Custom roles in Splunk Observability Cloud

Manage users: Create custom roles for users in Splunk Observability Cloud

Predefined roles in Splunk Observability Cloud

Splunk Observability Cloud has built-in roles and the ability to add custom roles. The four built-in roles with predefined capabilities include the following:

admin
power
usage
read_only

For general information on these predefined roles, see About roles in Splunk Observability Cloud. For more specific details on how predefined roles map to capabilities in Splunk Observability Cloud, see Splunk Observability Cloud matrix of roles and capabilities.

Prerequisites

To create custom roles, you must meet the following prerequisites:

Be an administrator in Splunk Cloud Platform
Have set up Unified Identity between your Splunk Cloud Platform and Splunk Observability Cloud organizations. See Unified Identity: Splunk Cloud Platform and Splunk Observability Cloud.
Have set up centralized user and role management. See How to set up centralized user and role management.

Custom roles and cross-region connections

You can use custom roles in cross-region connections only for Splunk Cloud Platform version 10.0.2503 and later.

For Splunk Cloud Platform releases prior to 10.0.2503, you can use custom roles only if your Splunk Observability Cloud and Splunk Cloud Platform organizations are in the same region.

Custom roles and multi-org

If you have multiple Splunk Observability Cloud organizations paired with your Splunk Cloud Platform organization, you can customize a role for a specific observability organization. See Connect multiple Splunk Observability Cloud organizations for more information on a multi-org environment.

A custom role isa custom set of capabilities that the admin selects. You can use a policy to assign a capability or set of capabilities to a specific organization in a multi-org environment. See Create authorization policies in Splunk web to learn about policies in general. Follow the instructions below to attach a policy to a set of capabilities.

You can create a policy for a custom role in two ways:

Use the Policy management page to find or create a policy then attach it to a capability.
Use the Roles management page, Capabilities tab to add a policy to a specific capability.

Use the Policy management page to create a policy and attach it to a custom role by following these steps:

Log in to Splunk Cloud Platform as an admin, then go to Settings > Policies.
You can select an existing policy and edit it or select + Add policy then add a name.
Note: You cannot edit the name of an existing policy. Once you name a policy, the name is permanent and you must delete the policy and create a new one to have a new name.
In the Attribute field, select O11y Organization ID.
In the Attribute value field, select the paired Splunk Observability Cloud organization to which you want to map this policy.
Select the role and capability or capabilities you want to map to this paired Splunk Observability Cloud organization, then select Save Policy.

Use the Roles management page to attach a policy to a custom role by following these steps:

Log in to Splunk Cloud Platform as an admin, then go to Settings > Roles and select the Capabilities tab.
Select the plus sign ("+") next to the capability you want to map to a specific observability organization, then from the drop-down menu, select Create new policy or select an existing policy in the list.
Warning: When you create a policy for a capability to map it to a specific organization, all other organizations effectively lose that capability. If a capability has no policies mapping it to specific organizations, the capability is, by default, accessible to all paired Splunk Observability Cloud organizations.
In the Attribute field, select a Splunk Observability Cloud organization.
Select the custom role you want to assign to that org in the Attribute value field.

How to create a custom role

After setting up Unified Identity and centralized user and role management, Splunk Cloud Platform is the role based access control (RBAC) store for Splunk Observability Cloud. You must create and manage all Splunk Observability Cloud roles in Splunk Cloud Platform. See Create and manage roles with Splunk Web to learn about roles in Splunk Cloud Platform.

To create a custom Splunk Observability Cloud role, follow these steps:

Follow the instructions in the "Add or edit a role" section only of Create and manage roles with Splunk Web.
In Splunk Cloud Platform, on Settings > Roles > Capabilities, specify the custom role capabilities by selecting any combination of capabilities from the table in the following section, Splunk Observability Cloud capabilities.
Note: Capabilities are always additive in nature. You cannot take away the ability to do something by adding a capability. If you don't want users who hold a role to perform a certain function on your Splunk platform instance, then do not assign that role a capability that lets a user perform that function.
[Recommended] Add the o11y_read_basic_ui_access and o11y_read_org_user capabilities to all custom roles to ensure users have all required baseline UI access.
Warning: Capabilities relating to Dashboard Groups, Tokens, and Global Search require that a user also have the "o11y_admin" role. Even if a user has read, update, or delete capabilities for Dashboard Groups, Tokens, or Global Search, the user cannot utilize those capabilities without a full admin role, "o11y_admin".

Splunk Observability Cloud capabilities

The following table lists all of the capabilities that you can add to a role to define the role's permissions in Splunk Observability Cloud:

Table 1. Splunk Observability Cloud capabilities
Capability name	What it lets users assigned to this role do	admin	power	usage	read_only
ASSIGN_ROLE	Grants user permission to assign a role to a given object type (e.g. NamedToken, OrgUser, or Team)	X
CREATE_AUTOMATED_ARCHIVAL_EXEMPT_METRICS	Grants user permission to generate automated archival exempt metrics	X	X
CREATE_AUTOMATED_ARCHIVAL_SETTINGS	Grants user the permission to create and generate automated archival settings for the org with provided lookback and grace periods	X
CREATE_BUSINESS_JOURNEY	Grants user permission to create Business Journey	X	X
CREATE_CHART	Grants user permission to create a new chart	X	X
CREATE_CHILD_ORG	Grants user permission to create new child organization	X
CREATE_CONFIG	Grants user permission to create a visibility filter on APM resources	X
CREATE_COST_INSIGHTS_BILLING_CREDENTIAL	Grants user permission to store billing credentials in the Cost Insights app in order to fetch real cost data from cloud providers	X	X
CREATE_DASHBOARD	Grants user permission to create a new dashboard. You must also assign the CREATE_SHAREABLE_SNAPSHOT capability to allow the user to save the dashboard	X	X
CREATE_DASHBOARD_DATA_LINK	Grants user permission to create a dashboard data link	X	X
CREATE_DASHBOARD_GROUP	Grants user permission to create a new dashboard group	X	X
CREATE_DASHBOARD_PRIVATE_AREA	Grants user permission to create dashboards in a private area	X	X
CREATE_DEA_INSIGHTS	Grants user the permission to create RUM funnels	X	X
CREATE_DETECTOR	Grants user permission to create a detector	X	X
CREATE_DIMENSION	Grants user permission to create a new dimension	X	X
CREATE_EVENT	Grants user permission to create a new event	X	X
CREATE_FIELD_ALIASING	Grants user permission to create aliases	X	X
CREATE_GLOBAL_DATA_LINK	Grants user permission to create data links and dashboard data links	X
CREATE_GOOGLE_AUTH	Grants user permission to create a google domain for auth configuration	X
CREATE_INTEGRATION	Grants user the permission to create an integration	X
CREATE_LOGS_PIPELINE	Grants user permission to create a new logs pipeline with processing rules	X	X
CREATE_LOGS_QUERIES	Grants user permission to create saved logs queries	X	X
CREATE_METRIC	Grants user permission to create a new metric	X	X
CREATE_METRIC_RULESET	Grants user permission to create a metric ruleset	X	X
CREATE_MUTING_RULE	Grants user permission to create a new muting rule	X	X
CREATE_NAMEDTOKEN	Grants user permission to create a Session or Org Token	X
CREATE_NAVIGATOR	Grants user permission to create a new navigator	X
CREATE_ORG_EC_PAIRING	Grants use permission to create the pairing between a Splunk platform and a Splunk Observability Cloud org	X
CREATE_ORG_USER	Grants user permission to create a new user	X
CREATE_PACKAGE	Grants user permission to create an SFX Package	X	X
CREATE_REPORT	Grants user permission to create an APM report	X
CREATE_ROLE	Grants user permission to create a new custom role	X
CREATE_SECUREAPP_ALERT	Grants user permission to create AlertingActions in Secureapp	X	X
CREATE_SHAREABLE_SNAPSHOT	Grants user permission to create a shareable snapshot of an existing chart or dashboard	X	X
CREATE_SLO	Grants user permission to create a new service level objective	X	X
CREATE_SSO	Grants user permission to create SSO connections	X	X
CREATE_SYNTHETICS_DOWNTIME_CONFIGURATION	Grants user permission to create synthetic downtime configurations	X	X
CREATE_SYNTHETICS_PRIVATE_LOCATION	Grants user permission to create synthetic private location	X	X
CREATE_SYNTHETICS_PRIVATE_LOCATION_TOKEN	Grants user permission to create a synthetic private location token	X	X
CREATE_SYNTHETICS_TEST	Grants user permission to create synthetic tests	X	X
CREATE_TAG	Grants user permission to create a new tag	X	X
CREATE_TEAM_MANAGER	Grants user permission to: add members to existing teams where user is a team manager create team members as team manager Update existing members to team manager make changes to a team irrespective of being a team manager	X	X
CREATE_TEAM_MEMBER	Grants user permission to: create a new team add members to existing teams where user is a team manager add a user to a team create team members as team manager make changes to a team irrespective of being a team manager update existing teams	X	X
DELETE_AUTOMATED_ARCHIVAL_EXEMPT_METRICS	Grants user permission to delete automated archival exempt metrics	X	X
DELETE_AUTOMATED_ARCHIVAL_SETTINGS	Grants user the permission to delete existing automated archival setting for the org	X
DELETE_BUSINESS_JOURNEY	Grants user permission to delete a Business Journey	X	X
DELETE_CHART	Grants user permission to delete an existing chart	X
DELETE_CHILD_ORG	Grants user the permission to delete (decommission) its child organization	X
DELETE_CONFIG	Grants user permission to delete APM services filters	X
DELETE_COST_INSIGHTS_BILLING_CREDENTIAL	Grants user permission to delete billing credentials in the Cost Insights app	X	X
DELETE_DASHBOARD	Grants user permission to delete an existing dashboard	X	X
DELETE_DASHBOARD_DATA_LINK	Grants user permission to delete an existing data link	X	X
DELETE_DASHBOARD_GROUP	Grants user permission to delete an existing dashboard group	X	X
DELETE_DASHBOARD_PRIVATE_AREA	Grants user permission to delete dashboards in private area	X	X
DELETE_DEA_INSIGHTS	Grants user permission to delete RUM funnels	X	X
DELETE_DETECTOR	Grants user permission to delete an existing detector	X	X
DELETE_DIMENSION	Grants user permission to delete an existing dimension	X	X
DELETE_EVENT	Grants user permission to delete an existing event	X	X
DELETE_GLOBAL_DATA_LINK	Grants user permission to delete data links and dashboard data links	X
DELETE_INTEGRATION	Grants user permission to delete an existing integration	X
DELETE_METRIC	Grants user permission to delete an existing metric	X	X
DELETE_METRIC_RULESET	Grants user permission to delete an existing metric ruleset	X	X
DELETE_MUTING_RULE	Grants user permission to delete an existing muting rule	X	X
DELETE_NAMEDTOKEN	Grants user permission to delete an existing named token	X
DELETE_NAVIGATOR	Grants user permission to delete an existing navigator	X
DELETE_ORG_USER	Grants user the permission to delete an existing user	X
DELETE_PACKAGE	Grants user permission to delete an existing SFX Package	X	X
DELETE_ROLE	Grants user permission to delete an existing custom role	X
DELETE_SAML	Grants user permission to remove the SAML IDP configuration for a given user	X
DELETE_SECUREAPP_ALERT	Grants user permission to delete AlertingActions in Secureapp	X	X
DELETE_SLO	Grants user permission to delete an existing Service Level Objective	X
DELETE_SYNTHETICS_DOWNTIME_CONFIGURATION	Grants user permission to delete synthetic downtime configurations	X	X
DELETE_SYNTHETICS_PRIVATE_LOCATION	Grants user permission to delete synthetic private location	X	X
DELETE_SYNTHETICS_PRIVATE_LOCATION_TOKEN	Grants user permission to delete synthetic private location token	X	X
DELETE_SYNTHETICS_TEST	Grants user permission to delete synthetic tests	X	X
DELETE_TAG	Grants user permission to delete an existing tag	X	X
DELETE_TEAM	Grants user permission to delete an existing team	X	X
DELETE_TEAM_MEMBER	Grants user permission to remove an existing team member from a team	X	X
EXECUTE_SIGNAL_FLOW	Grants user permission to execute a SignalFlow computation using program text and params	X	X	X	X
LOGS_READ_ENTITY_MAPPINGS	Grants user ability to read the generated mappings containing targeted splunk indexes	X	X	X	X
LOGS_WRITE_ENTITY_MAPPINGS	Grants user ability to generate mappings for selected set of splunk indexes which are part of a connection	X
PREVIEW_AUTOMATED_ARCHIVAL	Grants user permission to preview the automated archival metrics	X	X	X	X
READ_AIE		X
READ_ALERT	Grant user permission to retrieve and display alerts	X	X	X	X
READ_ALIAS	Grants user permission to read the mapping alias for the metrics	X	X	X	X
READ_APM_DATA	Grants user permission to read and write APM metricsets, business workflows, and extended trace retention settings	X	X	X	X
READ_APM_PROFILING_DATA	Grants the user permission to read APM profiling data sets	X	X	X	X
READ_AUTOMATED_ARCHIVAL_EXEMPT_METRICS	Grants user permission to read automated archival exempted metrics	X	X	X	X
READ_AUTOMATED_ARCHIVAL_SETTINGS	Grants user permission to read the automated archival settings for the org	X	X	X	X
READ_BASIC_UI_ACCESS	Grants user permission to use basic user interface	X	X	X	X
READ_BUSINESS_JOURNEY	Grants user permission to read a Business Journey	X	X	X	X
READ_CHART	Grants user permission to retrieve and display a list of charts	X	X	X	X
READ_CHILD_ORG	Grants user permission to retrieve and display its child organizations	X
READ_CONFIG	Grants user permission to retrieve and display APM services	X	X	X	X
READ_COST_INSIGHTS_BILLING_CREDENTIAL	Grants user permission to list and view billing credentials in the Cost Insights app	X	X	X	X
READ_DASHBOARD	Grants user permission to retrieve and display a list of dashboards	X	X	X	X
READ_DASHBOARD_DATA_LINK	Grants user permission to read a dashboard data link	X	X	X	X
READ_DASHBOARD_GROUP	Grants user permission to retrieve and display a list of dashboard groups	X	X	X	X
READ_DASHBOARD_PRIVATE_AREA	Grants user permission to read dashboards in private area	X	X
READ_DEA_BASIC_ACCESS	Grants user permission to read RUM funnels	X	X	X	X
READ_DETECTOR	Grants user permission to retrieve and display detectors	X	X	X	X
READ_DIMENSION	Grants user permission to retrieve and display a list of dimensions or a list of metrics	X	X	X	X
READ_DIMENSION, READ_METRIC_RULESET	Grants user permission to retrieve and display a list of dimensions. Also grants user permission to retrieve and display a list of metric rulesets	X	X	X	X
READ_ENTITY	Grants user permission to: View the discovered entities in the data management UI View the OTel collectors count in the data management UI Read the discovered entities via OTel collectors in the data management UI	X	X	X	X
READ_EVENT	Grants user permission to retrieve and display a list of events	X	X	X	X
READ_FIELD_ALIASING	Grants user read access to aliases	X	X	X	X
READ_GENERAL_SETTINGS	Grants user permission to read the general settings	X
READ_GLOBAL_BUCKET_SEARCH	Grants user permission to do a global search	X	X	X	X
READ_GLOBAL_DATA_LINK	Grants user permission to read data links and dashboard data links	X	X	X	X
READ_INCIDENT	Grants user permission to retrieve incidents	X	X	X	X
READ_INSIGHTS	Grants user permission to read Kubernetes insights based on metric data from the last 20 seconds	X	X	X	X
READ_INTEGRATION	Grants user permission to retrieve and display a list of integrations	X	X	X	X
READ_LOG_OBSERVER	Grants user read access to Log Observer Connect connections, saved queries, user preferences, logs data, and indices	X	X	X	X
READ_LOGS_PIPELINE	Grants user permission to view the configured logs pipeline and processing rules	X	X
READ_METRIC	Grants user permission to retrieve and display a list of metrics	X	X	X	X
READ_METRIC_RULESET	Grants user permission to retrieve and display a list of metric rulesets	X	X	X	X
READ_METRIC_USAGE	Grants user permission to read metric usage for various domain objects, such as NamedTokens, Metrics, Charts, and Detectors. The user also requires read capabilities on such domain objects.	X	X	X	X
READ_METRIC, READ_METRIC_RULESET	Grants user the permission to retrieve and display a list of metrics and metric rulesets	X	X	X	X
READ_MUTING_RULE	Grants user permission to retrieve and display a list of muting rules	X	X	X	X
READ_NAMEDTOKEN	Grants user permission to retrieve and display a list of named tokens	X	X
READ_NAVIGATOR	Grants user permission to retrieve and display a list of navigators	X	X	X	X
READ_OPEN_API	Grants user permission to retrieve the o11y OpenAPI specification document	X	X	X	X
READ_ORG_USER	Grants user permission to: create a new user retrieve and display a list of existing users	X	X	X	X
READ_ORGANIZATION	Grants user permission to see organization information	X	X	X	X
READ_ORGANIZATION_OVERVIEW	Grants user the permission to read organization overview	X
READ_ORGANIZATION_QUOTA	Grants user permission to read the organization's quota settings	X	X	X	X
READ_PACKAGE	Grants user permission to read SFPackages	X	X	X	X
READ_PARENT_ORG	Grants user permission to retrieve and display its parent organization	X
READ_PERMISSION	Grants user permission to retrieve the business objects' permissions	X	X	X	X
READ_PREFERENCES	Grants user permission to read users' preferences	X	X	X	X
READ_ROLE	Grants user permission to retrieve and display a list of existing roles	X	X
READ_RUM_BASIC_ACCESS	Grants user permission to: get the current custom indexed tags configuration get a list of all known RUM standard tags get a list of all organization IDs for the realm get the top apps for a given org get an error summary for each fingerprint in a list of semi-colon delimited error fingerprints get the Druid metric family for a given metric name cancel the job for a given search job ID (Returns a 202 if the request for cancellation is accepted or a 404 if the job doesn't exist) get the results for a given span search job ID get exemplar session IDs from Druid for a given time range and filters, then further hydrate the session IDs with session details from Presto get MTSes from Druid for a time range and filters (Timestamps in the time series represent the end time of the interval returned) start a job to get exemplars for a given URL config rule cancel the job for a given exemplar job ID (Returns a 202 if the request for cancellation was accepted or a 404 if the job doesn't exist) get the results from the job if given an exemplar job ID get the current custom indexed tags definition for a given org ID get the current URL config rules object for a given org ID get the current URL config version object for a given org ID get normalized URLS for a given URL get a list of tag values for given filters (useful for populating type-ahead lists in a UI) get the session chunk belonging to a span session for given session ID and chunk batch IDs get spans for a given session ID and span ID from that session and its neighboring (+/-) spans with chunk start time get session summary (start time, end time, tags, and session chunks) for a given span session ID get SR scripts belonging to a given SR session ID get SR data for a given SR session ID, script ID and offset get customer usage data for the org for a given start and end time start a job to get spans that match a given start time, end time, and filters	X	X	X	X
READ_SECUREAPP	Grants user permission to read APIs v2/secureapp/*. User can get a) the vulnerabilities associated with the packages in the running applications, b) the libraries and its details, and c) the services.	X	X	X	X
READ_SHAREABLE_SNAPSHOT	Grants user permission to retrieve an existing shareable snapshot	X	X	X	X
READ_SLO	Grants user permission to retrieve and display a list of objectives	X	X	X	X
READ_SSO	Grants user permission to retrieve Single Sign On connection	X	X	X	X
READ_SUGGESTION	Grants user permission to use suggestions for entities	X	X	X	X
READ_SYNTHETICS_DOWNTIME_CONFIGURATION	Grants user permission to read synthetic downtime configurations	X	X	X	X
READ_SYNTHETICS_PRIVATE_LOCATION	Grants user permission to read synthetic private location	X	X	X	X
READ_SYNTHETICS_PRIVATE_LOCATION_TOKEN	Grants user permission to read synthetic private location token	X	X	X	X
READ_SYNTHETICS_TEST	Grants user permission to read synthetic tests	X	X	X	X
READ_TAG	Grants user permission to retrieve and display a list of tags	X	X	X	X
READ_TEAM	Grants user permission to retrieve and display a list of existing teams	X	X	X	X
READ_TEAM_MEMBER	Grants user permission to retrieve and display a list of existing team members	X	X	X	X
READ_USAGE	Grants user permission to view subscription usage data	X	X	X	X
UPDATE_AUTOMATED_ARCHIVAL_SETTINGS	Grants user permission to update existing automated archival settings for the org	X
UPDATE_BASIC_UI_ACCESS	Grants user permission to use basic UI	X	X	X	X
UPDATE_BUSINESS_JOURNEY	Grants user permission to update Business Journey	X	X
UPDATE_CHART	Grants user permission to make changes to an existing chart	X	X
UPDATE_CHILD_ORG	Grants admin permission to update its child organization properties including subscription resource allocation	X
UPDATE_CONFIG	Grants user permission to update APM services filters	X
UPDATE_DASHBOARD	Grants user permission to make changes to an existing dashboard	X	X
UPDATE_DASHBOARD_DATA_LINK	Grants user permission to change existing dashboard data links or existing data links	X	X
UPDATE_DASHBOARD_GROUP	Grants user permission to make changes to an existing dashboard group. You must also assign the UPDATE_SHAREABLE_SNAPSHOT capability to allow the user to save the dashboard group	X	X
UPDATE_DASHBOARD_PRIVATE_AREA	Grants user permission to update dashboards in private area	X	X
UPDATE_DEA_INSIGHTS	Grants user permission to update RUM funnels	X	X
UPDATE_DETECTOR	Grants user permission to make changes to an existing detector	X	X
UPDATE_DIMENSION	Grants user permission to make changes to an existing dimension	X	X
UPDATE_FIELD_ALIASING	Grants user permission to update or delete field aliases	X	X
UPDATE_GLOBAL_DATA_LINK	Grants user permission to update existing data links and existing dashboard data links	X	X
UPDATE_GLOBAL_TEAM_MANAGER	Grants user permission to: create a new team add members to existing teams where user is a team manager add a user to a team create team members as team manager make changes to a team irrespective of being a team manager update existing team members to team manager	X	X
UPDATE_INCIDENT	Grants user permission to clear an existing incident	X	X
UPDATE_INTEGRATION	Grants user permission to make changes to an existing integration	X
UPDATE_LOGS_PIPELINE	Grants user permission to update a logs pipeline with processing rules	X	X
UPDATE_LOGS_QUERIES	Grants user permission to create, update, and delete saved logs queries	X	X
UPDATE_METRIC	Grants user permission to make changes to an existing metric	X	X
UPDATE_METRIC_RULESET	Grants user permission to make changes to an existing metric ruleset	X	X
UPDATE_METRIC_RULESET_ROUTING	Grants user the permission to make changes to an existing metric ruleset's routing.	X
UPDATE_MUTING_RULE	Grants user permission to make changes to an existing muting rule object	X	X
UPDATE_NAMEDTOKEN	Grants user permission to make changes to an existing named token	X
UPDATE_NAVIGATOR	Grants user permission to make changes to an existing navigator	X
UPDATE_ORG_USER	Grants user permission to make changes to an existing user	X
UPDATE_ORGANIZATION	Grants user permission to make changes to an existing organization's details	X
UPDATE_OTEL_MIGRATION	Grants user permission to run OTel migration from 1x to 2x	X
UPDATE_PACKAGE	Grants user permission to update an existing SFPackage	X	X
UPDATE_PREFERENCES	Grants user permission to update the user''s preferences	X	X	X	X
UPDATE_ROLE	Grants user permission to make changes to an existing role	X
UPDATE_RUM_BROWSER_MAPPING_FILE	Grants user permission to upload the RUM browser mapping file	X	X
UPDATE_RUM_CONFIG	Grants user permission to: update the current custom indexed tag config for the given org delete a given tag for a given org ID pause indexing of a specified tag and org ID launch a cardinality job for a given tag and org ID to analyze the specified tag for indexing Enable the tag analyzed by the current cardinality job to be indexed for a given org ID restart the current cardinality job for a given org ID stop the current cardinality job for a given org ID	X
UPDATE_RUM_MOBILE_MAPPING_FILE	Grants user permission to upload the RUM mobile mapping file	X	X
UPDATE_RUM_URL_GROUPING_RULE	Grants user permission to update the current URL config object (modify, add, or remove rules)	X	X
UPDATE_SECUREAPP_ALERT	Grants user permission to update AlertingActions in Secureapp	X	X
UPDATE_SERVICE_CENTRIC_VIEW_CONFIG	Grants user permission to create or update an APM Services configuration for a service	X	X
UPDATE_SHAREABLE_SNAPSHOT	Grants user permission to update an existing SFPackage	X	X
UPDATE_SLO	Grants user permission to make changes to an existing service level objective	X	X
UPDATE_SYNTHETICS_DOWNTIME_CONFIGURATION	Grants user permission to update synthetic downtime configurations	X	X
UPDATE_SYNTHETICS_TEST	Grants user permission to update synthetic tests	X	X
UPDATE_TAG	Grants user permission to make changes to an existing tag	X	X
UPDATE_TEAM	Grants user permission to: update existing teams add members to existing teams where user is a team manager make changes to a team irrespective of being a team manager	X	X
UPDATE_TEAM_MEMBER	Grants user permission to: update existing members to team manager create team members as team manager make changes to a team irrespective of being a team manager	X	X
WRITE_ENTITY	Grants user permission to update a discovered entity in the data management UI	X	X