> ## Documentation Index
> Fetch the complete documentation index at: https://doc.lucidworks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles

export const LwTemplate = ({title = "Key questions to get you started", icon = "sparkles", cta = "Powered by Agent Studio", linkHref = "https://lucidworks.com/demo/?utm_source=docs&utm_medium=referral&utm_campaign=docs_cta_ai"}) => {
  const [isLoaded, setIsLoaded] = useState(false);
  useEffect(() => {
    const timer = setTimeout(() => {
      setIsLoaded(true);
    }, 500);
    return () => clearTimeout(timer);
  }, []);
  return <div className="lw-template-container">
      <Card title={title} icon={icon}>
        {isLoaded && <span dangerouslySetInnerHTML={{
    __html: `<lw-template id="a029c1a9-28be-427e-b0e1-5d918920246a"></lw-template
            >`
  }} />}
        <Link href={linkHref} className="agent-studio-link text-left text-gray-600 gap-2 dark:text-gray-400 text-sm font-medium flex flex-row items-center hover:text-primary dark:hover:text-primary-light group-hover:text-primary group-hover:dark:text-primary-light">Powered by Lucidworks Agent Studio</Link>
      </Card>
    </div>;
};

[localhost link]: http://localhost:3000/docs/lucidworks-search/08-administration/access-control/roles

[mintlify link]: https://doc.lucidworks.com/docs/lucidworks-search/08-administration/access-control/roles

[old doc.lw link]: https://doc.lucidworks.com/managed-fusion/5.9/ydvorx

Roles are named sets of [permissions](/docs/lucidworks-search/08-administration/access-control/permissions) that encapsulate the permissions needed for different kinds of users. Permissions grant users access to subsets of Lucidworks Search functionality. A role can specify UI permissions, API permissions, or both:

* UI permissions grant users access to parts of the Lucidworks Search UI.
* API permissions grant users access to specific API commands for specific REST API endpoints.

See [Permissions](/docs/lucidworks-search/08-administration/access-control/permissions) for information about how permissions supplied by multiple roles and by user definitions combine.

<Warning>
  Users who can create or modify code obtain access to the broader Lucidworks Search environment. This access can be used to create intentional or unintentional damage to Lucidworks Search.
</Warning>

<LwTemplate />

## Roles and environments

The roles that Lucidworks Search clients have depend on the type of [environment](/docs/lucidworks-search/08-administration/environments/overview).

## Default roles

At initial startup, Lucidworks Search creates a set of default roles for common types of users.

### admin

The admin role is the equivalent to the Unix `root` or superuser.
It allows full access to all Lucidworks Search services:

```bash theme={"dark"}
GET,POST,PUT,DELETE,PATCH,HEAD:/**
```

### developer

The developer role has all the read/write permissions required for building and running applications. This role cannot add users; user management is handled by Lucidworks.

<Note>
  The developer role is updated for Lucidworks Search 5.10 to exclude permissions for creating, editing, and deleting Spark jobs, JavaScript stages in querying and indexing pipelines, and custom index and query stages. The new roles including these permissions are created when upgrading to Lucidworks Search 5.10, but the existing developer role is not updated in order to prevent unexpected changes.
</Note>

```bash theme={"dark"}
GET,POST,PUT:/system/**
GET,POST,PUT,DELETE,HEAD:/stopwords/**
GET,POST,PUT:/usage/**
GET:/features/**
GET,POST,PUT,DELETE,HEAD:/blobs/**
GET,POST,PUT,DELETE,HEAD:/scheduler/**
GET,POST,PUT,DELETE,HEAD:/experiments
GET:/introspect/**
PUT:/usage/**
GET,POST,PUT,DELETE,HEAD:/index-stages/**
GET,POST,PUT,DELETE,HEAD:/messaging/**
GET,POST,PUT,DELETE,HEAD:/catalog
GET,POST,PUT,DELETE,HEAD:/parsers/**
GET,POST,PUT:/appkit/**
GET,POST,PUT,DELETE,HEAD:/index-profiles/**
GET,POST,PUT:/recommend/**
GET,POST,PUT,DELETE,HEAD:/history/**
GET,POST,PUT,DELETE,HEAD:/apps/**
GET,POST,PUT,DELETE,HEAD:/solr/**
GET,POST:/query/**
GET,POST,PUT:/signals/**
GET,POST,PUT:/searchLogs/**
GET,POST,PUT,DELETE,HEAD:/query-pipelines/**
GET,POST,PUT:/configurations/**
GET:/suggestions/**
GET,POST,PUT,DELETE,HEAD:/searchCluster/**
GET,POST,PUT,DELETE,HEAD:/index-pipelines/**
GET:/license
GET,POST,PUT,DELETE,HEAD:/spark/**
GET,POST,PUT,DELETE,HEAD:/query-stages/**
GET,POST,PUT,DELETE,HEAD:/prefs/apps/search/*
GET:/nodes/**
GET,POST,PUT,DELETE,HEAD:/solrAdmin/**
GET,POST,PUT:/synonyms/**
GET,POST,PUT,DELETE,HEAD:/jobs/**
GET,POST,PUT,DELETE,HEAD,OPTIONS:/collections/**
GET,POST,PUT,DELETE,HEAD:/connectors/**
GET,POST,PUT,DELETE,HEAD:/groups/**
GET,POST,PUT,DELETE,HEAD:/query-profiles/**
GET,POST,PUT:/templates/**
GET,POST,PUT,DELETE,HEAD:/tasks/**
GET,POST,PUT,DELETE,HEAD:/links/**
PATCH:/users/{id}:id=#ID
GET,POST,PUT:/registration/**
POST:/index/**
GET,POST,PUT:/objects/**
GET,POST,PUT:/templates/**
```

<Note>
  The permission `PATCH:/users/{id}:id=#ID` uses the variable value `#ID` as a placeholder for the currently logged-in user ID. It is included so the Lucidworks Search UI "change password" feature is available to native realm users.
</Note>

### readonly

The readonly role can view everything in Fusion but cannot modify configurations. Lucidworks Search customers must make changes in the appropriate stage environment, after which Lucidworks will promote the change to production.

```bash theme={"dark"}
PUT,DELETE:/apps/*/blobs/prefs-*._lw_tmp_*
PUT,DELETE:/prefs/apps/search/*._lw*_tmp_*
PUT,DELETE:/apps/*/query-pipelines/_lw*_tmp_*
POST:/prefs/apps/search
PUT,DELETE:/apps/*/index-pipelines/_lw*_tmp_*
POST:/apps/*/query-pipelines
POST:/query-pipelines/_system/collections/*/select
POST:/apps/*/parsers
POST:/apps/*/index-pipelines
PUT:/usage/counters/*
GET:/**
PUT,DELETE:/apps/*/parsers/_lw*_tmp_*
POST,GET,PUT:/signals/**
```

### rules

The rules role provides [query rewriting](/docs/lucidworks-search/07-improve-your-queries/query-rewriting/overview) API access to all Lucidworks Search apps.

```bash theme={"dark"}
GET:/apps/*/query-profiles/**
GET,POST,PUT,PATCH,DELETE,HEAD:/apps/*/query-rewrite/**
GET:/solr/**
GET:/query/**
GET:/collections/**
GET:/apps/**
```

### search

The search role has read-only query and write-only signal API access to the Lucidworks Search "default" collection. These permissions are required for search applications, for example, for App Studio.

```bash theme={"dark"}
POST:/apps/*/signals/**
GET,POST:/query/**
POST:/signals/**
PATCH:/users/{id}:id=#ID
GET,POST:/apps/*/query/**
```

<Note>
  The permission `PATCH:/users/{id}:id=#ID` uses the variable value `#ID` as a placeholder for the currently logged-in user ID. It is included so the Lucidworks Search UI "change password" feature is available to native realm users.
</Note>

### webapps-role

The webapps role can list and download Lucidworks Search apps.

```bash theme={"dark"}
GET,HEAD:/webapps/**
GET,HEAD:/license
```

## Role information

Lucidworks Search stores role information in [Apache ZooKeeper](http://zookeeper.apache.org/).
Each role in a ZooKeeper entry contains the following:

* `id`– ID string, created by Lucidworks Search
* `name`– Role name string
* `desc`– Text description; optional
* `permissions`– A list of Lucidworks Search permission specifications
* `ui-permisions`– A list of names of Lucidworks Search UI components
* `created-at`– Timestamp; created by Lucidworks Search
* `updated-at`– Timestamp for last edit; created by Lucidworks Search

## Manage roles

Only users with admin privileges can manage roles. In Lucidworks Search environments, Lucidworks is responsible for managing roles.

## Assign job permissions

<Note>
  **Important**

  The colon character `:` is a special character used in the permissions engine, so you must use an asterisk `*` in the command.
</Note>

To assign permissions for a specific job, enter the following command, where you must enter the specific job in the `<JOB_NAME>` field:

```bash theme={"dark"}
POST:/apps/*/jobs/task*<JOB_NAME>/actions
```

### Assign job permissions in the UI

The command to assign permissions for a specific job in the UI is an exact call, so you must specify the `<JOB_NAME>`.

For example, if the job name is `testing-call`, two example commands are:

```bash theme={"dark"}
POST:/apps/<APP_NAME>/jobs/task:testing-call/actions
```

or

```bash theme={"dark"}
POST:/apps/*/jobs/task:testing-call/actions
```

### Assign permissions in the API

The command to assign permissions to a job using an API does not require you to specify the `<APP_NAME>`.

Two example commands are:

```bash theme={"dark"}
POST:/jobs/**
```

or

```bash theme={"dark"}
POST:/jobs/task*<JOB_NAME>/actions
```
