Access profiles determine which model types a user can view or manage. They are assigned to users through the Access Profiles page.

By default, most system-provided access profiles (except Operator profiles) allow:

The Access Profiles list view page lists all existing profiles. From here you can view, add, update, or delete access profiles.

The table describes access profile configuration fields in the Details tab/panel

Type-specific permissions define what actions are allowed per model type. They override wildcard permissions of the same type.

Title	Field Name	Description
Name *	name	A unique name for the access profile.
Description	description	Details about what this access profile is for.
Full Access	full_access	Grants complete system access, if enabled.
Miscellaneous Permissions	miscellaneous_permissions	Additional permissions not tied to a specific model type.

The panel lists the model types the profile can access (supports wildcards *). Click on a permission to update it for the access profile.

The table describes the fields in the type-specific permissions configuration screen.

Access profile permissions and operations

Title	Field Name	Description
Permitted Type	type	The model type permitted by this access profile (supports use of a `*` wildcard). The wildcard can be restricted by a type-specific permission of the same type.
Permitted Operations	operations	Actions allowed for this model type.

Administrators at or above Provider level (for example, hcsadmin) can create and manage access profiles as part of role management.

You can use wildcards in model references (e.g., data/*) when defining type-specific operations.

The following Provider-level administrator roles have full general and type-specific permissions across all models:

Miscellaneous permissions

These are general permissions. Many can be overridden via type-specific settings:

Permission	Description
Api Root	Allows access to the API root endpoint.
Copilot Chat	Displays and enables the VOSS Wingman AI assistant. Requires the global setting Enable Copilot Chat enabled. Refer to the Settings and Tools section in the Advanced Configuration Guide.
Device Type Root	Allows access to the root endpoint for device type models. For example, `https://<host_name>/api/device/cucm/`
Export Data	Granted to all users by default; allows export of search result data.
Help	Shows the online help button.
Help Export	Allows exporting of Help content.
JSON Editor	Enables editing model instances via the JSON Editor in the UI.
Login	Allows the user to login to the system.
Meta Schema	Default permission for all users; API endpoint providing access to model root endpoints. Used by the UI for populating itself with information about resources. Therefore, disable with extreme caution.
Model Type Choices	Default permission for all users; shows model type dropdowns and API model choices.
Model Type Root	Access to model root endpoints. For example, `https://<host_name>/api/device/`.
Operations	Allows operations to be run on models.
Tag	Allows tagging of search results. Removing the permission triggers a permission error.
Tool Root	Access to the API tool root endpoint (`https://<host_name>/api/tool/`)
Upload	Allows users to upload files.

Note

The following permissions allow for discovery of resources in API integrations:

Device Type Root
Model Type Root
Tool Root

Dashboard permissions (permission groups)

Dashboard permission groups group related Insights reporter resources (data/ReporterResource) that dashboards require.

You can either:

Grant reporter resource permissions individually, or
Use a Dashboard Permission Group to simplify management

If a dashboard widget relies on a reporter resource that isn't included in the user's access profile:

The widget will not display its data
The user cannot manage the widget

Admins with inherited Provider-level access can create and delete dashboard permission groups.

A user's dashboard permissions consist of both of the following:

Permissions selected in groups
Individually selected resources

Type-specific permissions

These are shown in the UI when viewing or listing a particular model's type.

Note

Available permissions vary by model type. Enabling Create automatically enables Clone for that model type.

Examples of type-specific permissions

Permission	Description
`data/DashboardFieldGrouping:read`	Required for dashboards; granted to all users.
`view/HcsVersionVIEW`	Allows viewing About information.
`data/UserSavedSearch:read`	Allows viewing saved searches.
`data/Alert:read`	Allows receiving alert notifications.
`data/MenuLayout:read`	Granted to all users by default.
`data/Dashboard:read`	Default for all users.
`data/Dashboard:export_dashboard_data`	Allows exporting dashboard data (not the schema).
`data/HierarchyNode:read`	Default for all users.
`data/SelfServiceTranslation:read`	Default for all users.

Type-specific operations

Operation	Description
Create, Delete, Read, Update	Standard model management operations.
Configuration Template / Field Display Policy	Allows creating templates and field policies.
Export / Export Bulkload Template	Enables export functionality.
Bulk Update	Allows bulk editing of selected list items.
Purge	For system administrators; removes the local database instance while retaining it on the device. Relevant only where the UC server is online and available in the VOSS system.
Migration	For designers; allows generating migration templates.
Tag / Tag Version	For designers; allows tagging model instances.

Dependent permissions

Some API endpoints grant permissions through higher-level operations, and may be granted by having another permission in the access profile.

Example:

Permission to /api/handle_oauth_webex/

Granted automatically if the user has Update permission on relation/SparkCustomer

Related topics

Introduction to access profiles in the Core Feature Guide

Access profiles define model types that a user is permitted to access. Access profiles are assigned to users via Roles

Model Details: data/AccessProfile

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title				Description	Details
Name *				The name that is given to the Access Profile.	Field Name: name Type: String MaxLength: 1024
Description				A description for the Access Profile.	Field Name: description Type: String MaxLength: 1024
Full Access				Enabling this flag, grants the user full system access.	Field Name: full_access Type: Boolean
	Miscellaneous Permissions			The list of miscellaneous operations permitted by this Access Profile.	Field Name: miscellaneous_permissions.[n] Type: Array
Dashboard Permissions					Field Name: dashboard_permissions Type: Object
		Dashboard Permission Groups		The list of dashboard permission groups that are permitted by this Access Profile.	Field Name: dashboard_permission_groups.[n] Type: Array
		Specific Permissions		The list of specific resources permissions that are permitted by this Access Profile.	Field Name: specific_permissions.[n] Type: Array
	Type Specific Permissions			The list of types that are permitted by this Access Profile.	Field Name: type_specific_permissions.[n] Type: Array
		Permitted Type *		The type that is permitted by this Access Profile. This field supports the use of the * wildcard.	Field Name: type_specific_permissions.[n].type Type: String MaxLength: 1024 Format: uri
			Permitted Operations	The operations that are permitted by this Access Profile for the given type.	Field Name: operations.[n] Type: Array

Model: data/AccessProfile

Introduction to Access Profiles

Access profile permissions and operations

Miscellaneous permissions

Dashboard permissions (permission groups)

Type-specific permissions

Dependent permissions

Model Details: data/AccessProfile