Organize your IT landscape > Understanding Raynet One Permissions

Raynet One uses a flexible and fine-grained permission system based on resource groups and Access Control Lists (ACLs). These mechanisms enable controlled user access to various entity types through grouping them and assigning permissions at the group level.

Assets and ACLs

Entities like devices, networks, and databases are classified as assets. These assets do not belong to any specific user. By default, all users have full access to them.

When an ACL is applied to an asset via a resource group, only users with explicitly granted permissions in the ACL can view or operate on the asset. This mechanism provides precise control over asset visibility and permitted actions.

Operational Entities and Ownership

Operational entities - such as credentials, runners, scopes, and resource groups - are always created by a a specific user. This user becomes the owner of the entity.

•The owner automatically receives full control over the entity.

•Other users (except administrators) have no access unless granted explicitly through an ACL.

•Future versions may include owner-initiated direct sharing capabilities.

Access Control Lists (ACLs)

ACLs define the permissions (View, Edit, Delete) for all entities within a resource group. They are assigned to user groups, and each user inherits the ACLs assigned to the groups they belong to.

Permission Context

Introduced in Raynet One 1.2, the Permission Context is a computed model that defines the exact permissions a user has over all available entities in the system. It is determined exclusively by the ACLs assigned to the user's groups. The Permission Context does not consider roles. It purely reflects access based on ACLs.

Roles and Effective Permissions

While the Permission Context defines what entities a user can see and what entity-level actions (like View, Edit, or Delete) are permitted based on ACLs, a user's role governs what kinds of operations or features are available to them in the application. Importantly, many operations in Raynet One require both:

•Sufficient permissions in the user's Permission Context (e.g., Edit permission on a device).

•The correct role (e.g., Asset Manager) that allows the user to perform such operations on that type of entity.

For example:

•A user with the Edit permission on a device might still be unable to perform operational tasks (e.g., gathering inventory data), unless their role explicitly allows it.

•Another user with a more limited role might be able to edit corporate metadata of a device, but cannot initiate device inventory or access sensitive device data (open ports).

This dual-layer model enables fine-grained access control: ACLs determine where a user has access, and roles determine permitted actions within that scope.

Summary

•Assets: Public by default, access restricted via ACLs.

•Operational Entities: Private to their creators unless shared through ACLs.

•Owners: Always have full access to their created entities.

•ACLs: Define permissions (View, Edit, Delete) on grouped resources, assigned via user groups.

•Permission Context: Based on ACLs; defines a user's access to specific entities.

•Roles: Define which operations a user can perform when they have access to an entity.

•Effective Permissions = Permission Context (what entities and actions are visible/allowed) x User Role (what operations are available)

•Certain operations require both a matching ACL permission and an appropriate role.

Permission Matrix

A permission matrix defines the required combination of role and ACL-derived permission to perform operations on different entity types. It acts as a guideline for evaluating user capabilities across the system.

Legend

View required on Entity [ACL]

Edit required on Entity [ACL]

Delete required on Entity [ACL]

Workspace	Type	Module	Permission	Guest	User	Asset Manager	Global Asset Manager	Admin	ACL Details
Asset Management	View	IT Visibility	View		✓	✓	✓	✓	Based on overall View permissions
Asset Management	View	Devices	View All devices		✓	✓	✓	✓	[Device View required]
Asset Management	View	Scheduled Job	View Automation			✓	✓	✓	[Scheduled Job View required]
Asset Management	Action	Scheduled Job	Remove Scheduled Tasks			✓	✓	✓
Asset Management	Action	Scheduled Job	Edit Scheduled Tasks			✓	✓	✓
Asset Management	Action	Scheduled Job	Run Scheduled Tasks			✓	✓	✓
Asset Management	Action	Scheduled Job	Create Scheduled Tasks			✓	✓	✓
Asset Management	View	Devices	View Troubleshooting			✓	✓	✓	[Device View required]
Asset Management	View	Devices	View Advanced Device Details			✓	✓	✓	[Device View required]
Asset Management	Action	Devices	Configure Connector				✓	✓
Asset Management	Action	Devices	Manually Add Device			✓	✓	✓	[Scope Edit required] To create a device the user needs edit permissions on the scope he wants to create the device in
Asset Management	Action	Devices	Remove Device			✓	✓	✓	[Device Delete required]
Asset Management	Action	Devices	Trigger Device Inventory			✓	✓	✓	[Device Edit required]
Asset Management	Action	Devices	Change Corporate Information		✓	✓	✓	✓	[Device Edit required]
Asset Management	View	Networks	View Networks			✓	✓	✓	[Network View required]
Asset Management	Action	Networks	Trigger Network Discovery			✓	✓	✓	[Network Edit required]
Asset Management	Action	Networks	Remove Network			✓	✓	✓	[Network Delete required]
Asset Management	Action	Networks	Manually Add Network			✓	✓	✓	[Scope Edit required] To create a network the user needs edit permissions on the scope
Asset Management	View	Software	View Software Library (Software, Vendors, Vulnerabilities etc.)		✓	✓	✓	✓	[Device View required]
Asset Management	View	Hardware	View Hardware Library (CPU, GPU, Models)		✓	✓	✓	✓	[Device View required]
Asset Management	View	Databases	View Oracle Databases		✓	✓	✓	✓	[Oracle/Device View required]
Asset Management	View	Databases	View Advanced Oracle Database Details			✓	✓	✓	[Oracle/Device View required]
Asset Management	Action	Databases	Remove Database			✓	✓	✓	[Oracle/Device Delete required]
Asset Management	Action	Databases	Discover Database			✓	✓	✓	[Device Edit required] To discover oracle db's on devices the user needs edit permission on the respective devices
Asset Management	Action	Databases	Inventory Database			✓	✓	✓	[Oracle/Device Edit required]
Asset Management	View	Containers	View Docker Services		✓	✓	✓	✓	[Device View required]
Asset Management	View	Hypervisors	View Hypervisor Services		✓	✓	✓	✓	[Device View required]

Configuration	View	Runners	View runners			✓	✓	✓	[Runner View required]
Configuration	View	Runners	View runner download page			✓	✓	✓
Configuration	View	Runners	View Advanced runner configuration			✓	✓	✓	[Runner Edit required]
Configuration	Action	Runners	Add runner			✓	✓	✓
Configuration	Action	Runners	Remove runner			✓	✓	✓	[Runner Delete required]
Configuration	Action	Runners	Configure runner configuration			✓	✓	✓	[Runner Edit required]
Configuration	View	Runners	View runner scopes			✓	✓	✓	[Scope View & Runner Edit required]
Configuration	Action	Runners	Configure runner scopes			✓	✓	✓	[Scope Edit & Runner Edit required]
Configuration	View	Runners	View runner services			✓	✓	✓	[Runner Edit required]
Configuration	Action	Runners	Configure runner services			✓	✓	✓	[Runner Edit required]
Configuration	View	Scopes	View Scopes			✓	✓	✓	[Scope View required]
Configuration	Action	Scopes	Remove Scope				✓	✓
Configuration	View	Scopes	Add new scope				✓	✓
Configuration	View	Credentials	View credentials			✓	✓	✓	[Credentials View required]
Configuration	Action	Credentials	Add credentials			✓	✓	✓
Configuration	View	Credentials	View credential details			✓	✓	✓	[Credentials View required]
Configuration	Action	Credentials	Remove credentials			✓	✓	✓	[Credentials Delete required]
Configuration	Action	Credentials	Edit credential details			✓	✓	✓	[Credentials Edit required]
Configuration	Action	Credentials	Assign credential to resource group			✓	✓	✓	[Credentials Edit & Resource group Edit required] To assign credentials to a resource group the user needs edit permission on the group & on the credentials
Configuration	Action	Credentials	Assign credentials to devices/networks			✓	✓	✓	[Device/Network View & Credentials Edit required]
Configuration	View	Users	View Users				✓	✓
Configuration	View	Users groups	View Users Groups				✓	✓
Configuration	Action	Resource groups	Remove Resource group			✓	✓	✓	[Resource group Delete required]
Configuration	View	Resource groups	View Resource groups			✓	✓	✓	[Resource group View required]
Configuration	Action	Resource groups	Create Resource group			✓	✓	✓
Configuration	Action	Resource groups	Assign Entities to Resource group			✓	✓	✓	[Resource group Edit required] [Entity Edit required]
Configuration	Action	Resource groups	Unassign Entities from Resource group (Overwrite dynamic assignm.)			✓	✓	✓	[Resource group Edit required] [Entity Edit required]
Configuration	View	Resource groups	View & Configure dynamic group assignments				✓	✓
Configuration	Action	Resource groups	Configure dynamic group assignments				✓	✓
Configuration	View	Resource groups	View ACLs				✓	✓
Configuration	Action	Resource groups	Configure ACLs				✓	✓
Configuration	View	Integrations	View Integrations					✓
Configuration	Action	Integrations	Configure Integrations					✓
Configuration	View	Plugins	View Installed Plugins				✓	✓
Configuration	Action	Plugins	Enable/Disable Plugins				✓	✓
Configuration	Action	Plugins	Configure instruments				✓	✓
Configuration	Action	Settings	Default Run Book			✓	✓	✓
Configuration	Action	Settings	Default Port Settings			✓	✓	✓
Configuration	Action	Settings	Inventory Settings			✓	✓	✓
Configuration	Action	Settings	Import Settings				✓	✓
Configuration	Action	Settings	Oracle Settings			✓	✓	✓
Configuration	View	Inventory Scripts	View Scripts			✓	✓	✓	[InvScript View required]
Configuration	Action	Inventory Scripts	Remove Script			✓	✓	✓	[InvScript Delete required]
Configuration	Action	Inventory Scripts	Add Script			✓	✓	✓
Configuration	Action	Inventory Scripts	Edit Script			✓	✓	✓	[InvScript Edit required]
Configuration	View	About	About					✓