What roles and permissions are available?
Short answer
Section titled “Short answer”Every user carries one of four base roles — Viewer, Technician, Manager, or Administrator — each bringing a fixed bundle of permissions. A user’s actual permissions are the union of the permissions from their base role and all custom roles assigned to them. A super admin implicitly holds all permissions.
Requirements
Section titled “Requirements”Role management is included in all plans.
The four base roles
Section titled “The four base roles”Notory has four base roles that build on one another. Each higher role includes the permissions of the one below it:
| Permission (area) | Viewer | Technician | Manager | Administrator |
|---|---|---|---|---|
| Read — assets, network, software, certificates, compliance, discovery, maintenance, operations, provisioning, reports | ✓ | ✓ | ✓ | ✓ |
| Write technical — edit assets/network/maintenance, start discovery | — | ✓ | ✓ | ✓ |
| Write functional — edit software/certificates/compliance/operations/provisioning, delete assets | — | — | ✓ | ✓ |
| Administration — admin area, manage users, manage roles, instance settings, manage API tokens, read audit log | — | — | — | ✓ |
| Manage tenants (create/delete) | super admin only |
The corresponding internal permission codes (also shown under those names in the
role editor) include: assets.read, assets.write, assets.delete,
network.read/write, software.read/write, certificates.read/write,
compliance.read/write, discovery.read, discovery.run, maintenance.read/write,
operations.read/write, provisioning.read/write, reports.read, as well as the
admin permissions access_admin, users.manage, roles.manage, tenants.manage,
instance.manage, apitokens.manage, and audit.read.
admin-benutzer-06 Roles tab in administration, with base roles and the permissions overview Assigning roles
Section titled “Assigning roles”-
Open a user. Administration → User Management → click a user. Change the base role directly in the Role field.
-
Assign custom roles. Using “Assign roles”, you can additionally select one or more custom roles that give the user further permissions. These add to the base role — they never take anything away.
The permission catalog (all assignable codes) is returned by:
curl -H "Authorization: Bearer inv_dein_token" \ https://demo.notory.io/api/v1/roles/permissionsYou list existing roles (global + your tenant’s) with GET /api/v1/roles. You replace
a user’s assigned custom roles entirely:
curl -X PUT https://demo.notory.io/api/v1/roles/assignments/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055 \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "role_ids": ["018f9b40-1c2d-7a11-8e3f-9b0a1c2d3e4f"] }'You change the base role (role) via the user endpoint
(PUT /api/v1/users/{id} with {"role": "manager"}).
Possible errors: 403 (not an administrator, or an attempt to assign a role from a
different tenant), 404 (unknown role ID).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Effective permissions = base role ∪ custom roles. For every check, Notory forms the union of the base role’s standard permissions and the permissions of all assigned custom roles. This lets you add permissions, but a custom role can never take any away — for that, choose a lower base role.
- A super admin trumps everything. A super admin implicitly holds every permission and completely bypasses the role check (they also see all data across tenants).
- Access to the admin area. The admin area only appears for users with the
access_adminpermission — the Administrator base role includes it, or you can grant it specifically via a custom role. - Global vs. tenant-bound. Roles are either global (for all tenants, manageable only by a super admin) or bound to your tenant. A role from a different tenant can never be assigned.
- System roles are protected. Built-in roles (
is_system) can be edited but not deleted.