# Roles & Permissions Reference
Complete reference for the Reply CMP RBAC model — all roles, their permissions, assignment rules, caching behaviour, and security guarantees.
## Permission Format
All permissions in Reply CMP follow the pattern:
`Module.Resource / Action`

Examples:

- `FinOps.Cost / Read` — read cost data in FinOps
- `Discovery.Resource / Write` — create/modify resources in Discovery
- `Onboarding.Connection / Delete` — delete cloud connections
## Built-in Roles
Three built-in roles cover the most common access patterns:
| Role | Scope | Summary |
|---|---|---|
| Owner | Tenant | Full access to all modules + RBAC management (assign/revoke roles) |
| Contributor | Tenant | Full access to all modules; cannot manage RBAC |
| Reader | Tenant | Read-only access to all modules |
## Module-specific Roles
Module roles allow granular elevation for specific platform areas:
| Role | Module | Permissions |
|---|---|---|
| Discovery Contributor | Discovery | |
| Discovery Reader | Discovery | |
| FinOps Contributor | FinOps | |
| FinOps Reader | FinOps | All FinOps resources |
| Provisioning Contributor | Provisioning | |
| Provisioning Reader | Provisioning | |
| Policy Contributor | Automation | |
| Policy Reader | Automation | |
| Monitoring Contributor | Monitoring | |
| Monitoring Reader | Monitoring | |
| Tenant Reader | Tenant | |
| User Administrator | Users | |
## Permission Domains
All permission domains in the platform:
| Domain | Resources | Actions available |
|---|---|---|
| | | Read, Write, Delete |
| | | Read, Write, Delete |
| | | Read, Write, Delete |
| | | Read, Write, Delete |
| | | Read, Write |
| | | Read, Write, Delete |
| | AI agent tools | Various (per-tool access control) |
## Assignment Rules
- **Superset rule:** You can only assign roles whose combined permissions are a subset of your own. This prevents privilege escalation through delegation.
  - A FinOps Reader cannot assign the FinOps Contributor role to another user.
  - A Contributor can assign any non-Owner role.
- **Self-operation prohibition:** You cannot assign roles to yourself, nor revoke your own roles. This requires a second administrator.
- **Scope:** Roles are tenant-scoped. A user’s roles apply to the entire tenant — there are no per-group or per-resource role assignments.
- **Multiple roles:** A user can hold any number of roles simultaneously. Effective permissions are the union of all assigned roles.
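The assignment rules above, modelled as an added example (not Reply CMP code): permissions use the page's `Module.Resource / Action` format, effective permissions are the union of assigned roles, and an assignment is refused when the actor targets themselves or lacks any permission of the role being granted. The role contents and the `RBAC.Role / Write` permission held only by Owner are assumed for illustration, not the platform's real lists.

```python
# Added example (not Reply CMP code): models the page's assignment rules.
# Permission strings use the page's "Module.Resource / Action" format; the
# role contents below are ASSUMED for illustration, not the platform's real lists.
ALL_MODULE_PERMS = {
    "FinOps.Cost / Read", "FinOps.Cost / Write", "FinOps.Cost / Delete",
    "Discovery.Resource / Read", "Discovery.Resource / Write",
}
ROLES = {
    "FinOps Reader": {"FinOps.Cost / Read"},
    "FinOps Contributor": {p for p in ALL_MODULE_PERMS if p.startswith("FinOps.")},
    "Discovery Reader": {"Discovery.Resource / Read"},
    "Contributor": set(ALL_MODULE_PERMS),
    # Hypothetical RBAC-management permission that only Owner holds, so the
    # superset rule alone stops a Contributor from granting Owner.
    "Owner": ALL_MODULE_PERMS | {"RBAC.Role / Write"},
}

def parse_permission(perm):
    """Split 'Module.Resource / Action' into (module, resource, action); reject malformed input."""
    left, sep, action = perm.partition(" / ")
    module, dot, resource = left.partition(".")
    if not (sep and dot and module and resource and action.strip()):
        raise ValueError(f"malformed permission: {perm!r}")
    return module, resource, action.strip()

def effective_permissions(assigned_roles):
    """Effective permissions are the union of every assigned role (multiple-roles rule)."""
    perms = set()
    for role in assigned_roles:
        perms |= ROLES[role]
    return perms

def can_assign(actor, actor_roles, target, role):
    """Return (allowed, reason) under the superset rule and the self-operation prohibition."""
    if actor == target:
        return False, "self-operation prohibited: a second administrator must do this"
    missing = ROLES[role] - effective_permissions(actor_roles)
    if missing:
        return False, "superset rule: actor lacks " + ", ".join(sorted(missing))
    return True, "ok"
```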
## Caching
For performance, role assignments and effective permission sets are cached:
| Cache | Duration | Notes |
|---|---|---|
| Role assignments | 30 minutes (5-minute sliding window) | After assigning a new role, it may take up to 30 min to take effect |
| Role definitions | 24 hours | Role definitions rarely change |
**Note:** If you need a permission to take effect immediately (e.g., for a new user who needs urgent access), ask the user to log out and log back in — this invalidates their session cache.
## CMP Agent (MCP Tool) Permissions
The 11 MCP tools used by the CMP Agent are permission-gated. Each tool requires one or more standard permissions. The mapping is enforced automatically — users who lack the required permission will not have that tool available to the Agent when they chat.
Example: `QueryRawDataTool` requires `FinOps.Cost / Read`. A Discovery-only user cannot query cost data through the CMP Agent.