WebIAM
Permissions
The Permissions page provides a matrix view showing which roles have access to which modules. Permission strings follow the module:action format where action is one of read, write, or admin.
Permission Matrix
| Module | Admin | Manager | Analyst | Viewer |
|---|---|---|---|---|
| Cost & Usage | read + write | read + write | read | read |
| Redshift Health | read + write | read + write | read | — |
| IAM | read + write + admin | read | — | — |
| Monitoring | read + write | read + write | read | — |
| Vidura AI | read | read | read | — |
| Settings | read + write + admin | read + write | — | — |
Permission Strings Reference
Each cell in the matrix above corresponds to one or more permission strings:
| Permission String | What It Grants |
|---|---|
| cost_analysis:read | View Cost & Usage dashboards, unit cost, optimization views |
| cost_analysis:write | Modify cost analysis configuration, filters, and alert thresholds |
| redshift_health:read | View all Redshift Health dashboards: table analysis, query analysis, alerts, live observation |
| iam:read | View users, groups, roles, and the permission matrix |
| iam:write | Create and update users and groups |
| iam:admin | Full IAM control: manage custom roles, delete users, manage environments |
| alerts:read | View alert rules, fired alerts, incidents, and notification channels |
| alerts:write | Create and modify alert rules, escalation policies, and channels |
| vidura:read | Access Vidura AI chat, create and view chat sessions, use the "Ask Vidura" drawer |
Permission Resolution Order
When a user makes a request, the API resolves their effective permissions using the following priority order (highest to lowest):
- User override — Permissions explicitly set on the individual user record
- Group permissions — Union of all permissions from every group the user belongs to
- Role permissions — The permission set defined by the user's assigned role
- Global default — Tenant-level permissions applied to all authenticated users
Most Permissive Wins
Permission resolution uses a most-permissive-wins approach within the same tier. If a user belongs to two groups where one grants read and the other grants write, the user receives write (the union of both).
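The resolution order and the within-tier union described above, as an added Python sketch (not the product's own code). The page does not spell out how tiers combine, so this assumes a higher tier replaces lower tiers for any module it mentions; the function names and the sample data are hypothetical and constructed for illustration.

```python
import re

ACTIONS = {"read", "write", "admin"}  # the three actions the page lists

def parse(perm):
    """Split a module:action string; reject anything malformed."""
    m = re.fullmatch(r"([a-z_]+):([a-z]+)", perm)
    if not m or m.group(2) not in ACTIONS:
        raise ValueError(f"invalid permission string: {perm!r}")
    return m.group(1), m.group(2)

def to_map(perms):
    """Collect permission strings into {module: {actions}}."""
    out = {}
    for p in perms:
        module, action = parse(p)
        out.setdefault(module, set()).add(action)
    return out

def effective(user_override, groups, role, global_default):
    """Resolve the four tiers; all arguments are iterables of strings,
    except groups, which is a list of such iterables."""
    group_union = [p for g in groups for p in g]  # union within the tier
    tiers = [user_override, group_union, role, global_default]
    resolved = {}
    # Assumption: apply lowest priority first so that a higher tier
    # replaces the entry for any module it mentions.
    for tier in reversed(tiers):
        resolved.update(to_map(tier))
    return resolved

def is_allowed(perm, resolved):
    """Deny by default: unknown module or missing action means no."""
    module, action = parse(perm)
    return action in resolved.get(module, set())

# Constructed sample data (not from the product).
USER_OVERRIDE = ["iam:read"]
GROUPS = [["alerts:read"], ["alerts:write", "cost_analysis:write"]]
ROLE = ["cost_analysis:read", "redshift_health:read", "vidura:read"]
GLOBAL_DEFAULT = ["vidura:read"]

if __name__ == "__main__":
    resolved = effective(USER_OVERRIDE, GROUPS, ROLE, GLOBAL_DEFAULT)
    for module in sorted(resolved):
        print(module, sorted(resolved[module]))
```

Under the assumed tier rule, the group-level `cost_analysis:write` masks the role's `cost_analysis:read`, which is worth checking against the real API when auditing who can see what.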