# Permissions Three concepts govern an Integration Gateway user's permissions: * [User Type (Standard, Staff, Service Account)](#user-type) * [User Permissions](#user-permissions) * [Group Permissions](#group-permissions) ### User Type | Page | Standard User | Staff User | | ---------------- | -------------------- | -------------------- | | Dashboard | :white\_check\_mark: | :white\_check\_mark: | | Bookmarks | :white\_check\_mark: | :white\_check\_mark: | | Run History | :white\_check\_mark: | :white\_check\_mark: | | Build | :white\_check\_mark: | :white\_check\_mark: | | Swagger API | :white\_check\_mark: | :white\_check\_mark: | | Schedule | :white\_check\_mark: | :white\_check\_mark: | | Vault | -- | :white\_check\_mark: | | Migrate | -- | :white\_check\_mark: | | View Changes | -- | :white\_check\_mark: | | Invite | -- | :white\_check\_mark: | | Admin (settings) | -- | :white\_check\_mark: | A **Standard** Integration Gateway user account is appropriate for everyday users who build, maintain, or monitor integrations. A **Staff** Integration Gateway user is equivalent to a system administrator. These users have access to additional pages, notably the *Invite* page, which allows them to invite additional Standard and Staff users into Integration Gateway, and the *Admin* page, which controls settings for the Integration Gateway environment. A **Service Account** manages third-party system access to integrations on Integration Gateway. A Service Account is only meant to execute integrations, and cannot log into the Integration Gateway UI, view or edit integrations, or invite other users. Learn more about service accounts here. ### User Permissions Both Standard and Staff users can have their abilities augmented by being granted permissions specific to a particular action. A Staff user can manage these permissions from the Admin portal. ### Integration Permissions Each user — both Standard and Staff — must be explicitly granted permission to access integrations. This must be done for each integration. A Staff user can assign integration permissions to individual users from the Admin portal, or assign them to a group using Group Integration Permissions. Integrations have four separate permission types: Read, Write, Execute, and Debug. By default, the user who creates the integration has all four integration permissions. * `read` — Allows the user to see the contents of the integration, including its Service Requests, Field Mappings, Value Mapping Sets, etc. * `write` — Allows the user to modify the integration * `execute` — Allows the user to run the integration using the *Run Integration* feature, or via an API call using their account credentials * `debug` — Allows the user to see run histories from past integration runs, regardless of which account originally ran the integration ### Group Permissions Groups allow you to manage permissions for multiple users at once. To create a group: 1. Click your profile icon and select **Admin** to open the Admin portal. 2. Navigate to **Authentication > Groups** and click **+ Add**. 3. Enter a name for the group. 4. Select permissions from the Available permissions list and move them to the Chosen permissions list. 5. Select users from the Available Users list and move them to the Chosen Users list. 6. Click **Save**. Any member of the group automatically receives these permissions when they join, and the system revokes those permissions if you remove the user from the group. Permissions granted through a group are only additive to any existing permissions a user has. ### Permissions Across Environments In standard Integration Gateway projects, a user will have access to three separate environments: DEV, TEST, and PROD. While the permissions concepts outlined on this page function the same way on all three environments, policies and best-practice dictates which permissions are typically given in each environment.\ \ Integration Gateway's default policy is: | Environment | Integration Permissions | | ----------- | ----------------------- | | DEV | Read, Debug, Write\* | | TEST | Read, Debug | | PROD | Read, Debug | *\*We recommend restricting Write permissions to the minimum set of users necessary to build the integration.* No group receives Execution permissions. Integration Gateway best practice is to restrict execution permissions to a dedicated [service account](/integration-gateway-platform-reference/permissions/service-accounts.md), rather than execute integrations with an employee's Integration Gateway account. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://glyue.docs.sandboxbanking.com/integration-gateway-platform-reference/permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.