Permissions Reference
Squirro uses two independent permission layers that both apply on every API request.
- Server-level permissions: determined by the user's tenant role (`admin`, `user`, `reader`). They control what the account can do across the tenant, such as creating projects or accessing the Server space.
- Project-level permissions: determined by the project role the account holds in a given project (`admin`, `member`, `reader`). They control what the account can do within that project, such as reading items or managing sources.
When a service account token is created with `project_permissions` scoped in `new_grant()`,
a third layer applies: the token permissions act as an additional restriction on top of the
project-level permissions. The effective permissions are the intersection of all three layers.
See Create a Service Account for a practical guide.
Permission strings use dot-notation with glob-style wildcards. For example, `items.*`
matches any permission starting with `items.`, while `items.read.*` matches only
read operations on items.
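The intersection rule and the wildcard matching can be modelled as below. This Python sketch is an added example, not Squirro's implementation: the operation names (`items.read.list`, `items.write.create`), the server-layer grant and the assumption that `*` may span dots are constructed for illustration.

```python
import re

def pattern_matches(pattern, permission):
    """Glob match in which only '*' is special. Assumption: '*' may span
    dots, so 'items.*' covers every permission starting with 'items.'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, permission) is not None

def layer_allows(grants, permission):
    """A layer allows a permission if any one of its patterns matches."""
    return any(pattern_matches(g, permission) for g in grants)

def denying_layers(layers, permission):
    """Names of the layers that do not grant the permission."""
    return [name for name, grants in layers.items()
            if not layer_allows(grants, permission)]

def effective_allows(layers, permission):
    """Intersection rule: every layer must grant the permission."""
    return not denying_layers(layers, permission)

# Constructed sample layers; only "*" for project Admin/Owner and the
# "items.read.*" pattern come from the page.
LAYERS = {
    "server_role": ["*"],       # constructed stand-in for the tenant role
    "project_role": ["*"],      # project Admin/Owner are granted *
    "token": ["items.read.*"],  # project_permissions scope on the token
}

if __name__ == "__main__":
    for op in ("items.read.list", "items.write.create"):  # hypothetical names
        print(op, effective_allows(LAYERS, op), denying_layers(LAYERS, op))
```

`denying_layers` is useful when reviewing a token scope before issuing it: it shows which layer blocks an operation, and confirms that a broad token pattern cannot widen what the project role grants.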
Project Role Permissions
Admin and Owner roles are granted `*`, giving them full access to all project
resources with no restrictions.
The table below lists the permissions granted to the Member and Reader project roles.
These are also the strings you can use in the `project_permissions` parameter of
`new_grant()` to scope a service token to a subset of operations.
Permission |
Description |
Member |
Reader |
|---|---|---|---|
|
Full access to collections (create, read, modify, delete) |
✓ |
✓ |
|
Subscribe and unsubscribe from communities |
✓ |
✓ |
|
Delete community types |
✓ |
|
|
Read community types |
✓ |
✓ |
|
Create and modify community types |
✓ |
|
|
Delete communities |
✓ |
|
|
Read communities |
✓ |
✓ |
|
Create and modify communities |
✓ |
|
|
Full access to dashboards |
✓ |
|
|
Read dashboards |
✓ |
|
|
Read DSS feedback |
✓ |
✓ |
|
Create and modify DSS feedback |
✓ |
✓ |
|
Delete enrichments |
✓ |
|
|
Read enrichments |
✓ |
|
|
Create and modify enrichments |
✓ |
|
|
Read facets |
✓ |
✓ |
|
Read guide files |
✓ |
✓ |
|
Read ingester status and configuration |
✓ |
|
|
Trigger ingester operations |
✓ |
|
|
Full access to items |
✓ |
|
|
Read items |
✓ |
|
|
Mark items as read or unread |
✓ |
|
|
Bookmark items |
✓ |
|
|
Full access to machine learning resources |
✓ |
|
|
Read machine learning resources |
✓ |
|
|
Full access to ground truth labels |
✓ |
|
|
Full access to ground truth rules |
✓ |
|
|
Full access to ML workflow jobs |
✓ |
|
|
Run ML inference jobs |
✓ |
|
|
Read ML workflow jobs |
✓ |
|
|
Full access to named entity recognition resources |
✓ |
|
|
Read named entity recognition resources |
✓ |
|
|
Full access to notes |
✓ |
✓ |
|
Full access to pipeline sections |
✓ |
✓ |
|
Full access to pipeline workflows |
✓ |
|
|
Read pipeline workflows |
✓ |
|
|
Full access to item previews |
✓ |
|
|
Read item previews |
✓ |
|
|
Read project metadata |
✓ |
✓ |
|
Modify project metadata |
✓ |
|
|
Full access to saved searches (create, read, modify, delete) |
✓ |
✓ |
|
Full access to scores |
✓ |
|
|
Read scores |
✓ |
|
|
Full access to signals |
✓ |
|
|
Read signals |
✓ |
|
|
Full access to data sources |
✓ |
|
|
Read data sources |
✓ |
|
|
Read synonym configurations |
✓ |
✓ |
Server Role Permissions
The table below lists the permissions granted to each server-level (tenant) role.
Permission |
Description |
Admin |
User |
Reader |
|---|---|---|---|---|
|
Full server administrator privileges |
✓ |
||
|
Access to the Server administration space in the UI |
✓ |
✓ |
|
|
Update own account profile and settings |
✓ |
✓ |
|
|
Create new projects |
✓ |
✓ |
|
|
Read-only (Restricted) server access |
✓ |
||
|
Standard user server access |
✓ |
||
|
Create new workspaces |
✓ |
✓ |
|
|
Delete workspaces |
✓ |