# Role-Based Access Control (RBAC) Reference Role-Based Access Control (RBAC) provides a structured approach to managing permissions within the Apono UI. By aligning access rights with specific job responsibilities, RBAC prevents unauthorized or conflicting administrative actions. RBAC is especially powerful for enabling collaboration across multiple teams and professionals with different objectives. Each team member receives precisely the access they need to perform their specific tasks. At the same time, RBAC maintains overall system security and operational integrity. {% hint style="info" %} To learn more about managing user roles in Apono, click [here](https://docs.apono.io/docs/user-administration/manage-identities#edit-an-identity). {% endhint %} *** ### Role Overview You can assign any of the following roles to each user.

Role	Description
Admin	Full access to all features and functionalities Usage: Only role authorized to create, delete, and assign roles to users
Space Owner	Management of membership and access objects within a specific space, with view-only access outside that space Usage: Invites members, assigns member roles, and manages access objects
Space Manager	Management of access objects within a specific space, with view-only access outside that space Usage: Handles day-to-day management of access objects within a specific space
Power User	Access to most features except some user and account settings Usage: Manages daily administrative tasks
Deployment	Permissions focused on infrastructure and deployment management Usage: Ensures seamless deployment and infrastructure integrity
Viewer	Read-only access to reports and auditing functionalities Usage: Monitors compliance and administrative activity without modifying resources
Grantee	(Portal UI only) Permissions focused on requesting and accessing resources Usage: Requests resources and connects to granted resources

*** ### Permissions The following tables detail the permissions available to each role within the Apono UI. #### Overview Dashboard

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View	✅	✅	✅	✅		✅

Right Sizing *Ensures your access flows grant the least-privileged access to users.* [*Learn more*](https://docs.apono.io/docs/access-flows/manage-access-flows/right-sizing)*.*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View	✅	✅	✅	✅		✅
Filter	✅	✅	✅	✅		✅

Access Graph *Visualizes how access is granted to resources, whether JIT, via group membership or with standing access*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View	✅	✅	✅	✅		✅
Filter	✅	✅	✅	✅		✅

Anomalies *Safeguards against potential risky access to your tools.* [*Learn more*](https://docs.apono.io/docs/architecture-and-security/anomalies)*.*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View	✅	✅	✅	✅		✅
Filter	✅	✅	✅	✅		✅

Access Discovery *Assesses and remediated standing access to improve your cloud security posture.* [*Learn more*](https://docs.apono.io/docs/getting-started/access-discovery)*.*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
Explore	✅	✅	✅	✅		✅
Revoke Standing Access	✅			✅

#### Access Management Access Flows *Enables creating automated, dynamic permission workflows that define access to sets of resources.* [*Learn more*](https://docs.apono.io/docs/access-flows/access-flows)*.*

Action	Admin	Space Owner	Space Manager	Power User	Viewer
View the access flow list	✅	✅	✅	✅	✅
Filter the access flow list	✅	✅	✅	✅	✅
Get an access flow	✅	✅	✅	✅	✅
Create an access flow	✅	✅	✅	✅
Edit an access flow	✅	✅	✅	✅
Enable an access flow	✅	✅	✅	✅
Disable an access flow	✅	✅	✅	✅
Delete an access flow	✅	✅	✅	✅

Bundles *Manages access to integrations, roles, and resources by grouping them together.* [*Learn more*](https://docs.apono.io/docs/access-flows/create-bundles)*.*

Action	Admin	Space Owner	Space Manager	Power User	Viewer
View the bundles list	✅	✅	✅	✅	✅
Get a bundle	✅	✅	✅	✅	✅
Create a bundle	✅	✅	✅	✅
Edit a bundle	✅	✅	✅	✅
Delete a bundle	✅	✅	✅	✅

#### Environment Integrations

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View the integration list	✅	✅	✅	✅	✅	✅
Get an integration	✅	✅	✅	✅	✅	✅
View the catalog	✅	✅	✅	✅	✅	✅
Connect an integration	✅			✅	✅
Edit an integration	✅			✅	✅
Refresh an integration	✅	✅	✅	✅	✅
Delete an integration	✅			✅	✅

Connectors

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View the connector list	✅	✅	✅	✅	✅	✅
Connect a connector	✅			✅	✅
Edit a connector	✅			✅	✅
Delete a connector	✅			✅	✅

Identities *Allows restricting resource access by creating specified, authenticated users or groups.* [*Learn more*](https://docs.apono.io/docs/user-administration/create-identities)*.*

Action	Admin	Space Owner	Space Manager	Power User	Viewer
View users	✅	✅	✅	✅	✅
Add a user	✅
Create a group	✅			✅
Edit a group	✅			✅
Delete a group	✅			✅

Inventory *Enables creating and managing queries of dynamic, reusable groups of resources.* [*Learn more*](https://docs.apono.io/docs/inventory/access-scopes)*.*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View the access scope list	✅	✅	✅	✅	✅	✅
Filter the access scope list	✅	✅	✅	✅
Create an access scope	✅	✅	✅	✅
Edit an access scope	✅	✅	✅	✅
Delete an access scope	✅	✅	✅	✅

#### Administration Activity

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View the activity list	✅	✅	✅	✅	✅	✅
Filter the activity list	✅	✅	✅	✅	✅	✅
Revoke access in drawer	✅			✅
Revoke all	✅			✅

Reports

Action	Admin	Space Owner	Space Manager	Power User	Viewer
View the report list	✅	✅	✅	✅	✅
Get a report	✅	✅	✅	✅	✅
Create a report	✅	✅	✅	✅	✅
Edit a report	✅	✅	✅	✅	✅
Export a report	✅	✅	✅	✅	✅
Schedule a report	✅	✅	✅	✅	✅
Delete a report	✅	✅	✅	✅	✅

Session Audit

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View a session audit	✅	✅	✅	✅	✅	✅

Audit Log (Syslog) *Tracks system changes with a clear, chronological audit log for accountability and quick investigation.*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View the audit log list	✅	✅	✅	✅	✅	✅
Filter the audit log list	✅	✅	✅	✅	✅	✅
Click the audit log drawer	✅	✅	✅	✅	✅	✅
Export the audit log	✅	✅	✅	✅	✅	✅

Webhooks *Sends Apono access request data to your internal systems with event-triggered HTTP messages.* [*Learn more*](https://docs.apono.io/docs/webhook-integrations/intro-to-apono-outbound-webhooks)*.*

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View the webhook list	✅	✅	✅	✅	✅	✅
View webhook history	✅	✅	✅	✅	✅	✅
Create a webhook	✅			✅	✅
Edit a webhook	✅			✅	✅
Enable a webhook	✅			✅	✅
Disable a webhook	✅			✅	✅
Delete a webhook	✅			✅	✅

#### Identity and Access Management (IAM) Administration General (Settings)

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View settings	✅			✅		✅
Manage settings	✅			✅

Profile

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
Edit profile (individual)	✅			✅	✅	✅

Privacy & Security

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
Enable MFA (individual)	✅			✅	✅	✅

Account Details

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View account details	✅			✅	✅	✅
Edit account details	✅

Users

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View users list	✅	✅	✅	✅	✅	✅
Resend invitation email	✅			✅	✅	✅
Invite users	✅
Edit roles of users	✅
Log out user sessions	✅
Disable user	✅
Delete user	✅

#### API Tokens Personal API Tokens

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
View an API token	✅	✅	✅	✅	✅	✅
Create an API token	✅	✅	✅	✅	✅	✅
Delete an API token	✅	✅	✅	✅	✅	✅

Service Account API Tokens

Action	Admin	Space Owner	Space Manager	Power User	Deployment	Viewer
List API tokens	✅	✅	✅	✅	✅	✅
Create an API token	✅
Edit an API token	✅
Delete an API token	✅

^*1**A user with a Power User, Deployment, or Viewer role can view a service account token only if the token is explicitly scoped to that role.* #### Portal

Action	Admin	Power User	Deployment	Viewer	Grantee
Request access	✅	✅	✅	✅	✅
Access granted resources	✅	✅	✅	✅	✅