Permissions Reference
The granular permission system described here is part of Advanced RBAC and requires Fides Plus.
Permissions in the Advanced RBAC system follow a resource_type:action naming convention. Each permission controls access to a specific operation on a specific type of resource.
Viewing all permissions
From the UI
Navigate to Settings > Role Management and click on any role. The permission matrix displays all available permissions grouped by resource type.
From the API
```bash
# List all available permissions
curl https://your-fides-instance/api/v1/plus/rbac/permissions \
  -H "Authorization: Bearer $TOKEN"

# Filter by resource type
curl "https://your-fides-instance/api/v1/plus/rbac/permissions?resource_type=system" \
  -H "Authorization: Bearer $TOKEN"
```
Permission structure
Each permission has the following attributes:
| Field | Description |
|---|---|
| code | The unique permission identifier (e.g., system:read) |
| description | A human-readable explanation of what the permission grants |
| resource_type | The category of resource this permission applies to (e.g., system, privacy-request) |
Permissions by resource type
The tables below list the core permission groups. The full set of permissions is seeded from the Fides scope registry and may include additional permissions specific to your deployment.
System permissions
| Permission | Description |
|---|---|
| system:create | Create new systems |
| system:read | View system configurations |
| system:update | Modify system configurations |
| system:delete | Remove systems |
Privacy request permissions
| Permission | Description |
|---|---|
| privacy-request:create | Submit new privacy requests |
| privacy-request:read | View privacy requests and their status |
| privacy-request:review | Approve or deny privacy requests |
| privacy-request:delete | Remove privacy requests |
| privacy-request:upload_data | Upload data for manual processing steps |
| privacy-request:resume | Resume paused privacy requests |
| privacy-request:transfer | Transfer privacy request ownership |
User management permissions
| Permission | Description |
|---|---|
| user:create | Create new users |
| user:read | View user accounts |
| user:update | Modify user accounts |
| user:delete | Remove user accounts |
| user-permission:read | View user permission assignments |
| user-permission:create | Assign permissions to users |
| user-permission:update | Modify user permission assignments |
RBAC management permissions
| Permission | Description |
|---|---|
| rbac_role:create | Create new roles |
| rbac_role:read | View role definitions and permissions |
| rbac_role:update | Modify role details and permissions |
| rbac_role:delete | Remove roles |
| rbac_permission:read | View available permissions |
| rbac_user_role:create | Assign roles to users |
| rbac_user_role:read | View user role assignments |
| rbac_user_role:delete | Remove user role assignments |
| rbac_constraint:create | Create separation of duties constraints |
| rbac_constraint:read | View constraints |
| rbac_constraint:delete | Remove constraints |
| rbac:evaluate | Evaluate user permissions |
Connection and integration permissions
| Permission | Description |
|---|---|
| connection:create_or_update | Create or update integration connections |
| connection:read | View connections |
| connection:delete | Remove connections |
| connection:authorize | Authorize third-party connections (e.g., OAuth) |
| connection_type:read | View available connection types |
| saas_config:create_or_update | Create or update SaaS configurations |
| saas_config:read | View SaaS configurations |
| saas_config:delete | Remove SaaS configurations |
| dataset:create_or_update | Create or update datasets |
| dataset:read | View datasets |
| dataset:delete | Remove datasets |
Consent permissions
| Permission | Description |
|---|---|
| consent:read | View consent settings |
| privacy-notice:create | Create privacy notices |
| privacy-notice:read | View privacy notices |
| privacy-notice:update | Modify privacy notices |
| privacy-experience:create | Create privacy experiences |
| privacy-experience:read | View privacy experiences |
| privacy-experience:update | Modify privacy experiences |
Configuration permissions
| Permission | Description |
|---|---|
| config:read | View application configuration |
| config:update | Modify application configuration |
| organization:create | Create organizations |
| organization:read | View organization details |
| organization:update | Modify organization settings |
| storage:create_or_update | Configure storage destinations |
| storage:read | View storage configurations |
| storage:delete | Remove storage configurations |
| messaging:create_or_update | Configure messaging providers |
| messaging:read | View messaging configurations |
| messaging:delete | Remove messaging configurations |
System role permission mappings
The built-in system roles have the following permission profiles:
| Role | Permission scope |
|---|---|
| Owner | All permissions |
| Contributor | All permissions except organization-level configuration and owner user management |
| Viewer + Approver | All read permissions, plus privacy request review and approval |
| Approver | Privacy request creation, review, and management only |
| Viewer | All read permissions |
| Internal Respondent | Privacy request read and manual task completion |
| External Respondent | Manual task completion only (no UI access) |
System role permissions are fixed and cannot be modified. To customize permissions beyond what system roles offer, create a custom role.
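The following is an added example, not code from Fides or the Fides documentation, showing how the resource_type:action convention, the permission record structure (code, description, resource_type) and the role mappings above can be used when reviewing a custom role before it is created. It assumes only what this page states about the permission records; the sample records are constructed from the tables on this page and stand in for the response of the permissions endpoint, whose full contents on a real deployment are seeded from the scope registry and may differ. The set of "privilege-managing" resource types is the example's own audit grouping, not a Fides definition.

```python
"""Audit helpers for Fides Advanced RBAC permission codes (added example, not Fides code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed sample: a subset of the seeded permission list, in the record
# shape documented on this page (code, description, resource_type).
SAMPLE_PERMISSIONS = [
    {"code": "system:read", "description": "View system configurations", "resource_type": "system"},
    {"code": "system:delete", "description": "Remove systems", "resource_type": "system"},
    {"code": "privacy-request:read", "description": "View privacy requests and their status", "resource_type": "privacy-request"},
    {"code": "privacy-request:review", "description": "Approve or deny privacy requests", "resource_type": "privacy-request"},
    {"code": "privacy-request:upload_data", "description": "Upload data for manual processing steps", "resource_type": "privacy-request"},
    {"code": "rbac_user_role:create", "description": "Assign roles to users", "resource_type": "rbac_user_role"},
    {"code": "rbac_user_role:read", "description": "View user role assignments", "resource_type": "rbac_user_role"},
    {"code": "connection:create_or_update", "description": "Create or update integration connections", "resource_type": "connection"},
]

# Resource types whose non-read actions change who is allowed to do what.
# This grouping is an assumption made for the audit below, not a Fides definition.
PRIVILEGE_MANAGING_TYPES = {"rbac_role", "rbac_user_role", "rbac_constraint", "user-permission"}


class Permission(NamedTuple):
    code: str
    resource_type: str
    action: str


def parse_permission(code: str) -> Permission:
    """Split a 'resource_type:action' code on its first colon; reject malformed codes."""
    resource_type, sep, action = code.partition(":")
    if not sep or not resource_type or not action:
        raise ValueError(f"not a resource_type:action code: {code!r}")
    return Permission(code, resource_type, action)


def inconsistent_records(records: Iterable[dict]) -> List[str]:
    """Codes whose prefix disagrees with the record's own resource_type field."""
    return [r["code"] for r in records
            if parse_permission(r["code"]).resource_type != r["resource_type"]]


def group_by_resource_type(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Group codes by resource_type, keeping registry order (as the UI matrix groups them)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[r["resource_type"]].append(r["code"])
    return dict(groups)


def read_only_profile(records: Iterable[dict]) -> Set[str]:
    """Every ':read' permission, i.e. the scope this page describes for the Viewer role."""
    return {r["code"] for r in records if parse_permission(r["code"]).action == "read"}


def check_access(granted: Iterable[str], required: str) -> bool:
    """Exact-match check; no wildcard or implied-permission semantics are assumed."""
    parse_permission(required)  # validates the requested code before comparing
    return required in set(granted)


def unknown_grants(granted: Iterable[str], registry: Iterable[dict]) -> List[str]:
    """Grants in a proposed custom role that the deployment's seeded registry does not define."""
    known = {r["code"] for r in registry}
    return [g for g in granted if g not in known]


def privilege_managing_grants(granted: Iterable[str]) -> List[str]:
    """Non-read grants on privilege-managing resource types; these merit review in a custom role."""
    flagged = []
    for g in granted:
        p = parse_permission(g)
        if p.resource_type in PRIVILEGE_MANAGING_TYPES and p.action != "read":
            flagged.append(g)
    return flagged


if __name__ == "__main__":
    # Constructed proposed custom role to review against the sample registry.
    custom_role = ["system:read", "privacy-request:read", "rbac_user_role:create", "dataset:read"]
    for rtype, codes in group_by_resource_type(SAMPLE_PERMISSIONS).items():
        print(f"{rtype}: {', '.join(codes)}")
    print("viewer-like scope:", sorted(read_only_profile(SAMPLE_PERMISSIONS)))
    print("grants not in registry:", unknown_grants(custom_role, SAMPLE_PERMISSIONS))
    print("privilege-managing grants:", privilege_managing_grants(custom_role))
```

To run this against a live deployment, replace SAMPLE_PERMISSIONS with the JSON returned by the permissions endpoint shown above; the checks are deliberately exact-match so that a custom role only ever holds codes the registry actually defines.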