Account permissions

Each user, team, and API key has an associated set of permissions that determine the level of access to various objects and ability to perform specific actions in an NS1 Connect account.

Note: Permissions defined at the team level are inherited by the users and API keys associated with that team.

The following tables describe the permission options within each category.

Table 1. Account admin permissions
Permission	Description
Manage account settings	Ability to modify general account settings, including closing an account.
Manage API keys	Ability to view, create, edit, and delete API keys.
Manage IP allow lists	Ability to view, create, edit, and delete global IP allow lists.
Manage payment methods	This permission option is deprecated.
Manage plan	This permission option is deprecated.
Manage teams	Ability to view, create, edit, and delete teams.
Manage users	Ability to view, create, edit, and delete account users.
View activity log	Ability to view the account activity log.
View invoices	This permission option is deprecated.

Table 2. Monitoring
Permission	Description
View monitoring jobs	Ability to view all native NS1 Connect monitoring jobs.
Manage monitoring jobs	Ability to create, edit, or delete native NS1 Connect monitoring jobs based on the sub-selection. Note that enabling this option automatically enables the permission to view monitoring jobs.
Create monitoring jobs	Ability to create or clone monitoring jobs.
Edit monitoring jobs	Ability to modify monitoring jobs.
Delete monitoring jobs	Ability to delete monitoring jobs.
Manage notifier lists	Ability to view, create, edit, and delete notifier lists. Note that these lists specify the recipients for monitoring-related alerts as well as any alert configured in the Alerts center. To manage a notifier list, you must also have access to the monitoring job or the objects specified in an alert configuration associated with the notifier list.

Table 3. Data permissions
Permission	Description
Manage data feeds	Ability to view, create, edit, and delete third-party monitoring data feeds. A data feed is a specific monitoring job configured in the connected third-party data source. You must have the ability to manage data sources in order to manage their associated feeds.
Manage data sources	Ability to view, create, edit, and delete third-party monitoring data sources. A data source is an instance of a connection to a third-party tool or system where monitoring jobs are already configured.
Push to data feeds	Ability to push manual updates through a data feed. Typically, this applies to API web hooks used for monitoring integrations.

Table 4. Security
Permission	Description
Manage global 2FA	Ability to enforce two-factor authentication (2FA) for all account users.

Table 5. Redirects
Permission	Description
Manage redirects	Ability to view, create, edit, delete, import, and download URL redirect configurations, generate data sets related to URL redirects, download activity logs related to redirect configurations, and create SSL/TLS certificates for redirects over HTTPS. This permission is required in order to view, create, edit, or delete alerts for expiring SSL/TLS certificates.

Table 6. Access to DNS resources
Permission	Description
Manage zones	Ability to user to view, create, edit, and delete DNS zones. Note that the specific behavior is dependent on the "Allow by default" selection and whether access is limited to specific zones.
View zones	Ability to view existing DNS zones.
Allow by default	If selected, this setting grants some level of access to all zones by default, excluding those specified within Denied zones. If deselected, this setting denies access to all zones by default, except those specified within Allowed zones .
Allowed zones and records	If Allow by default is deselected, meaning access to zones is denied by default, then this specifies a list of zones that the user, team, or API key can access. Within each specified zone, you can specify certain record types associated with the FQDN to indicate access should only be granted to those records. You can also grant access only to a particular subdomain within the zone and specific records associated with the subdomain.
Denied zones and records	If Allow by default is selected, meaning access to zones is granted by default, then this specifies a list of zones that the user, team, or API key cannot access. Within each specified zone, you can specify certain record types associated with the FQDN to indicate access should only be denied to those records. You can also deny access only to a particular subdomain within the zone and specific records associated with the subdomain.

Table 7. IP allow list
Permission	Description
Manage IP allow list	Enter one or more IPv4 addresses or CIDR blocks containing the specific IP addresses of the devices from which the user, API key, or team can log in to the NS1 Connect account. Optionally, select the option to Apply this IP allow list exclusively to ignore any lists applied at the global account level or for any teams with which the user or API key is associated.