User and role permissions

Boolean security permissions that may be granted to Funnelback users and roles.

These may be set to either yes or no in the user and role ini files.

cp.change.passwd

Controls whether the user may change the password of other users

See the 'Modify Funnelback users' section in the API UI.

cp.diagnostics

Controls whether the user may see the Perl Admin UI 'View Diagnostics' page

cp.ip.tracker.viewing

Controls whether the user may see the Perl Admin UI IP address tracking screen (iptracker-check.cgi)

⚠ Deprecated as it does not work with the modern-ui.

cp.license.key

Controls whether the user may see and change the Funnelback license key in the Perl Admin UI.

On upgrade this permission will be removed and if it was set to yes the user will be granted: sec.license.view-usage, sec.license.install, sec.license.delete.

⚠ Deprecated as it is replaced with sec.license.view-usage, sec.license.install, sec.license.delete.

cp.status

Controls whether the user may see the Perl Admin UI Collection status box

plugin.build.report.db

Controls whether the user can Update the search analytics and trend alert reports.

plugin.show.fm.rules

Controls whether the user is allowed to see the "Edit File-Manager Rules" link in the System drop down menu. Does not control whether the user is allowed to edit File-Manager rules.

sec.accessibility-auditor

Controls whether the user may access the Accessibility Auditor reports

Also controls whether the user may audit documents and modify/view Accessibility Auditor Acknowledgements.

sec.accounts.create-roles

Controls whether the user may create new roles

See the 'Modify Funnelback roles' section in the API UI.

sec.accounts.create-users

Controls whether the user may create new users.

See the 'Modify Funnelback users' section in the API UI.

sec.accounts.delete-roles

Controls whether the user may delete roles

See the 'Modify Funnelback roles' section in the API UI.

sec.accounts.delete-users

Controls whether the user may delete users

See the 'Modify Funnelback users' section in the API UI.

sec.administer.read

Controls whether the user may view some administrative data on the server.

Required:

  • to show the System Logs in the system menu

  • if the user does not have sec.administer.system to be able to view some files that do not belong to a collection for example System logs

sec.administer.read-only.override

Controls whether the user may override read-only mode, and make changes to a server via a limited set of admin-api endpoints.

In order to make an override request, the user also needs to set the override header to true (X-Funnelback-Read-Only-Override: true).

The capability to override read-only mode is only supported on endpoints where it is necessary for a master server to propagate changes to child servers via the admin-api.

sec.administer.system

Controls whether the user may complete some administrative tasks.

Controls if the user may prepare Funnelback for upgrade using the API as well as via the classic Admin UI. Also controls by default displaying of the 'Prepare Funnelback for upgrade' link in the system drop down menu in the class Admin UI.

Controls if the user may ignore the collection parameter white-list and set any setting within collection.cfg.

Controls whether the user may edit and view file manager rules.

Controls whether the user may run mediator commands via the classic Admin UI. The user may also need other permissions such as access to the collection the command is running on.

Controls whether the user may trigger the upgrade of indexes after an upgrade.

sec.api.debug

Controls whether the user may use Debug API.

Controls whether the link to the API UI is displayed in the system drop down menu.

sec.application-token.non-expiring.create

Controls whether the user can create and revoke non-expiring tokens.

sec.auto-completion

Controls whether the user may edit auto-completion.csv file

sec.best-bet

Controls whether the user may edit a service’s best-bet style curator rules.

sec.blending

Controls whether a user may edit a service’s query blending synonyms.

sec.can-edit-all-unknown-config-keys

Controls whether a user is automatically granted permission to edit unknown configuration options.

Unknown configuration options are keys which are not included in Funnelback and not declared as a custom configuration key in custom-keys.cfg.

In the case this permission is not granted, a user may still have access to edit an unknown configuration option if they are explicitly granted access to edit the key or are granted access to edit all keys.

sec.can-read-all-unknown-config-keys

Controls whether a user is automatically granted permission to read unknown configuration options.

Unknown configuration options are keys which are not included in Funnelback and not declared as a custom configuration key in custom-keys.cfg.

In the case this permission is not granted, a user may still have access to read an unknown configuration option if they are explicitly granted access to read the key or are granted access to read all keys.

sec.clients.create

Controls whether the user may create new clients

clients can still be created in other ways through manual crafting of role and license apis.

sec.clients.delete

Controls whether the user may delete a client.

sec.collection-start-urls

Controls whether the user can edit a collection’s collection.cfg.start.urls file

start URLs can still be modified in other ways. See crawler.start_url and the individual permissions surrounding collection configuration keys which are unaffected by this permission.

sec.content-auditor

Controls whether the user may access Content Auditor.

sec.continuous.rest

Controls whether the user may access the Push API calls.

This controls access to all Push API calls including add/delete/get documents, snapshots, health APIs and APIs used in multi-server replication.

sec.contract.view-all

Controls whether the user is permitted to view all contracts on the server.

When not granted the user will only be able to view their own contracts.

Controls whether the user can edit a collection’s cookies.txt

sec.curator

Controls whether the user may edit a service’s curator rules.

Not required for editing curator rules with the best bet label.

sec.custom-gather

Controls whether the user can edit a collection’s custom_gather.groovy

sec.data.reporter

Controls whether the user may view the broken links reports and the collection update history link. Required:

  • to display the 'View Data Reports Dashboard' link in the classic Admin UI.

  • to view the broken links reports.

  • to display the 'View Collection Update History' link in the classic Admin UI.

sec.delete.collection

Controls whether the user may delete collections.

The user must have permission to the collection being deleted. This also controls if the link to delete a collection is clickable in the classic Admin UI.

sec.delete.collection.disable-hook

Controls whether the user may choose not to run the pre delete hook when deleting a collection.

Disabling the delete hook script is useful to avoid recursive deletions when using the delete hook on a master host to delete collections on slave hosts.

sec.edit.collection

Controlled whether the user could access the old 'Edit collection settings' administration page which was removed in Funnelback 15.22.0.

Unused since: 15.22

sec.external-metadata

Controls whether the user is allowed to edit external metadata.

Since: 16.0

sec.faceted-navigation

Controls whether the user may edit faceted navigation configuration.

The user will also need access to the collection and service the faceted navigation configuration belongs to.

sec.file.manager

Controls whether the user is allowed to list and publish files in the classic Admin UI.

This controls:

  • Viewing collection log file listing page, but not viewing of those log files.

  • If the 'Browse Collection Configuration Files' link is clickable in the classic Admin UI (by default).

  • If the 'Browse Collection Configuration Files' page is accessible but does not control if editing, viewing, downloading, creating of collection configuration files is possible.

  • If publishing of collection configuration files in the classic Admin UI, other permissions may also be required.

sec.file.manager.edit

Controls whether the user can edit tuning queries, view proposed queries, view some URL data. This controls:

  • If the user can get information about a URL from the /collection-info/v1/collections/{collection}/url API and the /data below that API.

  • If the 'Design Results Page' page link is shown in the classic Admin UI (by default). Does not control if editing of the forms is allowed or not

sec.group.manager

Reserved for future use.

sec.gscopes

Controls whether the user can edit a collection’s gscopes.cfg and/or query-gscopes.cfg file/s

sec.halt.manual

Controls whether the user may stop an update.

sec.hook-script

Controls whether the user can edit the public-ui groovy hook scripts in a collection.

This includes access to edit hook_extra_searches.groovy, hook_post_datafetch.groovy, hook_post_process.groovy, hook_pre_datafetch.groovy, hook_pre_process.groovy and hook_pre_cache.groovy.

sec.instant.update

Controls whether the user may run instant updates, and other "instant" tasks.

Controls whether the user may run the following tasks via the API:

  • INSTANT_UPDATE

  • REMOVE_URLS_BY_PREFIX_FROM_LIVE_VIEW

  • ADD_URLS_TO_LIVE_VIEW

  • REMOVE_URLS_FROM_LIVE_VIEW

See the 'Queued Tasks' under the API UI for more details.

sec.knowledge-graph-labels

Controls whether the user may edit knowledge graph public UI labels.

sec.knowledge-graph-relationships

Controls whether the user may edit knowledge graph relationships.

sec.knowledge-graph-templates

Controls whether the user may edit knowledge graph public UI templates.

sec.knowledge-graph-update

Controls whether the user may run knowledge graph updates.

sec.license.delete

Controls whether the user may delete a license.

See the 'Manage licenses for this installation' section in the API UI.

sec.license.install

Controls whether the user may install a license.

See the 'Manage licenses for this installation' section in the API UI.

sec.license.view-usage

Controls whether the user has access to the document usage per license API.

Controls access to the '/v2/document-usage-per-license' API, see the 'License limits and usage' section of the Admin API UI for further details.

sec.meta-name

Controls whether the user can read or edit a collection’s meta-names.xml

sec.metadata-mapping

Controls whether the user is allowed to modify metadata mappings.

The user must have access to the collection on which the metadata mappings are being modified. Users do not need this permission to view metadata mappings.

sec.plugin.debug

Controls whether a user can run a plugin under the plugin debug APIs.

sec.predictive-segmentation

Controls whether the user may access the predictive segmentation API

sec.profile.manage

Controls whether the user is allowed to create and delete profiles.

Also controls, by default, if the 'Manage Profiles' link is shown in the classic Admin UI.

Also controls if the user may use the classic Admin UI to set a profile to be a service as well as decommissioning a service. Also controls if the links to do these operations are visible.

sec.qie

Controls whether the user is allowed to edit QIE (Query Independent Evidence) for a collection.

sec.queue.delete-other-users-tasks

Controls whether the user may delete tasks of other users.

See the 'Queued tasks' section in the API UI.

sec.queue.priority

Controls whether the user may change or set the priority of tasks.

See the 'Queued tasks' section in the API UI.

sec.reporter

Controls whether the user should be able to view the search analytics with the UI.

In the classic Admin UI controls whether the 'View Query Reports Dashboard' should be shown.

In the modern Admin UI controls whether the 'Search Analytics' can be viewed.

Does not control access to the search analytic APIs.

sec.reporter.email

Controls, by default, if the 'Edit Analytics Email Settings' link is shown in the classic Admin UI.

Does not control if the analytics email report settings can be modified or not.

sec.reporting-exclusion

Controls whether a user may edit the reporting blacklist or reporting stop words configuration for a search package or results page.

sec.sched.cron

Controls whether a user may schedule regular updates.

sec.sched.manual

Controls whether a user may start or restart an update on most collection types.

This includes most normal update types as well as restarting updates on web collections, this does not include instant updates. This does not apply to Push collections.

See the 'Queued Tasks' under the API UI for more details.

sec.seo-auditor

Controls whether the user may access SEO Auditor (previously known as Content Optimiser).

This was previously called sec.content.optimiser.

sec.server-alias

Controls whether the user may edit a collection’s server alias configuration.

sec.server.config

Controls whether the user is allowed to edit or read server configuration.

This controls whether the user is allowed to edit or read any setting from server configuration (global.cfg), provided they also have access to read/edit the key. The 'environment-name' key is exempt from this setting as all users are permitted to read that setting.

Since: 15.22

sec.service.mediator

Controls whether the user can run tasks using the mediator API.

sec.service.webdav

Controls whether the user can view and manipulate files under SEARCH_HOME

This is not the WebDav service served by the Admin API, this permission should generally never be given to any user or role.

sec.site-profile

Controls whether the user may edit a collection’s site profiles configuration.

sec.spelling

Controls whether the user can read or edit preferred and excluded spelling suggestions.

sec.support-package

Controls whether the user can download a support package on the server.

Required:

  • to be able to download a support package for a search package/ data source which the user has access to.

sec.synonym

Controls whether the user may edit a service’s synonyms.

sec.template

Controls whether the user may edit template.xsl or a service’s template files to affect search result presentation.

sec.tuning

Controls whether the user may edit a service’s tuning data and view past tuning runs.

sec.tuning.run

Controls whether the user may start or stop a new tuning run for a service.

sec.url-kill-list

Controls whether the user may read or edit kills lists in the API.

Does not control access to kill list files in the classic Admin UI, that is controlled by file manager rules.

sec.view.logs

Controls whether the user can view some collection analysis tools and click some collection log links.

Controls, by default, whether the 'Browse Log Files' and the 'Collection Tools' link is shown in the classic Admin UI.

Controls whether the user may call APIs under /collection-info/v1/{collection}/update-history/. See the 'Update History' section in API UI for more details.

Controls whether the user may use the collection tools page and the analysis-tools.cgi API, used by the collection tools page.

Controls whether the user may view some collection logs via WebDav including update logs, modern UI logj2 logs and query logs.

sec.web-resources

Controls whether the user may edit web-resource files within a profile. Currently not used, reserved for future use.

sec.workflow-config

Controls whether the user can read or edit a collection’s workflow.cfg

sec.xml-index

Controls whether the user may edit a collections XML indexing configuration.