migration_import — permissions
All permissions are namespaced under migration_import..
| Permission | Endpoints | Default roles |
|---|---|---|
migration_import.job.read | GET /jobs, GET /jobs/{id}, GET /jobs/{id}/warnings, POST /jobs/{id}/preview | admin (*) |
migration_import.job.write | POST /jobs, POST /jobs/{id}/validate | admin (*) |
migration_import.job.execute | POST /jobs/{id}/execute | admin (*) |
migration_import.binary.write | POST /jobs/{id}/binaries (sync agent) | admin (*) |
manifest.role_permissions grants * to admin only. No other role sees the page or can execute. Widen at the manifest level if a tenant wants a dedicated migration operator role.
The sync agent should be issued an account with the admin role (or a narrower role that only holds migration_import.binary.write) and ideally tied to a service-account user.