Control Tower permissions (in preview)
Any user with a global role that has the Product Rights > Control Tower global permission can access the Control Tower product pages. Certain tasks, however, require specific permissions.
Global permissions
| Global permission | Description | Required license | New license |
|---|---|---|---|
| Product Rights > Control Tower | Allows users full access to the Control Tower product pages. | Read only | Viewer |
By default, only the Sysadmin global role has this global permission. There is no out-of-the-box Control Tower-related global role. We recommend that you do one of the following:
- Give this global permission to an existing global role.
- Create a new global role and give it this global permission.
For guidance on how to do this, go to Set up Control Tower.
Resource permissions
| Resource permission | Description | Required license | New license |
|---|---|---|---|
| Asset > Control > Activate and Run | Allows users to enable (activate) a control query. Any user with the Product Rights > Control Tower global permission can create a control query, but this resource permission is required to enable it. | Standard | Creator |
| Asset > Add | Allows users to create Managed Control assets. | Standard | Creator |
| Asset > Remove | Allows users to delete Managed Control assets. | Standard | Creator |
| Asset > Update | Allows users to edit Managed Control assets, including configuring controls. | Standard | Creator |
The out-of-the-box Control Manager resource role has this resource permission.