IAM Resources and Permissions
This page lists all IAM resources and their related permissions in Monte Carlo. This information is useful when configuring custom account roles.
Permission Types
Permissions have a type that indicates the kind of operations they authorize. The type is indicated by an icon next to the permission name:
- 📖
read– Authorizes operations that involve viewing/querying (read only--no changes) - ✏️
write– Authorizes operations that involve some form of modification (create, update, delete, etc.)
In role definitions, you can leverage these to allow or deny permissions of a specific type. For example, if you wanted to grant all read type operations to a resource (but deny all write type operations), you can use a policy statement like monitors/read: allow.
GraphQL
Controls core access to the GraphQL API for executing queries and mutations.
| Permission | Description |
|---|---|
Query 📖graphql/query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
Mutate ✏️graphql/mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
Monitors
Controls access to data + AI monitors.
| Permission | Description |
|---|---|
Access 📖monitors/access | ⚠️ Deprecated: Use type-specific permissions under monitors/management/ (e.g., monitors/management/table/access). During transition, this permission is kept as an alias. |
Aggregates 📖monitors/aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
Edit ✏️monitors/edit | ⚠️ Deprecated: Use type-specific permissions under monitors/management/ (e.g., monitors/management/table/edit). During transition, this permission is kept as an alias. |
Draft ✏️monitors/draft | ⚠️ Deprecated: Use type-specific permissions under monitors/management/ (e.g., monitors/management/table/draft). During transition, this permission is kept as an alias. |
Management
Controls creation, editing, and drafting of monitors by type. Use type-based/wildcard policies (e.g., monitors/management/write, monitors/management/*) to grant across all monitor types.
Table
Controls access to table monitors (freshness, volume, and asset selection-based monitoring).
| Permission | Description |
|---|---|
Access 📖monitors/management/table/access | Allow viewing table monitors and their configurations. |
Edit ✏️monitors/management/table/edit | Allow creating, updating, and deleting table monitors. |
Draft ✏️monitors/management/table/draft | Allow creating and editing draft table monitors before they are published. |
Metric
Controls access to metric/stats monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/metric/access | Allow viewing metric monitors and their configurations. |
Edit ✏️monitors/management/metric/edit | Allow creating, updating, and deleting metric monitors. |
Draft ✏️monitors/management/metric/draft | Allow creating and editing draft metric monitors. |
Validation
Controls access to validation rule monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/validation/access | Allow viewing validation monitors and their configurations. |
Edit ✏️monitors/management/validation/edit | Allow creating, updating, and deleting validation monitors. |
Draft ✏️monitors/management/validation/draft | Allow creating and editing draft validation monitors. |
Comparison
Controls access to comparison monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/comparison/access | Allow viewing comparison monitors and their configurations. |
Edit ✏️monitors/management/comparison/edit | Allow creating, updating, and deleting comparison monitors. |
Draft ✏️monitors/management/comparison/draft | Allow creating and editing draft comparison monitors. |
Custom Sql
Controls access to custom SQL monitors and SQL templates.
| Permission | Description |
|---|---|
Access 📖monitors/management/custom-sql/access | Allow viewing custom SQL monitors and their configurations. |
Edit ✏️monitors/management/custom-sql/edit | Allow creating, updating, and deleting custom SQL monitors. |
Draft ✏️monitors/management/custom-sql/draft | Allow creating and editing draft custom SQL monitors. |
Json Schema
Controls access to JSON schema monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/json-schema/access | Allow viewing JSON schema monitors and their configurations. |
Edit ✏️monitors/management/json-schema/edit | Allow creating, updating, and deleting JSON schema monitors. |
Draft ✏️monitors/management/json-schema/draft | Allow creating and editing draft JSON schema monitors. |
Agent Evaluation
Controls access to agent evaluation monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/agent-evaluation/access | Allow viewing agent evaluation monitors and their configurations. |
Edit ✏️monitors/management/agent-evaluation/edit | Allow creating, updating, and deleting agent evaluation monitors. |
Draft ✏️monitors/management/agent-evaluation/draft | Allow creating and editing draft agent evaluation monitors. |
Agent Trajectory
Controls access to agent trajectory monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/agent-trajectory/access | Allow viewing agent trajectory monitors and their configurations. |
Edit ✏️monitors/management/agent-trajectory/edit | Allow creating, updating, and deleting agent trajectory monitors. |
Draft ✏️monitors/management/agent-trajectory/draft | Allow creating and editing draft agent trajectory monitors. |
Agent Metric
Controls access to agent metric monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/agent-metric/access | Allow viewing agent metric monitors and their configurations. |
Edit ✏️monitors/management/agent-metric/edit | Allow creating, updating, and deleting agent metric monitors. |
Draft ✏️monitors/management/agent-metric/draft | Allow creating and editing draft agent metric monitors. |
Agent Validation
Controls access to agent validation monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/agent-validation/access | Allow viewing agent validation monitors and their configurations. |
Edit ✏️monitors/management/agent-validation/edit | Allow creating, updating, and deleting agent validation monitors. |
Draft ✏️monitors/management/agent-validation/draft | Allow creating and editing draft agent validation monitors. |
Query Performance
Controls access to query performance monitors.
| Permission | Description |
|---|---|
Access 📖monitors/management/query-performance/access | Allow viewing query performance monitors and their configurations. |
Edit ✏️monitors/management/query-performance/edit | Allow creating, updating, and deleting query performance monitors. |
Draft ✏️monitors/management/query-performance/draft | Allow creating and editing draft query performance monitors. |
Data Sampling
Controls access to sampled data from monitored tables.
| Permission | Description |
|---|---|
Access 📖monitors/data-sampling/access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
Download 📖monitors/data-sampling/download | Allow downloading sampled data from tables. |
Exceptions
Controls access to monitor exception management for tracking and commenting on breached rows.
| Permission | Description |
|---|---|
Access 📖monitors/exceptions/access | Allow viewing monitor exception activity logs. |
Edit ✏️monitors/exceptions/edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
Dashboard
Controls access to dashboards for visualizing data + AI quality metrics and insights.
| Permission | Description |
|---|---|
Access 📖dashboard/access | Allow viewing dashboards. |
Edit ✏️dashboard/edit | Allow creating and editing all dashboards in the account. |
Edit Their Own ✏️dashboard/edit-their-own | Allow creating and editing only dashboards the current user created. Those with dashboard/edit permission can also edit these dashboards. |
Data Products
Controls access to data products for organizing and tracking related data + AI assets.
| Permission | Description |
|---|---|
Access 📖data-products/access | Allow viewing data products. |
Edit ✏️data-products/edit | Allow creating and editing all data products in the account. |
Edit Their Own ✏️data-products/edit-their-own | Allow creating and editing only data products the current user created. Those with data-products/edit permission can also edit these data products. |
Data Exports
Controls access to data exports for downloading reports and data.
| Permission | Description |
|---|---|
Access 📖data-exports/access | Allow accessing and downloading data exports. |
Alerts
Controls access to alerts for viewing and managing data + AI quality issues.
| Permission | Description |
|---|---|
Access 📖alerts/access | Allow viewing alerts and their details. |
Edit ✏️alerts/edit | Allow editing alerts, including merging, splitting, and updating properties. |
Update Status ✏️alerts/update-status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
Assets
Controls access to the assets catalog for exploring and managing asset metadata.
| Permission | Description |
|---|---|
Access 📖assets/access | Allow viewing the assets catalog and asset metadata. |
Edit ✏️assets/edit | Allow editing asset metadata in the catalog. |
Lineage
Controls access to data + AI lineage features for understanding and monitoring data + AI flows.
| Permission | Description |
|---|---|
Access 📖lineage/access | Allow viewing lineage graphs and their metadata. |
Edit ✏️lineage/edit | Allow creating and editing lineage metadata (nodes, edges, etc.). |
Performance
Controls access to performance analytics to support query and warehouse analysis and optimization.
| Permission | Description |
|---|---|
Access 📖performance/access | Allow accessing the performance dashboard and query analytics. |
Users
Controls non-admin access to other account users.
| Permission | Description |
|---|---|
List 📖users/list | Allow listing users in the account for features like assignee selection and @mentions. |
Settings
Controls access to account settings and configuration.
| Permission | Description |
|---|---|
Access 📖settings/access | Top-level permission for viewing account settings. This is used where there is not a more specific permission for a given setting. |
Edit ✏️settings/edit | Top-level permission for editing account settings. This is used where there is not a more specific permission for a given setting. |
List Iam Resources 📖settings/list-iam-resources | Allow listing IAM resource and permission definitions. Required for managing users, authorization groups, or roles, since these operations need to display available permissions. |
Set Account Name ✏️settings/set-account-name | Allow changing the account display name. |
User
Controls self-managed, user-specific settings and preferences.
| Permission | Description |
|---|---|
Subscribe Weekly Digest ✏️settings/user/subscribe-weekly-digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
Users
Controls management of user accounts, including invitations and user attributes.
| Permission | Description |
|---|---|
Access 📖settings/users/access | Allow viewing authentication and authorization settings. |
Edit ✏️settings/users/edit | Allow managing users, authorization groups, SSO, and authorization provisioning (SCIM) settings. |
Authorization Groups
Controls management of authorization groups and their membership, including auth provisioning (SCIM) settings.
| Permission | Description |
|---|---|
Access 📖settings/authorization-groups/access | Allow viewing authorization groups and their members. Also required for user management, since group membership is displayed when managing users. |
Edit ✏️settings/authorization-groups/edit | Allow creating, editing, and deleting authorization groups. |
Manage Owners ✏️settings/authorization-groups/manage-owners | Allow managing members of the built-in Account Owners authorization group. |
Manage Domains Managers ✏️settings/authorization-groups/manage-domains-managers | Allow managing members of the built-in Domains Managers authorization group. |
Roles
Controls management of custom account roles and their permission definitions.
| Permission | Description |
|---|---|
Access 📖settings/roles/access | Allow viewing account roles and their permission definitions. Also required for managing authorization groups, since role assignment requires listing available roles. |
Edit ✏️settings/roles/edit | Allow creating, editing, and deleting custom account roles. |
SSO
Controls access to single sign-on (SSO) configuration settings.
| Permission | Description |
|---|---|
Access 📖settings/sso/access | Allow viewing SSO configuration settings. |
Edit ✏️settings/sso/edit | Allow configuring single sign-on (SSO) settings. |
Agents
Controls access to agent management for data collection agents.
| Permission | Description |
|---|---|
Access 📖settings/agents/access | Allow viewing agent details, logs, and reachability information. |
Edit ✏️settings/agents/edit | Allow creating, updating, deleting, and managing data collection agents. |
Domains
Controls access to domain management for organizing data + AI assets.
| Permission | Description |
|---|---|
Access 📖settings/domains/access | Allow viewing domain settings. |
List 📖settings/domains/list | Allow listing available domains. |
View Detail 📖settings/domains/view-detail | Allow viewing detailed domain information and their assets. |
Edit ✏️settings/domains/edit | Allow creating, editing, and deleting domains and related settings. |
PII Filters
Controls access to PII (Personally Identifiable Information) filter management.
| Permission | Description |
|---|---|
List 📖settings/pii-filters/list | Allow listing PII filters. |
View Metrics 📖settings/pii-filters/view-metrics | Allow viewing PII filter detection metrics. |
Edit ✏️settings/pii-filters/edit | Allow creating, editing, and deleting PII filters. |
Integrations
Controls access to integrations settings.
| Permission | Description |
|---|---|
Access 📖settings/integrations/access | Allow viewing integrations and their configurations. |
Edit ✏️settings/integrations/edit | Allow creating, editing, and deleting integrations. |
Notifications
Controls access to notification settings, audiences, and channels.
| Permission | Description |
|---|---|
Access 📖settings/notifications/access | Allow viewing notification settings, audiences, and channels. |
Edit ✏️settings/notifications/edit | Allow creating, editing, and deleting notification settings, audiences, and channels. |
API
Controls access to API tokens and the API explorer.
| Permission | Description |
|---|---|
Access 📖settings/api/access | Allow accessing API settings and the API explorer. |
Edit ✏️settings/api/edit | Allow managing personal API tokens. |
Manage Tokens ✏️settings/api/manage-tokens | Allow managing account-level service tokens and integration tokens. |
Ingestion
Controls access to data ingestion settings and metrics for the account.
| Permission | Description |
|---|---|
Access 📖settings/ingestion/access | Allow viewing data ingestion settings and metrics. |
Edit ✏️settings/ingestion/edit | Allow editing data ingestion settings. |
Manage Collection ✏️settings/ingestion/manage-collection | Allow managing data collection settings, including upgrades and collection preferences. |
Secrets
Controls access to secrets management for storing sensitive credentials.
| Permission | Description |
|---|---|
Access 📖settings/secrets/access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
Edit ✏️settings/secrets/edit | Allow creating, editing, and deleting secrets. |
View Values 📖settings/secrets/view-values | Allow viewing secret values. This grants access to sensitive credential data. |
Billing
Controls access to billing information and invoices.
| Permission | Description |
|---|---|
Access 📖settings/billing/access | Allow viewing billing information and invoices. |
Edit ✏️settings/billing/edit | Allow modifying billing plan and contract settings. |
Network
Controls network access control settings such as IP restrictions for data being pushed into our system via API, Integration Gateway, or other push-based services.
| Permission | Description |
|---|---|
Access 📖settings/network/access | Allow viewing network access control settings. |
Edit ✏️settings/network/edit | Allow managing network access control settings. |
Session
Controls account-level session timeout settings, including absolute session lifetime and inactivity timeout.
| Permission | Description |
|---|---|
Access 📖settings/session/access | Allow viewing session timeout settings. |
Edit ✏️settings/session/edit | Allow managing session timeout settings. |
MCP
Controls access to the Monte Carlo Model Context Protocol (MCP) interface used by AI agents to query and act on the account.
| Permission | Description |
|---|---|
Access 📖mcp/access | Allow authenticating to MCP and using read-only MCP tools. |
Edit ✏️mcp/edit | Allow authenticating to MCP and using tools that modify account data or configuration. |
Updated 1 day ago