Gateway Access Permissions Reference
Use this page as the single reference for Gateway access permissions used in allowedAccessPermissions.
Permission Catalog
Note: In current Gateway behavior, general and defaults are treated as a compatible pair for effective access. If one is configured, the other is included in effective permission evaluation.
How to Use This Table
When an administrator manages Gateway access permissions:
- Use Console label to find and select the permission in the Gateway access permissions UI.
- Use Permission key when configuring permissions in API/CLI payloads, including allowedAccessPermissions.
- Use Description to understand what each permission enables and to decide the minimum required access.
If a permission has no current Console label, it is not currently selectable in the Console permission list and should be managed by permission key in API/CLI workflows.
| Console label | Permission key | Description |
|---|---|---|
| Defaults | defaults | Manage default login and default encryption settings. |
| General | general | Manage general Gateway settings, including URL and TLS behavior. |
| ACME | acme | Manage Gateway ACME configuration and workflows. |
| Admin | admin | Full Gateway administration, including access permission management. |
| Automatic Migration | automatic_migration | Manage Dynamic Secrets settings used by automatic migration workflows. |
| Caching | caching | Manage cache and offline behavior settings. |
| Classic Keys | classic_keys | Manage Classic Keys through the Gateway. |
| Dynamic Secret | dynamic_secret | Manage dynamic secret configuration. |
| Event Forwarding | event_forwarding | Manage Event Forwarding settings. |
| N/A in current Console Gateway access permission list | hsm | Manage Gateway HSM integration settings. |
| Kubernetes Auth | k8s_auth | Manage Kubernetes authentication configuration for the Gateway. |
| Kerberos Auth | kerberos_auth | Manage Kerberos authentication configuration for the Gateway. |
| KMIP | kmip | Manage KMIP service configuration. |
| LDAP Auth | ldap_auth | Manage LDAP authentication configuration for the Gateway. |
| Log Forwarding | log_forwarding | Manage log forwarding settings. |
| Rotate Secret Value | rotate_secret_value | Rotate secret values through the Gateway without enabling broader manual secret editing. |
| Rotated Secret | rotated_secret | Manage rotated secret configuration. |
| N/A in current Console Gateway access permission list | sdr | Manage Gateway SDR scanner configuration and operations. |
| Remote Access Configuration (sra in Console API enum) | sra_config | Manage Secure Remote Access (SRA) Gateway configuration. |
| Targets | targets | Manage target-related operations through the Gateway. |
| Zero Knowledge Encryption | zero_knowledge_encryption | Manage Zero-Knowledge Gateway settings. |
Console behavior note: in the current custom permission multi-select UI, admin and general are intentionally excluded for backward compatibility.
Permission Scope Behavior
Administrative operations for Gateway allowed access management require admin permission.
For item-related operations (targets, classic_keys, dynamic_secret, rotated_secret, and rotate_secret_value), access is evaluated in two scopes:
- Gateway allowed access permission for the relevant component.
- RBAC path permission for the specific item path.
Both scopes must allow the operation.
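The evaluation rules described on this page (the general/defaults pairing, the admin requirement, and the two-scope check for item operations), modeled in Python for reviewing a planned allowedAccessPermissions list before it is applied. This is an added example, not Gateway or vendor code; the function names, the (path glob, capabilities) RBAC rule format, and the rejection of keys not listed in the table are assumptions made for illustration.

```python
import fnmatch

# Permission keys copied from the "Permission key" column of the table on this page.
PERMISSION_KEYS = frozenset({
    "defaults", "general", "acme", "admin", "automatic_migration", "caching",
    "classic_keys", "dynamic_secret", "event_forwarding", "hsm", "k8s_auth",
    "kerberos_auth", "kmip", "ldap_auth", "log_forwarding",
    "rotate_secret_value", "rotated_secret", "sdr", "sra_config", "targets",
    "zero_knowledge_encryption",
})
# Components the page lists as item-related (evaluated in two scopes).
ITEM_COMPONENTS = frozenset({
    "targets", "classic_keys", "dynamic_secret", "rotated_secret",
    "rotate_secret_value",
})
COMPATIBLE_PAIR = frozenset({"general", "defaults"})


def effective_permissions(configured):
    """Validate configured keys and apply the general/defaults pairing."""
    configured = set(configured)
    unknown = configured - PERMISSION_KEYS
    if unknown:  # assumption: this model rejects keys absent from the table
        raise ValueError(f"unknown permission key(s): {sorted(unknown)}")
    if configured & COMPATIBLE_PAIR:
        configured |= COMPATIBLE_PAIR
    return configured


def can_manage_allowed_access(configured):
    """Administrative operations on allowed access require admin."""
    return "admin" in effective_permissions(configured)


def item_operation_allowed(component, configured, rbac_rules, item_path, capability):
    """Both scopes must allow: Gateway component permission AND RBAC path rule.

    rbac_rules is a hypothetical list of (path_glob, {capabilities}) pairs.
    """
    if component not in ITEM_COMPONENTS:
        raise ValueError(f"{component!r} is not an item-related component")
    gateway_ok = component in effective_permissions(configured)
    rbac_ok = any(
        fnmatch.fnmatchcase(item_path, glob) and capability in caps
        for glob, caps in rbac_rules
    )
    return gateway_ok and rbac_ok
```

Running the planned list through `effective_permissions` shows when granting defaults also brings general (URL and TLS behavior) into effective access, which is easy to miss when aiming for minimum required access.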
