API permissions reference

This topic describes the permissions available for API keys and service accounts in Harness.

These permissions are used by API keys to perform various actions through Harness APIs. Subsets of these permissions are applied to API keys and tokens when you create them. You can create API keys under your own account or service accounts, and the keys and tokens inherit permissions from the associated user or service account.

Account

The following permissions allow an API key to manage a Harness account's details, settings, and license.

  • View account: core_account_view
  • Edit account: core_account_edit
  • View account settings: core_setting_view
  • Edit account settings: core_setting_edit
  • View license: core_license_view
  • Edit license: core_license_edit

core_account_view and core_account_edit are only available at the account scope. The setting and license permissions are available at any scope.

Audits

The core_audit_view permission allows an API key to view audits. It is available at any scope.

CCM

The following permissions allow an API key to interact with CCM. They are only available at the account scope.

| Permission ID | Description |
| --- | --- |
| ccm_perspective_view | View CCM Perspective |
| ccm_perspective_edit | Edit CCM Perspective |
| ccm_perspective_delete | Delete CCM Perspective |
| ccm_budget_view | View CCM Budgets |
| ccm_budget_edit | Edit CCM Budgets |
| ccm_budget_delete | Delete CCM Budgets |
| ccm_costCategory_view | View CCM Cost Category |
| ccm_costCategory_edit | Create/Edit CCM Cost Category |
| ccm_costCategory_delete | Delete CCM Cost Category |
| ccm_autoStoppingRule_view | View CCM Auto stopping Rules |
| ccm_autoStoppingRule_edit | Create/Edit CCM Auto stopping Rules |
| ccm_autoStoppingRule_delete | Delete CCM Auto stopping Rules |
| ccm_folder_view | View CCM Folders |
| ccm_folder_edit | Create/Edit CCM Folders |
| ccm_folder_delete | Delete CCM Folders |
| ccm_loadBalancer_view | View CCM Load Balancers |
| ccm_loadBalancer_edit | Create/Edit CCM Load Balancers |
| ccm_loadBalancer_delete | Delete CCM Load Balancers |
| ccm_overview_view | View CCM Overview page |

Chaos Engineering

The following permissions allow an API key to interact with Chaos Engineering. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| chaos_chaoshub_view | View Chaos Hubs |
| chaos_chaoshub_edit | Edit Chaos Hubs |
| chaos_chaoshub_delete | Delete Chaos Hubs |
| chaos_chaosinfrastructure_view | View Chaos Infrastructures |
| chaos_chaosinfrastructure_edit | Edit Chaos Infrastructures |
| chaos_chaosinfrastructure_delete | Delete Chaos Infrastructures |
| chaos_chaosexperiment_view | View Chaos Experiments |
| chaos_chaosexperiment_edit | Edit Chaos Experiments |
| chaos_chaosexperiment_delete | Delete Chaos Experiments |
| chaos_chaosgameday_view | View Chaos GameDay |
| chaos_chaosgameday_edit | Edit Chaos GameDay |
| chaos_chaosgameday_delete | Delete Chaos GameDay |

Code Repository

| Permission ID | Description |
| --- | --- |
| code_repository_view | View repositories |
| code_repository_edit | Update repository settings, such as descriptions, webhooks, and rules. |
| code_repository_create | Create repositories |
| code_repository_delete | Delete repositories |
| code_repository_push | Repository contributor permissions, such as committing, pushing, creating/deleting branches, creating/deleting tags. |

Connectors

The following permissions allow an API key to manage connectors. They are available at any scope.

  • View connectors: core_connector_view
  • Create/edit connectors: core_connector_edit
  • Access connectors: core_connector_access
  • Delete connectors: core_connector_delete

Dashboards

The following permissions allow an API key to manage account dashboards. They are available at either the account or organization scope but not the project scope.

  • View dashboards: core_dashboards_view
  • Edit dashboards: core_dashboards_edit

Delegates

The following permissions allow an API key to manage delegates. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| core_delegate_view | View Delegates |
| core_delegate_edit | Create or Edit Delegates |
| core_delegate_delete | Delete Delegates |
| core_delegateconfiguration_view | View Delegate Configurations |
| core_delegateconfiguration_edit | Create/Edit Delegate Configurations |
| core_delegateconfiguration_delete | Delete Delegate Configurations |

Deployment freeze

The following permissions allow an API key to manage deployment freezes. They are available at any scope.

  • Manage deployment freezes: core_deploymentfreeze_manage
  • Override deployment freezes: core_deploymentfreeze_override
  • Apply global deployment freeze: core_deploymentfreeze_global

Environments

The following permissions allow an API key to manage environments and environment groups. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| core_environment_view | View Environments |
| core_environment_edit | Create/Edit Environments |
| core_environment_delete | Delete Environments |
| core_environment_access | Runtime access to Environments |
| core_environmentgroup_view | View Environment Groups |
| core_environmentgroup_edit | Create/Edit Environment Groups |
| core_environmentgroup_delete | Delete Environment Groups |
| core_environmentgroup_access | Runtime access to Environment Groups |

Feature Flag

The following permissions allow an API key to interact with the Feature Flag module. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| ff_featureflag_edit | Create/Edit Feature Flags |
| ff_featureflag_delete | Delete Feature Flags |
| ff_featureflag_view | View Feature Flags |
| ff_targetgroup_view | View Target Groups |
| ff_targetgroup_edit | Create/Edit Target Groups |
| ff_targetgroup_delete | Delete Target Groups |
| ff_environment_targetGroupEdit | Edit Target Groups |
| ff_target_view | View Targets |
| ff_environment_apiKeyView | View Feature Flag Environment API Keys |
| ff_environment_apiKeyCreate | Create Feature Flag Environment API Keys |
| ff_environment_apiKeyDelete | Delete Feature Flag Environment API Keys |
| ff_environment_edit | Edit Feature Flag Environment Configuration |
| ff_environment_view | View Feature Flag Environment Configuration |
| ff_featureflag_toggle | Toggle a Feature Flag on/off |

Files

The following permissions allow an API key to manage files. They are available at any scope.

  • View files: core_file_view
  • Edit files: core_file_edit
  • Delete files: core_file_delete
  • Access files: core_file_access

GitOps

The following permissions allow an API key to interact with GitOps. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| gitops_agent_view | View GitOps Agents |
| gitops_agent_edit | Edit GitOps Agents |
| gitops_agent_delete | Delete GitOps Agents |
| gitops_application_view | View GitOps Applications |
| gitops_application_edit | Edit GitOps Applications |
| gitops_application_delete | Delete GitOps Applications |
| gitops_application_sync | Sync GitOps Applications |
| gitops_repository_view | View GitOps Repositories |
| gitops_repository_edit | Edit GitOps Repositories |
| gitops_repository_delete | Delete GitOps Repositories |
| gitops_cluster_view | View GitOps Clusters |
| gitops_cluster_edit | Edit GitOps Clusters |
| gitops_cluster_delete | Delete GitOps Clusters |
| gitops_gpgkey_view | View GitOps GPG keys |
| gitops_gpgkey_edit | Edit GitOps GPG keys |
| gitops_gpgkey_delete | Delete GitOps GPG keys |
| gitops_cert_view | View GitOps Certificate |
| gitops_cert_edit | Edit GitOps Certificate |
| gitops_cert_delete | Delete GitOps Certificate |

Governance Policies

The following permissions allow an API key to manage governance policies. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| core_governancePolicy_edit | Create/Edit Policies |
| core_governancePolicy_view | View Policies |
| core_governancePolicy_delete | Delete Policies |
| core_governancePolicySets_edit | Create/Edit Policy Sets |
| core_governancePolicySets_view | View Policy Sets |
| core_governancePolicySets_delete | Delete Policy Sets |
| core_governancePolicySets_evaluate | Evaluate Policy Sets |

Infrastructure as Code Management

The following permissions allow an API key to manage IACM workspaces. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| iac_workspace_view | View Infrastructure Workspace |
| iac_workspace_edit | Create/Edit Infrastructure Workspace |
| iac_workspace_delete | Delete Infrastructure Workspace |
| iac_workspace_editvariable | Create/Edit Infrastructure Workspace Variable |
| iac_workspace_deletevariable | Delete Infrastructure Workspace Variable |
| iac_workspace_approve | Approve Infrastructure Workspace |
| iac_workspace_accessstate | Access Infrastructure Workspace State |

Internal Developer Portal

The following permissions allow an API key to interact with IDP Admin resources. They are only available at the account scope.

| Permission ID | Description |
| --- | --- |
| idp_plugin_view | View IDP custom plugins |
| idp_plugin_edit | Create or Edit IDP custom plugins |
| idp_plugin_toggle | Enable or Disable an IDP Plugin |
| idp_plugin_delete | Delete IDP custom plugins |
| idp_scorecard_view | View IDP Scorecards |
| idp_scorecard_edit | Create or Edit IDP Scorecards |
| idp_scorecard_delete | Delete IDP Scorecards |
| idp_layout_view | View IDP Layout Configurations |
| idp_layout_edit | Create or Edit IDP Layout Configurations |
| idp_catalogaccesspolicy_view | View IDP Catalog Access Control Policies |
| idp_catalogaccesspolicy_create | Create IDP Catalog Access Control Policies |
| idp_catalogaccesspolicy_edit | Edit IDP Catalog Access Control Policies |
| idp_catalogaccesspolicy_delete | Delete IDP Catalog Access Control Policies |
| idp_integration_view | View IDP Integrations |
| idp_integration_create | Create IDP Integrations |
| idp_integration_edit | Edit IDP Integrations |
| idp_integration_delete | Delete IDP Integrations |
| idp_advancedconfiguration_view | View IDP Advanced Configurations |
| idp_advancedconfiguration_edit | Create or Edit IDP Advanced Configurations |
| idp_advancedconfiguration_delete | Delete IDP Advanced Configurations |

Organizations

The following permissions allow an API key to manage organizations. They are available at either the account or organization scope but not the project scope.

  • View organizations: core_organization_view
  • Create organizations: core_organization_create
  • Edit organizations: core_organization_edit
  • Delete organizations: core_organization_delete

Pipelines

The following permissions allow an API key to manage pipelines. They are available at any scope.

  • View pipelines: core_pipeline_view
  • Create/edit pipelines: core_pipeline_edit
  • Delete pipelines: core_pipeline_delete
  • Run pipelines: core_pipeline_execute

Projects

The following permissions allow an API key to manage projects. They are available at any scope.

  • View projects: core_project_view
  • Create projects: core_project_create
  • Edit projects: core_project_edit
  • Delete projects: core_project_delete

RBAC and authorization

The following permissions allow an API key to manage RBAC and authorization-related resources, such as users, user groups, resource groups, roles, and service accounts.

Authorization

Authorization settings management permissions are only available at the account scope.

  • View authorization settings: core_authsetting_view
  • Edit authorization settings: core_authsetting_edit
  • Delete authorization settings: core_authsetting_delete

Resource groups

Resource group management permissions are available at any scope.

  • View resource groups: core_resourcegroup_view
  • Create/edit resource groups: core_resourcegroup_edit
  • Delete resource groups: core_resourcegroup_delete

Roles

Role management permissions are available at any scope.

  • View roles: core_role_view
  • Create/edit roles: core_role_edit
  • Delete roles: core_role_delete

User groups

User group management permissions are available at any scope.

  • View user groups: core_usergroup_view
  • Manage user groups: core_usergroup_manage

Users

User management permissions are available at any scope.

  • Invite users: core_user_invite
  • View users: core_user_view
  • Manage users: core_user_manage

Service accounts

The following permissions allow an API key or user to manage service accounts in Harness. These permissions are only available at the account scope.

  • View service accounts: core_serviceaccount_view
  • Create/edit service accounts: core_serviceaccount_edit
  • Delete service accounts: core_serviceaccount_delete

To manage API keys for service accounts, the core_serviceaccount_manageapikey permission can be applied at any scope.

Secrets

The following permissions allow an API key to manage secrets.

  • View secrets: core_secret_view
  • Create/edit secrets: core_secret_edit
  • Access secrets: core_secret_access
  • Delete secrets: core_secret_delete

core_secret_view is only available at the account scope. All other secrets permissions are available at all scopes.

Services

The following permissions allow an API key to manage services. They are available at any scope.

  • View services: core_service_view
  • Create/edit services: core_service_edit
  • Delete services: core_service_delete
  • Access services at runtime: core_service_access

SMTP

The following permissions allow an API key to manage the SMTP configuration. These are only available at the account scope.

  • View SMTP config: core_smtp_view
  • Create/edit SMTP config: core_smtp_edit
  • Delete SMTP config: core_smtp_delete

SRM

The following permissions allow an API key to manage SRM. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| chi_monitoredservice_view | View Monitored Services |
| chi_monitoredservice_edit | Create/Edit Monitored Services |
| chi_monitoredservice_delete | Delete Monitored Services |
| chi_monitoredservice_toggle | Toggle Monitored Services on/off |
| chi_slo_view | View SLOs |
| chi_slo_edit | Create/Edit SLOs |
| chi_slo_delete | Delete SLOs |

STO

The following permissions allow an API key to manage STO. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| sto_testtarget_view | View Test Targets |
| sto_testtarget_edit | Edit Test Targets |
| sto_exemption_view | View Exemptions |
| sto_exemption_create | Create Exemptions |
| sto_exemption_approve | Approve Exemptions |
| sto_issue_view | View Security Issues |
| sto_scan_view | View Security Scans |

Templates

The following permissions allow an API key to manage templates. They are available at any scope.

| Permission ID | Description |
| --- | --- |
| core_template_view | View Templates |
| core_template_copy | Copy Templates |
| core_template_edit | Edit Templates |
| core_template_delete | Delete Templates |
| core_template_access | Access Templates |

Variables

The following permissions allow an API key to manage variables. They are available at any scope.

  • View variables: core_variable_view
  • Create/edit variables: core_variable_edit
  • Delete variables: core_variable_delete