Default roles and permissions

The default installation of IBM® Cloud Pak for Network Automation comes with default roles and permissions or privileges.

Default roles

The following roles are provided by default:

Read Only
A user with this role has view permission for the following items:
  • Assembly descriptors
  • Assembly instances
  • Behavior scenario descriptors
  • Behavior scenario executions
  • Deployment locations
  • Infrastructure keys
  • Managed object instances
  • Resource descriptors
  • Resource instances
  • Resource drivers
Portal
Includes the permissions for the Read Only role, and the following ones:
  • Assembly instances: Add, delete
  • Assembly instance states: Update
  • Behavior scenario descriptors: Add, update, delete
  • Behavior scenario executions: Update, delete
  • Behavior scenarios: Run
  • Managed object instances: Add, update, delete
  • Resource drivers: Add, delete
  • Resource packages: Onboard, delete
SLMAdmin
Includes the permissions for the Read Only and Portal roles, and the following ones:
  • Assembly descriptors: Add, update, delete
  • Assembly instances: Heal, scale
  • Deployment locations: Add, update, delete
  • Lifecycle management subscriptions: View, add, update
  • Network service descriptor subscriptions: View, add, update
  • Object groups: View, add, update, delete
  • Resource descriptors: Add, delete
  • Secrets: Read, write
  • System administration: Update, view
  • Virtual network function subscriptions: View, add, update
RootSecAdmin
A user with the RootSecAdmin role can add, update, delete, and view role definitions and other security credentials. A user who has only this role cannot perform any other operations within the network automation software.
Network Automation Tenant Admin
A user with the Network Automation Tenant Admin role can add, update, delete, and view tenants.
SPView
A user with the SPView role can view all Site Planner objects. Site Planner objects include sites, devices, circuits, and more.
SPEditor
Includes the permissions for the SPView role and can add, update, and delete all Site Planner objects.
SPAdmin
A user with the SPAdmin role has the same permissions as the SPView and SPEditor roles, and can also access the Site Planner Admin location to view installed plug-ins and other internal settings.

Available permissions

The permissions that you can assign to a role are the following:
Assembly Descriptors
Add, update, delete, and view assembly descriptors.
Permission codes: NSDESMGT_READ, NSDESMGT_WRITE
Assembly Instances
Add, update, delete, and view assembly instances.
Permission codes: NSINSTSMGT_READ, NSINSTSMGT_WRITE
Behavior Scenario Descriptors
Add, update, delete, and view behavior scenario descriptors.
Permission codes: BEHVRSCENDES_READ, BEHVRSCENDES_WRITE
Behavior Scenario Execution
Update, delete, and view behavior scenario executions, and execute behavior scenarios.
Permission codes: BEHVRSCENEXEC_READ, BEHVRSCENEXEC_WRITE, BEHVRSCENEXEC_EXECUTE
Deployment Location Management
Create and view deployment locations.
Permission codes: DEPLOYLOCMGT_READ, DEPLOYLOCMGT_WRITE
Infrastructure Keys
View infrastructure keys.
Permission codes: RMDRVRKEYS_READ
Intent Requests
Run intents relating to management of assemblies; for example, create, delete or upgrade. Run intents relating to health operations on an assembly; for example, scale or heal. Also, permission to cancel, retry, or roll back processes that result from intent requests.
Permission code for assembly management: INTENTREQSLMGT_EXECUTE
Permission code for assembly operations: INTENTREQSOPS_EXECUTE
Lifecycle management subscriptions
Add, update, and view all lifecycle management (LCM) subscriptions.
Permission codes: SUBSCRIPTION_LCM_READ, SUBSCRIPTION_LCM_WRITE
Network Automation Tenant Administration
Add, update, delete, and view all tenants.
Permission codes: TENANT_READ, TENANT_WRITE
Network Resource
Add, update, delete, and view managed object instances.
Network service descriptor subscriptions
Add, update, and view all network service descriptor (NSD) subscriptions.
Permission codes: SUBSCRIPTION_NSD_READ, SUBSCRIPTION_NSD_WRITE
Object Group Administration
Add, update, delete, and view all object groups.
Permission codes: OBJECTGROUP_READ, OBJECTGROUP_WRITE
Resource Descriptors
Add, delete, and view resource descriptors.
Permission codes: VNFDESMGT_READ, VNFDESMGT_WRITE
Resource Instances
View resource instances.
Permission codes: VNFINSTSMGT_READ
Resource Manager Drivers
Add, delete, and view resource drivers.
Permission codes: RMDRVR_READ, RMDRVR_WRITE
Resource Packages
Onboard and delete resource packages that work with resource drivers.
Permission codes: RESOURCEPKG_WRITE
Security Administration
Add, update, delete, and view secrets.
Permission codes: SECADMIN_READ, SECADMIN_WRITE
Site Planner Administration
Complete administration tasks for the Site Planner component.
Site Planner Editing
Add, update, delete, and view all Site Planner objects.
Site Planner Viewing
View all Site Planner objects.
Site Planner Automation Contexts
Update and view all Site Planner automation contexts, and trigger automation build or teardown requests on infrastructure objects.
Permission codes: SPINFAUTO_READ, SPINFAUTO_WRITE
Site Planner Infrastructure
Update and view all Site Planner infrastructure objects.
Permission codes: SPINF_READ, SPINF_WRITE
Site Planner Managed Entities
Update and view all Site Planner managed entities, and trigger automation build or teardown requests on managed entities.
Permission codes: SPMNGDENT_READ, SPMNGDENT_WRITE
System Administration
Update and view assembly instances, resource managers, deployment locations, credentials, and subscription objects. Access and monitor operational metrics in the Grafana UI.
Permission codes: SLMADMIN_READ, SLMADMIN_WRITE
Virtual network function subscriptions
Add, update, and view all virtual network function (VNF) subscriptions.
Permission codes: SUBSCRIPTION_VNF_READ, SUBSCRIPTION_VNF_WRITE