Permissions resources
This document contains a list of each unique resource type, with a description of each, and the permissions available for that resource.
Each resource type has up to three permissions available, which specify the actions that can be taken by the member for that resource. The acronym CRUD in the table below stands for Create, Read, Update and Delete permissions. Edit permissions include view permissions, and admin permissions include edit permissions.
See Permissions for how to configure these for your team.
Workbench resources
| Resource | Description | View Permission | Edit Permission | Admin Permission |
|---|---|---|---|---|
| API authentication controls | Used to authenticate your requests to the Atomic API | List credentials | CRUD | n/a |
| Analytics exporter | Access to view real-time analytics and download batched analytics sets | Download & view analytics | n/a | n/a |
| Audit log | Log of workbench members’ actions within your organization (org scoped) | View own audit log entries | n/a | View others' audit log entries |
| Card instance | An instance of a card template sent to a customer | View log and analytics | Send cards from workbench | Cancel sent cards (preview feature) |
| Card template | Used to view, send, edit and publish card templates | View card templates and media, send test cards | Edit draft card templates and media | Publish and archive card templates |
| Connectors | Configuration for incoming webhook connectors | View | CRUD | n/a |
| Container | Configures card streams within your app | View | CRUD | n/a |
| Customer | A user of your web and mobile applications | n/a | n/a | CRUD |
| Environment | Each environment within an organization is a separate space, with separate configuration | View environment name | Create and edit name | Deactivate and edit custom fields |
| Notifications | Push notification configuration details for each SDK platform | View config details | CRUD | n/a |
| Organization | Atomic customers are typically given one organization. Each organization contains multiple environments (org scoped) | View name and preferences | Edit name and preferences | n/a |
| Override card approval | Enables a member to approve on behalf of any approval group | n/a | n/a | Approve on behalf of any approval group |
| Request debugger | Log of the last 100 failed client API requests (org scoped) | View log | n/a | n/a |
| Role | An identity with specific permissions. A role can be assigned to 1 or more groups, giving a set of permissions to all members of that group (org scoped) | View all roles and their permissions | Create and edit roles | n/a |
| SDK API key | Needed for SDK integrations, and to configure allowed JWT issuers | View API key | CRUD | n/a |
| Segment | Subset of customers with common characteristics | View which filters are applied | Create and edit segments | n/a |
| Stream | A collection of cards which can be assigned to 1 or more stream containers in your apps | View | CRUD | n/a |
| Tag | Tags are available when filtering customers | View | CRUD (inc user tags) | n/a |
| Theme | Theming configuration for stream containers | View | CRUD | n/a |
| Webhook credentials | Authentication credentials for webhook requests | View | CRUD | n/a |
| Webhook request log | Status and metadata for outgoing webhook requests | View metadata | n/a | n/a |
| Webhook subscription | Requests made from Atomic to external services | View | CRUD | n/a |
| Workbench member | A member of the workbench (org scoped) | View | CRUD | n/a |
| Workbench member group | Controls workbench member groups and their associated roles (org scoped) | View | CRUD | n/a |
| Workbench member group assignment | Controls assignment of workbench members to groups (org scoped) | View | CRUD | n/a |
Example permission sets
Card approval
People who only need to approve cards can be given a view permission on the card template resource - no other permissions are needed.
Insights dashboard
People who need access to the insights dashboard need view permissions on the card instance as well as the card template resources.
Organization-scoped workbench resources
Some resources are scoped to the organization level as opposed to the environment level. This means that permissions to these resources can't be limited to an environment.
These resources are:
- audit log
- organization
- request debugger
- role
- workbench member
- workbench member group
- workbench member group assignment
See the Scoping of resources section for a further explanation and a worked example of how to create a group with environment-level scoped resource permissions as well as organization-level scoped resource permissions.
Permissions for default roles
By default your Atomic account comes with three groups: Owner, Admin, and Editor.
This table describes the default permissions each of these roles has:
| Resource | Owner | Admin | Editor |
|---|---|---|---|
| API authentication controls | Edit | Edit | |
| Analytics exporter | View | View | |
| Card instance | Edit | Edit | View |
| Card template | Admin | Admin | Admin |
| Container | Edit | Edit | View |
| Customer | Admin | Admin | |
| Environment | Admin | Admin | View |
| Notifications | Edit | Edit | |
| Organization | Edit | Edit | View |
| Override card approval | Admin | Admin | n/a |
| Request debugger | Edit | Edit | |
| Role | Edit | Edit | |
| SDK API key | Edit | Edit | |
| Segment | Edit | Edit | |
| Stream | Edit | Edit | View |
| Tag | Edit | Edit | View |
| Theme | Edit | Edit | |
| Webhook credential | Edit | Edit | |
| Webhook request log | View | View | |
| Webhook subscription | Edit | Edit | |
| Workbench member | Edit | Edit | |
| Workbench member group | Edit | Edit | |
| Workbench member group assignment | Edit | Edit |