Permissions
Permissions control specific actions on Infuse resources. Roles bundle permissions into access patterns that can be assigned to users, groups, and API-key principals.
When granting access, start with the narrowest role that allows the workflow to succeed. Broaden access only when the caller genuinely needs it.
Review Role Permissions
Use Access > Roles to inspect the permissions included in an organisation role.
The role detail page shows:
- the permission identifier,
- the human-readable permission name,
- the module and feature the permission belongs to,
- the action the permission allows.
The tenant console does not edit role permission definitions.
Permission Catalogue
The IAM API exposes a permissions catalogue for integrations and tooling that need to inspect available permissions.
GET /iam/permissions
Supported filters include module, namespace, feature, preview status, and search text.
Each permission includes:
ididentifiermodulefeatureactionnamedescriptionisPreview
Resource Types
Some permissions can be scoped to resource types. The IAM API exposes the resource-type catalogue:
GET /iam/resource-types
Supported filters include module, type, organisation-scope support, hierarchical-scope support, and search text.
Each resource type includes:
ididentifiermoduletypedescription- whether organisation scope is supported
- whether hierarchical scopes are supported
Direct Grants
Roles should be the default way to grant access. The IAM API also supports direct permission grants for cases where an integration needs a specific permission assignment rather than a role assignment.
Use direct grants sparingly. They are harder to review than role assignments because the permission is attached directly to a principal.