Individual permissions can grant different levels of permission. Some permissions can be implied. For example, the Manage Funding Sources permission also allows users to view OUs, because funding sources are applied to OUs.
- Request an item allows you to make requests in the application for item creation.
For example, if you are granted the Project Creation Requests permission, you can create requests for new projects.
- Browse an item allows you to see the item, but you cannot edit it, delete it, or address it.
- Browse Minimal allows you to see the name of the item and gives appropriate console access, but you cannot see other sensitive details about the item.
For example, Browse Project Minimal means you can see the project name and can access the console in accordance with your cloud access role, but you cannot see financial information for the project.
- Create an item allows you to create items of that type, but you cannot edit or delete existing items of that type.
- Manage an item allows you to see the item, edit the item, and delete the item.
- Access an item allows console access for that page.
For example, if you are granted the Access Cached Accounts permission, you can access the account console for accounts in the account cache for which you have an appropriate cloud access role.
- Address an item allows you to take action on items related to the projects or OUs where the permission is granted, as well as view the projects or OUs themselves.
For example, if you are granted the Address Project Savings Opportunities permission on Project A, you can see savings opportunities for Project A, dismiss them, and take the actions suggested by the savings opportunity.
- No Inheritance only grants permission at the level the user is directly assigned permission. They do not inherit permissions to descendant OUs, projects, or accounts just because they have access to the parent.
Some objects have more granular levels of control when permissions are used in combination.
For example, you could set both Browse Project and Manage Project Enforcements for a user, which would mean they can see the project as a whole, but can only edit or delete enforcements on the project. We also recently added support to set Browse and Manage permissions for Azure accounts and resources separately from AWS accounts and resources.