Permissions can be set within a permission scheme or at the global level. This article gives more details on what capabilities each permission grants. For more information about assigning permissions and grouping permissions into permission schemes, see the following articles:
What Permissions Can Be Granted in Kion?
The following rules of thumb applies for objects in Kion:
- Request an item allows you to make requests in the application for item creation. For example, giving a user the Project Creation Requests permission means they can create a request for a new project to be created.
- Browse an item allows you to see the item, but you cannot edit it, delete it, or address it.
- Browse Minimal allows you to see the name of the item and gives appropriate console access, but you cannot see other sensitive details about the item (for example, Browse Project Minimal means the user can see the project name and can access the console in accordance with their cloud access role, but they cannot see financial information for the project, etc.)
- Create an item allows you to create that item, but you cannot edit or delete existing items of that type. You will find this global permission on objects that take owners, as only the owner can edit or delete those items. For more information about this, see the Ownership of Objects article.
- Manage an item allows you to see the item, edit the item, and delete the item.
- Access an item allows console access for that page. For example, giving a user the Access Cached Accounts permission means they can access the account console for accounts in the account cache for which they have the appropriate cloud access role (users who are given this permission but not given a cloud access role will not be able to access account consoles).
- Address an item allows you to take action on items related to the project(s) or OU(s) where the permission is granted, as well as view the project(s) or OU(s) themselves. For example, if you are granted the Address Project Savings Opportunities permission on Project ABC, you will be able to see Project ABC's project page, and will be able to see savings opportunities for Project ABC, dismiss them, mark them as applied, and, if you have enabled it in the Savings Opportunities Settings, stop or terminate a resource for Project ABC.
Some objects have more granular levels of control when permissions are used in combination with each other. For example, you can set both Browse Project and Manage Project Enforcements for a user, which would mean they can see the project as a whole, but can only edit or delete enforcements on the project. Kion also recently added support to set Browse and Manage permissions for Azure accounts and resources separately from AWS accounts and resources.