflow. | Per Resource |
| Workspace | view, update, delete, create secrets | Allows you to view, update, delete, and create secrets in the Workspace. | Per Resource |
Permission Group: Insights
Permissions for this resource type define what users can do with Insights resources.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Report | download_studio; download_account | Allows you to download history and data reports. | Per Resource |
Permission Group: Partner Account
Permissions for this resource type define what users can do with the Partner Account.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Member | view | Allows you to view all members of the Partner Account. | Account-Wide Context |
| Invite | create, view | Allows you to invite new members and view invitations. | Account-Wide Context |
| Client Application | create, view | Allows you to create and view the client Application. | Per Resource |
| API | view | Allows you to view the API catalog. | Per Resource |
Permission Group: Cloud
Permissions for this resource type define what users can do with Cloud resources.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Runtime | view | List runtimes in the Portal. | Per Resource |
| Deployment | create, view | List deployments in the Portal. | Per Resource |
Permission Group: Cloud Foundation
Permissions for this resource type define what users can do with Cloud Foundation resources.
| Resource Type | Action | Description | Scope of Application |
|---|---|---|---|
| Foundation | create, update, delete, support | Allows you to create, update, and delete Foundations. Also allows you to support Actions in the Foundation. | Per Resource |