

# IAM role for an Amazon Q Business web experience

**Note**  
If you are using permissions for Amazon Q Apps created prior to July 10, 2024, you must update your role with the new [Amazon Q Apps](deploy-q-apps-iam-permissions.md) permissions so that your users can use the [permissions to view and specify approved data sources](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/deploy-q-apps-iam-permissions.html#deploy-data-source-iam-permissions) and other future features in Q Apps.

To allow Amazon Q to invoke the API operations required to integrate your application environment, deploy your chat web experience, use an external IdP, and use Amazon Q Apps, you must use the following IAM policies.

**Topics**
+ [IAM role for an Amazon Q Business web experience using IAM Identity Center](web-experience-iam-role-idc.md)
+ [IAM role for an Amazon Q Business web experience using IAM Federation](web-experience-iam-role-iam.md)
+ [IAM permissions for using Amazon Q Apps](deploy-q-apps-iam-permissions.md)

# IAM role for an Amazon Q Business web experience using IAM Identity Center

**Important**  
This page only applies to Amazon Q Business web experiences connected to IAM Identity Center-integrated Amazon Q Business applications.



**Policy history**
+ **Latest policy update:** December 3, 2024

The following table lists and describes the changes to this policy over time.


| Change | Description | Date | 
| --- | --- | --- | 
| Amazon Q Business now supports deleting attachments | To enable delete attachments support on chats, modify your *Web experience IAM role* by adding the permission `qbusiness:DeleteAttachment`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, users can remove attached files in conversations. |  2/27/2025  | 
| Amazon Q Business plugin actions support | To allow Amazon Q Business to list plugin actions and to allow end users to discover plugins in their web experience, modify the existing *Web experience IAM role* by adding the following permissions: `qbusiness:ListPluginActions`, `qbusiness:ListPluginTypeMetadata`, and `qbusiness:ListPluginTypeActions`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, Amazon Q Business can list plugin actions and web experience users can discover plugins in their web experience. For more information, see [Prerequisites for configuring Amazon Q Business built-in plugins](basic-plugins-prereqs.md). |  12/03/2024  | 
| Amazon Quick plugin support | To allow the Quick plugin to include visuals from Amazon Quick, modify the existing *Web experience IAM role* to add permission for `quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity`.  With this change, web experience users can view visuals from Quick. For more information about the Quick plugin, see [Using the Quick plugin to get insights from structured data](quicksight-plugin.md).  |  12/03/2024  | 
| Embedded visual content support | To enable extracting semantic meaning from embedded visual content, modify the existing *Web experience IAM role* by adding the permission `qbusiness:GetMedia`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, if you enable content extraction for a data source, web experience users can ask questions and get answers related to the images. When an end user asks a question, Amazon Q Business retrieves relevant answers from the text and the images. Answers include the images and links for the documents that contain them. For more information, see [Extracting semantic meaning from embedded visual content with Amazon Q Business](extracting-meaning-from-images.md). |  12/01/2024  | 
| Recent files support | To enable recent files support on web experiences, modify the existing *Web experience IAM role* by adding the permission `qbusiness:ListAttachments`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, users can find and reuse any recently attached files in new conversations without uploading the files again. Additionally, users can now drag and drop files they want to upload directly into any conversation inside their Amazon Q web experience. |  11/21/2024  | 

**Note**  
To find the IAM role ARN for your web experience, go to **Amazon Q Business** → **Applications** → *choose your application* **Name** → **Web experience settings** in the Amazon Q Business console.

The following section lists the IAM policies required to allow you to invoke the API operations required to integrate your application environment with IAM Identity Center.

To allow an Amazon Q Business web experience to invoke the API operations required to integrate your application environment and deploy your web experience with an IAM Identity Center instance, use the following policy:

**Note**  
To make use of the Clickable URL feature, add the following permissions to the IAM role for your Amazon Q web experience.

```
{
    "Sid": "QBusinessGetDocumentContentPermission",
    "Effect": "Allow",
    "Action": ["qbusiness:GetDocumentContent"],
    "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/*"
    ]
}
```

To allow Amazon Q to assume this role, use the following trust policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessTrustPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "application.qbusiness.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
                }
            }
        }
    ]
}
```

# IAM role for an Amazon Q Business web experience using IAM Federation

**Important**  
This page only applies to Amazon Q Business web experiences connected to IAM Federated Amazon Q Business applications.



**Policy history**
+ **Latest policy update:** December 3, 2024

The following table lists and describes the changes to this policy over time.


| Change | Description | Date | 
| --- | --- | --- | 
| Amazon Q Business now supports deleting attachments | To enable delete attachments support on chats, modify your *Web experience IAM role* by adding the permission `qbusiness:DeleteAttachment`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, users can remove attached files in conversations. |  2/27/2025  | 
| Amazon Q Business plugin actions support | To allow Amazon Q Business to list plugin actions and to allow end users to discover plugins in their web experience, modify the existing *Web experience IAM role* by adding the following permissions: `qbusiness:ListPluginActions`, `qbusiness:ListPluginTypeMetadata`, and `qbusiness:ListPluginTypeActions`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, Amazon Q Business can list plugin actions and web experience users can discover plugins in their web experience. For more information, see [Prerequisites for configuring Amazon Q Business built-in plugins](basic-plugins-prereqs.md). |  12/03/2024  | 
| Embedded visual content support | To enable extracting semantic meaning from embedded visual content, modify the existing *Web experience IAM role* by adding the permission `qbusiness:GetMedia`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, if you enable content extraction for a data source, web experience users can ask questions and get answers related to the images. When an end user asks a question, Amazon Q Business retrieves relevant answers from the text and the images. Answers include the images and links for the documents that contain them. For more information, see [Extracting semantic meaning from embedded visual content with Amazon Q Business](extracting-meaning-from-images.md). |  12/01/2024  | 
| Recent files support | To enable recent files support on web experiences, modify the existing *Web experience IAM role* by adding the permission `qbusiness:ListAttachments`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, users can find and reuse any recently attached files in new conversations without uploading the files again. Additionally, users can now drag and drop files they want to upload directly into any conversation inside their Amazon Q web experience. |  11/21/2024  | 

**Note**  
To find the IAM role ARN for your web experience, go to **Amazon Q Business** → **Applications** → *choose your application* **Name** → **Web experience settings** in the Amazon Q Business console.

The following IAM policies allow you to invoke the API operations required for an application environment using Identity Federation through IAM (IAM Federation) to manage user access or deploy a web experience using an external IdP.

**Note**  
You must create and update an IAM policy for your Amazon Q Business application (both console and API) before you begin creating it. Amazon Q Business doesn't auto-create IAM roles for your IAM Federation application if you use the console.

To allow an Amazon Q Business web experience to invoke the API operations required to integrate your application environment and deploy your web experience with an AWS Identity and Access Management instance, use the following policy:

**Note**  
To make use of the Clickable URL feature, add the following permissions to the IAM role for your Amazon Q web experience.

```
{
    "Sid": "QBusinessGetDocumentContentPermission",
    "Effect": "Allow",
    "Action": ["qbusiness:GetDocumentContent"],
    "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/*"
    ]
}
```

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessConversationPermissions",
            "Effect": "Allow",
            "Action": [
                "qbusiness:Chat",
                "qbusiness:ChatSync",
                "qbusiness:ListMessages",
                "qbusiness:ListConversations",
                "qbusiness:PutFeedback",
                "qbusiness:DeleteConversation",
                "qbusiness:GetWebExperience",
                "qbusiness:GetApplication",
                "qbusiness:ListPlugins",
                "qbusiness:GetChatControlsConfiguration",
                "qbusiness:ListRetrievers",
                "qbusiness:ListPluginActions",
                "qbusiness:ListAttachments",
                "qbusiness:GetMedia",
                "qbusiness:DeleteAttachment"
            ],
            "Resource": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
        },
        {
            "Sid": "QBusinessPluginDiscoveryPermissions",
            "Effect": "Allow",
            "Action": [
                "qbusiness:ListPluginTypeMetadata",
                "qbusiness:ListPluginTypeActions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "QBusinessRetrieverPermission",
            "Effect": "Allow",
            "Action": [
                "qbusiness:GetRetriever"
            ],
            "Resource": [
                "arn:aws:qbusiness:us-east-1:111122223333:application/application-id",
                "arn:aws:qbusiness:us-east-1:111122223333:application/application-id/retriever/*"
            ]
        },
        {
            "Sid": "QBusinessAutoSubscriptionPermission",
            "Effect": "Allow",
            "Action": [
                "user-subscriptions:CreateClaim"
            ],
            "Condition": {
                "Bool": {
                    "user-subscriptions:CreateForSelf": "true"
                },
                "StringEquals": {
                    "aws:CalledViaLast": "qbusiness.amazonaws.com"
                }
            },
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "QBusinessKMSDecryptPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111122223333:key/key-id"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "qbusiness.us-east-1.amazonaws.com",
                        "qapps.us-east-1.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "QAppsResourceAgnosticPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:CreateQApp",
                "qapps:PredictQApp",
                "qapps:PredictProblemStatementFromConversation",
                "qapps:PredictQAppFromProblemStatement",
                "qapps:ListQApps",
                "qapps:ListLibraryItems",
                "qapps:CreateSubscriptionToken"
            ],
            "Resource": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
        },
        {
            "Sid": "QAppsAppUniversalPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:DisassociateQAppFromUser"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*"
        },
        {
            "Sid": "QAppsAppOwnerPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:GetQApp",
                "qapps:CopyQApp",
                "qapps:UpdateQApp",
                "qapps:DeleteQApp",
                "qapps:ImportDocument",
                "qapps:CreateLibraryItem",
                "qapps:UpdateLibraryItem",
                "qapps:StartQAppSession"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:UserIsAppOwner": "true"
                }
            }
        },
        {
            "Sid": "QAppsPublishedAppPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:GetQApp",
                "qapps:CopyQApp",
                "qapps:AssociateQAppWithUser",
                "qapps:GetLibraryItem",
                "qapps:CreateLibraryItemReview",
                "qapps:AssociateLibraryItemReview",
                "qapps:DisassociateLibraryItemReview",
                "qapps:StartQAppSession"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:AppIsPublished": "true"
                }
            }
        },
        {
            "Sid": "QAppsAppSessionModeratorPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:ImportDocument",
                "qapps:GetQAppSession",
                "qapps:GetQAppSessionMetadata",
                "qapps:UpdateQAppSession",
                "qapps:UpdateQAppSessionMetadata",
                "qapps:StopQAppSession"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*/session/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:UserIsSessionModerator": "true"
                }
            }
        },
        {
            "Sid": "QAppsSharedAppSessionPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:ImportDocument",
                "qapps:GetQAppSession",
                "qapps:GetQAppSessionMetadata",
                "qapps:UpdateQAppSession"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*/session/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:SessionIsShared": "true"
                }
            }
        }
    ]
}
```

**To allow Amazon Q to assume this role for a web experience using a SAML-compliant identity provider for user management, use the following trust policy:**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRoleWithSAML",
            "Sid": "SAMLAssumeRoleAccess",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://q-web-experience-domain/saml"
                }
            },
            "Principal": {
                "Federated": "arn:aws:iam::111122223333:saml-provider/[[saml_provider]]"
            }
        },
        {
            "Action": "sts:TagSession",
            "Sid": "SAMLTagSessionAccess",
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Email": "*"
                }
            },
            "Principal": {
                "Federated": "arn:aws:iam::111122223333:saml-provider/[[saml_provider]]"
            }
        }
    ]
}
```

**To allow Amazon Q to assume this role for a web experience using an OIDC-compliant identity provider for user management, use the following trust policy:**

**To allow an Amazon Q Business web experience to access AWS KMS to decrypt an OIDC client secret stored in Secrets Manager for an OIDC-based identity provider:**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQToGetSecret",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
            ]
        },
        {
            "Sid": "AllowsAmazonQToDecryptSecret",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111122223333:key/key-id"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "secretsmanager.*.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

**To allow Amazon Q to assume the role to decrypt an OIDC client secret stored in Secrets Manager, use the following trust policy:**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "application.qbusiness.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
                }
            }
        }
    ]
}
```
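
The service-principal trust policies above pin `aws:SourceAccount` and `aws:SourceArn` to a single account and application, and the SAML trust policy pins `SAML:aud`. The following check is an added example, not AWS code: `audit_trust_policy` and its helpers are hypothetical names, and every policy other than the one copied from this page is constructed for illustration.

```python
import copy
import re

QBUSINESS_PRINCIPAL = "application.qbusiness.amazonaws.com"
# Exactly one application in one Region and one 12-digit account, no wildcards.
APP_ARN_RE = re.compile(
    r"^arn:aws:qbusiness:[a-z0-9-]+:(\d{12}):application/[A-Za-z0-9-]+$")

# Trust policy for the IAM Identity Center web experience, as shown on this page.
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QBusinessTrustPolicy",
        "Effect": "Allow",
        "Principal": {"Service": QBUSINESS_PRINCIPAL},
        "Action": ["sts:AssumeRole", "sts:SetContext"],
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnEquals": {"aws:SourceArn":
                          "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"},
        },
    }],
}


def as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_values(stmt, operators, key):
    """Values of one condition key under the given operators (key names are case-insensitive)."""
    found = []
    for op in operators:
        for name, value in stmt.get("Condition", {}).get(op, {}).items():
            if name.lower() == key.lower():
                found.extend(as_list(value))
    return found


def with_condition(condition):
    """Constructed variant of the page's policy with another Condition block (None removes it)."""
    policy = copy.deepcopy(PAGE_TRUST_POLICY)
    if condition is None:
        del policy["Statement"][0]["Condition"]
    else:
        policy["Statement"][0]["Condition"] = condition
    return policy


def audit_trust_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"{sid}: Principal is not limited to a named service or provider")
            continue
        if QBUSINESS_PRINCIPAL in as_list(principal.get("Service")):
            accounts = condition_values(stmt, ["StringEquals"], "aws:SourceAccount")
            arns = condition_values(stmt, ["ArnEquals", "ArnLike"], "aws:SourceArn")
            if not accounts:
                findings.append(f"{sid}: missing StringEquals aws:SourceAccount")
            if not arns:
                findings.append(f"{sid}: missing aws:SourceArn")
            for arn in arns:
                match = APP_ARN_RE.match(arn)
                if not match:
                    findings.append(f"{sid}: aws:SourceArn {arn!r} is not one exact application ARN")
                elif accounts and match.group(1) not in accounts:
                    findings.append(f"{sid}: aws:SourceArn account differs from aws:SourceAccount")
        if "sts:AssumeRoleWithSAML" in as_list(stmt.get("Action")):
            if not condition_values(stmt, ["StringEquals"], "SAML:aud"):
                findings.append(f"{sid}: sts:AssumeRoleWithSAML without a SAML:aud condition")
    return findings


if __name__ == "__main__":
    samples = {
        "page policy": PAGE_TRUST_POLICY,
        "no Condition (constructed)": with_condition(None),
        "wildcard SourceArn (constructed)": with_condition({
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:qbusiness:*:111122223333:application/*"},
        }),
    }
    for name, policy in samples.items():
        print(name, "->", audit_trust_policy(policy) or "OK")
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) to check a deployed role rather than the embedded samples.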

# IAM permissions for using Amazon Q Apps

If the users of your deployed web experience want to create lightweight, purpose-built Amazon Q Apps within your broader Amazon Q Business application environment, you must include the following policy permissions. 

**Note**  
This Amazon Q Apps IAM policy, released on July 10, 2024, supports the ability for users to view and specify approved *data sources* at the card level and use other future features. To use these features, you must update all roles for Amazon Q Apps that were created prior to this date with this new policy.


| Change | Description | Date | 
| --- | --- | --- | 
| Deprecated some IAM actions related to file upload | The `qapps:ImportDocumentToQApp`, `qapps:ImportDocumentToQAppSession`, and `qapps:CreatePresignedUrl` IAM actions are deprecated. The `qapps:ImportDocument` action now serves as the single file upload action. | 05/22/2025 |
| Added permission for `CreatePresignedUrl` | This new API allows users to leverage the improved file limits in Amazon Q Apps. You can now upload files with size up to 10MB (per file card). | 11/22/2024 |
| Added permissions for `DescribeQAppPermissions` and `UpdateQAppPermissions` | These new APIs allow users to [privately share Amazon Q Apps](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/qapps-private-sharing.html) to leverage the improved file limits in Amazon Q Apps. You can now upload files with size up to 10MB (per file card). | 11/22/2024 |
| Added permissions related to management of persistent sessions | These new APIs allow users to start, manage and terminate long-running collaborative [data collection sessions](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/q-apps-forms.html) to leverage the improved file limits in Amazon Q Apps. You can now upload files with size up to 10MB (per file card). | 11/22/2024 |

**Topics**
+ [Capabilities available with Amazon Q Apps](#q-apps-actions)
+ [IAM permissions for users to view and specify approved data sources in Amazon Q Apps](#deploy-data-source-iam-permissions)

**If you want to use Amazon Q Apps, your web experience IAM role needs the following additional permissions:**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QAppsResourceAgnosticPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:CreateQApp",
                "qapps:PredictQApp",
                "qapps:PredictProblemStatementFromConversation",
                "qapps:PredictQAppFromProblemStatement",
                "qapps:ListQApps",
                "qapps:ListLibraryItems",
                "qapps:CreateSubscriptionToken"
            ],
            "Resource": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
        },
        {
            "Sid": "QAppsAppUniversalPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:DisassociateQAppFromUser"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*"
        },
        {
            "Sid": "QAppsAppOwnerPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:GetQApp",
                "qapps:CopyQApp",
                "qapps:UpdateQApp",
                "qapps:DeleteQApp",
                "qapps:ImportDocument",
                "qapps:CreateLibraryItem",
                "qapps:UpdateLibraryItem",
                "qapps:StartQAppSession",
                "qapps:DescribeQAppPermissions",
                "qapps:UpdateQAppPermissions"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:UserIsAppOwner": "true"
                }
            }
        },
        {
            "Sid": "QAppsPublishedAppPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:GetQApp",
                "qapps:CopyQApp",
                "qapps:AssociateQAppWithUser",
                "qapps:GetLibraryItem",
                "qapps:CreateLibraryItemReview",
                "qapps:AssociateLibraryItemReview",
                "qapps:DisassociateLibraryItemReview",
                "qapps:StartQAppSession",
                "qapps:DescribeQAppPermissions"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:AppIsPublished": "true"
                }
            }
        },
        {
            "Sid": "QAppsAppSessionModeratorPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:ImportDocument",
                "qapps:GetQAppSession",
                "qapps:GetQAppSessionMetadata",
                "qapps:UpdateQAppSession",
                "qapps:UpdateQAppSessionMetadata",
                "qapps:StopQAppSession",
                "qapps:ListQAppSessionData",
                "qapps:ExportQAppSessionData"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*/session/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:UserIsSessionModerator": "true"
                }
            }
        },
        {
            "Sid": "QAppsSharedAppSessionPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:ImportDocument",
                "qapps:GetQAppSession",
                "qapps:GetQAppSessionMetadata",
                "qapps:UpdateQAppSession",
                "qapps:ListQAppSessionData"
            ],
            "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*/session/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:SessionIsShared": "true"
                }
            }
        }
    ]
}
```
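
The policy-history tables on this page add `qbusiness:` actions to the web experience role over time, and the Q Apps change table deprecates three file-upload actions. The following drift check is an added example, not AWS code: `audit_role_policy` and its helpers are hypothetical names, the expected scopes are taken from the IAM Federation policy shown on this page, and the stale policy is constructed.

```python
from fnmatch import fnmatchcase

# Placeholder application ARN used throughout this page.
APP_ARN = "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"

# Actions added by the policy-history tables, grouped by the scope the page's
# IAM Federation policy gives them.
APP_SCOPED = ["qbusiness:DeleteAttachment", "qbusiness:ListPluginActions",
              "qbusiness:GetMedia", "qbusiness:ListAttachments"]
ANY_RESOURCE = ["qbusiness:ListPluginTypeMetadata", "qbusiness:ListPluginTypeActions"]
# Deprecated on 05/22/2025 in favour of qapps:ImportDocument.
DEPRECATED = ["qapps:ImportDocumentToQApp", "qapps:ImportDocumentToQAppSession",
              "qapps:CreatePresignedUrl"]

# Constructed: a role policy that predates the updates listed on this page.
STALE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Conversation", "Effect": "Allow",
     "Action": ["qbusiness:Chat", "qbusiness:ListAttachments"], "Resource": APP_ARN},
    {"Sid": "Media", "Effect": "Allow", "Action": "qbusiness:GetMedia", "Resource": "*"},
    {"Sid": "Upload", "Effect": "Allow", "Action": ["qapps:ImportDocumentToQApp"],
     "Resource": "arn:aws:qapps:us-east-1:111122223333:application/application-id/qapp/*"},
]}

# Abbreviated from the IAM Federation policy on this page (Q Apps statements omitted).
CURRENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "QBusinessConversationPermissions", "Effect": "Allow",
     "Action": ["qbusiness:Chat", "qbusiness:ChatSync", "qbusiness:ListPluginActions",
                "qbusiness:ListAttachments", "qbusiness:GetMedia",
                "qbusiness:DeleteAttachment"],
     "Resource": APP_ARN},
    {"Sid": "QBusinessPluginDiscoveryPermissions", "Effect": "Allow",
     "Action": ANY_RESOURCE, "Resource": "*"},
]}


def as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_resources(policy, action):
    """Resources on which Allow statements grant `action`.

    Action names are case-insensitive and may use * and ? wildcards.
    Assumption: the policy uses Action/Resource only (no NotAction, NotResource or Deny).
    """
    resources = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in as_list(stmt.get("Action"))]
        if any(fnmatchcase(action.lower(), p) for p in patterns):
            resources.extend(as_list(stmt.get("Resource")))
    return resources


def audit_role_policy(policy, app_arn=APP_ARN):
    """Return (kind, action) findings: 'missing', 'scope' or 'deprecated'."""
    findings = []
    for action in APP_SCOPED:
        resources = allowed_resources(policy, action)
        if not resources:
            findings.append(("missing", action))
        elif any(r != app_arn for r in resources):
            # Granted, but on something other than the one application ARN.
            findings.append(("scope", action))
    for action in ANY_RESOURCE:
        if not allowed_resources(policy, action):
            findings.append(("missing", action))
    # Deprecated actions are reported when listed by name in any statement.
    listed = {a.lower() for s in as_list(policy.get("Statement"))
              for a in as_list(s.get("Action"))}
    for action in DEPRECATED:
        if action.lower() in listed:
            findings.append(("deprecated", action))
    return findings


if __name__ == "__main__":
    for kind, action in audit_role_policy(STALE_POLICY):
        print(f"{kind:<10} {action}")
```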

## Capabilities available with Amazon Q Apps

The Amazon Q Apps IAM policy gives your web experience users permission to do the following:
+ **Amazon Q Apps capabilities:**
  + Create a Q App ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_CreateQApp.html))
  + Get the status and other information on a Q App ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_GetQApp.html))
  + Update a Q App ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_UpdateQApp.html))
  + List all created Q Apps ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_ListQApps.html))
  + Delete a Q App ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_DeleteQApp.html))
  + Start a Q App run (session) ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_StartQAppSession.html))
  + Stop a Q App run (session) ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_StopQAppSession.html))
  + Upload files to a Q App run (session) ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_ImportDocument.html))
  + Convert a conversation into a (*text string*) problem statement ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_PredictQApp.html))
  + Convert a problem statement into a proposed Q App ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_PredictQApp.html))
+ **Amazon Q Apps library capabilities:**
  + Publish a Q App by adding items to your Q Apps library ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_CreateLibraryItem.html))
  + Get the status and other information on a Q App (item) in your Q Apps library ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_GetLibraryItem.html))
  + Update a published Q App (item) in your Q Apps library ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_UpdateLibraryItem.html))
  + List all Q Apps (items) from your Q Apps library ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_ListLibraryItems.html))
  + Delete a Q App (item) from your Q Apps library ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_DeleteLibraryItem.html))
  + Like (rate) a Q App item from your Q Apps library ([API](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_qapps_AssociateLibraryItemReview.html))

## IAM permissions for users to view and specify approved data sources in Amazon Q Apps

**(Optional) You must add the following permissions to the Amazon Q Apps policy to allow Q Apps users to view and specify approved data sources in their app.**

**Note**  
If you are using permissions for Amazon Q Apps created prior to July 10, 2024, you must update your role with the new [Amazon Q Apps](#deploy-q-apps-iam-permissions) permissions so that your users can use the [permissions to view and specify approved data sources](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/deploy-q-apps-iam-permissions.html#deploy-data-source-iam-permissions) and other future features in Q Apps.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessIndexPermission",
            "Effect": "Allow",
            "Action": [
                "qbusiness:ListIndices"
            ],
            "Resource": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
        },
        {
            "Sid": "QBusinessDataSourcePermission",
            "Effect": "Allow",
            "Action": [
                "qbusiness:ListDataSources"
            ],
            "Resource": [
                "arn:aws:qbusiness:us-east-1:111122223333:application/application-id",
                "arn:aws:qbusiness:us-east-1:111122223333:application/application-id/index/*"
            ]
        }
    ]
}
```

**Note**  
If any of these permissions are removed, then you run the risk of your web experience users not being able to create and run their own Q Apps properly. 