Panopta's access control (ACL) functionality gives teams fine-grained controls over the infrastructure team members can view (scope) and specific actions they can perform. The system is driven by roles, which are logical groupings of actions that a user can perform. A user can have one-to-many roles assigned to them - they're designed to be layered on top of one another.
Out of the box, Panopta provides a number of default roles that will be more than sufficient for a lot of teams. They are not editable, but you can easily clone and customize them to meet your needs.
Teams looking for more fine tuning can leverage custom roles. Custom roles can be comprised of any number of actions that are available in Panopta. For instance, you may want a role that allows a user to view and edit instances, but read-only access for network devices. When creating a custom role, you may choose to either start from scratch or clone an existing role.