Roles & permissions
User permissions to view, manage, or trigger actions on applications and environments in the VIP Dashboard are controlled by an access control list. Access permissions for users are defined by the Org roles and App roles assigned to them via user access management in the VIP Dashboard.
Users can have different levels of App roles and Org Roles (e.g., an App write role and an Org guest role).
App roles
App roles are assigned to users with an Org guest role on a per-application basis within an organization. There are three supported App roles, in order of fewest privileges to most: read, write, and admin.
List of permissions
| Permission | App read | App write | App admin |
|---|---|---|---|
| View software version information for an app | Y | Y | Y |
| View the Health Dashboard | Y | Y | Y |
| View details for a WP-CLI command | Y | Y | Y |
| View a list of WP-CLI commands that can be run | Y | Y | Y |
| View the IP Allow List | Y | Y | Y |
| View Basic Authentication | Y | Y | Y |
| Can perform data syncs | Y | Y | |
| View a list of database backups | Y | Y | |
| View a list of environments | Y | Y | |
| View a list of domains for an environment | Y | Y | |
| Add domains to an environment | Y | Y | |
| Deactivate a domain | Y | Y | |
| Activate a Let’s Encrypt certificate for a domain | Y | Y | |
| Install and activate custom TLS certificates for a domain | Y | Y | |
| Run WP-CLI commands | Y | Y | |
| Launch a site | Y | Y | |
| Set a domain as the primary domain | Y | Y | |
| Create a pre-signed URL for self-service imports | Y | Y | |
| Start a self-service import | Y | Y | |
| Download a site’s database backup | Y | ||
| Add a new user to Basic Authentication | Y | ||
| Edit user credentials for Basic Authentication | Y | ||
| Delete a user in Basic Authentication | Y | ||
| Configure, update, and delete Log Shipping credentials | Y | ||
| Enable and disable Log Shipping | Y | ||
| Configure, update, and delete Backup Shipping credentials | Y | ||
| Enable and disable Backup Shipping | Y | ||
| Delete an IP in the IP Allow List | Y | ||
| Add an IP to the IP Allow List | Y |
Org roles
There are three supported Org roles, in order of fewest privileges to most: guest, member, and admin.
Guest
- Users that are assigned App roles of any level to one or more of an organization’s applications, are automatically assigned an Org guest role.
Member
- Intended for users that need to see more information than basic organization data, but do not necessarily need admin privileges, such as business users for an organization
- Inherits all guest permissions
Admin*
- This Org role is typically assigned to an organization’s account owner.
- Inherits all guest and member permissions
List of permissions
Note
If an organization currently has no users with the Org Admin role, and existing users are unable to view certain features such as the organization’s Usage Plan Details, contact VIP Support for assistance.
| Permission | Org guest | Org member | Org admin |
|---|---|---|---|
| View apps from an organization that the user was granted access to | Y | Y | Y |
| Query for a list of all organizations the user has access to | Y | Y | Y |
| View an organization’s contacts | Y | Y | Y |
| View a list of apps | Y | Y | |
| View a list of users for the organization | Y | Y | |
| View the Organization’s Usage – Monthly Platform Requests for Total Requests of an organization | Y | Y | |
| View the Organization’s Usage – Monthly Platform Requests for Application Usage of an Organization’s production apps | Y | Y | |
| All permissions that apply to the App write and App admin role* | Y | ||
| Can view an Organization’s Usage Plan Details, including Code Review level, Ticket SLA, Add-ons, etc. This is separate from the Organization’s Usage Monthly Platform Requests | Y | ||
| Can set user Org roles for users in their organization | Y | ||
| Can view their own Org roles and Org roles of other users in their organization | Y |
Create a pre-signed URL for self-service imports permission