IAM Resources and Permissions
This page lists all IAM resources and their related permissions in Monte Carlo. This information is useful when configuring custom account roles.
Permission Types
Permissions have a type that indicates the kind of operations they authorize. The type is indicated next to the permission name:
- read: Authorizes operations that involve viewing/querying (read-only, no changes)
- write: Authorizes operations that involve some form of modification (create, update, delete, etc.)
In role definitions, you can use these types to allow or deny all permissions of a specific type. For example, to grant all read type operations to a resource (but deny all write type operations), you can use a policy statement like monitors/read: allow.
GraphQL
Controls core access to the GraphQL API for executing queries and mutations.
| Permission | Description |
|---|---|
| Query (read) graphql/query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| Mutate (write) graphql/mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
Monitors
Controls access to data + AI monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/access | ⚠️ Deprecated: Use type-specific permissions under monitors/management/ (e.g., monitors/management/table/access). During transition, this permission is kept as an alias. |
| Aggregates (read) monitors/aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| Edit (write) monitors/edit | ⚠️ Deprecated: Use type-specific permissions under monitors/management/ (e.g., monitors/management/table/edit). During transition, this permission is kept as an alias. |
| Draft (write) monitors/draft | ⚠️ Deprecated: Use type-specific permissions under monitors/management/ (e.g., monitors/management/table/draft). During transition, this permission is kept as an alias. |
Management
Controls creation, editing, and drafting of monitors by type. Use type-based/wildcard policies (e.g., monitors/management/write, monitors/management/*) to grant across all monitor types.
Table
Controls access to table monitors (freshness, volume, and asset selection-based monitoring).
| Permission | Description |
|---|---|
| Access (read) monitors/management/table/access | Allow viewing table monitors and their configurations. |
| Edit (write) monitors/management/table/edit | Allow creating, updating, and deleting table monitors. |
| Draft (write) monitors/management/table/draft | Allow creating and editing draft table monitors before they are published. |
Metric
Controls access to metric/stats monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/metric/access | Allow viewing metric monitors and their configurations. |
| Edit (write) monitors/management/metric/edit | Allow creating, updating, and deleting metric monitors. |
| Draft (write) monitors/management/metric/draft | Allow creating and editing draft metric monitors. |
Validation
Controls access to validation rule monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/validation/access | Allow viewing validation monitors and their configurations. |
| Edit (write) monitors/management/validation/edit | Allow creating, updating, and deleting validation monitors. |
| Draft (write) monitors/management/validation/draft | Allow creating and editing draft validation monitors. |
Comparison
Controls access to comparison monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/comparison/access | Allow viewing comparison monitors and their configurations. |
| Edit (write) monitors/management/comparison/edit | Allow creating, updating, and deleting comparison monitors. |
| Draft (write) monitors/management/comparison/draft | Allow creating and editing draft comparison monitors. |
Custom Sql
Controls access to custom SQL monitors and SQL templates.
| Permission | Description |
|---|---|
| Access (read) monitors/management/custom-sql/access | Allow viewing custom SQL monitors and their configurations. |
| Edit (write) monitors/management/custom-sql/edit | Allow creating, updating, and deleting custom SQL monitors. |
| Draft (write) monitors/management/custom-sql/draft | Allow creating and editing draft custom SQL monitors. |
Json Schema
Controls access to JSON schema monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/json-schema/access | Allow viewing JSON schema monitors and their configurations. |
| Edit (write) monitors/management/json-schema/edit | Allow creating, updating, and deleting JSON schema monitors. |
| Draft (write) monitors/management/json-schema/draft | Allow creating and editing draft JSON schema monitors. |
Agent Evaluation
Controls access to agent evaluation monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/agent-evaluation/access | Allow viewing agent evaluation monitors and their configurations. |
| Edit (write) monitors/management/agent-evaluation/edit | Allow creating, updating, and deleting agent evaluation monitors. |
| Draft (write) monitors/management/agent-evaluation/draft | Allow creating and editing draft agent evaluation monitors. |
Agent Trajectory
Controls access to agent trajectory monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/agent-trajectory/access | Allow viewing agent trajectory monitors and their configurations. |
| Edit (write) monitors/management/agent-trajectory/edit | Allow creating, updating, and deleting agent trajectory monitors. |
| Draft (write) monitors/management/agent-trajectory/draft | Allow creating and editing draft agent trajectory monitors. |
Agent Metric
Controls access to agent metric monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/agent-metric/access | Allow viewing agent metric monitors and their configurations. |
| Edit (write) monitors/management/agent-metric/edit | Allow creating, updating, and deleting agent metric monitors. |
| Draft (write) monitors/management/agent-metric/draft | Allow creating and editing draft agent metric monitors. |
Agent Validation
Controls access to agent validation monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/agent-validation/access | Allow viewing agent validation monitors and their configurations. |
| Edit (write) monitors/management/agent-validation/edit | Allow creating, updating, and deleting agent validation monitors. |
| Draft (write) monitors/management/agent-validation/draft | Allow creating and editing draft agent validation monitors. |
Query Performance
Controls access to query performance monitors.
| Permission | Description |
|---|---|
| Access (read) monitors/management/query-performance/access | Allow viewing query performance monitors and their configurations. |
| Edit (write) monitors/management/query-performance/edit | Allow creating, updating, and deleting query performance monitors. |
| Draft (write) monitors/management/query-performance/draft | Allow creating and editing draft query performance monitors. |
Data Sampling
Controls access to sampled data from monitored tables.
| Permission | Description |
|---|---|
| Access (read) monitors/data-sampling/access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| Download (read) monitors/data-sampling/download | Allow downloading sampled data from tables. |
Exceptions
Controls access to monitor exception management for tracking and commenting on breached rows.
| Permission | Description |
|---|---|
| Access (read) monitors/exceptions/access | Allow viewing monitor exception activity logs. |
| Edit (write) monitors/exceptions/edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
Dashboard
Controls access to dashboards for visualizing data + AI quality metrics and insights.
| Permission | Description |
|---|---|
| Access (read) dashboard/access | Allow viewing dashboards. |
| Edit (write) dashboard/edit | Allow creating and editing all dashboards in the account. |
| Edit Their Own (write) dashboard/edit-their-own | Allow creating and editing only dashboards the current user created. Those with dashboard/edit permission can also edit these dashboards. |
Data Products
Controls access to data products for organizing and tracking related data + AI assets.
| Permission | Description |
|---|---|
| Access (read) data-products/access | Allow viewing data products. |
| Edit (write) data-products/edit | Allow creating and editing all data products in the account. |
| Edit Their Own (write) data-products/edit-their-own | Allow creating and editing only data products the current user created. Those with data-products/edit permission can also edit these data products. |
Data Exports
Controls access to data exports for downloading reports and data.
| Permission | Description |
|---|---|
| Access (read) data-exports/access | Allow accessing and downloading data exports. |
Alerts
Controls access to alerts for viewing and managing data + AI quality issues.
| Permission | Description |
|---|---|
| Access (read) alerts/access | Allow viewing alerts and their details. |
| Edit (write) alerts/edit | Allow editing alerts, including merging, splitting, and updating properties. |
| Update Status (write) alerts/update-status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
Assets
Controls access to the assets catalog for exploring and managing asset metadata.
| Permission | Description |
|---|---|
| Access (read) assets/access | Allow viewing the assets catalog and asset metadata. |
| Edit (write) assets/edit | Allow editing asset metadata in the catalog. |
Lineage
Controls access to data + AI lineage features for understanding and monitoring data + AI flows.
| Permission | Description |
|---|---|
| Access (read) lineage/access | Allow viewing lineage graphs and their metadata. |
| Edit (write) lineage/edit | Allow creating and editing lineage metadata (nodes, edges, etc.). |
Performance
Controls access to performance analytics to support query and warehouse analysis and optimization.
| Permission | Description |
|---|---|
| Access (read) performance/access | Allow accessing the performance dashboard and query analytics. |
Users
Controls non-admin access to other account users.
| Permission | Description |
|---|---|
| List (read) users/list | Allow listing users in the account for features like assignee selection and @mentions. |
| Account Owners (read) users/account-owners | Allow viewing the list of Account Owners in the account. |
Settings
Controls access to account settings and configuration.
| Permission | Description |
|---|---|
| Access (read) settings/access | Top-level permission for viewing account settings. This is used where there is not a more specific permission for a given setting. |
| Edit (write) settings/edit | Top-level permission for editing account settings. This is used where there is not a more specific permission for a given setting. |
| List Iam Resources (read) settings/list-iam-resources | Allow listing IAM resource and permission definitions. Required for managing users, authorization groups, or roles, since these operations need to display available permissions. |
| Set Account Name (write) settings/set-account-name | Allow changing the account display name. |
User
Controls self-managed, user-specific settings and preferences.
| Permission | Description |
|---|---|
| Subscribe Weekly Digest (write) settings/user/subscribe-weekly-digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
Users
Controls management of user accounts, including invitations and user attributes.
| Permission | Description |
|---|---|
| Access (read) settings/users/access | Allow viewing authentication and authorization settings. |
| Edit (write) settings/users/edit | Allow managing users, authorization groups, SSO, and authorization provisioning (SCIM) settings. |
Authorization Groups
Controls management of authorization groups and their membership, including auth provisioning (SCIM) settings.
| Permission | Description |
|---|---|
| Access (read) settings/authorization-groups/access | Allow viewing authorization groups and their members. Also required for user management, since group membership is displayed when managing users. |
| Edit (write) settings/authorization-groups/edit | Allow creating, editing, and deleting authorization groups. |
| Manage Owners (write) settings/authorization-groups/manage-owners | Allow managing members of the built-in Account Owners authorization group. |
| Manage Domains Managers (write) settings/authorization-groups/manage-domains-managers | Allow managing members of the built-in Domains Managers authorization group. |
Roles
Controls management of custom account roles and their permission definitions.
| Permission | Description |
|---|---|
| Access (read) settings/roles/access | Allow viewing account roles and their permission definitions. Also required for managing authorization groups, since role assignment requires listing available roles. |
| Edit (write) settings/roles/edit | Allow creating, editing, and deleting custom account roles. |
SSO
Controls access to single sign-on (SSO) configuration settings.
| Permission | Description |
|---|---|
| Access (read) settings/sso/access | Allow viewing SSO configuration settings. |
| Edit (write) settings/sso/edit | Allow configuring single sign-on (SSO) settings. |
Agents
Controls access to agent management for data collection agents.
| Permission | Description |
|---|---|
| Access (read) settings/agents/access | Allow viewing agent details, logs, and reachability information. |
| Edit (write) settings/agents/edit | Allow creating, updating, deleting, and managing data collection agents. |
Domains
Controls access to domain management for organizing data + AI assets.
| Permission | Description |
|---|---|
| Access (read) settings/domains/access | Allow viewing domain settings. |
| List (read) settings/domains/list | Allow listing available domains. |
| View Detail (read) settings/domains/view-detail | Allow viewing detailed domain information and their assets. |
| Edit (write) settings/domains/edit | Allow creating, editing, and deleting domains and related settings. |
PII Filters
Controls access to PII (Personally Identifiable Information) filter management.
| Permission | Description |
|---|---|
| List (read) settings/pii-filters/list | Allow listing PII filters. |
| View Metrics (read) settings/pii-filters/view-metrics | Allow viewing PII filter detection metrics. |
| Edit (write) settings/pii-filters/edit | Allow creating, editing, and deleting PII filters. |
Integrations
Controls access to integrations settings.
| Permission | Description |
|---|---|
| Access (read) settings/integrations/access | Allow viewing integrations and their configurations. |
| Edit (write) settings/integrations/edit | Allow creating, editing, and deleting integrations. |
Notifications
Controls access to notification settings, audiences, and channels.
| Permission | Description |
|---|---|
| Access (read) settings/notifications/access | Allow viewing notification settings, audiences, and channels. |
| Edit (write) settings/notifications/edit | Allow creating, editing, and deleting notification settings, audiences, and channels. |
API
Controls access to API tokens and the API explorer.
| Permission | Description |
|---|---|
| Access (read) settings/api/access | Allow accessing API settings and the API explorer. |
| Edit (write) settings/api/edit | Allow managing personal API tokens. |
| Manage Tokens (write) settings/api/manage-tokens | Allow managing account-level service tokens and integration tokens. |
OAuth Clients
Controls access to OAuth 2.0 client credentials for machine-to-machine authentication.
| Permission | Description |
|---|---|
| Access (read) settings/oauth-clients/access | Allow viewing OAuth clients and their configurations. |
| Edit (write) settings/oauth-clients/edit | Allow creating and deleting OAuth clients. |
Ingestion
Controls access to data ingestion settings and metrics for the account.
| Permission | Description |
|---|---|
| Access (read) settings/ingestion/access | Allow viewing data ingestion settings and metrics. |
| Edit (write) settings/ingestion/edit | Allow editing data ingestion settings. |
| Manage Collection (write) settings/ingestion/manage-collection | Allow managing data collection settings, including upgrades and collection preferences. |
Secrets
Controls access to secrets management for storing sensitive credentials.
| Permission | Description |
|---|---|
| Access (read) settings/secrets/access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
| Edit (write) settings/secrets/edit | Allow creating, editing, and deleting secrets. |
| View Values (read) settings/secrets/view-values | Allow viewing secret values. This grants access to sensitive credential data. |
Billing
Controls access to billing information and invoices.
| Permission | Description |
|---|---|
| Access (read) settings/billing/access | Allow viewing billing information and invoices. |
| Edit (write) settings/billing/edit | Allow modifying billing plan and contract settings. |
Network
Controls network access control settings such as IP restrictions for data being pushed into our system via API, Integration Gateway, or other push-based services.
| Permission | Description |
|---|---|
| Access (read) settings/network/access | Allow viewing network access control settings. |
| Edit (write) settings/network/edit | Allow managing network access control settings. |
Session
Controls account-level session timeout settings, including absolute session lifetime and inactivity timeout.
| Permission | Description |
|---|---|
| Access (read) settings/session/access | Allow viewing session timeout settings. |
| Edit (write) settings/session/edit | Allow managing session timeout settings. |
MCP
Controls access to the Monte Carlo Model Context Protocol (MCP) interface used by AI agents to query and act on the account.
| Permission | Description |
|---|---|
| Access (read) mcp/access | Allow authenticating to MCP and using read-only MCP tools. |
| Edit (write) mcp/edit | Allow authenticating to MCP and using tools that modify account data or configuration. |
