# Permission Sets Permission Sets in DuploCloud provide fine-grained access control for users. They define which APIs/resource types a user can access within specific Tenants. Permission Sets can be assigned directly to users or bundled into Permission Groups for easier management. A **Permission Set** is a collection of allow or deny policies applied to users. These policies define which APIs, resource types, and HTTP methods a user can access within specific Tenants. Permission Sets are evaluated by priority, with lower numbers overriding higher numbers. Permission Sets can be system-wide, assigned directly to users, or assigned to user groups. A **Permission Group** is a bundle of users assigned one or more Permission Sets. Groups simplify administration by giving multiple users the same access rules and are ideal for managing permissions by team or role. Users inherit all permissions from the Permission Sets assigned to the group. Users can belong to multiple groups, and all permissions from their assigned groups are combined. ## Configuring Permission Sets in DuploCloud 1. In the DuploCloud Portal, navigate to **Administrator** → **Permissions**. 2. Select the **Sets** tab. 3. Click **Add**. The **Add Permission Set** pane displays.

4. Complete the following fields:


Name	Enter a meaningful name for the Permission Set (e.g., `deny-k8s-job`).
Scope	Select the appropriate scope for the Permission Set (e.g., User or System Wide). Note: Choosing System Wide creates a Permission Set that applies to all users. This can be used for default allow-all permissions or to enforce explicit deny rules across the platform.
Priority	Enter a numeric value; lower numbers take higher precedence. (Tip: start with higher numbers like 50 for flexibility.)
Applicable Tenants	Select the applicable Tenants or choose All Tenants.
Allow or Deny Policy	Click Add Allow Policy or Add Deny Policy and complete the following fields: Resource Type RegEx: Enter the resource type (e.g., `k8s/job`). API Name RegEx: Enter a regex matching the API (e.g., `.k8s/job.`). Method: Choose GET, POST, PUT, DELETE, or ALL.

5. Click **Save** to create the Permission Set. ## Assigning Users to a Permission Set After creating a Permission Set, assign specific users to it: 1. In the **DuploCloud Portal**, navigate to **Administrator** → **Permissions**. 2. Select the **Sets** tab. 3. Select the Permission Set from the **NAME** column. The Permission Set details page displays.

4. Select the **Users** tab. 5. Select the users to whom the Permission Set should apply. 6. Click **Save**. ## Creating a User Group User Groups allow you to assign multiple users the same set of permissions at once. 1. Navigate to **Administrator** → **Permissions**. 2. Select the **Groups** tab. 3. Click **Add**. The **Add Permission Group** pane displays.

4. Complete the fields:


Name	Enter a descriptive name for the Permission Group.
Users	Select one or more users to include in the group.
Permissions	Click Add under Permissions. The Add Permissions pane displays: Select one or more Permission Sets to assign to the group. Click Add to confirm the selection.

Name

Enter a descriptive name for the Permission Group.

Users

Select one or more users to include in the group.

Permissions

Click Add under Permissions. The Add Permissions pane displays:

Select one or more Permission Sets to assign to the group.
Click Add to confirm the selection.

5. Click **Add** to create the Permission Group. {% hint style="info" %} **Notes on User Groups** * Users inherit all permissions from the assigned Permission Sets. * Users can belong to multiple groups; all permissions are combined. {% endhint %} ## Handling Conflicting Permissions It is possible for a user to be assigned multiple Permission Sets that contain contradictory rules. DuploCloud resolves conflicts using the following logic: * **Priority Evaluation:** Permission Sets are evaluated in ascending priority (lower numbers first). * **First Match Wins:** The first matching policy (allow or deny) determines access. * **Default Deny:** If no policy matches, access is denied by default (`400` error). **Example:** * `Permission Set A` (priority 5) denies `GetSecretData` * `Permission Set B` (priority 10) allows `GetSecretData` * **Result:** access is denied because `Permission Set A` has higher precedence. **Best Practices:** * Assign careful priority numbers to Permission Sets to ensure intended behavior. * Use Permission Groups to simplify management, but check for overlapping sets with conflicting rules. ## Testing Permission Set or User Group Configuration 1. Log in as a user assigned to a Permission Set or a User Group. 2. Attempt actions governed by the assigned Permission Set(s). 3. Verify that access is granted or denied according to the rules. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.duplocloud.com/docs/automation-platform/security-and-compliance/access-control-2/permission-sets.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.