Skip to content

Roles and permissions

Roles represent specific permissions that you can assign to a group of users. Among other options, groups and roles allow you to use separate groups, with different roles for the same users, in different Collection Zone instances, if desired.

Roles are specific to each application in Zenoss Cloud, including Zenoss Cloud itself. For more information about assigning roles to groups, see Managing groups.

Collection Zone roles

Collection Zones support one set of roles that provides cumulative privileges and a customizable role:

  • The ZenUserZenOperatorZenManager set provides cumulative privileges for all Collection Zone UI features.
  • The Delegate to Collection Zone role provides the privileges you define through administered objects.

For more information about roles in Collection Zones, see Managing users.

ZenUser → ZenOperator → ZenManager


ZenUser ZenOperator ZenManager
Read access for all Collection Zone objects (yes) (yes) (yes)
Read-write access for event management (no) (yes) (yes)
Read-write access for all Collection Zone objects (no) (no) (yes)

Combine ZenOperator and ZenUser to grant read access, but also allow write privileges for acknowledging and closing events, moving events to history, setting production states, running commands, and adding log messages to events. Also, you can associate the ZenOperator role with an individual device, a device class, or a group of devices.

Zenoss Cloud roles

Zenoss Cloud provides two sets of roles that provide cumulative privileges:

  • The ReadOnlyUserUserManager set provides cumulative privileges for most Zenoss Cloud UI features.
  • The Key CreatorKey AdministratorManager set provides cumulative privileges for authentication key creation and management.

Typically, all users get one of the roles from the first set, but only a few also get a role from the second set.

ReadOnlyUser → User → Manager roles

This set provides cumulative privileges for most Zenoss Cloud UI features.


ReadOnlyUser User Manager
Display public Zenoss Cloud dashboards (yes) (yes) (yes)
Display Zenoss Cloud events consoles (yes) (yes) (yes)
Display Smart View pages (yes) (yes) (yes)
Create Zenoss Cloud dashboards (no) (yes) (yes)
Copy dashboard templates (no) (yes) (yes)
Edit individual metric dictionary entries (no) (yes) (yes)
Edit or delete any user's public dashboard (no) (no) (yes)
Manage user session security (no) (no) (yes)
Create and delete user groups and user accounts (no) (no) (yes)
Create and delete a customized login message (no) (no) (yes)
Manage the metric dictionary (no) (no) (yes)

Key Creator → Key Administrator → Manager roles

This set provides cumulative privileges for authentication key creation and management.


Key Creator Key Administrator Manager
Create keys for Collection Zone API clients (yes) (yes) (yes)
Create and delete API Clients (no) (yes) (yes)
Create and delete keys for Zenoss API clients (no) (yes) (yes)
Delete keys for Collection Zone API clients created by others (no) (yes) (yes)