Reference: User permissions and names
This reference describes the permissions granted to the five default Puppet Enterprise (PE) user roles, as well as the display name and system name for each type and permission.
Permissions vary by type. Permission scope can sometimes be refined by an object specification. For an explanation of these terms, refer to Structure of user permissions.
Each type and permission has a display name, which is the name you see in the PE console, and a system name, which is the name used in the RBAC API. The Permissions for default roles table uses display names. Refer to the Display names and system names table to find the corresponding system name for each display name.
Permissions for default roles
This table lists permissions granted to the default PE user roles, a description of what is allowed by each permission, any object specification or node group inheritance conditions, and which roles (if any) the permissions are assigned to by default.
Type | Permission | Definition | Roles |
---|---|---|---|
Certificate requests | Accept and reject | Accept and reject certificate signing requests. Object must always be | |
Configuration | View and edit | View and edit configuration, such as the disclaimer message on the PE console login page. | Administrators |
Console | View | View the PE console. Object must always be | |
Directory service | View, edit, and test | View, edit, and test directory service settings. Object must always be | Administrators |
Job orchestrator | Start, stop and view jobs | Start and stop jobs and tasks, view jobs and job progress, and view an inventory of the nodes connected to the PCP broker. | |
Node groups | Create, edit, and delete child groups | Create new child groups, delete existing child groups, and modify every attribute of child groups except environment. This permission is inherited by all descendants of the node group. | |
Node groups | Edit child group rules | Edit the rules of descendants of a node group. This does not grant the ability to edit the rules of the group in the This permission is inherited by all descendants of the node group. | |
Node groups | Edit classes, parameters, and variables | Edit every attribute of a node group except its environment and rule. This permission is inherited by all descendants of the node group. | |
Node groups | Edit configuration data | Edit parameterized configuration data on a node group. This permission is inherited by all descendants of the node group. | |
Node groups | Edit parameters and variables | Edit the class parameters and variables of a node group's classes. This permission is inherited by all descendants of the node group. | |
Node groups | Set environment | Set the environment of a node group. This permission is inherited by all descendants of the node group. | |
Node groups | View | See all attributes of a node group, including the values of class parameters and variables. This permission is inherited by all descendants of the node group. | |
Nodes | Edit node data from PuppetDB | Edit node data imported from PuppetDB. Object must always be | Administrators |
Nodes | View node data from PuppetDB | View node data imported from PuppetDB. Object must always be | Administrators |
Nodes | View sensitive connection information in inventory service | View sensitive parameters stored in the inventory service for a connection, such as user credentials. Object must always be | Administrators |
Nodes | Add and delete connection information from inventory service | Add new connections to the inventory service and delete existing connections. | Administrators |
Plans | Run plans | Run specific plans on all nodes. | Administrators |
Projects | Deploy projects | Not used. | |
Projects | Run tasks and plans from projects | Not used. | |
Puppet agent | Run Puppet on agent nodes | Trigger a Puppet run from the console or orchestrator. Object must always be | |
Puppet environment | Deploy code | Deploy code to a specific PE environment. | |
Puppet Server | Compile catalogs for remote nodes | Compile a catalog for any node managed by this PE instance. This permission is required to run impact analysis tasks in Continuous Delivery. | Administrators |
Scheduled jobs | Delete another user's scheduled jobs | Delete scheduled jobs created by the user specified in the permission. This can be granted per user. | Administrators |
Tasks | Run tasks | Run specific tasks on all nodes, on nodes in a selected node group, or on nodes matching a PQL query. A task must be permitted to run on all nodes in order to run on nodes that are outside PuppetDB (for example, over SSH or WinRM). As a result, users with such permissions can run tasks on any nodes they have the credentials to access. | Administrators |
User groups | Delete | Delete a user group. This can be granted per group. | Administrators |
User groups | Import | Import groups from the directory service for use in RBAC. Object must always be | Administrators |
User roles | Create | Create new roles. Object must always be | Administrators |
User roles | Edit | Edit and delete a role. Object must always be | Administrators |
User roles | Edit members | Change which users and groups a role is assigned to. This can be granted per role. | Administrators |
Users | Create | Create new local users. This permission applies to local users only; remote users are "created" when they authenticate with RBAC for the first time. Object must always be | Administrators |
Users | Edit | Edit local user data (such as names or email addresses) and delete local or remote users from PE. This can be granted per user. | Administrators |
Users | Reset password | Grant password reset tokens to users who have forgotten their passwords. Granting a password reset token also reinstates a user who has been revoked. This can be granted per user. | Administrators |
Users | Revoke | Revoke or disable a user, so the user can no longer authenticate and use the console, node classifier, or RBAC API. This permission also includes the ability to revoke a user's authentication tokens. This can be granted per user. | Administrators |
Display names and system names
Each type and permission has a display name and a system name. The display name is the name you see in the PE console. The system name is the name used with the RBAC API. This table provides the display name and system name for each type and corresponding permissions. Types are listed multiple times if there are multiple permissions associated with that type.
Type display name | Type system name | Permission display name | Permission system name |
---|---|---|---|
Certificate requests | cert_requests | Accept and reject | accept_reject |
Configuration | configuration | View | view |
Configuration | configuration | Edit | edit |
Console | console_page | View | view |
Directory service | directory_service | View, edit, and test | edit |
Job orchestrator | orchestrator | Start, stop and view jobs | view |
Node groups | node_groups | Create, edit, and delete child groups | modify_children |
Node groups | node_groups | Edit child group rules | edit_child_rules |
Node groups | node_groups | Edit classes, parameters, and variables | edit_classification |
Node groups | node_groups | Edit configuration data | edit_config_data |
Node groups | node_groups | Edit parameters and variables | edit_params_and_vars |
Node groups | node_groups | Set environment | set_environment |
Node groups | node_groups | View | view |
Nodes | nodes | Edit node data from PuppetDB | edit_data |
Nodes | nodes | View node data from PuppetDB | view_data |
Nodes | nodes | View sensitive connection information in inventory service | view_inventory_sensitive |
Plans | plans | Run plans | run |
Puppet agent | puppet_agent | Run Puppet on agent nodes | run |
Puppet environment | environment | Deploy code | deploy_code |
Puppet Server | puppetserver | Compile catalogs for remote nodes | compile_catalogs |
Tasks | tasks | Run tasks | run |
User groups | user_groups | Import | import |
User roles | user_roles | Create | create |
User roles | user_roles | Edit | edit |
User roles | user_roles | Edit members | edit_members |
Users | users | Create | create |
Users | users | Edit | edit |
Users | users | Reset password | reset_password |
Users | users | Revoke | disable |
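As an added worked example (not code from this page, the Puppet docs, or Puppet), the Python below turns the display names in the tables above into the system names the RBAC API uses, and audits a role definition for the grants the permission table itself flags as wide-reaching: tasks and plans on all nodes, password resets that reinstate revoked users, sensitive inventory data, and wildcard grants on types the page says can be granted per object. The permission JSON shape `{"object_type", "action", "instance"}` and the `*` wildcard instance are assumptions taken from the RBAC v1 API rather than from this page, so verify them against the RBAC API reference for your PE release; the `Helpdesk` role is a constructed sample, not a PE default role.

```python
"""Map PE display names to RBAC system names and audit a role's permissions.

Added example, not Puppet's code. The name pairs are the ones tabulated on
the reference page. ASSUMPTIONS not on the page: the RBAC API represents a
permission as {"object_type", "action", "instance"} and uses "*" as the
instance meaning "every object of that type" (RBAC v1 API).
"""
import json

# (type display name, permission display name) -> (type system name, permission system name)
SYSTEM_NAMES = {
    ("Certificate requests", "Accept and reject"): ("cert_requests", "accept_reject"),
    ("Configuration", "View"): ("configuration", "view"),
    ("Configuration", "Edit"): ("configuration", "edit"),
    ("Console", "View"): ("console_page", "view"),
    ("Directory service", "View, edit, and test"): ("directory_service", "edit"),
    ("Job orchestrator", "Start, stop and view jobs"): ("orchestrator", "view"),
    ("Node groups", "Create, edit, and delete child groups"): ("node_groups", "modify_children"),
    ("Node groups", "Edit child group rules"): ("node_groups", "edit_child_rules"),
    ("Node groups", "Edit classes, parameters, and variables"): ("node_groups", "edit_classification"),
    ("Node groups", "Edit configuration data"): ("node_groups", "edit_config_data"),
    ("Node groups", "Edit parameters and variables"): ("node_groups", "edit_params_and_vars"),
    ("Node groups", "Set environment"): ("node_groups", "set_environment"),
    ("Node groups", "View"): ("node_groups", "view"),
    ("Nodes", "Edit node data from PuppetDB"): ("nodes", "edit_data"),
    ("Nodes", "View node data from PuppetDB"): ("nodes", "view_data"),
    ("Nodes", "View sensitive connection information in inventory service"): ("nodes", "view_inventory_sensitive"),
    ("Plans", "Run plans"): ("plans", "run"),
    ("Puppet agent", "Run Puppet on agent nodes"): ("puppet_agent", "run"),
    ("Puppet environment", "Deploy code"): ("environment", "deploy_code"),
    ("Puppet Server", "Compile catalogs for remote nodes"): ("puppetserver", "compile_catalogs"),
    ("Tasks", "Run tasks"): ("tasks", "run"),
    ("User groups", "Import"): ("user_groups", "import"),
    ("User roles", "Create"): ("user_roles", "create"),
    ("User roles", "Edit"): ("user_roles", "edit"),
    ("User roles", "Edit members"): ("user_roles", "edit_members"),
    ("Users", "Create"): ("users", "create"),
    ("Users", "Edit"): ("users", "edit"),
    ("Users", "Reset password"): ("users", "reset_password"),
    ("Users", "Revoke"): ("users", "disable"),
}

# Permissions whose reach the reference table itself calls out.
HIGH_IMPACT = {
    ("tasks", "run"): "tasks permitted on all nodes also run on nodes outside PuppetDB (SSH/WinRM)",
    ("plans", "run"): "runs plans on all nodes",
    ("puppet_agent", "run"): "triggers Puppet runs from the console or orchestrator",
    ("puppetserver", "compile_catalogs"): "compiles a catalog for any managed node",
    ("nodes", "view_inventory_sensitive"): "reveals stored connection credentials",
    ("users", "reset_password"): "a reset token also reinstates a revoked user",
    ("user_roles", "edit_members"): "changes which users and groups hold a role",
    ("user_roles", "edit"): "edits and deletes roles",
}

# Types the page says can be granted per object (per user, group, role) or per node group.
SCOPABLE = {"users", "user_groups", "user_roles", "node_groups"}


def to_api_permission(type_display, perm_display, instance="*"):
    """Translate console display names into an RBAC API permission object (assumed shape)."""
    object_type, action = SYSTEM_NAMES[(type_display, perm_display)]
    return {"object_type": object_type, "action": action, "instance": instance}


def audit_role(role):
    """Return findings: high-impact grants, and wildcard grants on types that can be scoped."""
    findings = []
    for perm in role["permissions"]:
        key = (perm["object_type"], perm["action"])
        label = f"{key[0]}:{key[1]}"
        if key in HIGH_IMPACT:
            findings.append(f"{label}: {HIGH_IMPACT[key]}")
        if key[0] in SCOPABLE and perm["instance"] == "*":
            findings.append(f"{label}: granted on every object; scope it to specific instances")
    return findings


# Constructed sample role for the audit; not one of the PE default roles.
HELPDESK_ROLE = {
    "display_name": "Helpdesk",
    "description": "constructed sample",
    "permissions": [
        to_api_permission("Console", "View"),
        to_api_permission("Node groups", "View"),
        to_api_permission("Users", "Reset password"),
        to_api_permission("Tasks", "Run tasks"),
    ],
}

if __name__ == "__main__":
    print(json.dumps(HELPDESK_ROLE, indent=2))
    for finding in audit_role(HELPDESK_ROLE):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the `tasks:run` and `users:reset_password` grants as high impact and flags the wildcard `users` and `node_groups` grants for per-object scoping; `console_page:view` produces nothing, since the page says its object must always be the single global value. Pass a user, group, role or node-group ID as `instance` to `to_api_permission` when building a least-privilege role from the same table.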