Required Roles and Permissions
The Protegrity Agent uses role-based access control (RBAC) to govern access to its features. The Protegrity Policy Cloud gateway enforces all permissions through JSON Web Token (JWT) authentication. The Agent API does not perform permission checks internally.
Roles
The following table lists the permissions assigned to the roles.
| Roles | Description | Permissions |
|---|---|---|
| agent_admin | Grants full read-write access to policy, packages, and Insight | proagent_conversations_permission , proagent_responses_permission, proagent_health_permission, proagent_readiness_permission, proagent_liveness_permission, proagent_version_permission, proagent_ui_permission, proagent_doc_permission, proagent_log_permission, workbench_policy_view, workbench_policy_manage, workbench_certificate_export, workbench_package_export_dynamic, workbench_package_export_encrypted, insight_viewer, insight_admin, can_create_token, workbench_management_policy_read, workbench_management_policy_write |
| agent_reader | Restricts access to read-only operations | proagent_conversations_permission, proagent_responses_permission, proagent_health_permission, proagent_readiness_permission, proagent_liveness_permission, proagent_version_permission, proagent_ui_permission, proagent_doc_permission, proagent_log_permission, workbench_policy_view, insight_viewer, can_create_token, workbench_management_policy_read |
For more information about creating the role, refer to Working with Roles.
Permissions
Protegrity Agent API Permissions
These permissions control access to the core Agent endpoints. All endpoints are authenticated using the jwt_token method.
| Permission | Description | Protected Endpoint | HTTP Methods |
|---|---|---|---|
proagent_ui_permission | Access the Agent web dashboard interface | /pty/proagent/v1.0/ui, /pty/proagent/v1.0/ui* | GET, POST |
proagent_conversations_permission | Access conversation management endpoints | /pty/proagent/v1.0/conversations, /pty/proagent/v1.0/conversations* | GET, POST, DELETE |
proagent_responses_permission | Access response generation endpoints | /pty/proagent/v1.0/responses | POST |
proagent_doc_permission | Access the Agent documentation endpoints | /pty/proagent/v1.0/doc | GET |
proagent_log_permission | Access the Agent log endpoints | /pty/proagent/v1.0/log | GET, POST |
proagent_health_permission | Access health check endpoints | /pty/proagent/v1.0/health | GET |
proagent_readiness_permission | Access readiness probe endpoints | /pty/proagent/v1.0/ready | GET |
proagent_liveness_permission | Access liveness probe endpoints | /pty/proagent/v1.0/live | GET |
proagent_version_permission | Access version information endpoints | /pty/proagent/v1.0/version | GET |
Workbench Permissions
These permissions control access to Workbench features such as policy management and package distribution.
| Permission | Description |
|---|---|
workbench_policy_view | View policies and configurations |
workbench_policy_manage | Create, update, and delete policies and configurations |
workbench_certificate_export | Export certificates used by protectors for dynamic Resilient Packages |
workbench_package_export_dynamic | Distribute Resilient Packages dynamically |
workbench_package_export_encrypted | Export encrypted Resilient Packages |
workbench_management_policy_read | View policies and configurations in the Policy Workbench (official platform permission) |
workbench_management_policy_write | Manage policies and configurations in the Policy Workbench (official platform permission) |
Note: The
workbench_policy_viewandworkbench_management_policy_readare different permissions. The former are registered by the Agent product, while the latter are required for direct PIM/Workbench access. Both permission types must be included in roles.
Insight Permissions
These permissions control access to the Insight dashboard.
| Permission | Description |
|---|---|
insight_viewer | View the Insight dashboard |
insight_admin | Manage the Insight dashboard, including configuration and settings |
Administrative Permissions
These permissions control token creation and user management.
| Permission | Description |
|---|---|
can_create_token | Create authentication tokens for Agent access |
user_manager_admin | Manage user accounts and retrieve user token and profile information |
Feedback
Was this page helpful?