Returns the caller's permissions

GET /sys/v1/users/permissions

Returns the caller's permissions

Security
HTTP
Type: bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Query parameters
GetUserPermissionsParams
object
with_implied
boolean

If true, implied permissions are added in the output. For example, if permission A implies permission B, and the user has permission A, the output will include both A and B if this is set to true. If this is set to false, B will only be returned if it was assigned to the user directly.
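
An offline audit of this endpoint's response, added here as an example and not part of the original API reference: it expands implied permissions from a `with_implied=false` style response and checks the CREATE_PLUGINS prerequisites listed further down this page. Assumptions: implication is applied transitively, `all_groups` permissions apply in every group, the keys of `groups` are group identifiers, and the function names, group names and sample response are constructed for illustration.

```python
# Added example: audits a GET /sys/v1/users/permissions response offline.
# The "Implies" edges are copied from this page's permission descriptions
# (only the subset needed here); applying them transitively is an assumption.

# Security-object permissions the page lists as plugin-creation prerequisites.
SOBJECT_PREREQS = {
    "CREATE_SOBJECTS", "EXPORT_SOBJECTS", "COPY_SOBJECTS", "WRAP_SOBJECTS",
    "UNWRAP_SOBJECTS", "ENCAPSULATE_SOBJECTS", "DECAPSULATE_SOBJECTS",
    "DERIVE_SOBJECTS", "TRANSFORM_SOBJECTS", "UPDATE_SOBJECTS_ENABLED_STATE",
    "ROTATE_SOBJECTS", "DELETE_SOBJECTS", "REVOKE_SOBJECTS",
    "ACTIVATE_SOBJECTS", "MOVE_SOBJECTS", "UPDATE_KEY_OPS",
    "UPDATE_SOBJECT_POLICIES", "UPDATE_SOBJECTS_PROFILE",
}
# Group permissions required in each target group to create a plugin.
CREATE_PLUGIN_GROUP_PREREQS = SOBJECT_PREREQS | {
    "GET_GROUP", "GET_SOBJECTS", "GET_APPS", "GET_PLUGINS", "GET_AUDIT_LOGS",
}
CREATE_PLUGIN_ACCOUNT_PREREQ = "GET_ALL_USERS"

IMPLIES = {p: {"GET_SOBJECTS"} for p in SOBJECT_PREREQS}
IMPLIES.update({
    "ENCAPSULATE_SOBJECTS": {"CREATE_SOBJECTS"},
    "DECAPSULATE_SOBJECTS": {"CREATE_SOBJECTS"},
    "MANAGE_PLUGINS": {"CREATE_PLUGINS", "UPDATE_PLUGINS", "INVOKE_PLUGINS",
                       "DELETE_PLUGINS", "GET_PLUGINS"},
    "CREATE_PLUGINS": {"GET_PLUGINS"}, "UPDATE_PLUGINS": {"GET_PLUGINS"},
    "INVOKE_PLUGINS": {"GET_PLUGINS"}, "DELETE_PLUGINS": {"GET_PLUGINS"},
    "MANAGE_APPS": {"CREATE_APPS", "UPDATE_APPS", "RETRIEVE_APP_SECRETS",
                    "DELETE_APPS", "GET_APPS"},
    "CREATE_APPS": {"GET_APPS"}, "UPDATE_APPS": {"GET_APPS"},
    "RETRIEVE_APP_SECRETS": {"GET_APPS"}, "DELETE_APPS": {"GET_APPS"},
    "UPDATE_GROUP_PROFILE": {"GET_GROUP"}, "DELETE_GROUP": {"GET_GROUP"},
    "MANAGE_ACCOUNT_USERS": {"INVITE_USERS_TO_ACCOUNT",
                             "DELETE_USERS_FROM_ACCOUNT",
                             "UPDATE_USERS_ACCOUNT_ROLE",
                             "UPDATE_USERS_ACCOUNT_ENABLED_STATE",
                             "GET_ALL_USERS"},
    "INVITE_USERS_TO_ACCOUNT": {"GET_ALL_USERS"},
    "DELETE_USERS_FROM_ACCOUNT": {"GET_ALL_USERS"},
})


def expand(perms):
    """Return perms plus everything they imply (transitive closure)."""
    seen, stack = set(), list(perms)
    while stack:
        perm = stack.pop()
        if perm not in seen:
            seen.add(perm)
            stack.extend(IMPLIES.get(perm, ()))
    return seen


def plugin_create_gaps(resp):
    """Map each group where the caller can create plugins to the
    prerequisites it still lacks there; fully covered groups are omitted."""
    account = expand(resp.get("account") or [])
    all_groups = resp.get("all_groups") or []   # null unless all-groups roles
    gaps = {}
    for group, perms in (resp.get("groups") or {}).items():
        effective = expand(list(perms) + list(all_groups))
        if "CREATE_PLUGINS" not in effective:
            continue
        missing = set(CREATE_PLUGIN_GROUP_PREREQS - effective)
        if CREATE_PLUGIN_ACCOUNT_PREREQ not in account:
            missing.add("account:" + CREATE_PLUGIN_ACCOUNT_PREREQ)
        if missing:
            gaps[group] = sorted(missing)
    return gaps


# Constructed sample response (directly assigned permissions only).
SAMPLE = {
    "account": ["INVITE_USERS_TO_ACCOUNT"],
    "all_groups": None,
    "groups": {
        "grp-build": ["MANAGE_PLUGINS", "MANAGE_APPS", "UPDATE_GROUP_PROFILE"]
                     + sorted(SOBJECT_PREREQS - {"CREATE_SOBJECTS"}),
        "grp-readonly": ["GET_SOBJECTS", "INVOKE_PLUGINS"],
    },
}

if __name__ == "__main__":
    for group, missing in plugin_create_gaps(SAMPLE).items():
        print(f"{group}: CREATE_PLUGINS held, prerequisites missing: {missing}")
```

Comparing `expand()` output against a real `with_implied=true` response is a quick way to confirm the transitivity assumption for a given deployment.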

Responses
2XX

Success result

object
account
Array of string (AccountPermissions)

User's permissions in the account.

string

MANAGE_LOGGING: Permission to manage logging integrations, and enable/disable error logging.

MANAGE_AUTH: Permission to manage SSO and password policy.

MANAGE_WORKSPACE_CSE: Permission to manage Workspace CSE configuration.

UNWRAP_WORKSPACE_CSE_PRIVILEGED: Permission required for Workspace CSE PrivilegedUnwrap API. Note that UNWRAP_WORKSPACE_CSE permission in the group where the key is stored is also required.

MANAGE_ACCOUNT_CLIENT_CONFIGS: Permission to manage account level client configurations.

MANAGE_PLUGIN_CODE_SIGNING_POLICY: Permission to manage plugin code signing policy.

CREATE_ACCOUNT_APPROVAL_POLICY: Permission to create account-level approval policy. Note that updating/deleting the approval policy is protected by the approval policy itself.

SET_APPROVAL_REQUEST_EXPIRY: Permission to set approval request expiry for all approval requests created in the account.

MANAGE_APPROVAL_REQUEST_SETTINGS: Permission to manage all approval request settings including approval request expiry. Implies SET_APPROVAL_REQUEST_EXPIRY.

UPDATE_ACCOUNT_CUSTOM_METADATA_ATTRIBUTES: Permission to update account's custom metadata attributes.

MANAGE_ACCOUNT_SUBSCRIPTION: Permission to manage account subscription (only relevant for SaaS accounts).

MANAGE_ACCOUNT_PROFILE: Permission to update account name, custom logo, and other profile information.

DELETE_ACCOUNT: Permission to delete the account.

CREATE_ADMIN_APPS: Permission to create administrative apps. Implies GET_ADMIN_APPS.

UPDATE_ADMIN_APPS: Permission to update administrative apps. Implies GET_ADMIN_APPS.

DELETE_ADMIN_APPS: Permission to delete administrative apps. Implies GET_ADMIN_APPS.

RETRIEVE_ADMIN_APP_SECRETS: Permission to retrieve administrative apps' secrets. Note that not all admin app credentials contain secrets. If an admin app's credential does not contain any secrets, GET_ADMIN_APPS permission is sufficient to call the GetAppCredential API. Implies GET_ADMIN_APPS.

MANAGE_ADMIN_APPS: Currently implies CREATE_ADMIN_APPS, UPDATE_ADMIN_APPS, DELETE_ADMIN_APPS, RETRIEVE_ADMIN_APP_SECRETS and GET_ADMIN_APPS permissions.

CREATE_CUSTOM_ROLES: Permission to create custom user roles. Implies GET_CUSTOM_ROLES.

UPDATE_CUSTOM_ROLES: Permission to update custom user roles. Implies GET_CUSTOM_ROLES.

DELETE_CUSTOM_ROLES: Permission to delete custom user roles. Implies GET_CUSTOM_ROLES.

MANAGE_CUSTOM_ROLES: Currently implies CREATE_CUSTOM_ROLES, UPDATE_CUSTOM_ROLES, DELETE_CUSTOM_ROLES and GET_CUSTOM_ROLES permissions.

INVITE_USERS_TO_ACCOUNT: Permission to invite users to the account. Implies GET_ALL_USERS.

DELETE_USERS_FROM_ACCOUNT: Permission to remove users from the account. Implies GET_ALL_USERS.

UPDATE_USERS_ACCOUNT_ROLE: Permission to change users' role in the account. Implies GET_ALL_USERS.

UPDATE_USERS_ACCOUNT_ENABLED_STATE: Permission to enable/disable users in the account. Implies GET_ALL_USERS.

MANAGE_ACCOUNT_USERS: Currently implies INVITE_USERS_TO_ACCOUNT, DELETE_USERS_FROM_ACCOUNT, UPDATE_USERS_ACCOUNT_ROLE, UPDATE_USERS_ACCOUNT_ENABLED_STATE and GET_ALL_USERS permissions.

CREATE_EXTERNAL_ROLES: Permission to create external roles. Implies GET_EXTERNAL_ROLES.

SYNC_EXTERNAL_ROLES: Permission to synchronize external roles. Implies GET_EXTERNAL_ROLES.

DELETE_EXTERNAL_ROLES: Permission to delete external roles. Implies GET_EXTERNAL_ROLES.

MANAGE_EXTERNAL_ROLES: Currently implies CREATE_EXTERNAL_ROLES, SYNC_EXTERNAL_ROLES, DELETE_EXTERNAL_ROLES and GET_EXTERNAL_ROLES permissions.

CREATE_ACCOUNT_SOBJECT_POLICIES: Permission to create various account-level security object policies including cryptographic policy, key metadata policy and key history policy.

UPDATE_ACCOUNT_SOBJECT_POLICIES: Permission to update various account-level security object policies including cryptographic policy, key metadata policy and key history policy.

DELETE_ACCOUNT_SOBJECT_POLICIES: Permission to delete various account-level security object policies including cryptographic policy, key metadata policy and key history policy.

MANAGE_ACCOUNT_SOBJECT_POLICIES: Currently implies CREATE_ACCOUNT_SOBJECT_POLICIES, UPDATE_ACCOUNT_SOBJECT_POLICIES, and DELETE_ACCOUNT_SOBJECT_POLICIES permissions.

CREATE_CHILD_ACCOUNTS: Permission to create child accounts. Note that this is only applicable to SaaS accounts with reseller subscription. Implies GET_CHILD_ACCOUNTS.

UPDATE_CHILD_ACCOUNTS: Permission to update child accounts. Note that this is only applicable to SaaS accounts with reseller subscription. Implies GET_CHILD_ACCOUNTS.

DELETE_CHILD_ACCOUNTS: Permission to delete child accounts. Note that this is only applicable to SaaS accounts with reseller subscription. Implies GET_CHILD_ACCOUNTS.

CREATE_CHILD_ACCOUNT_USERS: Permission to create users in child accounts. Note that this is only applicable to SaaS accounts with reseller subscription. Implies GET_CHILD_ACCOUNTS and GET_CHILD_ACCOUNT_USERS.

GET_CHILD_ACCOUNTS: Permission to get child accounts. Note that this is only applicable to SaaS accounts with reseller subscription.

GET_CHILD_ACCOUNT_USERS: Permission to get child account users. Note that this is only applicable to SaaS accounts with reseller subscription.

MANAGE_CHILD_ACCOUNTS: Currently implies CREATE_CHILD_ACCOUNTS, UPDATE_CHILD_ACCOUNTS, DELETE_CHILD_ACCOUNTS, CREATE_CHILD_ACCOUNT_USERS, GET_CHILD_ACCOUNTS, and GET_CHILD_ACCOUNT_USERS permissions.

CREATE_LOCAL_GROUPS: Permission to create new local groups.

CREATE_EXTERNAL_GROUPS: Permission to create new groups backed by external HSM/KMS.

ALLOW_QUORUM_REVIEWER: Controls if the user can act as an approval policy reviewer.

ALLOW_KEY_CUSTODIAN: Controls if the user can act as a key custodian.

GET_ALL_APPROVAL_REQUESTS: Grants read access to all approval requests in the account. Note that there is a related group-level permission that is restricted to approval requests related to one group.

GET_ADMIN_APPS: Permission to get administrative apps.

GET_CUSTOM_ROLES: Permission to get custom user roles.

GET_EXTERNAL_ROLES: Permission to get external roles.

GET_ALL_USERS: Permission to get all users. Note that users can always get themselves.

GET_ACCOUNT_USAGE: Grants access to accounts::GetAccountUsage API.

MANAGE_KEY_EXPIRY_ALERTS: Permission to manage key expiry alert configurations.

MANAGE_REPLICATION: Permission to modify an account's purpose field (e.g., changing a replication account's settings), or to call any APIs involving replication credentials. If the account is not a replication account, this permission has no effect.

Valid values: [ "MANAGE_LOGGING", "MANAGE_AUTH", "MANAGE_WORKSPACE_CSE", "UNWRAP_WORKSPACE_CSE_PRIVILEGED", "MANAGE_ACCOUNT_CLIENT_CONFIGS", "MANAGE_PLUGIN_CODE_SIGNING_POLICY", "CREATE_ACCOUNT_APPROVAL_POLICY", "SET_APPROVAL_REQUEST_EXPIRY", "MANAGE_APPROVAL_REQUEST_SETTINGS", "UPDATE_ACCOUNT_CUSTOM_METADATA_ATTRIBUTES", "MANAGE_ACCOUNT_SUBSCRIPTION", "MANAGE_ACCOUNT_PROFILE", "DELETE_ACCOUNT", "CREATE_ADMIN_APPS", "UPDATE_ADMIN_APPS", "DELETE_ADMIN_APPS", "RETRIEVE_ADMIN_APP_SECRETS", "MANAGE_ADMIN_APPS", "CREATE_CUSTOM_ROLES", "UPDATE_CUSTOM_ROLES", "DELETE_CUSTOM_ROLES", "MANAGE_CUSTOM_ROLES", "INVITE_USERS_TO_ACCOUNT", "DELETE_USERS_FROM_ACCOUNT", "UPDATE_USERS_ACCOUNT_ROLE", "UPDATE_USERS_ACCOUNT_ENABLED_STATE", "MANAGE_ACCOUNT_USERS", "CREATE_EXTERNAL_ROLES", "SYNC_EXTERNAL_ROLES", "DELETE_EXTERNAL_ROLES", "MANAGE_EXTERNAL_ROLES", "CREATE_ACCOUNT_SOBJECT_POLICIES", "UPDATE_ACCOUNT_SOBJECT_POLICIES", "DELETE_ACCOUNT_SOBJECT_POLICIES", "MANAGE_ACCOUNT_SOBJECT_POLICIES", "CREATE_CHILD_ACCOUNTS", "UPDATE_CHILD_ACCOUNTS", "DELETE_CHILD_ACCOUNTS", "CREATE_CHILD_ACCOUNT_USERS", "GET_CHILD_ACCOUNTS", "GET_CHILD_ACCOUNT_USERS", "MANAGE_CHILD_ACCOUNTS", "CREATE_LOCAL_GROUPS", "CREATE_EXTERNAL_GROUPS", "ALLOW_QUORUM_REVIEWER", "ALLOW_KEY_CUSTODIAN", "GET_ALL_APPROVAL_REQUESTS", "GET_ADMIN_APPS", "GET_CUSTOM_ROLES", "GET_EXTERNAL_ROLES", "GET_ALL_USERS", "GET_ACCOUNT_USAGE", "MANAGE_KEY_EXPIRY_ALERTS", "MANAGE_REPLICATION" ]
all_groups
Array of string (GroupPermissions) | null

User's permissions in all groups. Note that this will only be returned if the user has one or more all-groups roles.

string

CREATE_GROUP_APPROVAL_POLICY: Permission to create group-level approval policy. Note that updating/deleting the approval policy is protected by the approval policy itself. Implies GET_GROUP.

UPDATE_GROUP_EXTERNAL_LINKS: Permission to update external HSM/KMS configurations. Note that this is only useful for groups backed by external HSM/KMS. Implies GET_GROUP.

MANAGE_GROUP_CLIENT_CONFIGS: Permission to manage group-level client configurations. Implies GET_GROUP.

UPDATE_GROUP_PROFILE: Permission to update name, description and custom metadata of the group. Implies GET_GROUP.

DELETE_GROUP: Permission to delete the group. Implies GET_GROUP.

MAP_EXTERNAL_ROLES_FOR_APPS: Permission to map external roles to DSM groups for apps authorized through LDAP. Implies GET_GROUP.

MAP_EXTERNAL_ROLES_FOR_USERS: Permission to map external roles to DSM groups for users authorized through LDAP. Implies GET_GROUP.

MAP_EXTERNAL_ROLES: Currently implies MAP_EXTERNAL_ROLES_FOR_APPS, MAP_EXTERNAL_ROLES_FOR_USERS, and GET_GROUP permissions.

ADD_USERS_TO_GROUP: Permission to add users to the group.

DELETE_USERS_FROM_GROUP: Permission to remove users from the group.

UPDATE_USERS_GROUP_ROLE: Permission to change users' role in the group.

MANAGE_GROUP_USERS: Currently implies ADD_USERS_TO_GROUP, DELETE_USERS_FROM_GROUP, and UPDATE_USERS_GROUP_ROLE permissions.

CREATE_GROUP_SOBJECT_POLICIES: Permission to create various group-level security object policies including cryptographic policy, key metadata policy and key history policy. Implies GET_GROUP.

UPDATE_GROUP_SOBJECT_POLICIES: Permission to update various group-level security object policies including cryptographic policy, key metadata policy and key history policy. Implies GET_GROUP.

DELETE_GROUP_SOBJECT_POLICIES: Permission to delete various group-level security object policies including cryptographic policy, key metadata policy and key history policy. Implies GET_GROUP.

MANAGE_GROUP_SOBJECT_POLICIES: Currently implies CREATE_GROUP_SOBJECT_POLICIES, UPDATE_GROUP_SOBJECT_POLICIES, DELETE_GROUP_SOBJECT_POLICIES, and GET_GROUP permissions.

CREATE_GROUP_CUSTODIAN_POLICY: Permission to create key custodian policy for the group. Implies GET_GROUP.

UPDATE_GROUP_CUSTODIAN_POLICY: Permission to update group's key custodian policy. Implies GET_GROUP.

DELETE_GROUP_CUSTODIAN_POLICY: Permission to delete group's key custodian policy. Implies GET_GROUP.

MANAGE_GROUP_CUSTODIAN_POLICY: Currently implies CREATE_GROUP_CUSTODIAN_POLICY, UPDATE_GROUP_CUSTODIAN_POLICY, DELETE_GROUP_CUSTODIAN_POLICY, and GET_GROUP permissions.

CREATE_APPS: Permission to create cryptographic apps. Implies GET_APPS.

UPDATE_APPS: Permission to update cryptographic apps. Implies GET_APPS.

RETRIEVE_APP_SECRETS: Permission to retrieve cryptographic apps' secrets. Note that not all cryptographic app credentials contain secrets. If a cryptographic app's credential does not contain any secrets, GET_APPS permission is sufficient to call the GetAppCredential API. Implies GET_APPS.

DELETE_APPS: Permission to delete cryptographic apps. Implies GET_APPS.

MANAGE_APPS: Currently implies CREATE_APPS, UPDATE_APPS, RETRIEVE_APP_SECRETS, DELETE_APPS, and GET_APPS permissions.

CREATE_PLUGINS: Permission to create plugins. Implies GET_PLUGINS. To create a plugin, the following group permissions are also required in each group the plugin is being added to, to prevent privilege escalation: CREATE_SOBJECTS, EXPORT_SOBJECTS, COPY_SOBJECTS, WRAP_SOBJECTS, UNWRAP_SOBJECTS, ENCAPSULATE_SOBJECTS, DECAPSULATE_SOBJECTS, DERIVE_SOBJECTS, TRANSFORM_SOBJECTS, UPDATE_SOBJECTS_ENABLED_STATE, ROTATE_SOBJECTS, DELETE_SOBJECTS, REVOKE_SOBJECTS, ACTIVATE_SOBJECTS, MOVE_SOBJECTS, UPDATE_KEY_OPS, UPDATE_SOBJECT_POLICIES, UPDATE_SOBJECTS_PROFILE, GET_GROUP, GET_SOBJECTS, GET_APPS, GET_PLUGINS, GET_AUDIT_LOGS. The following account permissions are required as well: GET_ALL_USERS.

UPDATE_PLUGINS: Permission to update plugins. Implies GET_PLUGINS. To update a plugin, the following group permissions are also required in each group the plugin is being added to, to prevent privilege escalation: CREATE_SOBJECTS, EXPORT_SOBJECTS, COPY_SOBJECTS, WRAP_SOBJECTS, UNWRAP_SOBJECTS, ENCAPSULATE_SOBJECTS, DECAPSULATE_SOBJECTS, UPDATE_SOBJECTS_ENABLED_STATE, ROTATE_SOBJECTS, DELETE_SOBJECTS, REVOKE_SOBJECTS, ACTIVATE_SOBJECTS, MOVE_SOBJECTS, UPDATE_KEY_OPS, UPDATE_SOBJECT_POLICIES, UPDATE_SOBJECTS_PROFILE, GET_GROUP, GET_SOBJECTS, GET_APPS, GET_PLUGINS, GET_AUDIT_LOGS. The following account permissions are required as well while adding new groups: GET_ALL_USERS.

INVOKE_PLUGINS: Permission to invoke plugins. Implies GET_PLUGINS.

DELETE_PLUGINS: Permission to delete plugins. Implies GET_PLUGINS.

MANAGE_PLUGINS: Currently implies CREATE_PLUGINS, UPDATE_PLUGINS, INVOKE_PLUGINS, DELETE_PLUGINS, and GET_PLUGINS permissions.

CREATE_SOBJECTS: Permission to create security objects. This permission is required for APIs that result in creation of a new security object including: Generate, Import, Unwrap. Also required in destination group when moving a key to a different group or when copying a key. Implies GET_SOBJECTS.

EXPORT_SOBJECTS: Permission to export security objects. This permission is required for Export, ExportByComponents, Copy (depending on destination group), Restore, and Wrap (for wrapped security object) APIs. Implies GET_SOBJECTS.

COPY_SOBJECTS: Permission to copy security objects. This permission is required in the source group when calling the Copy API. Implies GET_SOBJECTS.

WRAP_SOBJECTS: Permission to wrap security objects. This permission is required in the wrapping security object's group. Implies GET_SOBJECTS.

UNWRAP_SOBJECTS: Permission to unwrap security objects. This permission is required in the unwrapping security object's group. Implies GET_SOBJECTS.

DERIVE_SOBJECTS: Permission to derive other security objects. Implies GET_SOBJECTS.

TRANSFORM_SOBJECTS: Permission to transform security objects. Implies GET_SOBJECTS.

UPDATE_SOBJECTS_ENABLED_STATE: Permission to enable/disable security objects. Implies GET_SOBJECTS.

ROTATE_SOBJECTS: Permission to rotate (a.k.a. "rekey") security objects. Implies GET_SOBJECTS.

DELETE_SOBJECTS: Permission to delete security objects. Implies GET_SOBJECTS.

DESTROY_SOBJECTS: Permission to destroy security objects. Implies GET_SOBJECTS.

REVOKE_SOBJECTS: Permission to revoke security objects, i.e. mark security objects as deactivated or compromised. Implies GET_SOBJECTS.

ACTIVATE_SOBJECTS: Permission to activate security objects. Implies GET_SOBJECTS.

REVERT_SOBJECTS: Permission to revert changes to security objects. Implies GET_SOBJECTS.

DELETE_KEY_MATERIAL: Permission to delete key material including removing the private key part of an asymmetric key pair and removing key material of security objects backed by external HSM/KMS. Implies GET_SOBJECTS.

MOVE_SOBJECTS: Permission to move security objects. This permission is required for changing the group of a security object in the source group. Note that changing the group of a security object also requires CREATE_SOBJECTS permission in the destination group. Implies GET_SOBJECTS.

UPDATE_KEY_OPS: Permission to update key operations of security objects. Implies GET_SOBJECTS.

UPDATE_SOBJECT_POLICIES: Permission to update individual security objects' policies. This permission allows updating RSA options, as well as Google access reason policy (for use with Google EKM APIs) defined on the security object itself. Implies GET_SOBJECTS.

UPDATE_SOBJECTS_PROFILE: Permission to update name, description, custom metadata, key links (currently only create parent link), and publish public key settings of security objects. Implies GET_SOBJECTS.

SCAN_EXTERNAL_SOBJECTS: Permission to scan for security objects in external HSM/KMS. Implies GET_SOBJECTS.

RESTORE_EXTERNAL_SOBJECTS: Permission to restore key material of security objects backed by external HSM/KMS. Note that calling the Restore API needs this permission in the destination group as well as EXPORT_SOBJECTS permission in the source group (where the object was copied from originally). Implies GET_SOBJECTS.

WRAP_WORKSPACE_CSE: Permission to call Workspace CSE Wrap API.

UNWRAP_WORKSPACE_CSE: Permission to call Workspace CSE Unwrap API.

WORKSPACE_CSE:

GET_GROUP: Permission to get information about the group.

GET_SOBJECTS: Permission to get security objects stored in the group.

GET_APPS: Permission to get cryptographic apps in the group.

GET_PLUGINS: Permission to get plugins in the group.

GET_GROUP_APPROVAL_REQUESTS: Permission to get approval requests related to the group.

GET_AUDIT_LOGS: Permission to get audit logs related to the group.

MANAGE_GROUP_WRAPPING_KEY: Permission to update or remove the wrapping key of the group.

ENCAPSULATE_SOBJECTS: Permission to encapsulate security objects. Implies CREATE_SOBJECTS.

DECAPSULATE_SOBJECTS: Permission to decapsulate security objects. Implies CREATE_SOBJECTS.

Valid values: [ "CREATE_GROUP_APPROVAL_POLICY", "UPDATE_GROUP_EXTERNAL_LINKS", "MANAGE_GROUP_CLIENT_CONFIGS", "UPDATE_GROUP_PROFILE", "DELETE_GROUP", "MAP_EXTERNAL_ROLES_FOR_APPS", "MAP_EXTERNAL_ROLES_FOR_USERS", "MAP_EXTERNAL_ROLES", "ADD_USERS_TO_GROUP", "DELETE_USERS_FROM_GROUP", "UPDATE_USERS_GROUP_ROLE", "MANAGE_GROUP_USERS", "CREATE_GROUP_SOBJECT_POLICIES", "UPDATE_GROUP_SOBJECT_POLICIES", "DELETE_GROUP_SOBJECT_POLICIES", "MANAGE_GROUP_SOBJECT_POLICIES", "CREATE_GROUP_CUSTODIAN_POLICY", "UPDATE_GROUP_CUSTODIAN_POLICY", "DELETE_GROUP_CUSTODIAN_POLICY", "MANAGE_GROUP_CUSTODIAN_POLICY", "CREATE_APPS", "UPDATE_APPS", "RETRIEVE_APP_SECRETS", "DELETE_APPS", "MANAGE_APPS", "CREATE_PLUGINS", "UPDATE_PLUGINS", "INVOKE_PLUGINS", "DELETE_PLUGINS", "MANAGE_PLUGINS", "CREATE_SOBJECTS", "EXPORT_SOBJECTS", "COPY_SOBJECTS", "WRAP_SOBJECTS", "UNWRAP_SOBJECTS", "DERIVE_SOBJECTS", "TRANSFORM_SOBJECTS", "UPDATE_SOBJECTS_ENABLED_STATE", "ROTATE_SOBJECTS", "DELETE_SOBJECTS", "DESTROY_SOBJECTS", "REVOKE_SOBJECTS", "ACTIVATE_SOBJECTS", "REVERT_SOBJECTS", "DELETE_KEY_MATERIAL", "MOVE_SOBJECTS", "UPDATE_KEY_OPS", "UPDATE_SOBJECT_POLICIES", "UPDATE_SOBJECTS_PROFILE", "SCAN_EXTERNAL_SOBJECTS", "RESTORE_EXTERNAL_SOBJECTS", "WRAP_WORKSPACE_CSE", "UNWRAP_WORKSPACE_CSE", "WORKSPACE_CSE", "GET_GROUP", "GET_SOBJECTS", "GET_APPS", "GET_PLUGINS", "GET_GROUP_APPROVAL_REQUESTS", "GET_AUDIT_LOGS", "MANAGE_GROUP_WRAPPING_KEY", "ENCAPSULATE_SOBJECTS", "DECAPSULATE_SOBJECTS" ]
groups
object

User's permissions in groups.

property*
Array of string (GroupPermissions) additionalProperties
string
