Understanding Ploy Permissions and Roles

This article explains the permission system in Ploy, helping administrators understand how to configure user access and roles effectively.

Written By Jacob Prime

Last updated 11 days ago

Overview

Ploy uses a granular permission system that allows you to control access to specific resources and actions. Each permission can be assigned independently, giving you fine-grained control over what users can see and do within the platform.

Note: Resource restrictions are currently in beta and may not apply to all areas of Ploy. Some features may bypass these restrictions.

Permission Types

Most resources support the following standard permissions:

  • read – View the resource and its data

  • write – Create, update, or delete the resource

Some resources have additional specialized permissions (such as run, grant, or execute_action) that control specific actions.

Resource Permissions Reference

| Platform Area | Permissions Available | Permissions Description |
|---|---|---|
| App | read, write | View and modify application resources within Ploy. |
| Member | read, write, read_personal_email | View and manage member profiles. The read_personal_email permission allows access to members' personal email addresses if these are pulled in through one of your integrations. |
| Managed Access | read, write | View and configure managed access policies that control how resources are provisioned and accessed. |
| Access | grant, deprovision | Grant access to resources for users or revoke (deprovision) existing access rights. |
| Member Account | read, write, revoke_token | View and manage member account details. The revoke_token permission allows invalidating authentication tokens. |
| Custom Field | read, write | View and create custom data fields to extend Ploy's data model for your organization's needs. |
| Offboarding | read, write | View and manage offboarding workflows for departing employees, including access revocation processes, and view employees who are due to be offboarded. |
| Access Review | read, write | View and manage periodic access review configurations as an administrator, including scoping, assigning, and distributing reviews. |
| Notifications | read, write | View and configure notification settings, alerts, and communication preferences. |
| Usage | read, write | View and manage usage analytics, metrics, and resource consumption data. |
| Survey | read, write | View and create surveys for gathering feedback from end users around their application usage. |
| Form | read, write | View and create forms for data collection, requests, or workflow inputs. |
| Task | read, write | View and manage tasks, assignments, and workflow items within Ploy. |
| Catalog | read, write | View and manage the application catalog, including available apps and services. |
| Flow | read, write, run | View, configure, and execute automated workflows. The run permission allows triggering flow executions. |
| Integration | read, write, execute_action | View and configure third-party integrations. The execute_action permission allows triggering integration actions. |
| Analytics | read, write | View and configure analytics dashboards, reports, and data visualizations. |
| Luna | write | Interact with Luna, Ploy's AI assistant, to perform actions and get insights. |

Resource Restrictions

In addition to permissions, you can configure resource restrictions using Allow Lists and Block Lists:

  • Allow List: Specify which resources the user CAN access. Leave empty for no restrictions.

  • Block List: Specify which resources the user CANNOT access, even if they have the required permissions.

This is particularly useful if you have sensitive applications, groups or databases that you would like to be hidden from certain Ploy administrators.

Best Practices

  1. Follow the principle of least privilege – only grant permissions that users need to perform their job functions.

  2. Regularly review access permissions as part of your access review process.

  3. Use Block Lists sparingly – they can make troubleshooting access issues more complex.

  4. Document your permission strategy and ensure it aligns with your organization's security policies.
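The allow-list and block-list rules from Resource Restrictions, combined with the least-privilege review from the best practices, modeled as an added Python example (not Ploy's code or API). The Role layout, the findings wording, the rule that a block-list entry wins over an allow-list entry, and the sample role are assumptions made for illustration; because restrictions are in beta, the model reflects the documented intent only.

```python
# Added illustration: local model of the rules on this page, not Ploy's API.
# Role layout, field names and sample data are constructed assumptions.
from dataclasses import dataclass, field

# Permissions per platform area, copied from the reference table (subset).
AREA_PERMISSIONS = {
    "App": {"read", "write"},
    "Member": {"read", "write", "read_personal_email"},
    "Member Account": {"read", "write", "revoke_token"},
    "Flow": {"read", "write", "run"},
    "Integration": {"read", "write", "execute_action"},
}
STANDARD = {"read", "write"}

@dataclass
class Role:
    name: str
    permissions: dict  # platform area -> set of permission names
    allow_list: set = field(default_factory=set)  # empty = no restriction
    block_list: set = field(default_factory=set)

def can_access(role, area, permission, resource):
    """Check the permission first, then the block list, then the allow list."""
    if permission not in role.permissions.get(area, set()):
        return False
    if resource in role.block_list:  # blocked even with the permission
        return False
    return not role.allow_list or resource in role.allow_list

def audit(role):
    """Return findings worth raising in a least-privilege review of one role."""
    findings = []
    for area, perms in sorted(role.permissions.items()):
        unknown = perms - AREA_PERMISSIONS.get(area, set())
        if unknown:
            findings.append(f"{area}: not in reference table: {sorted(unknown)}")
        special = (perms & AREA_PERMISSIONS.get(area, set())) - STANDARD
        if special and not role.allow_list:
            findings.append(f"{area}: {sorted(special)} with empty allow list")
    overlap = role.allow_list & role.block_list
    if overlap:
        findings.append(f"allowed and blocked: {sorted(overlap)}")
    return findings

# Constructed sample role; "approve" is deliberately not a documented permission.
helpdesk = Role("helpdesk", {"Member": {"read", "read_personal_email"},
                             "Flow": {"read", "run", "approve"}},
                block_list={"finance-db"})
```

Running `audit(helpdesk)` reports the undocumented permission and the two specialized permissions that apply to every resource because the allow list is empty.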

Need Help?

If you have questions about configuring permissions or need assistance with role management, please contact us.