Permissions Available in Anypoint Platform
Anypoint Platform has a variety of permissions that control user access to various areas of Anypoint Platform. Each product owns its own permissions, but you can assign most of the following permissions to teams and individual users. You can assign other permissions in their respective product interfaces.
Some products require permissions from other products to use them properly. For example, Anypoint Monitoring requires users to have certain Runtime Manager permissions in addition to Anypoint Monitoring-related permissions. See each product’s documentation to determine which permissions your users need and how to set them.
Depending on your organization, its licensing, and its entitlements, you might not see all of these permissions during configuration.
Access Management
- Organization Administrator
-
At the root organization level, grants a user most permissions available in Anypoint Platform, including but not limited to secrets management, network administration, and other view, modify, execute, and delete permissions.
The Organization Administrator permission also grants access to the Organization Administration page, where the user can add and manage users and permissions, view and edit organization details, access API Manager > Client Applications, access the client ID and client secret for the organization, and customize the theme of the Developer Portal. This permission enables a user to edit all versions of all APIs, all registered applications, and all API Portals in Anypoint Platform.
For security reasons, MuleSoft recommends distributing this permission to as few users as possible.
- Audit Log Config Manager
-
Enables a user to configure the retention period for audit logs across their organization.
Apply this permission at the root organization level. This permission appears only if the organization has the modern UI enabled in Access Management.
- Audit Log Viewer
-
Enables a user to view audit logs in Access Management.
Anypoint Code Builder
- Anypoint Code Builder Developer
-
Enables a user to create and use cloud IDE instances of Anypoint Code Builder. This permission does not apply to Anypoint Code Builder for Desktop.
- Mule Developer Generative AI User
-
Enables a user to use natural language prompts to develop and generate flows using the Einstein for Anypoint Code Builder Generative Flows feature.
API Catalog
- API Catalog Contributor
-
Enables a user to catalog assets and other resources using API Catalog.
API Experience Hub
- API Experience Hub Admin
-
Enables a user to view, create, modify, and delete content in API Experience Hub.
- API Experience Hub Community User
-
Enables a user to view but not modify content in API Experience Hub.
API Governance
- Governance Administrator
-
Enables a user to manage profiles and view reports.
- Governance Viewer
-
Enables a user to view reports.
API Manager
Depending on your organization, you might see one of the following sets of permissions available for API Manager.
- API Manager Environment Administrator
-
Enables a user to view, create, modify, and delete APIs in the specified environment.
Users can also execute any actions related to API configurations, groups, proxies, alerts, contracts, tiers, policies, automated policies, and other settings in the specified API Manager environment.
- API Group Administrator
-
Enables a user to view, create, modify, deprecate, and delete API groups and API group instances in the specified environment.
- Deploy API Proxies
-
Enables a user to deploy API proxies in the specified environment.
- Manage API Alerts
-
Enables a user to view, create, modify, and delete API alerts in the specified environment.
- Manage APIs Configuration
-
Enables a user to view and modify API configurations in the specified environment.
- Manage Client Applications
-
Enables a user to create and manage client applications in the root organization.
Users with this permission can view and modify application credentials and can add and remove client owners.
- Manage Contracts
-
Enables a user to view, accept, reject, and delete contracts and tiers in the specified environment.
- Manage Policies
-
Enables a user to view, create, modify, and delete API policies in the specified environment.
- View API Alerts
-
Enables a user to view the API alerts in the specified environment.
- View APIs Configuration
-
Enables a user to view API configurations in the specified environment.
- View Client Applications
-
Enables a user to view client applications in the root organization.
Users with this credential cannot view application secrets and cannot modify applications.
- View Contracts
-
Enables a user to view contracts and tiers in the specified environment.
- View Policies
-
Enables a user to view API policies in the specified environment.
Or:
- API Creator
-
Enables you to create an API in the specified environment.
- API Versions Owner
-
Enables you to view, modify, delete, and deprecate all API versions in the specified business group.
- Portals Viewer
-
Enables you to view all portals in the specified business group.
Data Gateway
- Data Gateway Administrator
-
Enables a user to have full access to Data Gateway Designer.
- Data Gateway Viewer
-
Enables a user to have read-only access to Data Gateway Designer.
DataGraph
- Contribute
-
Enables a user to:
-
Add source APIs to the unified schema.
-
Edit any source API schema added to the unified schema.
-
Request access to run queries.
-
Promote API schemas to an environment.
-
View query traces in real-time while running queries from the UI.
-
Download a copy of the unified schema from the query editor.
-
- Consume
-
Enables a user to:
-
View and explore the unified schema.
-
Request access to run queries and make data requests from the UI.
-
Download a copy of the unified schema from the query editor.
-
- Operate
-
Enables a user to:
-
View customer-facing logs.
-
Set a dedicated load balancer URL for Anypoint Datagraph.
-
- DataGraph Admin
-
Enables a user to:
-
Contribute, consume, and operate the unified schema.
-
View usage metrics.
-
- DataGraph Project - Contributor
-
Enables a user to:
-
Add source APIs to the unified schema.
-
Edit any source API schema added to the unified schema.
-
Request access to run queries.
-
Promote API schemas to an environment.
-
View query traces in real-time while running queries from the UI.
-
Download a copy of the unified schema from the query editor in a specific project.
-
- DataGraph Project - Operator
-
Enables a user to view customer-facing logs and set a dedicated load balancer URL for Anypoint Datagraph in a specific project.
- DataGraph Project - Admin
-
Enables a user to:
-
Contribute, consume, and operate the unified schema.
-
View usage metrics in a specific project.
-
Design Center
- Design Center Developer
-
Enables a user to view, create, and manage all projects within a business group.
Use this permission to set up administrators for all projects within a specific business group.
- Design Center Creator
-
Enables a user to create projects in Design Center from the navigation panel and view all projects created or shared with the user.
Use this permission to invite users to create, edit, and maintain your projects.
- Design Center Viewer
-
Enables a user to view all Design Center projects within a business group and test projects with the Mocking Service.
Users with this permission cannot create new projects, edit or rename existing projects, or share projects with another user.Assign this permission to those who consume your project in a specific business group.
Design Center Project-level Permissions
- Project Administrator
-
Enables a user to manage and share a Design Center project within a business group.
Use this permission to set up administrators for all the projects within a specific business group.
- Project Editor
-
Enables a user to edit a Design Center project within a business group.
Use this permission to invite users to create, edit, and maintain your projects.
- Project Viewer
-
Enables a user to view a Design Center project within a business group and test projects with the Mocking Service.
Users with this permission cannot create a new project, edit or rename the existing project, or share the project with another user.
Assign this permission to those who consume your project in a specific business group.
Exchange
- Exchange Administrator
-
Enables a user to:
-
View, create, and download assets within a business group.
-
Edit asset portal content in an existing asset version.
Users with this permission have the same access as users with the Exchange contributor and Exchange viewer permissions, and access to share an asset with another user, deprecate an asset, and delete an asset.
Use this permission to set up Exchange administrators for all assets within a specific business group.
-
- Exchange Contributor
-
Enables a user to view, create, and download assets within a business group.
Users with this permission can edit asset portal content in an existing asset version.
Use this permission to invite users to edit and maintain your asset portal descriptions.
- Exchange Viewer
-
Enables a user to view and download assets within a business group. Users with this permission cannot add new assets, edit asset portal content, or share an asset with another user.
Assign this permission to those who consume your assets in a specific business group.
- Exchange Creator
-
Enables a user to create new assets within a business group’s catalog. A user with this permission can’t modify assets or asset versions created by other users in the business group.
Once the users with this permission create an asset, the Asset Administrator permission is automatically assigned for the assets they create. The Asset Administrator permission allows these users to modify only the assets that they create.
Use this permission to restrict the modification of assets except for assets created by this user while allowing all developers across all teams in a business group to create new assets in Exchange.
- Asset Viewer
-
Enables a user to view and download an asset. Users with this permission cannot edit asset portal content or share an asset with another user.
Use this permission to invite a user outside your business group to view and download an asset.
- Asset Contributor
-
Enables a user to view, add a new version, and download an asset.
Use this permission to invite a user outside of your business group to view, download, and add edit portal content for an asset.
- Asset Administrator
-
Enables a user to view, create, download, deprecate, and delete an asset. Users with this permission have the same access as users with the Exchange Administrator permission, but on only a single asset. This permission is assigned by default to an asset creator.
Use this permission to extend administrator permissions for an asset to an additional user.
IDP
- Manage Actions
-
Gives a user complete access to IDP and assigns reviewer permission by default for every document action.
- Build Actions
-
Enables a user to create, edit, and publish document actions and assign reviewers to the actions.
- Execute Published Actions
-
Enables a user to execute a published document action and retrieve the results of the execution.
- Configure Connected Apps
-
Enables a user to configure a connected app to communicate with IDP.
Monitoring
- Monitoring Administrator
-
Enables a user to view, create, modify, and delete content in Anypoint Monitoring.
- Monitoring Viewer
-
Enables a user to view but not modify content in Anypoint Monitoring.
- Telemetry Exporter Administrator
-
Enables a user to:
-
View connections and configurations in Telemetry Exporter
-
Create, modify, and delete connections in Telemetry Exporter
-
Create, modify, and delete configurations in Telemetry Exporter
Assign this permission at the root organization level.
-
- Telemetry Exporter Configurations Manager
-
Enables a user to:
-
View connections and configurations in Telemetry Exporter
-
Create, modify, and delete configurations in Telemetry Exporter
-
MQ
- View clients
-
Enables a user to view all client apps, including client app IDs and client secrets for each client app.
- View destinations
-
Enables a user to:
-
View all destinations and each destination’s settings (ID, Type, Message TTL, and Message Lock Default TTL).
-
View In Queue messages.
-
View In Flight message stats.
-
- Clear destinations
-
Enables a user to:
-
View all destinations and each destination’s settings (ID, Type, Message TTL, and Message Lock Default TTL).
-
View In Queue messages.
-
View In Flight message stats.
-
Clear destinations.
-
- Manage clients
-
Enables a user to:
-
View all client apps, including client app IDs and client secrets for each client app.
-
Create client apps.
-
- Administer destinations
-
Enables a user to:
-
View all destinations and each destination’s settings (ID, Type, Message TTL, and Message Lock Default TTL).
-
View In Queue messages.
-
View In Flight message stats.
-
Clear destinations.
-
Create new queues, message exchanges, and bindings.
-
Edit existing queues, message exchanges, and bindings.
-
Purge messages from queues.
-
- Manage destinations (deprecated)
-
This permission is deprecated. To achieve the same abilities as Manage permissions, assign these permissions to the user:
-
Administer destinations
-
Destination subscriber for given environment
-
Destination publisher for given environment
-
- Destination subscriber for given environment
-
Enables a user to consume messages from a destination and delete messages from a destination.
- Destination publisher for given environment
-
Enables a user to send messages to a destination and update message TTL on a destination.
- Read MQ Stats
-
Enables a user to view organization and environment statistics.
Partner Manager
- Partner Manager Administrator
-
Enables a user to have complete access to the host, partner, message flow configurations, and transaction activity.
- View Host, Partners and Message Flows
-
Enables a user to have view-only access to the host, partner, and message flow configurations.
This user cannot view transaction activity.
- Manage Partners and Message Flows
-
Enables a user to:
-
Create, modify, and delete partners or message flow configurations.
-
View partner configurations.
This user cannot view and manage transaction activity.
-
- Manage Activity
-
Enables a user to view and manage transaction activity.
This user cannot view or modify either partner or message flow configurations.
- Manage Host
-
Enables a user to create, modify, and delete host configurations.
This user cannot view or modify partner configurations or transaction activity. This access applies even if the user has the Organization Administrator permission.
- View Activity
-
Enables a user have view-only access to transaction activity.
This user cannot view or modify either partner or message flow configurations.
RPA
- RPA Administrator
-
The RPA Administrator permission includes all other permissions, except for the RPA Project Manager permission. A user with this permission can only view or administer automation projects if the user is part of the process team.
- RPA Automations Designer
-
The RPA Automations Designer permission enables an RPA developer, citizen technologist, or knowledge source (such as a business analyst or process owner) to do the following in RPA Manager:
-
Create automation projects.
-
Record or design models of business processes that a process manager or center of excellence approved for automation.
-
Document and edit the applications required for performing the processes.
The RPA Automations Designer permission contains the following deprecated RPA permissions:
-
Application Create
-
Application Edit
-
Process Automation Open
-
Process Create
-
Process Recording
-
- RPA Automations Contributor
-
The RPA Automations Contributor permission enables an RPA developer, citizen technologist, or knowledge source (such as a business analyst or process owner) to do the following:
-
In RPA Manager:
-
Create automation projects.
-
Record or design models of business processes that a process manager or center of excellence approved for automation.
-
Document and edit the applications required for performing the processes.
-
Create and edit global variables to link to activity parameters created with RPA Builder.
-
-
In RPA Builder:
-
Build the automation based on the model.
-
Reuse activities from the Activity Library.
-
The RPA Automations Contributor permission contains the following deprecated RPA permissions:
-
Activity Library Open
-
Application Create
-
Application Edit
-
Builder Usage
-
Global Variables Create for Productionphase
-
Global Variables Create for Testphase
-
Global Variables Edit for Productionphase
-
Global Variables Edit for Testphase
-
Process Automation Open
-
Process Create
-
Process Recording
-
- RPA Automations Manager
-
The RPA Automations Manager permission enables an RPA developer, citizen technologist, or knowledge source (such as a business analyst or process owner) to do the following:
-
In RPA Manager:
-
Create automation projects.
-
Record or design models of business processes that a process manager or center of excellence approved for automation.
-
Document and manage the applications required for performing the processes.
-
Create and manage global variables to link to activity parameters created with RPA Builder.
-
Change the owners and managers of processes.
-
Reassign unprocessed user tasks
-
-
In RPA Builder:
-
Build the automation based on the model.
-
Reuse and manage activities from the Activity Library.
-
The RPA Automations Manager permission contains the following deprecated RPA permissions:
-
Activity Library Administration
-
Activity Library Open
-
Application Create
-
Application Delete
-
Application Edit
-
Builder Usage
-
Change Process Owner
-
Change Project Manager
-
Global Variables Create for Productionphase
-
Global Variables Create for Testphase
-
Global Variables Edit for Productionphase
-
Global Variables Edit for Testphase
-
Global Variables Delete
-
Process Automation Open
-
Process Create
-
Process Recording
-
Unprocessed Task List Edit
-
Unprocessed Task List Open
-
- RPA Bots Manager
-
The RPA Bots Manager permission enables the user to do the following in RPA Manager:
-
Monitor and manage all RPA Bots, including the following:
-
Manage service times.
-
View session queues.
-
-
Manage the applications required for performing the processes, including downtimes.
The RPA Bots Manager permission contains the following deprecated RPA permissions:
-
Application Create
-
Application Delete
-
Application Edit
-
Process Monitoring Open
-
Robot Management Administration
-
Robot Management Open
-
Robot State and Operation Open
-
Service Time Create
-
Service Time Delete
-
Service Time Edit
-
- RPA Evaluations Viewer
-
The RPA Evaluations Viewer permission enables a user to do the following in RPA Manager:
-
View all process evaluations, regardless of whether the user belongs to the process team.
-
View:
-
Evaluation criteria
-
Evaluation templates
-
The RPA Evaluations Viewer permission contains the following deprecated RPA permissions:
-
Evaluation Criteria Open
-
Evaluation Templates Open
-
Global Process Evaluation View
-
Process Evaluation Open
-
- RPA Evaluations Contributor
-
The RPA Evaluations Contributor permission enables a user to do the following in RPA Manager:
-
View all process evaluations, regardless of whether the user belongs to the process team.
-
View, create, and edit:
-
Evaluation criteria
-
Evaluation templates
-
-
View, create, edit, and delete process evaluations.
The RPA Evaluations Contributor contains the following deprecated RPA permissions:
-
Evaluation Criteria Create
-
Evaluation Criteria Edit
-
Evaluation Criteria Open
-
Evaluation Templates Create
-
Evaluation Templates Edit
-
Evaluation Templates Open
-
Global Process Evaluation View
-
Process Evaluation Administration
-
Process Evaluation Open
-
- RPA Evaluations Manager
-
The RPA Evaluations Manager permission enables a user to do the following in RPA Manager:
-
View all process evaluations, regardless of whether the user belongs to the process team.
-
View, create, edit, and delete:
-
Evaluation criteria
-
Evaluation templates
-
Process evaluations
-
-
Approve evaluated processes to a center of excellence or a project manager for automation.
The RPA Evaluations Manager contains the following deprecated RPA permissions:
-
Evaluation Criteria Create
-
Evaluation Criteria Delete
-
Evaluation Criteria Edit
-
Evaluation Criteria Open
-
Evaluation Templates Create
-
Evaluation Templates Delete
-
Evaluation Templates Edit
-
Evaluation Templates Open
-
Global Process Evaluation View
-
Process Evaluation Administration
-
Process Evaluation Approval to a CoE
-
Process Evaluation Approval to a Project manager
-
Process Evaluation Open
-
- RPA Operations Viewer
-
The RPA Operations Viewer permission enables a user to do the following in RPA Manager:
-
View all aspects of the following RPA assets:
-
Alerts
-
Bots
-
Dashboards
-
-
View the following information for processes for which the user belongs to the process team:
-
Deployment maps
-
Execution plans
-
Session queues
-
-
Watch the bot at work via process streaming.
The RPA Operations Viewer contains the following deprecated RPA permissions:
-
Alerting Open
-
Dashboard Open
-
Process Deployment Map Open
-
Process Execution Plans Open
-
Process Monitoring Open
-
Process Streaming Open
-
Robot Management Open
-
Robot State and Operation Open
-
- RPA Operations Manager
-
The RPA Operations Manager enables a user to do the following in RPA Manager:
-
View and manage the following RPA assets:
-
Alerts
-
Bots
-
Dashboards
-
Unprocessed user tasks
-
Upcoming process changes
-
-
Analyze finance aspects and billing reports
-
View the following information for processes for which the user belongs to the process team:
-
Deployment maps
-
Execution plans
-
Session queues
-
-
Watch the bot at work via process streaming.
The RPA Operations Viewer contains the following deprecated RPA permissions:
-
Alerting Administration
-
Alerting Open
-
Dashboard Open
-
Process Deployment Map Open
-
Process Execution Plans Open
-
Process Monitoring Open
-
Process Streaming Open
-
Robot Management Open
-
Robot State and Operation Open
-
Billing Report Open
-
Dashboard Administration
-
Finance Analysis Edit
-
Finance Analysis Open
-
Global Finance Analysis View
-
Global Process Execution Plans View
-
Unprocessed Task List Edit
-
Unprocessed Task List Open
-
Upcoming Process Changes Administration
-
Upcoming Process Changes Open
-
- RPA Performance Analyzer
-
The RPA Performance Analyzer permission enables the user to do the following in RPA Manager:
-
Analyze the financial aspects (such as the break-even point) of all processes.
-
View the billing reports.
The RPA Performance Analyzer permission contains the following deprecated RPA permissions:
-
Billing Report Open
-
Finance Analysis Edit
-
Finance Analysis Open
-
Global Finance Analysis View
-
- RPA Project Manager
-
The Project Manager permission enables a user to be assigned as a project manager of automation projects in RPA Manager. For a user to function as a project manager, the user must also have one of the following permissions:
-
RPA Automations Designer
-
RPA Automations Contributor
-
RPA Automations Manager
-
RPA Administrator
The RPA Project Manager permission contains the following deprecated RPA permissions:
-
Project Management
-
Runtime Manager
- CloudHub Network Administrator
-
Enables a user to manage CloudHub and CloudHub 2.0 network resources.
- CloudHub Network Viewer
-
Enables a user to view CloudHub and CloudHub 2.0 network resources.
- Delete Applications
-
Enables a user to delete applications in a specific environment.
- Download Applications
-
Enables a user to download application files in a specific environment.
- Manage Alerts
-
Enables a user to create, update, and delete application alerts in a specific environment.
- Manage Application Data
-
Enables a user to create and delete application data in a specific environment.
- Manage Queues
-
Enables a user to clear application queues in a specific environment.
- Read Runtime Fabric
-
Enables a user to query Runtime Fabrics in the organization.
- Manage Runtime Fabrics
-
Enables a user to read, create, update, and delete Runtime Fabric resources.
- Manage Runtime Fabric
-
Enables a user to read, create, update, and delete Runtime Fabric resources.
- Manage Schedules
-
Enables a user to run and update application schedules in a specific environment.
- Manage Settings
-
Enables a user to update application settings in a specific environment.
- Manage Tenants
-
Enables a user to create, update, and delete application tenants in a specific environment.
- Read Alerts
-
Enables a user to view alerts in a specific environment.
- Read Applications
-
Enables a user to view applications in a specific environment.
- Manage Servers
-
Enables a user to create, update, and delete server and Flex Gateway resources.
- Read Servers
-
Enables a user to view server and Flex Gateway resources.
- Manage Application Flows
-
Enables a user to update flows.
- Create Applications
-
Enables a user to create applications in a specific environment.
Secrets Manager
- Grant access to secrets
-
Enables a user to browse, read metadata and grant access to secrets in a specific environment.
- Manage secret groups
-
Enables a user to:
-
Create, modify, delete, read, and clone secret groups in a specific environment.
-
Check if the user can initiate a new clone or restore operation.
-
- Read secrets metadata
-
Enables a user to browse and read metadata of secrets in a specific environment.
- Write secrets
-
Enables a user to upload, create, modify secrets in a specific environment.