What are Permission Schemes?


What are Permission Schemes?

A permission scheme maps individual permissions, such as browse or manage, to a permission role, such as Developer. Permission schemes are comprised of Kion permissions, which are separate from the permissions within cloud accounts. In Kion, you can manage the following permission scheme types:

  • OU: permission schemes that can be applied to OUs.
  • Project: permission schemes that can be applied to projects.
  • Funding Source: permission schemes that can be applied to funding sources.
  • Global: a permission scheme where you can set permissions for objects other than OUs, projects, and funding sources, such as Manage Kion System Settings and Manage Cloud Rules. There is only one global permission scheme.

Permission schemes are beneficial because you can standardize the permissions each role has for OUs, projects, and funding sources, and you can allow object owners to map the users to the roles. You can also reuse permission schemes for easy permission configuration when creating new objects.

For example, the OU permission scheme below, Permission Scheme For Top Secret OUs, maps the Manage OU and Browse OU permissions to the permission roles Developer and External Contractor. By mapping users to the Developer and External Contractor roles, you can control what each user can do within any OU where you designate the Permission Scheme For Top Secret OUs as the permission scheme. Then, you can reuse the permission scheme in the future with new OUs:


To learn how to map users and user groups to permission schemes, see the Map Users to Permission Roles article. To set the permission scheme for an object, simply edit the Permission Scheme field on resource. Whenever a new OU, project, or funding source is created, you will need to assign it a permission scheme by setting the value in the Permission Scheme field.

Permission Scope

Permissions in Kion can be applied with a global scope or with an object scope (on OUs, projects, and funding sources). Any object that has an Owner attribute uses the object scope.

By design, the Kion built-in Admin user and the Kion Administrators group have full access to everything in the application. This cannot be changed. For more control over user permissions, you should create individual user accounts for each user that uses Kion and then manage each user's permissions.

Permission Types

Learn about the permission types here: Permission Types.


Was this article helpful?
0 out of 0 found this helpful