Understanding Ploy Permissions and Roles
Overview
Ploy uses a granular permission system that allows you to control access to specific resources and actions. Each permission can be assigned independently, giving you fine-grained control over what users can see and do within the platform.
Note: Resource restrictions are currently in beta and may not apply to all areas of Ploy. Some features may bypass these restrictions.
Permission Types
Most resources support the following standard permissions:
read – View the resource and its data
write – Create, update, or delete the resource
Some resources have additional specialized permissions (such as run, grant, or execute_action) that control specific actions.
Resource Permissions Reference
Platform Area | Permissions Available | Permissions Description |
App | read, write | View and modify application resources within Ploy. |
Member | read, write, read_personal_email | View and manage member profiles. The |
Managed Access | read, write | View and configure managed access policies that control how resources are provisioned and accessed. |
Access | grant, deprovision | Grant access to resources for users or revoke (deprovision) existing access rights. |
Member Account | read, write, revoke_token | View and manage member account details. The |
Custom Field | read, write | View and create custom data fields to extend Ploy's data model for your organization's needs. |
Offboarding | read, write | View and manage offboarding workflows for departing employees, including access revocation processes, and view employees who are due to be offboarded. |
Access Review | read, write | View and manage periodic access review configurations as an administrator, including scoping, assigning, and distributing reviews. |
Notifications | read, write | View and configure notification settings, alerts, and communication preferences. |
Usage | read, write | View and manage usage analytics, metrics, and resource consumption data. |
Survey | read, write | View and create surveys for gathering feedback from end users about their application usage. |
Form | read, write | View and create forms for data collection, requests, or workflow inputs. |
Task | read, write | View and manage tasks, assignments, and workflow items within Ploy. |
Catalog | read, write | View and manage the application catalog, including available apps and services. |
Flow | read, write, run | View, configure, and execute automated workflows. The |
Integration | read, write, execute_action | View and configure third-party integrations. The |
Analytics | read, write | View and configure analytics dashboards, reports, and data visualizations. |
Luna | write | Interact with Luna, Ploy's AI assistant, to perform actions and get insights. |
Resource Restrictions
In addition to permissions, you can configure resource restrictions using Allow Lists and Block Lists:
Allow List: Specify which resources the user CAN access. Leave empty for no restrictions.
Block List: Specify which resources the user CANNOT access, even if they have the required permissions.
This is particularly useful if you have sensitive applications, groups, or databases that you want to hide from certain Ploy administrators.
Best Practices
Follow the principle of least privilege – only grant permissions that users need to perform their job functions.
Regularly review access permissions as part of your access review process.
Use Block Lists sparingly – they can make troubleshooting access issues more complex.
Document your permission strategy and ensure it aligns with your organization's security policies.
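One way to support the review and least-privilege practices above is to lint role definitions against the permission reference table. This is an added example, not Ploy code or a Ploy API. The role dictionary shape, the role names, and the "Payroll DB" resource are assumptions constructed for illustration.

```python
STANDARD = {"read", "write"}
# Areas that offer only the standard permissions, per the reference table.
REFERENCE = {area: set(STANDARD) for area in (
    "App", "Managed Access", "Custom Field", "Offboarding", "Access Review",
    "Notifications", "Usage", "Survey", "Form", "Task", "Catalog", "Analytics")}
# Areas whose permission set differs from read/write.
REFERENCE.update({
    "Member": STANDARD | {"read_personal_email"},
    "Access": {"grant", "deprovision"},
    "Member Account": STANDARD | {"revoke_token"},
    "Flow": STANDARD | {"run"},
    "Integration": STANDARD | {"execute_action"},
    "Luna": {"write"},
})

def lint_role(role):
    """Return a list of (severity, message) findings for one role."""
    findings, special = [], []
    for area, perms in role["permissions"].items():
        offered = REFERENCE.get(area)
        if offered is None:
            findings.append(("error", f"unknown platform area '{area}'"))
            continue
        granted = set(perms)
        for perm in sorted(granted - offered):
            findings.append(("error", f"{area} does not offer '{perm}'"))
        special += [f"{area}:{p}" for p in sorted((granted & offered) - STANDARD)]
    if special:
        findings.append(("review", "specialized permissions: " + ", ".join(special)))
        if not role.get("allow_list"):
            # An empty Allow List means no resource restrictions apply.
            findings.append(("review", "specialized permissions with empty Allow List"))
    if role.get("block_list"):
        findings.append(("info", "Block List in use: " + ", ".join(role["block_list"])))
    return findings

# Constructed sample roles; the dict shape is an assumption, not a Ploy format.
ROLES = [
    {"name": "helpdesk", "allow_list": [], "block_list": [],
     "permissions": {"Member": ["read"], "Task": ["read", "write"]}},
    {"name": "it-admin", "allow_list": [], "block_list": ["Payroll DB"],
     "permissions": {"Access": ["grant", "deprovision"],
                     "Flow": ["read", "run"], "Luna": ["read"]}},
]

if __name__ == "__main__":
    for role in ROLES:
        for severity, message in lint_role(role):
            print(f"{role['name']}: [{severity}] {message}")
```

Findings marked "review" are prompts for an access reviewer rather than violations; the "error" findings catch permissions that the reference table does not list for that area.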
Need Help?
If you have questions about configuring permissions or need assistance with role management, please contact us.