## Permissions table

This table applies to both SAML and OIDC connections.

| **Category** | **Name** | **Description** | **Key** |
| --- | --- | --- | --- |
| User management | Create invitation | Create and edit account invitation link for signup/login | `fe.secure.write.tenantInvites` |
| User management | Delete users from sub-accounts | Delete users from sub-accounts | `fe.secure.delete.userSubTenants` |
| User management | Delete users | Delete users from account | `fe.secure.delete.users` |
| User management | Revoke user sessions | Revoke all user sessions | `fe.secure.delete.sessions` |
| User management | Write disable/enable | Disable/enable users from this account | `fe.secure.write.enableDisable` |
| User management | Invite users to sub-accounts | Invite users to sub-accounts | `fe.secure.write.userSubTenants` |
| User management | Update users | Update other users | `fe.secure.write.updateUser` |
| User management | Delete roles from users | Delete roles from users in account | `fe.secure.delete.usersRoles` |
| User management | Delete account invitations | Delete account invitations | `fe.secure.delete.tenantInvites` |
| User management | Read users | View all users in an account | `fe.secure.read.users` |
| User management | Write users | Add users to account | `fe.secure.write.users` |
| User management | Resend activation emails | Resend activation emails to non-verified users | `fe.secure.write.resendActivationEmail` |
| User management | Assign roles to users | Add roles to users | `fe.secure.write.usersRoles` |
| Account Hierarchy | Write sub-account management | Update sub-accounts to allow sub-account management | `fe.account-hierarchy.write.subAccountManagement` |
| Account Hierarchy | Read sub-accounts | View sub-accounts | `fe.account-hierarchy.read.subAccount` |
| Account Hierarchy | Delete sub-accounts | Delete sub-accounts | `fe.account-hierarchy.delete.subAccount` |
| Account Hierarchy | Give access to sub-accounts | Give a user access to sub-accounts | `fe.account-hierarchy.write.subAccountAccess` |
| Account Hierarchy | Create or update sub-accounts | Create or update sub-accounts | `fe.account-hierarchy.write.subAccount` |
| Applications | Assign user to applications | Assign any application to users | `fe.secure.write.appsUsers` |
| Applications | Remove user from applications | Remove any application from users | `fe.secure.delete.appsUsers` |
| Events | Read events | View connectivity events (used only for legacy integrations) | `fe.connectivity.read.events` |
| Events | Trigger events | Trigger events that run integrations (used only for legacy integrations) | `fe.connectivity.write.triggerEvent` |
| Events | Read event categories | View connectivity event categories (used only for legacy integrations) | `fe.connectivity.read.eventCategories` |
| Email integration | Write email configuration | Create email integration configurations (used only for legacy integrations) | `fe.connectivity.write.emailConfig` |
| Email integration | Delete email configurations | Delete email integration configurations (used only for legacy integrations) | `fe.connectivity.delete.emailConfig` |
| Email integration | Read email configuration | Read email integration configurations (used only for legacy integrations) | `fe.connectivity.read.emailConfig` |
| Webpush integration | Create webpushes | Create webpush notifications (used only for legacy integrations) | `fe.connectivity.write.sendWebpushNotification` |
| Webpush integration | Subscribe to webpushes | Subscribe to webpush notifications (used only for legacy integrations) | `fe.connectivity.write.subscribeWebpush` |
| Bell notifications integration | Read bell notifications | View user bell notifications (used only for legacy integrations) | `fe.connectivity.read.userBellNotifications` |
| Bell notifications integration | Update bell notifications | Update bell notifications (used only for legacy integrations) | `fe.connectivity.write.updateUserBellNotification` |
| Bell notifications integration | Delete user bell notification | Delete user bell notifications (used only for legacy integrations) | `fe.connectivity.delete.bellNotifications` |
| Connectivity | Connectivity general | All connectivity permissions (used only for legacy integrations) | `fe.connectivity.*` |
| Connectivity | Connectivity delete | All connectivity delete permissions (used only for legacy integrations) | `fe.connectivity.delete.*` |
| Connectivity | Connectivity write | All connectivity write permissions (used only for legacy integrations) | `fe.connectivity.write.*` |
| Connectivity | Connectivity read | All connectivity read permissions (used only for legacy integrations) | `fe.connectivity.read.*` |
| Slack integration | Read Slack applications | Read Slack application configurations (used only for legacy integrations) | `fe.connectivity.read.slackApp` |
| Slack integration | Delete Slack application registrations | Delete Slack app registration (used only for legacy integrations) | `fe.connectivity.delete.slackAppRegistration` |
| Slack integration | Read Slack subscriptions | View Slack event subscriptions (used only for legacy integrations) | `fe.connectivity.read.slackSubscriptions` |
| Slack integration | Read Slack channels | View registered Slack workspace channels (used only for legacy integrations) | `fe.connectivity.read.slackChannels` |
| Slack integration | Update Slack subscriptions | Update Slack subscriptions (used only for legacy integrations) | `fe.connectivity.write.updateSlackSubscription` |
| Slack integration | Delete events from Slack subscriptions | Delete events from Slack subscription (used only for legacy integrations) | `fe.connectivity.delete.slackSubscriptionEvent` |
| Slack integration | Delete Slack subscriptions | Delete Slack subscriptions to events (used only for legacy integrations) | `fe.connectivity.delete.slackSubscriptions` |
| Slack integration | Create Slack subscriptions | Create Slack subscriptions to events (used only for legacy integrations) | `fe.connectivity.write.slackSubscriptions` |
| Slack integration | Register Slack applications | Register Slack application (used only for legacy integrations) | `fe.connectivity.write.slackAppRegistration` |
| Slack integration | Read Slack users | View registered Slack workspace users (used only for legacy integrations) | `fe.connectivity.read.slackUsers` |
| SMS integration | Read SMS configurations | View SMS integration configurations (used only for legacy integrations) | `fe.connectivity.read.smsConfig` |
| SMS integration | Write SMS configurations | Create SMS integration configurations (used only for legacy integrations) | `fe.connectivity.write.smsConfig` |
| SMS integration | Delete SMS configurations | Delete SMS integration configurations (used only for legacy integrations) | `fe.connectivity.delete.smsConfig` |
| Account settings | Write account settings | Create or update account settings | `fe.secure.write.accountSettings` |
| Account settings | Read security policies | View account settings | `fe.secure.read.accountSettings` |
| Account settings | Delete account | Delete my account | `fe.account-settings.delete.account` |
| Account settings | Edit custom login settings | Write account custom login box styling | `fe.account-settings.write.custom-login-box` |
| Account settings | Read application | View all applications in the account | `fe.account-settings.read.app` |
| Security policies | Delete security policies | Delete security policies | `fe.secure.delete.securityPolicy` |
| Security policies | Write security policies | Create or update security policies | `fe.secure.write.securityPolicy` |
| Security policies | Read security policies | View security policies | `fe.secure.read.securityPolicy` |
| Security policies | Create new IP restrictions | Create new IP restriction and modify configuration | `fe.secure.write.ipRestrictions` |
| Security policies | Delete IP restrictions | Delete IP restrictions | `fe.secure.delete.ipRestrictions` |
| Security policies | Read email domain restrictions | View domain restrictions and configuration | `fe.secure.read.emailDomainRestrictions` |
| Security policies | Read IP restrictions | View IP restrictions and configuration | `fe.secure.read.ipRestrictions` |
| Security policies | Create new email domain restrictions | Create new email domain restrictions and edit configuration | `fe.secure.write.emailDomainRestrictions` |
| Security policies | Delete email domain restriction | Delete email domain restrictions | `fe.secure.delete.emailDomainRestrictions` |
| Security policies | Delete provisioning configuration | Delete provisioning configurations | `fe.secure.delete.provisioningConfiguration` |
| Security policies | Read provisioning configurations | View provisioning configurations | `fe.secure.read.provisioningConfiguration` |
| Security policies | Create new provisioning configurations | Create new provisioning configurations | `fe.secure.write.provisioningConfiguration` |
| Security policies | Create or revoke actor tokens | Create new or revoke existing actor tokens | `fe.secure.write.actorToken` |
| Security policies | Delegation | Act on behalf of another user | `fe.secure.write.delegation` |
| Secure access | Secure general | All secure access permissions | `fe.secure.*` |
| Secure access | Secure read | All secure access read permissions | `fe.secure.read.*` |
| Secure access | Secure delete | All secure access delete permissions | `fe.secure.delete.*` |
| Secure access | Secure write | All secure access write permissions | `fe.secure.write.*` |
| Groups | Create or update groups | Create or update any group | `fe.secure.write.groups` |
| Groups | Read groups | View all groups | `fe.secure.read.groups` |
| Groups | Edit group roles | Edit roles of any group | `fe.secure.write.groupsRoles` |
| Groups | Add users to groups | Add users to any group | `fe.secure.write.groupsUsers` |
| Groups | Delete groups | Delete any group | `fe.secure.delete.groups` |
| Groups | Remove users from groups | Remove users from any group | `fe.secure.delete.groupsUsers` |
| SAML / OIDC | Write SAML / OIDC default roles | Write SAML / OIDC default roles | `fe.secure.write.samlDefaultRoles` |
| SAML / OIDC | Read SAML / OIDC configurations | View vendor and tenant SAML / OIDC configuration | `fe.secure.read.samlConfiguration` |
| SAML / OIDC | Write SAML / OIDC configurations | Create and update account SAML / OIDC configurations | `fe.secure.write.samlConfiguration` |
| SAML / OIDC | Delete SAML / OIDC configuration | Delete account SAML / OIDC configuration | `fe.secure.delete.samlConfiguration` |
| SAML / OIDC | Read SAML / OIDC default roles | View SAML / OIDC default role configuration | `fe.secure.read.samlDefaultRoles` |
| Webhooks integration | Read webhooks | View webhook configurations | `fe.connectivity.read.webhooks` |
| Webhooks integration | Read webhook logs | View webhook logs | `fe.connectivity.read.webhookLogs` |
| Webhooks integration | Write webhooks | Create and update webhook configuration | `fe.connectivity.write.webhook` |
| Webhooks integration | Delete webhooks | Delete webhook configurations | `fe.connectivity.delete.webhook` |
| API tokens | Delete tenant API tokens | Delete account API tokens | `fe.secure.delete.tenantApiTokens` |
| API tokens | Read account API tokens | View all account API tokens | `fe.secure.read.tenantApiTokens` |
| API tokens | Read user API tokens | View own API tokens | `fe.secure.read.userApiTokens` |
| API tokens | Write user API tokens | Create and update own API tokens | `fe.secure.write.userApiTokens` |
| API tokens | Delete user API tokens | Delete own API tokens | `fe.secure.delete.userApiTokens` |
| API tokens | Write account API tokens | Create or update account API tokens | `fe.secure.write.tenantApiTokens` |
| Subscriptions | Subscriptions write | All subscriptions write permissions (used only for legacy integrations) | `fe.subscriptions.write.*` |
| Subscriptions | Subscriptions general | All subscription permissions (used only for legacy integrations) | `fe.subscriptions.*` |
| Subscriptions | Subscriptions read | All subscription read permissions (used only for legacy integrations) | `fe.subscriptions.read.*` |
| Roles and permissions | Read roles | View vendor and account roles | `fe.secure.read.roles` |
| Roles and permissions | Read permissions | View permissions | `fe.secure.read.permissions` |
| Roles and permissions | Write roles | Create account roles | `fe.secure.write.roles` |
| Roles and permissions | Delete roles | Delete account roles | `fe.secure.delete.role` |
| Roles and permissions | Update roles | Update account roles | `fe.secure.write.updateRole` |
| Audits | Read audits | View audit logs | `fe.secure.read.audits` |