# Built-in roles and permissions

MetalSoft provides several built-in roles that cannot be edited:

* Root - Highest level.
* Full Admin - Similar to Root but cannot put the system into maintenance
* Basic Admin - Primarily read only across all admin resources
* User - Access only to infrastructures and the user interface

Custom roles can also be created.

In general, the permissions follow the Admin UI, providing `read` and `write` access to the respective resources. For example, `workflow_read` allows a read-only view of the *Workflows* section, and `workflow_write` allows you to edit the workflows.

## Built-in permissions

The following are built-in permissions. Custom ones can also be created and assigned to roles.

### Users related permissions

* **users_read** - Allows reading details about a user, such as name
* **users_write** - Allows changing details about a user, such as name
* **users_and_permissions_read** - Allows reading a user's role, limits and credentials access
* **users_and_permissions_write** - Allows changing a user's role, limits and credentials access
* **users_2fa_disable** - Allows disabling a user's 2FA setting
* **skip_user_limits** - Permission to be set on a role when user utilization limits should not be checked by the system.
* **skip_authenticator** - Permission to be set on a role if 2FA authentication is optional.
* **metalcloud_access** - Default permission for the user role

### Network profiles

* **network_profiles_read** - Allows a read operation on public network profile objects.
* **network_profiles_write** - Allows a write operation on public network profile objects.
* **network_profiles_allowed_for_user_read** - Allows a write operation on a specific user's network profile objects.
* **network_profiles_allowed_for_user_write** - Allows a write operation on a specific user's network profile objects.
* **network_profiles_allow_specific_vlan_ids** - Allows a specific VLAN to be used rather than an automatically allocated one.
  This has security implications, as it allows the use of VLANs that might be in use by other users.

### Network Fabrics

* **network_fabrics_read** - Allows reading details of network fabric objects.
* **network_fabrics_write** - Allows creation, editing, and deletion of network fabric objects.

### Licenses related permissions

* **Licenses read** - Allows reading licensing details
* **Licenses write** - Allows changing licensing details, such as adding a new license key.

### Firmware related permissions

* **firmware_upgrade_read** - Allows the user to read firmware-related objects such as baselines.
* **firmware_upgrade_read** - Allows the user to create and edit firmware-related objects such as baselines.
* **firmware_baselines_read** - (not used)
* **firmware_baselines_write** - (not used)

### Site related permissions

* **site_read** - Site Read
* **site_write** - Site Write

### Servers

* **servers_read** - Allows reading server object details.
* **servers_write** - Allows changing and editing server object details such as tags.
* **server_types_read** - Allows reading server type object details such as tags.
* **server_type_utilization_report_read** - Allows reading the server type utilization report.

### Switches

* **switches_read** - Allows reading switch objects.
* **switches_write** - Allows creation, editing and deletion of switch objects.

### Storage

* **storage_read** - Allows reading storage objects.
* **storage_write** - Allows creation, editing and deletion of storage objects.

### IPAM Subnets

* **subnets_read** - Allows reading subnet objects.
* **subnets_write** - Allows creation, editing and deletion of subnet objects.

### Infrastructures

* **infrastructures_read** - Allows reading the infrastructure details of other users
* **infrastructures_write** - Allows the user to delete or change other users' infrastructures.

### OS Templates

* **templates_read** - Allows the creation of templates
* **templates_write** - Allows the user to create, edit and delete templates

### Events & jobs

* **events_read** - Allows the listing of events
* **events_write** - (Not used)
* **job_queue_read** - Allows the listing of jobs
* **job_queue_write** - Allows operations on jobs such as resume.

### Variables

* **variables_and_secrets_read** - Allows listing variables and secrets, and viewing the contents of variable objects only, not those of secrets.
* **variables_and_secrets_write** - Allows the creation, editing and deletion of variables.

### Subscriptions

* **subscriptions_read** - Allows listing the reservations of all users.
* **subscriptions_write** - Allows creation, editing and deletion of reservations for other users.

### Reports

* **utilization_reports_read** - Allows reading other users' utilization reports

### Utility

* **admin_access** - Allows access to the admin interface
* **suspend_reasons_read** - Allows the user to see suspend reasons
* **suspend_reasons_write** - Allows the user to suspend other users and add reasons
* **global_configurations_write** - Global Configurations Write
* **global_configurations_read** - Global Configurations Read
* **maintenance_read** - Allows the user to view the user interface maintenance flag (deprecated)
* **maintenance_write** - Allows the user to change the user interface maintenance flag (deprecated)
* **admin_maintenance_read** - Allows the user to view the admin interface maintenance flag (deprecated)
* **admin_maintenance_write** - Allows the user to view the admin interface maintenance flag (deprecated)

### Virtual Machines (VMs)

* **vm_pools_read** - Allows reading details of VM pools.
* **vm_pools_write** - Allows creation, editing, and deletion of VM pools.
* **vm_types_read** - Allows reading details of VM types.
* **vm_types_write** - Allows creation, editing, and deletion of VM types.
* **vm_profiles_read** - Allows reading details of VM profiles.
* **vm_profiles_write** - Allows creation, editing, and deletion of VM profiles.
* **vms_read** - Allows reading details of virtual machines.
* **vms_write** - Allows creation, editing, and deletion of virtual machines.

### S3 buckets (object storage)

* **buckets_read** - Allows reading details of bucket objects

### Extensions

* **extensions_read** - Allows reading details of extension objects.
* **extensions_write** - Allows creation, editing, and deletion of extension objects.
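
When reviewing custom roles, it helps to check each role's permission list against the entries above that relax authentication, limits or tenant isolation, and against those marked unused or deprecated. The following is an added example, not MetalSoft code: the `SENSITIVE` and `STALE` groupings, the sample roles and the "write without read" hint are assumptions built from the descriptions on this page.

```python
# Added example: static review of role definitions using permission names from this page.
# SENSITIVE/STALE groupings and SAMPLE_ROLES are constructed assumptions, not MetalSoft data.

SENSITIVE = {
    "users_2fa_disable": "can disable another user's 2FA",
    "skip_authenticator": "makes 2FA optional for the role",
    "skip_user_limits": "bypasses utilization limit checks",
    "users_and_permissions_write": "can change roles, limits and credentials access",
    "network_profiles_allow_specific_vlan_ids": "can pick VLANs possibly used by other users",
    "infrastructures_write": "can change or delete other users' infrastructures",
}
# Permissions the page marks as "(not used)" or "(deprecated)".
STALE = {
    "firmware_baselines_read", "firmware_baselines_write", "events_write",
    "maintenance_read", "maintenance_write",
    "admin_maintenance_read", "admin_maintenance_write",
}

SAMPLE_ROLES = {  # constructed sample input
    "netops": ["network_profiles_read", "network_profiles_write",
               "network_profiles_allow_specific_vlan_ids", "switches_write"],
    "helpdesk": ["users_read", "users_2fa_disable", "events_read", "events_write"],
}


def review_role(name, permissions):
    """Return sorted (role, permission, finding) tuples for one role."""
    perms = set(permissions)
    findings = [(name, p, SENSITIVE[p]) for p in perms & set(SENSITIVE)]
    findings += [(name, p, "marked not used or deprecated; remove from role")
                 for p in perms & STALE]
    for p in perms:
        # Page convention: <resource>_read / <resource>_write pairs.
        # A write without its read is only a consistency hint (assumption).
        if p.endswith("_write") and p not in STALE:
            read = p[: -len("_write")] + "_read"
            if read not in perms:
                findings.append((name, p, f"write granted without {read}"))
    return sorted(findings)


def review_all(roles):
    """Review every role; results are ordered by role name, then permission."""
    return [f for name, perms in sorted(roles.items()) for f in review_role(name, perms)]


if __name__ == "__main__":
    for role, perm, why in review_all(SAMPLE_ROLES):
        print(f"{role}: {perm}: {why}")
```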