Permissions Reference

Overview

ASCEND implements 23+ granular permissions organized into 8 categories. Permissions are assigned to roles at specific access levels, creating a hierarchical permission model where higher levels inherit permissions from lower levels.

Why It Matters

Granular permissions enable:

  • Precise Access Control: Grant exactly the access needed for each function
  • Audit Compliance: Track specific actions, not just general access
  • Custom Roles: Build custom permission sets for specific use cases
  • Separation of Duties: Enforce different permissions for different operations

Permission Categories

Category Overview

Category       Permission Count  Description
Dashboard      2                 Dashboard viewing and export
Analytics      3                 Analytics features and reports
Alerts         4                 Alert management and triage
Rules          4                 Smart rule configuration
Authorization  6                 Action approval workflow
Users          6                 User management
Audit          3                 Audit log access
System         3                 System administration
Total          31

Dashboard Permissions

dashboard.view

Permission String: dashboard.view

Property       Value
Category       Dashboard
Minimum Level  BASIC (1)
Description    View the main dashboard
Risk           Low

Grants Access To:

  • View dashboard widgets
  • View agent status summaries
  • View alert counts
  • View policy status

API Endpoints:

GET /v1/dashboard
GET /v1/dashboard/summary
GET /v1/dashboard/widgets

dashboard.export

Permission String: dashboard.export

Property       Value
Category       Dashboard
Minimum Level  POWER (2)
Description    Export dashboard data
Risk           Low

Grants Access To:

  • Export dashboard as PDF
  • Export dashboard data as CSV
  • Schedule dashboard reports

API Endpoints:

GET /v1/dashboard/export
POST /v1/dashboard/export/pdf
POST /v1/dashboard/export/csv

Analytics Permissions

analytics.view

Permission String: analytics.view

Property       Value
Category       Analytics
Minimum Level  POWER (2)
Description    View analytics data
Risk           Low

Grants Access To:

  • View analytics charts
  • View trend data
  • View agent performance metrics

API Endpoints:

GET /v1/analytics
GET /v1/analytics/trends
GET /v1/analytics/agents

analytics.reports

Permission String: analytics.reports

Property       Value
Category       Analytics
Minimum Level  MANAGER (3)
Description    Generate analytics reports
Risk           Medium

Grants Access To:

  • Generate compliance reports
  • Generate risk assessment reports
  • Access executive dashboard
  • Schedule recurring reports

API Endpoints:

GET /v1/analytics/reports
POST /v1/analytics/reports/generate
POST /v1/analytics/reports/schedule
GET /v1/executive/dashboard

analytics.export

Permission String: analytics.export

Property       Value
Category       Analytics
Minimum Level  MANAGER (3)
Description    Export analytics data
Risk           Medium

Grants Access To:

  • Export raw analytics data
  • Export reports as PDF/CSV
  • Access data for external tools

API Endpoints:

GET /v1/analytics/export
POST /v1/analytics/export/csv
POST /v1/analytics/export/json

Alert Permissions

alerts.view

Permission String: alerts.view

Property       Value
Category       Alerts
Minimum Level  POWER (2)
Description    View security alerts
Risk           Low

Grants Access To:

  • View alert list
  • View alert details
  • View alert history
  • Filter and search alerts

API Endpoints:

GET /v1/alerts
GET /v1/alerts/{id}
GET /v1/alerts/history

alerts.acknowledge

Permission String: alerts.acknowledge

Property       Value
Category       Alerts
Minimum Level  POWER (2)
Description    Acknowledge alerts
Risk           Low

Grants Access To:

  • Mark alerts as acknowledged
  • Add acknowledgment notes
  • Assign alerts to users

API Endpoints:

POST /v1/alerts/{id}/acknowledge
PUT /v1/alerts/{id}/assign

alerts.correlate

Permission String: alerts.correlate

Property       Value
Category       Alerts
Minimum Level  MANAGER (3)
Description    Correlate related alerts
Risk           Medium

Grants Access To:

  • Link related alerts
  • Create alert groups
  • View correlation analysis
  • Run correlation rules

API Endpoints:

POST /v1/alerts/correlate
POST /v1/alerts/groups
GET /v1/alerts/correlation

alerts.dismiss

Permission String: alerts.dismiss

Property       Value
Category       Alerts
Minimum Level  ADMIN (4)
Description    Dismiss/close alerts
Risk           High

Grants Access To:

  • Dismiss alerts (mark as false positive)
  • Close alerts
  • Bulk dismiss alerts

API Endpoints:

POST /v1/alerts/{id}/dismiss
POST /v1/alerts/bulk-dismiss
DELETE /v1/alerts/{id}

Rules Permissions

rules.view

Permission String: rules.view

Property       Value
Category       Rules
Minimum Level  ADMIN (4)
Description    View smart rules
Risk           Low

Grants Access To:

  • View rule configurations
  • View rule status
  • View rule history

API Endpoints:

GET /v1/rules
GET /v1/rules/{id}
GET /v1/rules/{id}/history

rules.create

Permission String: rules.create

Property       Value
Category       Rules
Minimum Level  ADMIN (4)
Description    Create new rules
Risk           High

Grants Access To:

  • Create new smart rules
  • Clone existing rules
  • Import rule templates

API Endpoints:

POST /v1/rules
POST /v1/rules/clone/{id}
POST /v1/rules/import

rules.modify

Permission String: rules.modify

Property       Value
Category       Rules
Minimum Level  ADMIN (4)
Description    Modify existing rules
Risk           High

Grants Access To:

  • Edit rule conditions
  • Enable/disable rules
  • Update rule priorities

API Endpoints:

PUT /v1/rules/{id}
PATCH /v1/rules/{id}/status
PUT /v1/rules/{id}/priority

rules.delete

Permission String: rules.delete

Property       Value
Category       Rules
Minimum Level  ADMIN (4)
Description    Delete rules
Risk           High

Grants Access To:

  • Delete rules
  • Archive rules
  • Bulk delete rules

API Endpoints:

DELETE /v1/rules/{id}
POST /v1/rules/{id}/archive
DELETE /v1/rules/bulk

Authorization Permissions

auth.view_pending

Permission String: auth.view_pending

Property       Value
Category       Authorization
Minimum Level  MANAGER (3)
Description    View pending approvals
Risk           Low

Grants Access To:

  • View pending action queue
  • View approval history
  • View action details

API Endpoints:

GET /v1/authorizations/pending
GET /v1/authorizations/history
GET /v1/actions/{id}

auth.approve_low

Permission String: auth.approve_low

Property       Value
Category       Authorization
Minimum Level  MANAGER (3)
Description    Approve low-risk actions (0-49)
Risk           Medium

Grants Access To:

  • Approve actions with risk score 0-49
  • Add approval notes
  • Request additional review

API Endpoints:

POST /v1/actions/{id}/approve  # risk_score < 50
POST /v1/actions/{id}/request-review

auth.approve_medium

Permission String: auth.approve_medium

Property       Value
Category       Authorization
Minimum Level  MANAGER (3)
Description    Approve medium-risk actions (50-69)
Risk           Medium

Grants Access To:

  • Approve actions with risk score 50-69
  • Escalate to higher level
  • Request additional information

API Endpoints:

POST /v1/actions/{id}/approve  # 50 <= risk_score < 70
POST /v1/actions/{id}/escalate

auth.approve_high

Permission String: auth.approve_high

Property       Value
Category       Authorization
Minimum Level  ADMIN (4)
Description    Approve high-risk actions (70-89)
Risk           High

Grants Access To:

  • Approve actions with risk score 70-89
  • Provide first approval for SoD
  • Request executive review

API Endpoints:

POST /v1/actions/{id}/approve  # 70 <= risk_score < 90

Note: High-risk actions require dual approval (Separation of Duties).


auth.approve_critical

Permission String: auth.approve_critical

Property       Value
Category       Authorization
Minimum Level  EXECUTIVE (5)
Description    Approve critical-risk actions (90-100)
Risk           Critical

Grants Access To:

  • Approve actions with risk score 90-100
  • Provide second approval for critical SoD
  • Override blocked actions (with justification)

API Endpoints:

POST /v1/actions/{id}/approve  # risk_score >= 90

Note: Critical actions require dual EXECUTIVE approval from different departments.
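
The four approve_* permissions share one endpoint, so the server has to select the required permission from the action's risk score and then enforce the dual-approval notes. The sketch below is an added example, not ASCEND's own code; the Approver record and function names are hypothetical, and it assumes both approvals for a high-risk action must come from ADMIN level or above.

```python
from dataclasses import dataclass

# Bands from the approve_* entries above:
# (exclusive upper bound, permission, minimum level, approvals required)
BANDS = [
    (50, "auth.approve_low", 3, 1),        # MANAGER
    (70, "auth.approve_medium", 3, 1),     # MANAGER
    (90, "auth.approve_high", 4, 2),       # ADMIN, dual approval (SoD)
    (101, "auth.approve_critical", 5, 2),  # dual EXECUTIVE, different departments
]

@dataclass(frozen=True)
class Approver:  # hypothetical record, not an ASCEND type
    user_id: str
    level: int       # BASIC=1 ... EXECUTIVE=5, as numbered in this reference
    department: str

def required_permission(risk_score):
    """Map a risk score to (permission, minimum level, approvals required)."""
    if not 0 <= risk_score <= 100:
        raise ValueError(f"risk score out of range: {risk_score}")
    for upper, perm, min_level, needed in BANDS:
        if risk_score < upper:
            return perm, min_level, needed

def approval_decision(risk_score, approvers):
    """Return (approved, detail) for the approvals collected so far."""
    perm, min_level, needed = required_permission(risk_score)
    # Count each user once, and only if their level grants the permission.
    eligible = {a.user_id: a for a in approvers if a.level >= min_level}
    if len(eligible) < needed:
        return False, f"{perm}: needs {needed} distinct approver(s) at level {min_level}+"
    departments = {a.department for a in eligible.values()}
    if perm == "auth.approve_critical" and len(departments) < 2:
        return False, f"{perm}: approvers must come from different departments"
    return True, perm

# Constructed sample approvers.
ADMIN_A = Approver("u-admin-a", 4, "secops")
EXEC_A = Approver("u-exec-a", 5, "secops")
EXEC_B = Approver("u-exec-b", 5, "secops")
EXEC_C = Approver("u-exec-c", 5, "finance")

if __name__ == "__main__":
    for score, group in [(75, [ADMIN_A]), (95, [EXEC_A, EXEC_B]), (95, [EXEC_A, EXEC_C])]:
        print(score, approval_decision(score, group))
```

Keying the eligible set on user ID is what stops one approver from satisfying a dual-approval requirement by submitting twice.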


auth.emergency_override

Permission String: auth.emergency_override

Property       Value
Category       Authorization
Minimum Level  EXECUTIVE (5)
Description    Emergency override capability
Risk           Critical

Grants Access To:

  • Override blocked actions in emergencies
  • Bypass normal approval workflow
  • Immediate action execution

API Endpoints:

POST /v1/actions/{id}/emergency-override

Requirements:

  • Dual EXECUTIVE approval required
  • Written justification mandatory
  • Immediate audit notification
  • 24-hour review requirement

User Permissions

users.view

Permission String: users.view

Property       Value
Category       Users
Minimum Level  ADMIN (4)
Description    View user information
Risk           Low

Grants Access To:

  • View user list
  • View user details
  • View user activity

API Endpoints:

GET /v1/users
GET /v1/users/{id}
GET /v1/users/{id}/activity

users.create

Permission String: users.create

Property       Value
Category       Users
Minimum Level  ADMIN (4)
Description    Create new users
Risk           High

Grants Access To:

  • Create new user accounts
  • Send invitations
  • Bulk import users

API Endpoints:

POST /v1/users
POST /v1/users/invite
POST /v1/users/import

users.modify

Permission String: users.modify

Property       Value
Category       Users
Minimum Level  ADMIN (4)
Description    Modify user information
Risk           High

Grants Access To:

  • Update user profile
  • Change user status
  • Update user settings

API Endpoints:

PUT /v1/users/{id}
PATCH /v1/users/{id}/status
PUT /v1/users/{id}/settings

users.delete

Permission String: users.delete

Property       Value
Category       Users
Minimum Level  EXECUTIVE (5)
Description    Delete users
Risk           Critical

Grants Access To:

  • Delete user accounts
  • Deactivate users permanently
  • Remove user data

API Endpoints:

DELETE /v1/users/{id}
POST /v1/users/{id}/deactivate

users.reset_password

Permission String: users.reset_password

Property       Value
Category       Users
Minimum Level  ADMIN (4)
Description    Reset user passwords
Risk           High

Grants Access To:

  • Trigger password reset
  • Force password change
  • Unlock locked accounts

API Endpoints:

POST /v1/users/{id}/reset-password
POST /v1/users/{id}/force-password-change
POST /v1/users/{id}/unlock

users.manage_roles

Permission String: users.manage_roles

Property       Value
Category       Users
Minimum Level  EXECUTIVE (5)
Description    Manage user roles
Risk           Critical

Grants Access To:

  • Change user roles
  • Assign custom permissions
  • Manage role templates

API Endpoints:

PUT /v1/users/{id}/role
POST /v1/users/{id}/permissions
GET /v1/roles

Note: Role changes require Separation of Duties (MANAGER + ADMIN approval).

Audit Permissions

audit.view

Permission String: audit.view

Property       Value
Category       Audit
Minimum Level  MANAGER (3)
Description    View audit logs
Risk           Medium

Grants Access To:

  • View audit log entries
  • Search audit history
  • View compliance reports

API Endpoints:

GET /v1/audit
GET /v1/audit/search
GET /v1/audit/compliance

audit.export

Permission String: audit.export

Property       Value
Category       Audit
Minimum Level  ADMIN (4)
Description    Export audit logs
Risk           High

Grants Access To:

  • Export audit logs as CSV/JSON
  • Generate audit reports
  • Download compliance evidence

API Endpoints:

GET /v1/audit/export
POST /v1/audit/export/csv
POST /v1/audit/export/report

audit.delete

Permission String: audit.delete

Property       Value
Category       Audit
Minimum Level  EXECUTIVE (5)
Description    Delete audit logs
Risk           Critical

Grants Access To:

  • Delete audit entries (with justification)
  • Archive old logs
  • Manage retention policies

API Endpoints:

DELETE /v1/audit/{id}  # Requires justification
POST /v1/audit/archive
PUT /v1/audit/retention

Warning: Audit log deletion is heavily restricted and logged. Most compliance frameworks prohibit deletion during the retention period.

System Permissions

system.config

Permission String: system.config

Property       Value
Category       System
Minimum Level  ADMIN (4)
Description    System configuration
Risk           High

Grants Access To:

  • Modify system settings
  • Configure integrations
  • Manage organization settings

API Endpoints:

GET /v1/settings
PUT /v1/settings
GET /v1/integrations
PUT /v1/integrations/{id}

system.backup

Permission String: system.backup

Property       Value
Category       System
Minimum Level  EXECUTIVE (5)
Description    System backup operations
Risk           Critical

Grants Access To:

  • Trigger manual backups
  • Configure backup schedules
  • Restore from backup

API Endpoints:

POST /v1/system/backup
GET /v1/system/backups
POST /v1/system/restore

system.maintenance

Permission String: system.maintenance

Property       Value
Category       System
Minimum Level  EXECUTIVE (5)
Description    System maintenance
Risk           Critical

Grants Access To:

  • Enable maintenance mode
  • Run system diagnostics
  • Perform database maintenance

API Endpoints:

POST /v1/system/maintenance/enable
POST /v1/system/maintenance/disable
POST /v1/system/diagnostics

Permission Matrix by Role

Permission               RESTRICTED  BASIC  POWER  MANAGER  ADMIN  EXECUTIVE
dashboard.view           -           X      X      X        X      X
dashboard.export         -           -      X      X        X      X
analytics.view           -           -      X      X        X      X
analytics.reports        -           -      -      X        X      X
analytics.export         -           -      -      X        X      X
alerts.view              -           -      X      X        X      X
alerts.acknowledge       -           -      X      X        X      X
alerts.correlate         -           -      -      X        X      X
alerts.dismiss           -           -      -      -        X      X
rules.view               -           -      -      -        X      X
rules.create             -           -      -      -        X      X
rules.modify             -           -      -      -        X      X
rules.delete             -           -      -      -        X      X
auth.view_pending        -           -      -      X        X      X
auth.approve_low         -           -      -      X        X      X
auth.approve_medium      -           -      -      X        X      X
auth.approve_high        -           -      -      -        X      X
auth.approve_critical    -           -      -      -        -      X
auth.emergency_override  -           -      -      -        -      X
users.view               -           -      -      -        X      X
users.create             -           -      -      -        X      X
users.modify             -           -      -      -        X      X
users.delete             -           -      -      -        -      X
users.reset_password     -           -      -      -        X      X
users.manage_roles       -           -      -      -        -      X
audit.view               -           -      -      X        X      X
audit.export             -           -      -      -        X      X
audit.delete             -           -      -      -        -      X
system.config            -           -      -      -        X      X
system.backup            -           -      -      -        -      X
system.maintenance       -           -      -      -        -      X
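
Because each level inherits everything below it, the whole matrix follows from the Minimum Level of each permission, which makes an access review of custom grants straightforward to automate. The script below is an added example, not part of ASCEND; it assumes RESTRICTED is level 0 (the page does not number it) and that custom grants are available as (user, level, extra permissions) tuples, and the sample assignments are constructed.

```python
LEVEL_NAMES = ["RESTRICTED", "BASIC", "POWER", "MANAGER", "ADMIN", "EXECUTIVE"]  # RESTRICTED=0 is assumed

# Minimum level for each permission, copied from the reference entries above.
BY_MIN_LEVEL = {
    1: ["dashboard.view"],
    2: ["dashboard.export", "analytics.view", "alerts.view", "alerts.acknowledge"],
    3: ["analytics.reports", "analytics.export", "alerts.correlate",
        "auth.view_pending", "auth.approve_low", "auth.approve_medium", "audit.view"],
    4: ["alerts.dismiss", "rules.view", "rules.create", "rules.modify", "rules.delete",
        "auth.approve_high", "users.view", "users.create", "users.modify",
        "users.reset_password", "audit.export", "system.config"],
    5: ["auth.approve_critical", "auth.emergency_override", "users.delete",
        "users.manage_roles", "audit.delete", "system.backup", "system.maintenance"],
}
MIN_LEVEL = {perm: lvl for lvl, perms in BY_MIN_LEVEL.items() for perm in perms}

def effective_permissions(level_name):
    """Permissions a role level holds once inheritance is applied."""
    level = LEVEL_NAMES.index(level_name)
    return {perm for perm, minimum in MIN_LEVEL.items() if minimum <= level}

def audit_custom_grants(assignments):
    """Flag custom grants that are unknown or exceed the holder's level."""
    findings = []
    for user, level_name, extras in assignments:
        level = LEVEL_NAMES.index(level_name)
        for perm in extras:
            if perm not in MIN_LEVEL:
                findings.append((user, perm, "unknown permission string"))
            elif MIN_LEVEL[perm] > level:
                needs = LEVEL_NAMES[MIN_LEVEL[perm]]
                findings.append((user, perm, f"requires {needs}, holder is {level_name}"))
    return findings

# Constructed sample export of custom grants.
SAMPLE = [
    ("analyst-1", "POWER", ["alerts.correlate", "alerts.view"]),
    ("lead-1", "MANAGER", ["audit.delete", "audit.purge"]),
    ("admin-1", "ADMIN", ["audit.export"]),
]

if __name__ == "__main__":
    for finding in audit_custom_grants(SAMPLE):
        print(finding)
```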

Compliance Mapping

Framework    Control        Related Permissions
SOC 2        CC6.1          All permission categories
HIPAA        164.312(a)(1)  users.*, audit.view
PCI-DSS      Req 7.1        All authorization permissions
PCI-DSS      Req 10.1       audit.*
NIST 800-53  AC-3           All permissions
NIST 800-53  AU-9           audit.delete (restricted)

Next Steps