User guides
User management
Permissions list

Permissions list

Be aware of the available permissions in the SiteBox ecosystem and what they are responsible for

Company level

Allow creating projects in the company

The "Allow creating projects" in the company permission grants users the authority to create new projects within a specified company. Upon creating a project, the user is automatically granted all project-level permissions as an owner, allowing them to manage, modify, and delegate responsibilities within the project. However, this permission does not extend to visibility of all projects in the company context, ensuring that users can only access projects they have created or have been granted access to by other project owners.

  • It gives authority to create new projects within a specified company,
  • The permission does not extend to visibility of all projects in the company context.

Allow managing company

The "Allow managing company" permission empowers users with the ability to access and manage the settings page of a company. However, it is important to note that the removal of a company is a reserved action, exclusive to administrators only. This limitation ensures that only users with the appropriate administrative authority can perform such a critical action, safeguarding the integrity and continuity of the company's digital assets.

  • It gives authority to manage settings of a company,
  • The permission does not extend to deletion of a company from the Platform. This functionality is restricted to administrators only.

Allow managing company users

The "Allow managing company" users permission allows users to add or remove other users to and from the company. However, this permission does not grant the ability to manage permissions at the company level, as this functionality is reserved exclusively for administrators. The management of project-level permissions is instead governed by the "Allow managing project users" permission applied at the project level. Additionally, it is important to note that users with the "Allow managing company users" permission cannot delete an administrator, ensuring that administrative control and oversight are maintained within the company.

  • It gives authority to add, or remove a user within a company context,
  • The permission does not extend to role, or permission assignment on a company level,
  • Permissions to a new user can be assigned on a project level by users with proper access to the project ("Allow managing project users")
  • The permission does not allow for deletion of an administrator.
  • It gives authority to add, or remove users to or from groups,
  • Groups contain a set of project, or environment oriented properties. They can not contain company-wide permissions,
  • Project level permissions are can be granted by users with proper access to the project ("Allow managing project users")
  • The permission does not extend to managing groups (adding, or removing) as this is reserved for administrators only.

Allow managing company billings

The "Allow managing company billings" permission grants users the ability to access and review usage details and invoices for a company within a specific platform or system. This permission is designed to facilitate transparency in billing and resource consumption by allowing designated users to monitor and track financial aspects of the company's account. However, the "Allow managing company billings" permission does not extend to viewing or modifying payment details, as this sensitive information is protected and reserved exclusively for administrators. This restriction ensures that payment data remains secure and that changes to payment methods are controlled by individuals with the appropriate level of authority.

Allow viewing compliance

The "Allow viewing compliance" permission grants users access to the company's compliance log which presents all events that occurred within the company. Compliance permission allows to viewing of logs from all projects regardless of other permissions.

Project level

Allow reading project

Permission grants users the ability to view a specific project within the SiteBox Dashboard, offering a high-level overview of the project, its environments, and obtain direct links to the associated website and WordPress dashboard. This permission is particularly useful for team members who need visibility into the project's workings but may not require extensive control or management capabilities.

  • User with this permission can see a project tile in the dashboard,
  • User is capable of seeing environments associated with the project,
  • User can't see any detailed data of either project or environments,
  • User is basically capable of seeing links to WordPress website and WordPress dashboard.

Allow managing project

Permission grants users the authority to manage project settings. It is important to note that the "Allow managing project" permission does not include the ability to delete a project; this action necessitates the "Allow deleting project" capability.

  • User with this permission can modify project settings,
  • User with this permission can not delete a project.

Allow deleting project

The "Allow deleting project" permission grants users the authority to permanently delete a project, including all of its environments and associated resources. This permission should be used with extreme caution, as the deletion process is irreversible, and any data or configurations within the project will be lost.

  • User with this permission can permanently delete a project, including all environments and resources.

Allow viewing project analytics

The "Allow viewing project analytics" permission grants users the ability to access and view the analytics page of a project, providing valuable insights into various project-related metrics. These metrics include visits, requests, storage, transfer, CPU, and memory consumption, offering a comprehensive overview of the project's performance and resource utilization. Additionally, this permission enables users to generate reports in CSV or PDF formats, facilitating easy sharing and presentation of the analyzed data. In the wider context, the "Allow viewing project analytics" permission is instrumental for users who need to monitor project performance, identify trends, and make data-driven decisions.

  • Actions possible with "Allow viewing project analytics" permission
    • Access and view project analytics page
    • Review metrics such as visits, requests, storage, transfer, CPU, and memory consumption
    • Generate and export reports in CSV or PDF formats

Allow creating project environment

The "Allow creating project environments" permission grants users the ability to manage project environments, including the addition and removal of environments. Permissions within environments are granted through a separate datasets, which are prefixed with either "Regular environments" or "Protected environments" to ensure appropriate access and control over specific environment-related actions.

  • Actions possible with "Allow creating project environments" permission:
    • Add and remove project environments
  • Actions NOT possible with "Allow creating project environments" permission (assuming no additional permissions are granted):
    • Perform actions within an environment without the relevant "Regular environments" or "Protected environments" permissions

Allow managing project environment protection

The "Allow managing project environments protection" permission grants users to promote a regular environment to a protected one or demote a protected environment to a regular one, providing greater flexibility in managing the various stages of a project's lifecycle. This permission is tailored for individuals who are authorized to work with production-grade environments, ensuring that sensitive configurations and resources are managed securely.

  • Actions possible with "Allow managing project environments protection" permission:
    • Promote a regular environment to a protected environment
    • Demote a protected environment to a regular environment
  • Actions NOT possible with "Allow managing project environments protection" permission (assuming no additional permissions are granted):
    • Perform actions within an environment without the relevant protected: permissions
    • Manage non-protected environments (requires "Allow creating project environments" permission)

Allow managing project users

The "Allow managing project users" permission grants users the ability to assign other users or groups to a project, with the option to assign project or environment-grade permissions. Furthermore, the "Allow managing project users" permission allows users to self-manage their permissions, granting them the flexibility to extend their own capabilities at the project or environment level as needed.

  • Actions possible with project:users permission:
    • Assign users or groups to a project
    • Assign project or environment-grade permissions to users or groups
    • Self-manage permissions to extend own capabilities at project or environment level
  • Actions NOT possible with project:users permission (assuming no additional permissions are granted):
    • Manage company-wide user groups or roles (requires "Allow managing company users" and permissions)

Allow managing project domains

The "Allow managing project domains" permission grants users the ability to manage custom domains associated with a project. This includes adding, or removing. As this permission allows users to work with production-grade domains, it should be used with caution to avoid unintentional disruptions or misconfigurations.

  • Actions possible with "Allow managing project domains" permission:
    • Add, or remove custom domains for a project
    • Work with production-grade domains

Environment level

Environment-oriented permissions play a crucial role in managing access and control within various environments of a project. These permissions are shared across all environments, with the exception of protected environments, which require elevated permissions to perform actions. The ability to differentiate between regular and protected environments allows organizations to implement a tiered approach to managing their projects and resources.

One common use case for this approach is to safeguard production-grade environments, ensuring that only the most trusted employees have the necessary permissions to perform actions within these critical environments. This added layer of security helps to minimize the risk of unintentional disruptions or misconfigurations.

Another practical application of environment-oriented permissions is the separation of environments for external contractors and in-house employees. By assigning regular environments to external contractors and protected environments to in-house employees, organizations can maintain tighter control over their internal resources while still granting necessary access to external collaborators.

In summary, environment-oriented permissions provide a flexible and robust framework for managing access to various project environments, allowing organizations to implement tailored security measures that suit their specific needs and operational structures.

A consistent naming convention for environmental-grade permissions is essential for maintaining a clear and organized permission structure. Permissions related to regular environments are prefixed with "Regular environments", while those associated with protected environments use the "Protected environments" prefix. This distinction ensures that the appropriate permissions are applied to their corresponding environment types and simplifies the management of access control.

In addition to these prefixed permissions, it is also possible to assign all permissions within a specific context using the "Regular environments" or "Protected environments" properties. Granting the "Regular environments" permission provides a user with access to all available permissions within regular environments, whereas the "Protected environments" permission grants all permissions within the context of protected environments.

Allow reading environment

The "Allow reading regular environments" permission allows users to view the environment dashboard within a project. Although environments are visible as a table for anyone with the project:read permission, this level of access alone is not sufficient for displaying the detailed dashboards associated with each environment. With the "Allow reading regular environments" permission, users gain the ability to monitor environment-specific information, such as resource usage, configurations, and other essential data. This permission is particularly useful for team members who need to keep track of environment performance and stay informed about ongoing activities within each environment.

  • Actions possible with "Allow reading regular environments" permission:
    • View environment dashboards within a project
    • Access environment-specific information, such as resource usage and configurations
  • Actions NOT possible with envs:read permission (assuming no additional permissions are granted):
    • Modify environment configurations or settings (requires "Allow managing regular environments or "Allow managing protected environments" permissions)
    • Access protected environments (requires "Allow reading project" permission)

Allow managing environment

The "Allow managing regular environments" permission empowers users to apply configuration settings to an environment within a project. This capability enables team members to make essential adjustments, such as changing the GitHub handle, updating PHP or WordPress versions, and modifying other environment-specific configurations. The "Allow managing regular environments" permission is particularly useful for developers or project administrators who need to maintain up-to-date configurations and ensure the smooth operation of their environments.

However, it is important to note that the "Allow managing regular environments" permission does not grant the ability to delete an environment. This action requires the separate "Allow deleting regular environments" permission, ensuring that environments are only removed by authorized users with the appropriate level of access.

Actions possible with "Allow managing regular environments" permission:

  • Apply configuration settings to an environment
  • Change GitHub handle
  • Update PHP or WordPress versions
  • Modify other environment-specific configurations

Actions NOT possible with "Allow managing regular environments" permission (assuming no additional permissions are granted):

  • Delete an environment (requires "Allow deleting regular environments" permission)

Allow deleting environment

The "Allow deleting regular environments" permission grants users the ability to delete environments attached to a project. This powerful permission should be used with caution, as deleting an environment may result in the loss of critical data and resources. The "Allow deleting regular environments" permission is typically reserved for project administrators or other trusted team members who are responsible for managing the lifecycle of environments within a project.

Given the potential for destructive consequences, it is crucial to ensure that only authorized users are granted this permission, minimizing the risk of accidental or unauthorized environment deletions.

Allows managing regular environments users permissions

The "Allows managing regular environments users permissions" permission enables users to manage the SiteBox Identity service within a project's environments. This includes activating and deactivating the add-on, managing the users who can view the website, and modifying access rules for WordPress instances. The "Allows managing regular environments users permissions" permission is particularly important for project administrators or other team members responsible for managing access control and user roles within the WordPress dashboard.

However, it is crucial to use this permission with caution, as it also allows users to change the roles of other users attached to the project within the WordPress instance. This level of control can impact the overall security and functionality of the project, so it is essential to grant this permission only to trusted team members who have a clear understanding of its implications.

Actions possible with "Allows managing regular environments users permissions" permission:

  • Enable and disable the SiteBox Identity service add-on
  • Manage users who can view the website
  • Modify access rules for WordPress instances
  • Change user roles within the WordPress instance

Allow managing environment enclave settings

The "Allow managing regular environments enclave settings" permission grants users the ability to manage the SiteBox Enclave service within a project's environments. This permission includes activating and deactivating the add-on and managing its settings. The "Allow managing regular environments enclave settings" permission is particularly relevant for project administrators or other team members responsible for ensuring the security and functionality of the project's environments.

However, it is essential to use this permission with caution, as improper configuration may result in locking out visitors from accessing the website. To avoid unintended consequences, only trusted team members with a clear understanding of the SiteBox Enclave service and its potential impact should be granted this permission.

Allow managing environment deployments

The "Allow managing regular environments deployments" permission allows users to initiate an environment deployment, effectively updating the website currently displayed within the environment. This permission is essential for developers or other team members responsible for implementing changes to the website or application, ensuring that updates are promptly applied to the live environment.

While the "Allow managing regular environments deployments" permission provides the ability to deploy changes, it should be granted judiciously to prevent unauthorized or unintended updates. It is crucial to ensure that only trusted team members with a clear understanding of the deployment process and its potential impact have this permission.

Allow managing environment cache

The "Allow managing regular environments cache" permission grants users the ability to purge all caches associated with a specific environment. This permission is particularly useful for developers, content managers, or other team members who need to ensure that the most up-to-date version of the website or application is displayed to visitors after making changes or updates. Purging caches helps eliminate stale or outdated content from being served to users.

Allow managing environment backups

The "Allow managing regular environments backups" permission grants users the ability to manage backups for a specific environment, including changing the backup frequency or adding/removing encryption keys. This permission is particularly important for team members responsible for maintaining the integrity and security of the project's data. It is crucial to grant this permission to trusted team members who understand the importance of proper backup management.

The permission grants users the ability to download backups for a specific environment through any of the available tunnels, such as the user interface (UI) or command-line interface (CLI). This permission is essential for users responsible for restoring the project's data in case of data loss or corruption.

Allow viewing environment analytics

The "Allow viewing regular environments analytics" permission grants users the ability to view environment-specific analytics within a project. This permission is useful for team members who need to monitor and analyze the performance and usage metrics of individual environments. It enables them to make data-driven decisions when optimizing performance or troubleshooting issues.

Users with this permission can gain insights into various aspects of the environment, such as the number of visits, requests, storage, transfer, CPU, and memory consumption. This information is invaluable for project managers, developers, and other stakeholders responsible for maintaining the performance and stability of the project's environments.

Allow managing environment redirects

The "Allow managing regular environments redirects" permission grants users the ability to manage redirection rules for a specific environment within a project. This permission is particularly useful for team members responsible for ensuring a smooth user experience, maintaining the website's SEO, and handling URL changes.

Users with this permission can create, modify, and delete redirection rules for the environment, helping to prevent broken links, maintain search engine rankings, and direct users to the correct content. This capability is essential for web developers, SEO specialists, and content managers who need to manage URL changes and ensure that users are always directed to the correct resources.

In the context of various use-cases, the "Allow managing regular environments redirects" permission is particularly valuable when migrating content, restructuring a website, or implementing changes that impact URLs. It helps ensure that users and search engines can easily find and access the updated content.

Allow managing environment variables

The "Allow managing regular environments variables" permission grants users the ability to manage environment variables. Environment variables are essential for configuring and customizing the behavior of applications and scripts running in different environments. This permission is particularly useful for developers and DevOps professionals who need to manage sensitive data, configure application settings, or control feature flags across various environments.

In the context of various use-cases, the "Allow managing regular environments variables" permission is especially valuable when deploying applications that rely on sensitive data, like API keys or database credentials. By managing environment variables, users can keep sensitive data secure and separate from the application code.

Permission dependencies

Permission dependencies play a crucial role in ensuring a logical and secure user experience within the system. One such dependency is that any permission prefixed with "Regular environments" requires "Allow reading regular environments" to be granted in the first place. This is because most environmental actions must be initiated within the Environment dashboard, which is accessible only to users with the "Allow reading regular environments" permission. By establishing this dependency, the system ensures that users have the necessary context to carry out environment-specific actions.

Another important dependency is that the "Allow reading regular environments permission necessitates the "Allow reading project" permission. This means that a user must first have access to view the parent project before being able to see its associated environments. By implementing this hierarchical dependency, the system maintains a consistent and intuitive user experience. Users are able to navigate from the project level down to individual environments, allowing for a clear understanding of the organizational structure and the relationships between projects and their environments.

TeamsOverview