Skip to main content

Predefined Roles

PK Protect provides a set of predefined roles. You can also define additional roles as required.

Default Roles



The SUPER_ADMIN can access the Admin UI and perform all the operations allowed within the Admin.

At least one SUPER_ADMIN is required. Multiple users can be assigned the SUPER_ADMIN role.



The Default User role is automatically assigned to each new user unless you explicitly assign a different role.

Users with Default role have Product and Owner access by default on Policies, Sensitive Types, Domain, Structures, etc.

They can see objects created by themselves in addition to the predefined ones.


It has the following permissions:

Access to all the products.

Owner Access for connections. The user has Create, Read, Update, and Delete permissions on the connections that he or she has defined.

Owner Access for tasks. The user has Create, Read, Update, Delete, and Execute permissions on the Search-It, Find-It, Search Files, and Masker tasks that he or she has defined.

This is a minimum set of permissions that provides the user full control over the connections and tasks that they themselves create while limiting their impact on the other users.

*Note: For security reasons, it is recommended to keep the DEFAULT_USER permissions as minimal as possible. Develop new roles to capture more extensive permissions.


The Connection Administrator role has full CRUD control over all the connections in the system. The Connection Administrator is typically someone who is either a DBA or has a detailed knowledge and access to the various databases of interest in the organization. A person in this role is responsible for maintaining the connections that will be used in different tasks.


The Task Designer creates tasks for locating, searching, and masking data stores. This role has read access to the connections created by the Connection Administrator and CRUD access to all the task definitions.

The Task Designer also has the execute permissions on all the tasks, making the Task Designer capable of performing the Task Executor role. The expectation, however, is that the Task Designer will execute the tasks only to get the task definitions stabilized and ready for production. After that, the Task Designer informs the Task Executor and the Analyst that the task is ready to be run.


The Task Executor has read access to the connections and task definitions and execute permission on all task definitions. The Task Executor does not have CRUD permissions on either connections or tasks.


The Analyst has read permissions on the task definitions and connections. This gives the Analyst read permissions on Task Results. The Analyst can view and analyze the results of various runs but cannot modify the definitions or connections.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.