Permission Management

Hub's permission system provides granular access control across all products. Permissions follow a hierarchical format and support wildcards for flexible assignment.

🔒 users.manage (Owner or Admin)

Permission Format

Every permission follows the pattern: {product}.{resource}.{action}

Examples:

  • psa.tickets.create — Create tickets in PSA
  • crm.contacts.delete — Delete contacts in CRM
  • defend.alerts.acknowledge — Acknowledge security alerts in Defend
  • rmm.devices.remote_access — Start remote sessions in RMM

Wildcards

Wildcards let you grant broad access without listing every individual permission:

Pattern         Meaning
psa.tickets.*   All ticket-related permissions in PSA
psa.*           All permissions in PSA
*               All permissions across all products (Owner-level)

⚠️ Wildcard permissions are powerful. Use psa.* sparingly — it grants create, read, update, and delete access to every resource in that product.

How Permissions Are Resolved

When you access a product, Hub resolves your effective permissions through this chain:

  1. Platform role — Sets the baseline (Owner gets *, Viewer gets read-only)
  2. Hub roles — Named permission bundles assigned to the user
  3. Product access — Per-user permission overrides for specific products
  4. Wildcard expansion — Patterns are expanded against the registered permission catalog

The result is a flat list of permissions the product checks against when you perform actions.
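
Step 4 of the chain as an added example (not Hub's own code): it expands the "Service Desk Technician" patterns this page lists under Via Hub Roles against a constructed catalog and reports delete permissions that are reached only through a wildcard. The catalog entries, the function names and the prefix-matching rule are assumptions.

```python
# Added illustration: the catalog, grants and matching rule below are
# constructed assumptions, not Hub's implementation.

# Constructed permission catalog in {product}.{resource}.{action} form.
CATALOG = [
    "psa.tickets.create", "psa.tickets.read", "psa.tickets.delete",
    "psa.time_entries.create", "psa.invoices.read",
    "crm.contacts.read", "crm.contacts.delete",
    "defend.alerts.acknowledge", "rmm.devices.remote_access",
]

def matches(pattern, permission):
    """True if a pattern from the page's wildcard table covers a permission."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        # Keep the trailing dot so "psa.*" cannot match "psa2.tickets.read".
        return permission.startswith(pattern[:-1])
    return pattern == permission

def expand(patterns, catalog=CATALOG):
    """Map each effective permission to the sorted patterns that granted it."""
    effective = {}
    for perm in catalog:
        sources = sorted(p for p in patterns if matches(p, perm))
        if sources:
            effective[perm] = sources
    return effective

def wildcard_only_deletes(patterns, catalog=CATALOG):
    """Delete permissions reached only through a wildcard, never by name."""
    return sorted(
        perm for perm, sources in expand(patterns, catalog).items()
        if perm.endswith(".delete") and perm not in sources
    )

if __name__ == "__main__":
    # The "Service Desk Technician" bundle from this page.
    role = ["psa.tickets.*", "psa.time_entries.create", "crm.contacts.read"]
    for perm, sources in expand(role).items():
        print(f"{perm:28} via {', '.join(sources)}")
    print("delete via wildcard only:", wildcard_only_deletes(role))
```

Running the same check over each role's patterns before assigning it shows which sensitive actions a wildcard pulls in without being named.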

Viewing Effective Permissions

To see what a user can actually do:

  1. Go to Settings > Users
  2. Click on the user's name
  3. Select the Permissions tab
  4. Permissions are grouped by product, showing both inherited (from roles) and directly assigned permissions

Granting Permissions

Via Product Access

The simplest way to grant permissions is through product access. When you give a user access to a product, you select which roles and permissions they receive.

Via Direct Assignment

For fine-grained control:

  1. Open the user's profile in Settings > Users
  2. Go to the Permissions tab
  3. Click Add Permission
  4. Search for the permission by product, resource, or action
  5. Click Grant

Via Hub Roles

Hub roles are named bundles of permissions you can assign to multiple users. For example, you might create a "Service Desk Technician" role that includes psa.tickets.*, psa.time_entries.create, and crm.contacts.read.

Revoking Permissions

  1. Open the user's profile
  2. Go to the Permissions tab
  3. Click the X next to the permission you want to revoke
  4. Confirm the revocation

Revocations take effect immediately. The user's next action that requires the revoked permission will be denied.

Sensitive Permissions

Some permissions are flagged as sensitive — they require an Admin or Owner to grant. These include:

  • Permissions involving deletion of records
  • Permissions involving financial data
  • Permissions involving user management
  • Permissions involving audit log access

Sensitive permissions are marked with a shield icon in the permission picker.

Bulk Permission Management

For organizations with many users, you can:

  1. Create Hub roles with the permission sets your teams need
  2. Assign roles to users instead of individual permissions
  3. When a role changes, all users with that role are updated automatically

This is the recommended approach for organizations with more than 10 users.

💡 Create roles that match your team structure — "Service Desk Tech", "Network Engineer", "Account Manager" — each with the minimum permissions needed for that job function.