Each role is associated with a single permission set. A permission set specifies a set of Aqua operations that can be performed on the resources by users with the associated role(s).

  • The resources are grouped into 4 categories: policies, assets, compliance, and system. 
  • Approximately 25 types of resources are predefined in Aqua, to provide system administrators with highly granular control. The resources are grouped into categories: Policies, Assets, Compliance, and System.
  • The permission set specifies, for each of the resources, one of the following: Edit permission, View Only permission, or no permission at all. Editing includes the creation, modification, and deletion of the item in question.

Permission set components: access selector and permissions

A permission set consists of an access selector and a detailed set of permissions.

Access selector

The access selector defines whether the permission set includes access to functionality in:

  • Both the UI and the API
  • Only the API


Checking the option Full Permission grants the permission set Edit permission on all Aqua Enterprise functionality, in both the UI and the API.

If Full Permission is not granted, permissions are granted to individual items arranged in these categories: Policies, Assets, Compliance, and System. Each item is assigned any of these permissions:

  • Edit: Generally includes the viewing, listing, creation, modification, and deletion of the item in question (either in the UI or via relevant APIs). The meaning of "Edit" is slightly different in some cases, and "Edit" does not apply to every item.
  • View Only: Includes viewing only of the item in question
  • Not Set: No permissions; the item will not even appear in the UI (default)


Assurance PoliciesCreate, modify, and delete Assurance Policies (e.g., Image Assurance Policies)View existing Assurance Policies
Image Profiles

Create, modify, and delete Image Profiles

View existing Image Profiles
Firewall PoliciesCreate, modify, and delete Firewall PoliciesView existing Firewall Policies
Runtime PoliciesCreate, modify, and delete Runtime Policies (e.g., Container Runtime Policies)View existing Runtime Policies
User Access Control PoliciesCreate, modify, and delete User Access Control PoliciesView existing User Access Control Policies


DashboardConfigure the dashboardView the dashboard
Risk ExplorerN/AView the Risk Explorer
ImagesAdd (register) images to Aqua; remove images; profile containersView images already registered to Aqua
Host imagesAdd (register) host images to Aqua; remove host imagesView unregistered host images in the Images screen (Host Images tab); view host images under Compliance / Host Images
FunctionsAdd (register) functions to AquaView functions
EnforcersAdd, modify, and remove Enforcer groups and EnforcersView existing Enforcer groups and Enforcers
ContainersN/AView containers and running workloads
ServicesAdd, modify, and remove Aqua servicesView existing Aqua services
InfrastructureView Infrastructure and run discovery of clusters and hostsView Infrastructure (clusters and hosts)


VulnerabilitiesView and acknowledge vulnerabilities discovered during scanningView vulnerabilities discovered during scanning
CIS BenchmarksView and trigger CIS benchmark scansView CIS benchmark scans in the UI


Audit EventsN/AView audit events
SecretsCreate, modify, and delete secretsView existing secrets
SettingsView and modify settings, as well as Gateway, Access Management, and Application Scopes
View the Settings UI screen
IntegrationsView and modify IntegrationsView the Administration > Integrations UI screen
Scanner CLIN/AThe permissions required by the Aqua Scanner on the Aqua Server
GatewaysEdit Gateway parameters; delete (clean up) disconnected gatewaysView the Aqua Gateways UI screen
ConsolesN/AView the Aqua Consoles UI screen
Webhook authorization APIN/APermission to use the Webhook authorization API

In the Advanced plan, the users will get only limited items from all the four operations (policies, assets, compliance, and system. However, the Enterprise plan users can access all the above-mentioned items. 

Defining and managing permission sets

A permission set can be created, modified, and deleted. Additionally, you can view all the predefined permission sets in the console. To know more about these operations, see Permission Set Operations.