Skip to main content

Permissions

Hiro
Updated

Overview

The Nuclei Suite uses permissions to control what users can view, configure, and administer across the application. Permissions can be assigned directly to a user, through a role, or through a user group.

Permissions in Nuclei are pattern-based:

  • Allow permissions grant access.
  • Deny permissions override matching allow permissions.
  • Wildcards such as * can be used to grant a family of permissions, such as feed:* or user:update:*.
  • Placeholders such as {feed_id} and {user_id} indicate resource-scoped permissions that are evaluated at runtime.
  • This article covers permission strings in the Nuclei application; role capabilities are managed separately.

 

Configuration

To configure permissions in Nuclei:

  1. Log in to Nuclei.
  2. Go to Configuration > User Management > Roles.
  3. Create a new role or open an existing role.
  4. Add the permission patterns you want to allow or deny.
  5. Save the role.
  6. Assign the role to users from Configuration > User Management > Users, or assign it to a user group from Configuration > User Management > User Groups.
  7. Use direct user permissions only for one-off exceptions to your role-based model.

 

Permission Reference

Customer-facing permissions in Nuclei are grouped as follows:

Sources

  • feed:list
  • feed:create
  • feed:get:{feed_id}
  • feed:update:{feed_id}
  • feed:delete:{feed_id}
  • feed:test:{feed_id}
  • feed:update:{feed_id}:authorization:create
  • feed:update:{feed_id}:authorization:update:{feed_authorization_id}
  • feed:update:{feed_id}:authorization:delete:{feed_authorization_id}

Destinations

  • archive:list
  • archive:create
  • archive:get:{archive_id}
  • archive:update:{archive_id}
  • archive:delete:{archive_id}
  • archive:test:{archive_id}
  • archive:update:{archive_id}:authorization:create
  • archive:update:{archive_id}:authorization:update:{archive_authorization_id}
  • archive:update:{archive_id}:authorization:delete:{archive_authorization_id}
  • feed_archive_integration:create
  • feed_archive_integration:update:{feed_archive_integration_id}
  • feed_archive_integration:delete:{feed_archive_integration_id}

Integrations

  • integration:list
  • integration:create
  • integration:get:{integration_id}
  • integration:update:{integration_id}
  • integration:delete:{integration_id}
  • integration:test:{integration_id}
  • integration:update:{integration_id}:authorization:create
  • integration:update:{integration_id}:authorization:update:{integration_authorization_id}
  • integration:update:{integration_id}:authorization:delete:{integration_authorization_id}

Agents and Channels

  • agent:list
  • agent:create
  • agent:update:{agent_id}
  • agent:delete:{agent_id}
  • agent_run:list
  • agent_run:get:{agent_run_id}
  • agent_run:update:{agent_run_id}:review
  • channel:list
  • channel:create
  • channel:update:{channel_id}
  • channel:delete:{channel_id}
  • feed_agent_integration:create
  • feed_agent_integration:update:{feed_agent_integration_id}
  • feed_agent_integration:delete:{feed_agent_integration_id}
  • agent_channel_integration:list
  • agent_channel_integration:create
  • agent_channel_integration:update:{agent_channel_integration_id}
  • agent_channel_integration:delete:{agent_channel_integration_id}

Events, Activity, and Analytics

  • event:list
  • event:get:{event_id}
  • event:view-content
  • event:update_legal_hold_state:{event_id}
  • event:update_media_should_archive:{event_id}
  • activity:list
  • analytics:list

Reports and Exports

  • email_report:list
  • email_report:create
  • email_report:get:{email_report_id}
  • email_report:update:{email_report_id}
  • email_report:delete:{email_report_id}
  • email_report:test:{email_report_id}
  • email_report:run_manual:{email_report_id}
  • email_report_run:list
  • email_report_run:get:{email_report_run_id}
  • email_report_run:retry:{email_report_run_id}
  • export:list
  • export:create
  • export:get:{export_id}
  • export:download:{export_id}

Identities and Inbox

  • identity:list
  • identity:create
  • identity:update:{identity_id}
  • identity:delete:{identity_id}
  • inbox_message:list
  • inbox_message:update:{inbox_message_id}

User Management

  • user:list
  • user:create
  • user:get:{user_id}
  • user:update:{user_id}
  • user:delete:{user_id}
  • user:reset_password:{user_id}
  • user:update_permission:{user_id}
  • role:list
  • role:create
  • role:get:{role_id}
  • role:update:{role_id}
  • role:delete:{role_id}
  • user_group:list
  • user_group:create
  • user_group:get:{user_group_id}
  • user_group:update:{user_group_id}
  • user_group:delete:{user_group_id}

Organization Settings

  • account:update:impersonation
  • account:update:okta_sso_configuration:update
  • account:update:okta_sso_configuration:delete
  • account:update:supported_login_methods
  • account:update:logout_all_sessions

 

Reserved Permissions

Partner-only permissions:

  • account:list
  • account:create
  • account:update:{account_id}
  • account:impersonate:{account_id}
  • subscription:list
  • subscription:create
  • subscription:update:{subscription_id}
  • partner_report:list
  • partner_report:get:{partner_report_id}
  • partner_report:create
  • partner_report:update:{partner_report_id}
  • partner_report:delete:{partner_report_id}
  • partner_report:test:{partner_report_id}
  • partner_report:run_manual:{partner_report_id}
  • partner_report_run:list
  • partner_report_run:get:{partner_report_run_id}
  • partner_report_run:retry:{partner_report_run_id}

 

 

More Information

If you need help designing a least-privilege role set for your team, please contact Proofpoint Support or your Proofpoint sales representative.

Related articles

Comments

0 comments

Article is closed for comments.