REST APIs for 23.5

Required Permissions for API Users

To use the REST APIs, you must be an authorized Illumio user with credentials to log into the PCE.

For authentication permissions for each REST API call, see the Illumio Core REST API Reference.

User Permissions and the API

Authentication to the PCE is based on three user roles that allow users to perform specific API operations:

  • Organization owner: All GET, POST, PUT, and DELETE APIs

  • Administrator: Most GET, POST, PUT, and DELETE APIs

  • Read-only: GET only

The PCE also has two other kinds of roles:

  • Unscoped: Not bound by label scopes

  • Scoped: Bound by label scopes

Unscoped Roles

| API Role Name | UI Role Name | Granted Access |
|---|---|---|
| owner | Global Organization Owner | Perform all actions: add, edit, or delete any resource, organization setting, or user account. |
| admin | Global Administrator | Perform all actions except changing organization settings and performing user management tasks. |
| read_only | Global Read Only | View any resource or organization setting. Cannot perform any operations. |
| global_object_provisioner | Global Policy Object Provisioner | Provision rules containing IP lists, services, and label groups, and manage security settings. Cannot provision rulesets, virtual services, or virtual servers, or add, modify, or delete existing policy items. |

Scoped Roles

| API Role Name | UI Role Name | Granted Access |
|---|---|---|
| ruleset_manager | Full Ruleset Manager | Add, edit, and delete all rulesets within the specified scope. Add, edit, and delete rules when the provider matches the specified scope; the rule consumer can match any scope. |
| limited_ruleset_manager | Limited Ruleset Manager | Add, edit, and delete all rulesets within the specified scope. Add, edit, and delete rules only when both the provider and the consumer match the specified scope. Ruleset Managers with limited privileges cannot manage rules that use IP lists, user groups, label groups, or iptables rules as consumers, or rules that allow internet connectivity. |
| ruleset_provisioner | Ruleset Provisioner | Provision rulesets within a specified scope. This role cannot provision virtual servers, virtual services, SecureConnect gateways, security settings, IP lists, services, or label groups. |
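The difference between the two scoped Ruleset Manager roles comes down to which side of a rule must sit inside the role's label scope. The check below is an added, constructed model of that logic (it is not PCE code, and representing a scope and an actor as sets of label key/value pairs is an assumption made for the example); it denies by default for any role the table does not grant rule editing to.

```python
"""Constructed model of the scoped-role rule checks described above (not PCE code)."""
from dataclasses import dataclass

Label = tuple[str, str]          # e.g. ("env", "prod"); representation is an assumption


@dataclass(frozen=True)
class Actor:
    """One side of a rule. kind is 'labels' or a non-label actor type."""
    kind: str                            # labels | ip_list | user_group | label_group | iptables
    labels: frozenset = frozenset()      # only meaningful when kind == "labels"


@dataclass(frozen=True)
class Rule:
    providers: Actor
    consumers: Actor
    allows_internet: bool = False        # modelled as a flag for this example


# Consumer kinds a limited ruleset manager may not manage, per the role table.
RESTRICTED_CONSUMER_KINDS = {"ip_list", "user_group", "label_group", "iptables"}


def matches_scope(actor: Actor, scope: frozenset) -> bool:
    """A label-based actor is in scope when it carries every label of the scope."""
    return actor.kind == "labels" and scope <= actor.labels


def can_manage_rule(role: str, scope: frozenset, rule: Rule) -> bool:
    """Return True only if `role`, bound to `scope`, may add/edit/delete `rule`."""
    if role == "ruleset_manager":
        # Full manager: provider must be in scope; consumer may match any scope.
        return matches_scope(rule.providers, scope)
    if role == "limited_ruleset_manager":
        # Limited manager: both sides in scope, and none of the restricted consumer
        # types or internet-allowing rules.
        if rule.consumers.kind in RESTRICTED_CONSUMER_KINDS or rule.allows_internet:
            return False
        return matches_scope(rule.providers, scope) and matches_scope(rule.consumers, scope)
    # read_only, ruleset_provisioner, global_object_provisioner and anything
    # unknown: no rule editing. Deny by default.
    return False


if __name__ == "__main__":
    prod = frozenset({("env", "prod")})
    web = Actor("labels", frozenset({("env", "prod"), ("app", "web")}))
    dev_db = Actor("labels", frozenset({("env", "dev"), ("app", "db")}))
    print(can_manage_rule("ruleset_manager", prod, Rule(web, dev_db)))          # True
    print(can_manage_rule("limited_ruleset_manager", prod, Rule(web, dev_db)))  # False
```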