Management API privilege levels
Explain the different privilege levels of the Management API and UI
Management API Privileges
The Radiator HTTP Management API uses a hierarchical privilege system to control access to different operations. Each authenticated user or credential is assigned a privilege level that determines which API endpoints and operations they can access. The detailed information of each API endpoint is available under the API documentation.
The Management API is not designed to be exposed to the internet.
Quick Reference
| Privilege Level | Intended For | Key Capabilities |
|---|---|---|
| none | Health checks | Unauthenticated health/liveness/readiness endpoints only |
| monitor | Monitoring tools | View statistics, metrics, logs, and runtime status (read-only) |
| read | Read-only users | View logs, operational dashboards, and all configurations (no modifications) |
| write | Configuration administrators | Full access to manage configurations and server status |
| all | System administrators | Full access to manage configurations and server status: Prefer this over write for administrators. |
Privilege Levels
The following privilege levels are available, ordered from least to most permissive:
none
- Value:
none - Description: No privileges. The user cannot access any authenticated management API endpoints.
- Use case: Used as a default value or to explicitly deny access.
- Note: Some endpoints like
/api/v1/health,/liveand/readydo not require authentication and can be accessed without credentials.
any
Used only for internal use cases.
- Value:
any - Description: Basic authenticated access. Can access endpoints that only require proof of authentication.
- Use case: Used for endpoints that need to verify the user is authenticated but don't require specific permissions.
monitor
- Value:
monitor - Description: Read-only access to monitoring and runtime data. Can view statistics, status, logs, and metrics.
- Use case: For monitoring systems and users who need to observe server health and performance without making changes.
read
- Value:
read - Description: Read access to configuration and stored data. Includes all Monitor privileges plus ability to read configurations.
- Use case: For users who need to inspect server configuration but should not modify it.
install
Used only for internal use cases.
- Value:
install - Description: Special privilege for installation and initial setup operations.
- Use case: Used during initial server setup to change the install/setup password.
write
- Value:
write - Description: Full read and write access to configuration. Can modify all configurations and data.
- Use case: For administrators who need to manage the server configuration.
all
- Value:
all - Description: Represents all possible privileges (maximum privilege level).
- Use case: Currently equivalent to Write. This is recommended as the access method for administrators over write.
Privilege Hierarchy
The privileges are ordered hierarchically:
none (0) < any (1) < monitor (2) < read (3) < install (4) < write (5) < all (255)
When checking authorization, if an endpoint requires a specific privilege level, any equal or higher privilege will be accepted. For example:
- An endpoint requiring
readaccepts users withread,install,write, orallprivileges - An endpoint requiring
monitoraccepts users withmonitor,read,install,write, orallprivileges