Table 1. Available scopes and their hierarchy

| Scope | Grants permission to: |
| --- | --- |
| `(no_scope)` | Identify the owner of the requesting entity. |
| `self` | The user’s own resources _(metascope for users, resolves to (no_scope) for services)_ |
| `inherit` | Everything that the token-owning entity can access _(metascope for tokens)_ |
| `admin-ui` | Access the admin page. Permission to take actions via the admin page granted separately. |
| `admin:users` | Read, modify, create, and delete users and their authentication state, not including their servers or tokens. This is an extremely privileged scope and should be considered tantamount to superuser. |
| &nbsp;&nbsp;&nbsp;`admin:auth_state` | Read a user’s authentication state. |
| &nbsp;&nbsp;&nbsp;`users` | Read and write permissions to user models (excluding servers, tokens and authentication state). |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users` | Read user models (including the URL of the default server if it is running). |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:name` | Read names of users. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:groups` | Read users’ group membership. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:activity` | Read time of last user activity. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`list:users` | List users, including at least their names. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:name` | Read names of users. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`users:activity` | Update time of last user activity. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:activity` | Read time of last user activity. |
| &nbsp;&nbsp;&nbsp;`read:roles:users` | Read user role assignments. |
| &nbsp;&nbsp;&nbsp;`delete:users` | Delete users. |
| `read:roles` | Read role assignments. |
| &nbsp;&nbsp;&nbsp;`read:roles:users` | Read user role assignments. |
| &nbsp;&nbsp;&nbsp;`read:roles:services` | Read service role assignments. |
| &nbsp;&nbsp;&nbsp;`read:roles:groups` | Read group role assignments. |
| `admin:servers` | Read, start, stop, create and delete user servers and their state. |
| &nbsp;&nbsp;&nbsp;`admin:server_state` | Read and write users’ server state. |
| &nbsp;&nbsp;&nbsp;`servers` | Start and stop user servers. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:servers` | Read users’ names and their server models (excluding the server state). |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:name` | Read names of users. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`delete:servers` | Stop and delete users' servers. |
| `tokens` | Read, write, create and delete user tokens. |
| &nbsp;&nbsp;&nbsp;`read:tokens` | Read user tokens. |
| `admin:groups` | Read and write group information, create and delete groups. |
| &nbsp;&nbsp;&nbsp;`groups` | Read and write group information, including adding/removing any users to/from groups. Note: adding users to groups may affect permissions. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups` | Read group models. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups:name` | Read group names. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`list:groups` | List groups, including at least their names. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups:name` | Read group names. |
| &nbsp;&nbsp;&nbsp;`read:roles:groups` | Read group role assignments. |
| &nbsp;&nbsp;&nbsp;`delete:groups` | Delete groups. |
| `admin:services` | Create, read, update, delete services, not including services defined from config files. |
| &nbsp;&nbsp;&nbsp;`list:services` | List services, including at least their names. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:services:name` | Read service names. |
| &nbsp;&nbsp;&nbsp;`read:services` | Read service models. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:services:name` | Read service names. |
| &nbsp;&nbsp;&nbsp;`read:roles:services` | Read service role assignments. |
| `read:hub` | Read detailed information about the Hub. |
| `access:services` | Access services via API or browser. |
| `shares` | Manage access to shared servers. |
| &nbsp;&nbsp;&nbsp;`access:servers` | Access user servers via API or browser. |
| &nbsp;&nbsp;&nbsp;`read:shares` | Read information about shared access to servers. |
| &nbsp;&nbsp;&nbsp;`users:shares` | Read and revoke a user's access to shared servers. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:shares` | Read servers shared with a user. |
| &nbsp;&nbsp;&nbsp;`groups:shares` | Read and revoke a group's access to shared servers. |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups:shares` | Read servers shared with a group. |
| `proxy` | Read information about the proxy’s routing table, sync the Hub with the proxy and notify the Hub about a new proxy. |
| `shutdown` | Shut down the hub. |
| `read:metrics` | Read Prometheus metrics. |
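
Because a scope implies every scope nested beneath it in Table 1, a role review has to expand the hierarchy before judging least privilege. The following is an added example, not JupyterHub's own code: it transcribes the `admin:users` subtree of the table, expands a grant transitively, and reports what a role holds beyond what it needs; the helper names and the sample role are assumptions made for illustration.

```python
# Excerpt of Table 1 (the admin:users subtree), three spaces per nesting level.
HIERARCHY = """\
admin:users
   admin:auth_state
   users
      read:users
         read:users:name
         read:users:groups
         read:users:activity
      list:users
         read:users:name
      users:activity
         read:users:activity
   read:roles:users
   delete:users
"""

def parse_hierarchy(text, indent=3):
    """Map each scope to its direct subscopes, read from the indented listing."""
    children, stack = {}, []  # stack[i] is the current scope at depth i
    for line in filter(str.strip, text.splitlines()):
        scope = line.strip()
        depth = (len(line) - len(line.lstrip(" "))) // indent
        children.setdefault(scope, set())
        del stack[depth:]  # drop scopes that are not ancestors of this row
        if stack:
            children[stack[-1]].add(scope)
        stack.append(scope)
    return children

def expand(scopes, children):
    """All scopes implied by `scopes`, following the hierarchy transitively."""
    seen, todo = set(), list(scopes)
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(children.get(s, ()))
    return seen

def audit_role(scopes, needed, children):
    """Compare what a role grants with what its holder needs (least privilege)."""
    granted = expand(scopes, children)
    return {"superuser_equivalent": "admin:users" in granted,
            "missing": sorted(set(needed) - granted),
            "excess": sorted(granted - expand(needed, children))}

CHILDREN = parse_hierarchy(HIERARCHY)
# Constructed role: a dashboard that only needs user names and last activity.
print(audit_role(["users"], ["read:users:name", "read:users:activity"], CHILDREN))
```

The `excess` list shows that granting `users` to such a role also hands it write access to user models; granting the two `read:users:*` scopes directly leaves it empty.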