11.5. About Role Permissions

What each role is allowed to do is defined by what permissions it has. Not every role has every permission. Notably SuperUser has every permission and Monitor has the least.
Each permission can grant read and/or write access for a single category of resources.
The categories are: runtime state, server configuration, sensitive data, the audit log, and the access control system.
Table 11.1, “Role Permissions Matrix” summarizes the permissions of each role.

Table 11.1. Role Permissions Matrix

Monitor

Operator

Maintainer

Deployer

Auditor

Administrator

SuperUser

Read Config and State

X

X

X

X

X

X

X

Read Sensitive Data [2]

X

X

X

Modify Sensitive Data [2]

X

X

Read/Modify Audit Log

X

X

Modify Runtime State

X

X

X[1]

X

X

Modify Persistent Config

X

X[1]

X

X

Read/Modify Access Control

X

X
[1] permissions are restricted to application resources.
[2] What resources are considered to be "sensitive data" are configured using Sensitivity Constraints.