Organization Permissions
Comprehensive guide to Hanzo KMS's organization-level permissions
Hanzo KMS's organization permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the organization level, these permissions determine what actions users/machines can perform on various resources across the entire organization.

Each permission consists of:

- Subject: The resource the permission applies to (e.g., project, members, billing)
- Action: The operation that can be performed (e.g., read, create, edit, delete)

Some organization-level resources, specifically app-connections, support conditional permissions and permission inversion for more granular access control.

Below is a comprehensive list of all available organization-level subjects and their supported actions, organized by functional area.

| Action | Description |
| --- | --- |
| create | Create new project |

| Action | Description |
| --- | --- |
| create | Create new sub-organizations under the root organization |
| direct-access | Access and switch into sub-organizations the user has membership in |
| link-root-group | Link a root organization group to a sub-organization (and unlink it). Root org role only. |

| Action | Description |
| --- | --- |
| read | View organization roles and their assigned permissions |
| create | Create new organization roles |
| edit | Modify existing organization roles |
| delete | Remove organization roles |

| Action | Description |
| --- | --- |
| read | View organization members |
| create | Add new members to the organization |
| edit | Modify member details |
| delete | Remove members from the organization |

| Action | Description |
| --- | --- |
| read | View organization groups |
| create | Create new groups in the organization |
| edit | Modify existing groups |
| delete | Remove groups from the organization |
| grant-privileges | Change permission levels for organization groups |
| add-members | Add members to groups |
| remove-members | Remove members from groups |

| Action | Description |
| --- | --- |
| read | View organization identities |
| create | Add new identities to organization |
| edit | Modify organization identities |
| delete | Remove identities from organization |
| grant-privileges | Change permission levels of organization identities |
| revoke-auth | Revoke authentication for identities |
| create-token | Create new authentication tokens |
| delete-token | Delete authentication tokens |
| get-token | Retrieve authentication tokens |

| Action | Description |
| --- | --- |
| read | View secret scanning results and settings |
| create | Configure secret scanning |
| edit | Modify secret scanning settings |
| delete | Remove secret scanning configuration |

| Action | Description |
| --- | --- |
| read | View organization settings |
| create | Setup and configure organization settings |
| edit | Modify organization settings |
| delete | Remove organization settings |

| Action | Description |
| --- | --- |
| read | View incident contacts |
| create | Set up new incident contacts |
| edit | Modify incident contact settings |
| delete | Remove incident contacts |

| Action | Description |
| --- | --- |
| read | View organization audit logs |

| Action | Description |
| --- | --- |
| read | View Single Sign-On configurations |
| create | Set up new SSO integrations |
| edit | Modify existing SSO settings |
| delete | Remove SSO configurations |

| Action | Description |
| --- | --- |
| read | View SCIM configurations |
| create | Set up new SCIM provisioning |
| edit | Modify existing SCIM settings |
| delete | Remove SCIM configurations |

| Action | Description |
| --- | --- |
| read | View LDAP configurations |
| create | Set up new LDAP integrations |
| edit | Modify existing LDAP settings |
| delete | Remove LDAP configurations |

| Action | Description |
| --- | --- |
| read | View billing information and subscription status |
| manage-billing | Manage billing details and subscription plans |

| Action | Description |
| --- | --- |
| read | View project templates |
| create | Create new project templates |
| edit | Modify existing project templates |
| delete | Remove project templates |

Supports conditions and permission inversion

| Action | Description |
| --- | --- |
| read | View app connection configurations |
| create | Create new app connections |
| edit | Modify existing app connections |
| delete | Remove app connections |
| connect | Use app connections |

| Action | Description |
| --- | --- |
| read | View organization KMS configurations |
| create | Set up new KMS configurations |
| edit | Modify KMS settings |
| delete | Remove KMS configurations |

| Action | Description |
| --- | --- |
| setup | Configure KMIP server settings |
| proxy | Act as a proxy for KMIP operations |

| Action | Description |
| --- | --- |
| access-all-projects | Access all projects within the organization |

| Action | Description |
| --- | --- |
| manage-settings | Manage secret share settings |

| Action | Description |
| --- | --- |
| list-gateways | View all organization gateways |
| create-gateways | Add new gateways to organization |
| edit-gateways | Modify existing gateway settings |
| delete-gateways | Remove gateways from organization |
| attach-gateways | Attach gateways to resources |

| Action | Description |
| --- | --- |
| list-relays | View all organization relays |
| create-relays | Add new relays to organization |
| edit-relays | Modify existing relay settings |
| delete-relays | Remove relays from organization |

| Action | Description |
| --- | --- |
| list-templates | View identity auth templates |
| create-templates | Create new identity auth templates |
| edit-templates | Modify existing identity auth templates |
| delete-templates | Remove identity auth templates |
| unlink-templates | Unlink identity auth templates from identities |
| attach-templates | Attach identity auth templates to identities |
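
When an organization role is edited, the subject-action pairs it grants can be diffed so that newly added high-impact actions get a second look before approval. The following is an added example, not Hanzo KMS code: the action names come from the tables above, while the role document shape, the `identity` subject name, the selection of actions treated as high-impact, and the handling of an inverted rule as a denial are assumptions, and conditions are ignored.

```python
# Added example. Action names are taken from the tables on this page; the
# role document shape and the "identity" subject name are assumptions.
HIGH_IMPACT = {
    "grant-privileges", "create-token", "get-token", "access-all-projects",
    "link-root-group", "manage-billing", "proxy", "connect",
}


def effective_grants(role):
    """Return the set of (subject, action) pairs a role allows.

    Assumed rule shape: {"subject": str, "actions": [str], "inverted": bool}.
    An inverted rule is treated as a denial that overrides matching allows.
    """
    allowed, denied = set(), set()
    for rule in role["permissions"]:
        pairs = {(rule["subject"], action) for action in rule["actions"]}
        (denied if rule.get("inverted") else allowed).update(pairs)
    return allowed - denied


def new_high_impact(before, after):
    """Return high-impact grants present after a role edit but not before."""
    added = effective_grants(after) - effective_grants(before)
    return sorted(pair for pair in added if pair[1] in HIGH_IMPACT)


# Constructed sample: the same role before and after an edit. The edit adds
# token and privilege actions and drops the inverted "connect" rule.
ROLE_BEFORE = {"permissions": [
    {"subject": "identity", "actions": ["read"]},
    {"subject": "app-connections", "actions": ["read", "connect"]},
    {"subject": "app-connections", "actions": ["connect"], "inverted": True},
]}
ROLE_AFTER = {"permissions": [
    {"subject": "identity",
     "actions": ["read", "edit", "create-token", "grant-privileges"]},
    {"subject": "app-connections", "actions": ["read", "connect"]},
    {"subject": "billing", "actions": ["read"]},
]}

if __name__ == "__main__":
    for subject, action in new_high_impact(ROLE_BEFORE, ROLE_AFTER):
        print(f"review needed: {subject}:{action}")
```

Removing the inverted rule surfaces `connect` as a new grant even though the allow rule itself did not change, which a diff of allow rules alone would miss.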