morpheus-cli 5.5.1.5 → 5.5.2

data/lib/morpheus/cli/commands/roles.rb

@@ -6,14 +6,21 @@ class Morpheus::Cli::Roles
   include Morpheus::Cli::ProvisioningHelper
   include Morpheus::Cli::WhoamiHelper
   register_subcommands :list, :get, :add, :update, :remove, 
-    :'list-permissions', :'update-feature-access', :'update-global-group-access', 
-    :'update-group-access', :'update-global-cloud-access', :'update-cloud-access', 
-    :'update-global-instance-type-access', :'update-instance-type-access', 
-    :'update-global-blueprint-access', :'update-blueprint-access', 
-    :'update-global-catalog-item-type-access', :'update-catalog-item-type-access', 
-    :'update-persona-access', 
-    :'update-global-vdi-pool-access', :'update-vdi-pool-access',
-    :'update-global-report-type-access', :'update-report-type-access'
+    :'list-permissions', :'update-feature-access', :'update-default-feature-access',
+    :'update-group-access', :'update-global-group-access', :'update-default-group-access',
+    :'update-global-cloud-access', :'update-cloud-access', :'update-default-cloud-access',
+    :'update-global-instance-type-access', :'update-instance-type-access', :'update-default-instance-type-access',
+    :'update-global-blueprint-access', :'update-blueprint-access', :'update-default-blueprint-access',
+    :'update-global-catalog-item-type-access', :'update-catalog-item-type-access', :'update-default-catalog-item-type-access',
+    :'update-persona-access', :'update-default-persona-access',
+    :'update-global-vdi-pool-access', :'update-vdi-pool-access', :'update-default-vdi-pool-access',
+    :'update-global-report-type-access', :'update-report-type-access', :'update-default-report-type-access',
+    :'update-global-task-access', :'update-task-access', :'update-default-task-access',
+    :'update-global-workflow-access', :'update-workflow-access', :'update-default-workflow-access'
+  set_subcommands_hidden(
+    subcommands.keys.select{|c|
+    c.include?('update-global')
+  })
   alias_subcommand :details, :get
   set_default_subcommand :list
 
@@ -39,6 +46,9 @@ class Morpheus::Cli::Roles
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[search phrase]")
+      opts.on( '--tenant TENANT', "Tenant Filter for list of Roles." ) do |val|
+        options[:tenant] = val
+      end
       build_standard_list_options(opts, options)
       opts.footer = "List roles."
     end
@@ -57,6 +67,9 @@ class Morpheus::Cli::Roles
       return 0, nil
     end
     load_whoami()
+    if options[:tenant]
+      params[:tenant] = options[:tenant]
+    end
     json_response = @roles_interface.list(account_id, params)
 
     render_response(json_response, options, "roles") do
@@ -82,13 +95,13 @@ class Morpheus::Cli::Roles
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role]")
-      opts.on('-p','--permissions', "Display Permissions") do |val|
+      opts.on('-p','--permissions', "Display Permissions [deprecated]") do |val|
         options[:include_feature_access] = true
       end
-      opts.on('-f','--feature-access', "Display Permissions [deprecated]") do |val|
+      opts.add_hidden_option('-p,')
+      opts.on('-f','--feature-access', "Display Feature Access") do |val|
         options[:include_feature_access] = true
       end
-      opts.add_hidden_option('--feature-access')
       opts.on('-g','--group-access', "Display Group Access") do
         options[:include_group_access] = true
       end
@@ -105,7 +118,11 @@ class Morpheus::Cli::Roles
         options[:include_catalog_item_type_access] = true
       end
       opts.on(nil,'--personas', "Display Persona Access") do
-        options[:include_personas_access] = true
+        options[:include_persona_access] = true
+      end
+      opts.add_hidden_option('--personas')
+      opts.on(nil,'--persona-access', "Display Persona Access") do
+        options[:include_persona_access] = true
       end
       opts.on(nil,'--vdi-pool-access', "Display VDI Pool Access") do
         options[:include_vdi_pool_access] = true
@@ -113,16 +130,19 @@ class Morpheus::Cli::Roles
       opts.on(nil,'--report-type-access', "Display Report Type Access") do
         options[:include_report_type_access] = true
       end
+      opts.on(nil,'--workflow-access', "Display Workflow Access") do
+        options[:include_workflow_access] = true
+      end
+      opts.on(nil,'--task-access', "Display Task Access") do
+        options[:include_task_access] = true
+      end
       opts.on('-a','--all', "Display All Access Lists") do
-        options[:include_feature_access] = true
-        options[:include_group_access] = true
-        options[:include_cloud_access] = true
-        options[:include_instance_type_access] = true
-        options[:include_blueprint_access] = true
-        options[:include_catalog_item_type_access] = true
-        options[:include_personas_access] = true
-        options[:include_vdi_pool_access] = true
-        options[:include_report_type_access] = true
+        options[:include_all_access] = true
+      end
+      opts.on('--account-id ID', String, "Clarify Owner of Role") do |val|
+        if has_complete_access
+          options[:account_id] = val.to_s
+        end
       end
       build_standard_get_options(opts, options)
       opts.footer = <<-EOT
@@ -142,65 +162,51 @@ EOT
   def _get(id, options={})
     args = [id] # heh
     params = {}
+    account = find_account_from_options(options)
+    account_id = account ? account['id'] : nil
 
-    
-      account = find_account_from_options(options)
-      account_id = account ? account['id'] : nil
-
-      params.merge!(parse_query_options(options))
-
-      @roles_interface.setopts(options)
-      if options[:dry_run]
-        if args[0].to_s =~ /\A\d{1,}\Z/
-          print_dry_run @roles_interface.dry.get(account_id, args[0].to_i)
-        else
-          print_dry_run @roles_interface.dry.list(account_id, {name: args[0]})
-        end
-        return
-      end
+    params.merge!(parse_query_options(options))
 
-      # role = find_role_by_name_or_id(account_id, args[0])
-      # exit 1 if role.nil?
-      # refetch from show action, argh
-      # json_response = @roles_interface.get(account_id, role['id'])
-      # role = json_response['role']
-      load_whoami()
-      json_response = nil
-      role = nil
+    @roles_interface.setopts(options)
+    if options[:dry_run]
       if args[0].to_s =~ /\A\d{1,}\Z/
-        json_response = @roles_interface.get(account_id, args[0].to_i)
-        role = json_response['role']
+        print_dry_run @roles_interface.dry.get(account_id, args[0].to_i)
       else
-        role = find_role_by_name_or_id(account_id, args[0])
-        exit 1 if role.nil?
-        # refetch from show action, argh
-        json_response = @roles_interface.get(account_id, role['id'])
-        role = json_response['role']
+        print_dry_run @roles_interface.dry.list(account_id, {name: args[0]})
       end
+      return
+    end
+
+    load_whoami()
+    json_response = nil
+    role = nil
+    if args[0].to_s =~ /\A\d{1,}\Z/
+      json_response = @roles_interface.get(account_id, args[0].to_i)
+      role = json_response['role']
+    else
+      role = find_role_by_name_or_id(account_id, args[0])
+      exit 1 if role.nil?
+      # refetch from show action, argh
+      json_response = @roles_interface.get(account_id, role['id'])
+      role = json_response['role']
+    end
+
+    render_response(json_response, options, 'role') do
 
-      render_response(json_response, options, 'role') do
-      
       print cyan
       print_h1 "Role Details", options
       print cyan
       columns = @is_master_account ? role_column_definitions : subtenant_role_column_definitions
       print_description_list(columns, role, options)
 
-      # print_h2 "Role Instance Limits", options
-      # print cyan
-      # print_description_list({
-      #   "Max Storage"  => lambda {|it| (it && it['maxStorage'].to_i != 0) ? Filesize.from("#{it['maxStorage']} B").pretty : "no limit" },
-      #   "Max Memory"  => lambda {|it| (it && it['maxMemory'].to_i != 0) ? Filesize.from("#{it['maxMemory']} B").pretty : "no limit" },
-      #   "CPU Count"  => lambda {|it| (it && it['maxCpu'].to_i != 0) ? it['maxCpu'] : "no limit" }
-      # }, role['instanceLimits'])
-
       print_h2 "Permissions", options
       print cyan
-      if options[:include_feature_access]
+      if options[:include_feature_access] || options[:include_all_access]
         rows = json_response['featurePermissions'].collect do |it|
           {
             code: it['code'],
             name: it['name'],
+            subCategory: it['subCategory'],
             access: format_access_string(it['access']),
           }
         end
@@ -214,24 +220,28 @@ EOT
           phrase_regexp = /#{Regexp.escape(options[:phrase])}/i
           rows = rows.select {|row| row[:code].to_s =~ phrase_regexp || row[:name].to_s =~ phrase_regexp }
         end
-        print as_pretty_table(rows, [:code, :name, :access], options)
+        print as_pretty_table(rows, [:code, :name, :subCategory, :access], options)
         # print reset,"\n"
       else
-        print cyan,"Use --permissions to list feature permissions","\n"
+        print cyan,"Use --feature-access to list feature access","\n"
       end
 
       has_group_access = true
       has_cloud_access = true
-      print_h2 "Global Access", options
+      print_h2 "Default Access", options
       global_access_columns = {
         "Groups" => lambda {|it| get_access_string(it['globalSiteAccess']) },
         "Clouds" => lambda {|it| get_access_string(it['globalZoneAccess']) },
         "Instance Types" => lambda {|it| get_access_string(it['globalInstanceTypeAccess']) },
         "Blueprints" => lambda {|it| get_access_string(it['globalAppTemplateAccess'] || it['globalBlueprintAccess']) },
+        "Personas" => lambda {|it| get_access_string(it['globalPersonaAccess']) },
+        "Report Types" => lambda {|it| get_access_string(it['globalReportTypeAccess']) },
         "Catalog Item Types" => lambda {|it| get_access_string(it['globalCatalogItemTypeAccess']) },
         "VDI Pools" => lambda {|it| get_access_string(it['globalVdiPoolAccess']) },
-        "Report Types" => lambda {|it| get_access_string(it['globalReportTypeAccess']) },
+        "Workflows" => lambda {|it| get_access_string(it['globalTaskSetAccess']) },
+        "Tasks" => lambda {|it| get_access_string(it['globalTaskAccess']) },
       }
+
       if role['roleType'].to_s.downcase == 'account'
         global_access_columns.delete("Groups")
         has_group_access = false
@@ -239,15 +249,16 @@ EOT
         global_access_columns.delete("Clouds")
         has_cloud_access = false
       end
+
       print as_pretty_table([json_response], global_access_columns, options)
 
       if has_group_access
         #print_h2 "Group Access: #{get_access_string(json_response['globalSiteAccess'])}", options
         print cyan
-        if json_response['globalSiteAccess'] == 'custom'
+        if json_response['sites'].find {|it| !it['access'].nil?}
           print_h2 "Group Access", options
-          if options[:include_group_access]
-            rows = json_response['sites'].collect do |it|
+          if options[:include_group_access] || options[:include_all_access]
+            rows = json_response['sites'].select {|it| !it['access'].nil?}.collect do |it|
               {
                 name: it['name'],
                 access: format_access_string(it['access'], ["none","read","full"]),
@@ -263,15 +274,15 @@ EOT
           # print cyan,bold,"Group Access: #{get_access_string(json_response['globalSiteAccess'])}",reset,"\n"
         end
       end
-      
+
       if has_cloud_access
         print cyan
         #puts "Cloud Access: #{get_access_string(json_response['globalZoneAccess'])}"
         #print "\n"
-        if json_response['globalZoneAccess'] == 'custom'
+        if json_response['sites'].find{|it| !it['access'].nil?}
           print_h2 "Cloud Access", options
-          if options[:include_cloud_access]
-            rows = json_response['zones'].collect do |it|
+          if options[:include_cloud_access] || options[:include_all_access]
+            rows = json_response['zones'].select {|it| !it['access'].nil?}.collect do |it|
               {
                 name: it['name'],
                 access: format_access_string(it['access'], ["none","read","full"]),
@@ -293,195 +304,226 @@ EOT
       # print "\n"
       instance_type_global_access = json_response['globalInstanceTypeAccess']
       instance_type_permissions = role['instanceTypes'] ? role['instanceTypes'] : (json_response['instanceTypePermissions'] || [])
-      if instance_type_global_access == 'custom'
+
+      # if have any custom, then we want to show the flag indicator
+      # if including, show
+
+      if options[:include_instance_type_access] || options[:include_all_access]
         print_h2 "Instance Type Access", options
-        if options[:include_instance_type_access]
-          rows = instance_type_permissions.collect do |it|
-            {
-              name: it['name'],
-              access: format_access_string(it['access'], ["none","read","full"]),
-            }
-          end
-          print as_pretty_table(rows, [:name, :access], options)
-        else
-          print cyan,"Use -i, --instance-type-access to list custom access","\n"
+        rows = instance_type_permissions.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","read","full"]),
+          }
         end
-        # print reset,"\n"
-      else
-        # print "\n"
-        # print cyan,bold,"Instance Type Access: #{get_access_string(json_response['globalInstanceTypeAccess'])}",reset,"\n"
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif instance_type_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Instance Type Access", options
+        print cyan,"Use -i, --instance-type-access to list custom access","\n"
       end
 
       blueprint_global_access = json_response['globalAppTemplateAccess'] || json_response['globalBlueprintAccess']
       blueprint_permissions = (role['appTemplates'] || role['blueprints']) ? (role['appTemplates'] || role['blueprints']) : (json_response['appTemplatePermissions'] || json_response['blueprintPermissions'] || [])
       print cyan
-      # print_h2 "Blueprint Access: #{get_access_string(json_response['globalAppTemplateAccess'])}", options
-      # print "\n"
-      if blueprint_global_access == 'custom'
+      if options[:include_blueprint_access] || options[:include_all_access]
         print_h2 "Blueprint Access", options
-        if options[:include_blueprint_access]
-          rows = blueprint_permissions.collect do |it|
-            {
-              name: it['name'],
-              access: format_access_string(it['access'], ["none","read","full"]),
-            }
-          end
-          print as_pretty_table(rows, [:name, :access], options)
-        else
-          print cyan,"Use -b, --blueprint-access to list custom access","\n"
+        rows = blueprint_permissions.select {|it| !it['access'].nil?}.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","read","full"]),
+          }
         end
-        # print reset,"\n"
-      else
-        # print "\n"
-        # print cyan,bold,"Blueprint Access: #{get_access_string(json_response['globalAppTemplateAccess'])}",reset,"\n"
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif blueprint_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Blueprint Access", options
+        print cyan,"Use -b, --blueprint-access to list custom access","\n"
       end
-      
+
       catalog_item_type_global_access = json_response['globalCatalogItemTypeAccess']
       catalog_item_type_permissions = role['catalogItemTypes'] ? role['catalogItemTypes'] : (json_response['catalogItemTypePermissions'] || [])
       print cyan
-      # print_h2 "catalog_item_type Access: #{get_access_string(json_response['globalCatalogItemTypeAccess'])}", options
-      # print "\n"
-      if catalog_item_type_global_access == 'custom'
+      if options[:include_catalog_item_type_access] || options[:include_all_access]
         print_h2 "Catalog Item Type Access", options
-        if options[:include_catalog_item_type_access]
-          rows = catalog_item_type_permissions.collect do |it|
-            {
-              name: it['name'],
-              access: format_access_string(it['access'], ["none","read","full"]),
-            }
-          end
-          print as_pretty_table(rows, [:name, :access], options)
-        else
-          print cyan,"Use --catalog-item-type-access to list custom access","\n"
+        rows = catalog_item_type_permissions.select {|it| !it['access'].nil?}.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","read","full"]),
+          }
         end
-      else
-        # print "\n"
-        # print cyan,bold,"Catalog Item Type Access: #{get_access_string(json_response['globalCatalogItemTypeAccess'])}",reset,"\n"
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif catalog_item_type_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Catalog Item Type Access", options
+        print cyan,"Use --catalog-item-type-access to list access","\n"
       end
-      
+
+      persona_global_access = json_response['globalPersonaAccess']
       persona_permissions = role['personas'] ? role['personas'] : (json_response['personaPermissions'] || [])
-      # if options[:include_personas_access]
       print cyan
-      if persona_permissions
+      if options[:include_persona_access] || options[:include_all_access]
         print_h2 "Persona Access", options
         rows = persona_permissions.collect do |it|
           {
             name: it['name'],
-            access: format_access_string(it['access'], ["none","read","full"]),
+            access: format_access_string(it['access'], ["none","full"]),
           }
         end
-        print as_pretty_table(rows, [:name, :access], options)        
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif persona_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Persona Access", options
+        print cyan,"Use --persona-access to list access","\n"
       end
 
-      # print reset,"\n"
-      
       vdi_pool_global_access = json_response['globalVdiPoolAccess']
       vdi_pool_permissions = role['vdiPools'] ? role['vdiPools'] : (json_response['vdiPoolPermissions'] || [])
       print cyan
-      if vdi_pool_global_access == 'custom'
+      if options[:include_vdi_pool_access] || options[:include_all_access]
         print_h2 "VDI Pool Access", options
-        if options[:include_vdi_pool_access]
-          rows = vdi_pool_permissions.collect do |it|
-            {
-              name: it['name'],
-              access: format_access_string(it['access'], ["none","full"]),
-            }
-          end
-          print as_pretty_table(rows, [:name, :access], options)
-        else
-          print cyan,"Use --vdi-pool-access to list custom access","\n"
+        rows = vdi_pool_permissions.select {|it| !it['access'].nil?}.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","full"]),
+          }
         end
-      else
-        # print "\n"
-        # print cyan,bold,"VDI Pool Access: #{get_access_string(json_response['globalVdiPoolAccess'])}",reset,"\n"
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif vdi_pool_permissions.find {|it| !it['access'].nil?}
+        print_h2 "VDI Pool Access", options
+        print cyan,"Use --vdi-pool-access to list custom access","\n"
       end
 
       report_type_global_access = json_response['globalReportTypeAccess']
       report_type_permissions = role['reportTypes'] ? role['reportTypes'] : (json_response['reportTypePermissions'] || [])
       print cyan
-      if report_type_global_access == 'custom'
+      if options[:include_report_type_access] || options[:include_all_access]
         print_h2 "Report Type Access", options
-        if options[:include_report_type_access]
-          rows = report_type_permissions.collect do |it|
-            {
-              name: it['name'],
-              access: format_access_string(it['access'], ["none","full"]),
-            }
-          end
-          print as_pretty_table(rows, [:name, :access], options)
-        else
-          print cyan,"Use --report-type-access to list custom access","\n"
+        rows = report_type_permissions.select {|it| !it['access'].nil?}.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","full"]),
+          }
         end
-      else
-        # print "\n"
-        # print cyan,bold,"Report Type Access: #{get_access_string(json_response['globalReportTypeAccess'])}",reset,"\n"
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif report_type_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Report Type Access", options
+        print cyan,"Use --report-type-access to list custom access","\n"
       end
 
-    end
-    print reset,"\n"
+      task_global_access = json_response['globalTaskAccess']
+      task_permissions = role['tasks'] ? role['tasks'] : (json_response['taskPermissions'] || [])
+      print cyan
+      if options[:include_task_access] || options[:include_all_access]
+        print_h2 "Task Access", options
+        rows = task_permissions.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","full"]),
+          }
+        end
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif task_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Task Access", options
+        print cyan,"Use --task-access to list custom access","\n"
+      end
 
-    return 0, nil
+      workflow_global_access = json_response['globalTaskSetAccess']
+      workflow_permissions = role['taskSets'] ? role['taskSets'] : (json_response['taskSetPermissions'] || [])
+      print cyan
+      if options[:include_workflow_access] || options[:include_all_access]
+        print_h2 "Workflow", options
+        rows = workflow_permissions.select {|it| !it['access'].nil?}.collect do |it|
+          {
+            name: it['name'],
+            access: format_access_string(it['access'], ["none","full"]),
+          }
+        end
+        print as_pretty_table(rows, [:name, :access], options)
+      elsif workflow_permissions.find {|it| !it['access'].nil?}
+        print_h2 "Workflow", options
+        print cyan,"Use --workflow-access to list custom access","\n"
+      end
+      print reset,"\n"
+      return 0, nil
+    end
   end
 
   def list_permissions(args)
     options = {}
+    available_categories = ['feature', 'group', 'cloud', 'instance-type', 'blueprint', 'report-type', 'persona', 'catalog-item-type', 'vdi-pool', 'workflow', 'task']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role]")
+      opts.banner = subcommand_usage("[role] [category]")
       build_common_options(opts, options, [:list, :json, :yaml, :csv, :fields, :dry_run, :remote])
-      opts.footer = "List the permissions for a role.\n" +
-                    "[role] is required. This is the name or id of a role."
+      opts.footer = "List the access for a role.\n" +
+        "[role] is required. This is the name or id of a role.\n" +
+        "[category] is optional. Available categories: #{ored_list(available_categories)}"
     end
+
     optparse.parse!(args)
-    verify_args!(args:args, optparse:optparse, count:1)
+    verify_args!(args:args, optparse:optparse, min: 1, max:2)
     connect(options)
-    
-      account = find_account_from_options(options)
-      account_id = account ? account['id'] : nil
 
-      # role = find_role_by_name_or_id(account_id, args[0])
-      # exit 1 if role.nil?
+    category = args[1].to_s.downcase if args[1]
 
-      @roles_interface.setopts(options)
-      if options[:dry_run]
-        if args[0].to_s =~ /\A\d{1,}\Z/
-          print_dry_run @roles_interface.dry.get(account_id, args[0].to_i)
-        else
-          print_dry_run @roles_interface.dry.list(account_id, {name: args[0]})
-        end
-        return
-      end
+    if !category.nil? && !available_categories.include?(category)
+      raise_command_error("invalid category: #{category}", args, optparse)
+    end
+
+    account = find_account_from_options(options)
+    account_id = account ? account['id'] : nil
 
-      json_response = nil
+    @roles_interface.setopts(options)
+    if options[:dry_run]
       if args[0].to_s =~ /\A\d{1,}\Z/
-        json_response = @roles_interface.get(account_id, args[0].to_i)
-        role = json_response['role']
+        print_dry_run @roles_interface.dry.get(account_id, args[0].to_i)
       else
-        role = find_role_by_name_or_id(account_id, args[0])
-        exit 1 if role.nil?
-        # refetch from show action, argh
-        json_response = @roles_interface.get(account_id, role['id'])
-        role = json_response['role']
+        print_dry_run @roles_interface.dry.list(account_id, {name: args[0]})
       end
+      return
+    end
+
+    if args[0].to_s =~ /\A\d{1,}\Z/
+      role = @roles_interface.get(account_id, args[0].to_i)
+    else
+      role = find_role_by_name_or_id(account_id, args[0])
+      exit 1 if role.nil?
+      role = @roles_interface.get(account_id, role['id'])
+    end
 
-      role_permissions = json_response['featurePermissions']
+    available_categories.reject! {|category| category == 'cloud'} if role['role']['roleType'] == 'user'
+    available_categories.reject! {|category| category == 'group'} if role['role']['roleType'] == 'account'
 
-      if options[:json]
-        puts as_json(role_permissions, options)
-        return 0
-      elsif options[:yaml]
-        puts as_yaml(role_permissions, options)
-        return 0
-      elsif options[:csv]
-        puts records_as_csv(role_permissions)
-        return 0
-      end
+    permission_name = -> (s) {
+      return 'sites' if s == 'group'
+      return 'zones' if s == 'cloud'
+      s = 'task-set' if s == 'workflow'
+      s = 'app-template' if s == 'blueprint'
+      s.split('-').map.with_index{|s,i| i == 0 ? s : s.capitalize}.join + 'Permissions'
+    }
+    permission_label = -> (s) {s.split('-').collect{|s| s.capitalize}.join(' ') + ' Permissions'}
 
-      print cyan
-      print_h1 "Role Permissions: [#{role['id']}] #{role['authority']}", options
+    if category.nil?
+      permissions = available_categories.collect{|category| role[permission_name.call(category)].map{|perm| perm.merge({'category' => permission_label.call(category)})}}.flatten
+    else
+      permissions = role[permission_name.call(category)]
+    end
 
-      print cyan
-      if role_permissions && role_permissions.size > 0
-        rows = role_permissions.collect do |it|
+    if options[:json]
+      puts as_json(permissions, options)
+      return 0
+    elsif options[:yaml]
+      puts as_yaml(permissions, options)
+      return 0
+    elsif options[:csv]
+      puts records_as_csv(permissions, :include_fields => ['category', 'id', 'code', 'name', 'access', 'sub category'])
+      return 0
+    end
+
+    print cyan
+    print_h1 "Role: [#{role['role']['id']},#{role['role']['owner']['name']}] #{role['role']['authority']}", options
+
+    (category.nil? ? available_categories : [category]).each do |category|
+      print_h2 "#{permission_label.call(category)}", options
+      permissions = role[permission_name.call(category)]
+      if permissions.size > 0
+        rows = permissions.collect do |it|
           {
             code: it['code'],
             name: it['name'],
@@ -502,10 +544,8 @@ EOT
       else
         puts "No permissions found"
       end
-
-      print reset,"\n"
-      return 0
-    
+    end
+    print reset,"\n"
   end
 
   def add(args)
@@ -518,74 +558,139 @@ EOT
         options[:permissions] ||= {}
         parse_access_csv(options[:permissions], val, args, optparse)
       end
-      opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|custom|full]" ) do |val|
+      opts.add_hidden_option('--permissions')
+      opts.on('--feature-access CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
+        options[:permissions] ||= {}
+        parse_access_csv(options[:permissions], val, args, optparse)
+      end
+      opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|full]" ) do |val|
+        params['globalSiteAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-group-access')
+      opts.on('--default-group-access ACCESS', String, "Update the default group (site) access: [none|read|full]" ) do |val|
         params['globalSiteAccess'] = val.to_s.downcase
       end
       opts.on('--groups ID=ACCESS', String, "Set group (site) to a custom access by group id. Example: 1=none,2=full,3=read" ) do |val|
         options[:group_permissions] ||= {}
         parse_access_csv(options[:group_permissions], val, args, optparse)
       end
-      opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|custom|full]" ) do  |val|
+      opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|read|full]" ) do  |val|
+        params['globalZoneAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-cloud-access')
+      opts.on('--default-cloud-access ACCESS', String, "Update the default cloud (zone) access: [none|read|full]" ) do  |val|
         params['globalZoneAccess'] = val.to_s.downcase
       end
       opts.on('--clouds ID=ACCESS', String, "Set cloud (zone) to a custom access by cloud id. Example: 1=none,2=full,3=read" ) do |val|
         options[:cloud_permissions] ||= {}
         parse_access_csv(options[:cloud_permissions], val, args, optparse)
       end
-      opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|custom|full]" ) do  |val|
+      opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|full]" ) do  |val|
+        params['globalInstanceTypeAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-instance-type-access')
+      opts.on('--default-instance-type-access ACCESS', String, "Update the default instance type access: [none|full]" ) do  |val|
         params['globalInstanceTypeAccess'] = val.to_s.downcase
       end
       opts.on('--instance-types CODE=ACCESS', String, "Set instance type to a custom access instance type code. Example: nginx=full,apache=none" ) do |val|
         options[:instance_type_permissions] ||= {}
         parse_access_csv(options[:instance_type_permissions], val, args, optparse)
       end
-      opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|custom|full]" ) do  |val|
+      opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|full]" ) do  |val|
+        params['globalAppTemplateAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-blueprint-access')
+      opts.on('--default-blueprint-access ACCESS', String, "Update the default blueprint access: [none|full]" ) do  |val|
         params['globalAppTemplateAccess'] = val.to_s.downcase
       end
       opts.on('--blueprints ID=ACCESS', String, "Set blueprint to a custom access by blueprint id. Example: 1=full,2=none" ) do |val|
         options[:blueprint_permissions] ||= {}
         parse_access_csv(options[:blueprint_permissions], val, args, optparse)
       end
-      opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|custom|full]" ) do  |val|
+      opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|full]" ) do  |val|
+        params['globalCatalogItemTypeAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-catalog-item-type-access')
+      opts.on('--default-catalog-item-type-access ACCESS', String, "Update the default catalog item type access: [none|full]" ) do  |val|
         params['globalCatalogItemTypeAccess'] = val.to_s.downcase
       end
       opts.on('--catalog-item-types CODE=ACCESS', String, "Set catalog item type to a custom access by catalog item type id. Example: 1=full,2=none" ) do |val|
         options[:catalog_item_type_permissions] ||= {}
         parse_access_csv(options[:catalog_item_type_permissions], val, args, optparse)
       end
+      opts.on('--default-persona-access ACCESS', String, "Update the default persona access: [none|full]" ) do  |val|
+        params['globalPersonaAccess'] = val.to_s.downcase
+      end
       opts.on('--personas CODE=ACCESS', String, "Set persona to a custom access by persona code. Example: standard=full,serviceCatalog=full,vdi=full" ) do |val|
         options[:persona_permissions] ||= {}
         parse_access_csv(options[:persona_permissions], val, args, optparse)
       end
-      opts.on('--global-vdi-pool-access-access ACCESS', String, "Update the global VDI pool access: [none|custom|full]" ) do  |val|
+      opts.on('--global-vdi-pool-access-access ACCESS', String, "Update the global VDI pool access: [none|full]" ) do  |val|
+        params['globalVdiPoolAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-vdi-pool-access-access')
+      opts.on('--default-vdi-pool-access-access ACCESS', String, "Update the default VDI pool access: [none|full]" ) do  |val|
         params['globalVdiPoolAccess'] = val.to_s.downcase
       end
       opts.on('--vdi-pools ID=ACCESS', String, "Set VDI pool to a custom access by VDI pool id. Example: 1=full,2=none" ) do |val|
         options[:vdi_pool_permissions] ||= {}
         parse_access_csv(options[:vdi_pool_permissions], val, args, optparse)
       end
-      opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|custom|full]" ) do  |val|
+      opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|full]" ) do  |val|
+        params['globalReportTypeAccess'] = val.to_s.downcase
+      end
+      opts.on('--default-report-type-access ACCESS', String, "Update the default report type access: [none|full]" ) do  |val|
         params['globalReportTypeAccess'] = val.to_s.downcase
       end
+      opts.add_hidden_option('--default-report-type-access')
       opts.on('--report-types CODE=ACCESS', String, "Set report type to a custom access by report type code. Example: appCost=none,guidance=full" ) do |val|
         options[:report_type_permissions] ||= {}
         parse_access_csv(options[:report_type_permissions], val, args, optparse)
       end
+      opts.on('--global-task-access ACCESS', String, "Set the global task access: [none|full]" ) do  |val|
+        params['globalTaskAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-task-access')
+      opts.on('--default-task-access ACCESS', String, "Set the default task access: [none|full]" ) do  |val|
+        params['globalTaskAccess'] = val.to_s.downcase
+      end
+      opts.on('--tasks ID=ACCESS', String, "Set task to a custom access by task id. Example: 1=none,2=full" ) do |val|
+        options[:task_permissions] ||= {}
+        parse_access_csv(options[:task_permissions], val, args, optparse)
+      end
+      opts.on('--global-workflow-access ACCESS', String, "Set the default workflow access: [none|full]" ) do  |val|
+        params['globalTaskSetAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-workflow-access')
+      opts.on('--default-workflow-access ACCESS', String, "Set the default workflow access: [none|full]" ) do  |val|
+        params['globalTaskSetAccess'] = val.to_s.downcase
+      end
+      opts.on('--workflows ID=ACCESS', String, "Set workflow to a custom access by workflow id. Example: 1=none,2=full" ) do |val|
+        options[:workflow_permissions] ||= {}
+        parse_access_csv(options[:workflow_permissions], val, args, optparse)
+      end
       opts.on('--reset-permissions', "Reset all feature permission access to none. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
         options[:reset_permissions] = true
       end
-      opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
+      opts.add_hidden_option('--reset-permissions')
+      opts.on('--reset-feature-access', "Reset all feature permission access to none. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
+        options[:reset_permissions] = true
+      end
+      opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
         options[:reset_all_access] = true
+      end
+      opts.on('--owner ID', String, "Set the owner/tenant/account for the role by account id. Only master tenants with full permission for Tenant and Role may use this option." ) do |val|
+        params['owner'] = val
       end
             opts.footer = <<-EOT
 Create a new role.
 [name] is required. This is a unique name (authority) for the new role.
 All the role permissions and access values can be configured.
-Use --permissions "CODE=ACCESS,CODE=ACCESS" to update access levels for specific feature permissions identified by code. 
-Use --global-instance-type-access custom --instance-types "CODE=ACCESS,CODE=ACCESS" to customize instance type access.
+Use --feature-access "CODE=ACCESS,CODE=ACCESS" to update access levels for specific feature permissions identified by code. 
+Use --default-instance-type-access custom --instance-types "CODE=ACCESS,CODE=ACCESS" to customize instance type access.
 Only the specified permissions,instance types, etc. are updated.
-Use --reset-permissions to set access to "none" for all unspecified feature permissions.
-Use --reset-all-access to set access to "none" for all unspecified feature permissions and global access values for groups, instance types, etc.
+Use --reset-feature-access to set access to "none" for all unspecified feature permissions.
+Use --reset-all-access to set access to "none" for all unspecified feature permissions and default access values for groups, instance types, etc.
 EOT
       build_common_options(opts, options, [:options, :payload, :json, :dry_run, :remote])
     end
@@ -619,21 +724,35 @@ EOT
         v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'description', 'fieldLabel' => 'Description', 'type' => 'text', 'displayOrder' => 2}], options[:options])
         role_payload['description'] = v_prompt['description']
 
-        if @is_master_account
-          v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'roleType', 'fieldLabel' => 'Type', 'type' => 'select', 'selectOptions' => role_type_options, 'defaultValue' => 'user', 'displayOrder' => 3}], options[:options])
+        if params['owner']
+          if @is_master_account && has_complete_access
+            role_payload['owner'] = params['owner']
+          else
+            print_red_alert "You do not have the necessary authority to use owner option"
+            return
+          end
+        elsif @is_master_account && has_complete_access
+          v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'owner', 'fieldLabel' => 'Owner', 'type' => 'select', 'selectOptions' => role_owner_options, 'defaultValue' => current_account['id'], 'displayOrder' => 3}], options[:options])
+          role_payload['owner'] = v_prompt['owner']
+        else
+          role_payload['owner'] = current_account['id']
+        end  
+
+        if @is_master_account && role_payload['owner'] == current_account['id']
+          v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'roleType', 'fieldLabel' => 'Type', 'type' => 'select', 'selectOptions' => role_type_options, 'defaultValue' => 'user', 'displayOrder' => 4}], options[:options])
           role_payload['roleType'] = v_prompt['roleType']
         else
           role_payload['roleType'] = 'user'
         end
 
-        v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'baseRole', 'fieldLabel' => 'Copy From Role', 'type' => 'text', 'displayOrder' => 4}], options[:options])
+        v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'baseRole', 'fieldLabel' => 'Copy From Role', 'type' => 'select', 'selectOptions' => base_role_options(role_payload), 'displayOrder' => 5}], options[:options])
         if v_prompt['baseRole'].to_s != ''
           base_role = find_role_by_name_or_id(account_id, v_prompt['baseRole'])
           exit 1 if base_role.nil?
           role_payload['baseRoleId'] = base_role['id']
         end
 
-        if @is_master_account
+        if @is_master_account && role_payload['owner'] == current_account['id']
           if role_payload['roleType'] == 'user'
             v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'multitenant', 'fieldLabel' => 'Multitenant', 'type' => 'checkbox', 'defaultValue' => 'off', 'description' => 'A Multitenant role is automatically copied into all existing subaccounts as well as placed into a subaccount when created. Useful for providing a set of predefined roles a Customer can use', 'displayOrder' => 5}], options[:options])
             role_payload['multitenant'] = ['on','true'].include?(v_prompt['multitenant'].to_s)
@@ -752,6 +871,32 @@ EOT
           end
           params['reportTypes'] = perms_array
         end
+        if options[:task_permissions]
+          perms_array = []
+          options[:task_permissions].each do |k,v|
+            task_id = k
+            access_value = v.to_s.empty? ? "none" : v.to_s
+            if task_id =~ /\A\d{1,}\Z/
+              perms_array << {"id" => task_id.to_i, "access" => access_value}
+            else
+              perms_array << {"name" => task_id, "access" => access_value}
+            end
+          end
+          params['tasks'] = perms_array
+        end
+        if options[:workflow_permissions]
+          perms_array = []
+          options[:workflow_permissions].each do |k,v|
+            workflow_id = k
+            access_value = v.to_s.empty? ? "none" : v.to_s
+            if workflow_id =~ /\A\d{1,}\Z/
+              perms_array << {"id" => workflow_id.to_i, "access" => access_value}
+            else
+              perms_array << {"name" => workflow_id, "access" => access_value}
+            end
+          end
+          params['workflows'] = perms_array
+        end
         if options[:reset_permissions]
           params["resetPermissions"] = true
         end
@@ -790,6 +935,10 @@ EOT
       if account
         details_options.push "--account-id", account['id'].to_s
       end
+
+      if role_payload['owner']
+        details_options.push "--account-id", role_payload['owner'].to_s
+      end
       get(details_options)
 
     rescue RestClient::Exception => e
@@ -808,35 +957,60 @@ EOT
         options[:permissions] ||= {}
         parse_access_csv(options[:permissions], val, args, optparse)
       end
-      opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|custom|full]" ) do |val|
+      opts.add_hidden_option('--permissions')
+      opts.on('--feature-access CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
+        options[:permissions] ||= {}
+        parse_access_csv(options[:permissions], val, args, optparse)
+      end
+      opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|full]" ) do |val|
+        params['globalSiteAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-group-access')
+      opts.on('--default-group-access ACCESS', String, "Update the default group (site) access: [none|read|full]" ) do |val|
         params['globalSiteAccess'] = val.to_s.downcase
       end
       opts.on('--groups ID=ACCESS', String, "Set group (site) to a custom access by group id. Example: 1=none,2=full,3=read" ) do |val|
         options[:group_permissions] ||= {}
         parse_access_csv(options[:group_permissions], val, args, optparse)
       end
-      opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|custom|full]" ) do  |val|
+      opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|read|full]" ) do  |val|
+        params['globalZoneAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-cloud-access')
+      opts.on('--default-cloud-access ACCESS', String, "Update the default cloud (zone) access: [none|read|full]" ) do  |val|
         params['globalZoneAccess'] = val.to_s.downcase
       end
       opts.on('--clouds ID=ACCESS', String, "Set cloud (zone) to a custom access by cloud id. Example: 1=none,2=full,3=read" ) do |val|
         options[:cloud_permissions] ||= {}
         parse_access_csv(options[:cloud_permissions], val, args, optparse)
       end
-      opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|custom|full]" ) do  |val|
+      opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|full]" ) do  |val|
+        params['globalInstanceTypeAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-instance-type-access')
+      opts.on('--default-instance-type-access ACCESS', String, "Update the default instance type access: [none|full]" ) do  |val|
         params['globalInstanceTypeAccess'] = val.to_s.downcase
       end
       opts.on('--instance-types CODE=ACCESS', String, "Set instance type to a custom access instance type code. Example: nginx=full,apache=none" ) do |val|
         options[:instance_type_permissions] ||= {}
         parse_access_csv(options[:instance_type_permissions], val, args, optparse)
       end
-      opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|custom|full]" ) do  |val|
+      opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|full]" ) do  |val|
+        params['globalAppTemplateAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-blueprint-access')
+      opts.on('--default-blueprint-access ACCESS', String, "Update the default blueprint access: [none|full]" ) do  |val|
         params['globalAppTemplateAccess'] = val.to_s.downcase
       end
       opts.on('--blueprints ID=ACCESS', String, "Set blueprint to a custom access by blueprint id. Example: 1=full,2=none" ) do |val|
         options[:blueprint_permissions] ||= {}
         parse_access_csv(options[:blueprint_permissions], val, args, optparse)
       end
-      opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|custom|full]" ) do  |val|
+      opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|full]" ) do  |val|
+        params['globalCatalogItemTypeAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-catalog-item-type-access')
+      opts.on('--default-catalog-item-type-access ACCESS', String, "Update the default catalog item type access: [none|full]" ) do  |val|
         params['globalCatalogItemTypeAccess'] = val.to_s.downcase
       end
       opts.on('--catalog-item-types CODE=ACCESS', String, "Set catalog item type to a custom access by catalog item type id. Example: 1=full,2=none" ) do |val|
@@ -847,24 +1021,58 @@ EOT
         options[:persona_permissions] ||= {}
         parse_access_csv(options[:persona_permissions], val, args, optparse)
       end
-      opts.on('--global-vdi-pool-access-access ACCESS', String, "Update the global VDI pool access: [none|custom|full]" ) do  |val|
+      opts.on('--global-vdi-pool-access ACCESS', String, "Update the global VDI pool access: [none|full]" ) do  |val|
+        params['globalVdiPoolAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-vdi-pool-access')
+      opts.on('--default-vdi-pool-access ACCESS', String, "Update the default VDI pool access: [none|full]" ) do  |val|
         params['globalVdiPoolAccess'] = val.to_s.downcase
       end
       opts.on('--vdi-pools ID=ACCESS', String, "Set VDI pool to a custom access by VDI pool id. Example: 1=full,2=none" ) do |val|
         options[:vdi_pool_permissions] ||= {}
         parse_access_csv(options[:vdi_pool_permissions], val, args, optparse)
       end
-      opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|custom|full]" ) do  |val|
+      opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|full]" ) do  |val|
+        params['globalReportTypeAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-report-type-access')
+      opts.on('--default-report-type-access ACCESS', String, "Update the default report type access: [none|full]" ) do  |val|
         params['globalReportTypeAccess'] = val.to_s.downcase
       end
       opts.on('--report-types CODE=ACCESS', String, "Set report type to a custom access by report type code. Example: appCost=none,guidance=full" ) do |val|
         options[:report_type_permissions] ||= {}
         parse_access_csv(options[:report_type_permissions], val, args, optparse)
       end
+      opts.on('--global-task-access ACCESS', String, "Update the global task access: [none|full]" ) do  |val|
+        params['globalTaskAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-task-access')
+      opts.on('--default-task-access ACCESS', String, "Update the default task access: [none|full]" ) do  |val|
+        params['globalTaskAccess'] = val.to_s.downcase
+      end
+      opts.on('--tasks ID=ACCESS', String, "Set task to a custom access by task id. Example: 1=none,2=full" ) do |val|
+        options[:task_permissions] ||= {}
+        parse_access_csv(options[:task_permissions], val, args, optparse)
+      end
+      opts.on('--global-workflow-access ACCESS', String, "Update the global workflow access: [none|full]" ) do  |val|
+        params['globalTaskSetAccess'] = val.to_s.downcase
+      end
+      opts.add_hidden_option('--global-workflow-access')
+      opts.on('--default-workflow-access ACCESS', String, "Update the default workflow access: [none|full]" ) do  |val|
+        params['globalTaskSetAccess'] = val.to_s.downcase
+      end
+      opts.on('--workflows ID=ACCESS', String, "Set workflow to a custom access by workflow id. Example: 1=none,2=full" ) do |val|
+        options[:workflow_permissions] ||= {}
+        parse_access_csv(options[:workflow_permissions], val, args, optparse)
+      end
       opts.on('--reset-permissions', "Reset all feature permission access to none. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
         options[:reset_permissions] = true
       end
-      opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
+      opts.add_hidden_option('--reset-permissions')
+      opts.on('--reset-feature-access', "Reset all feature permission access to none. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
+        options[:reset_permissions] = true
+      end
+      opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
         options[:reset_all_access] = true
       end
       build_standard_update_options(opts, options)
@@ -872,10 +1080,10 @@ EOT
 Update a role.
 [role] is required. This is the name (authority) or id of a role.
 All the role permissions and access values can be configured.
-Use --permissions "CODE=ACCESS,CODE=ACCESS" to update access levels for specific feature permissions identified by code. 
-Use --global-instance-type-access custom --instance-types "CODE=ACCESS,CODE=ACCESS" to customize instance type access.
+Use --feature-access "CODE=ACCESS,CODE=ACCESS" to update access levels for specific feature permissions identified by code. 
+Use --default-instance-type-access custom --instance-types "CODE=ACCESS,CODE=ACCESS" to customize instance type access.
 Only the specified permissions,instance types, etc. are updated.
-Use --reset-permissions to set access to "none" for all unspecified feature permissions.
+Use --reset-feature-access to set access to "none" for all unspecified feature permissions.
 Use --reset-all-access to set access to "none" for all unspecified feature permissions and global access values for groups, instance types, etc.
 EOT
     end
@@ -1016,6 +1224,32 @@ EOT
           end
           params['reportTypes'] = perms_array
         end
+        if options[:task_permissions]
+          perms_array = []
+          options[:task_permissions].each do |k,v|
+            task_id = k
+            access_value = v.to_s.empty? ? "none" : v.to_s
+            if task_id =~ /\A\d{1,}\Z/
+              perms_array << {"id" => task_id.to_i, "access" => access_value}
+            else
+              perms_array << {"name" => task_id, "access" => access_value}
+            end
+          end
+          params['tasks'] = perms_array
+        end
+        if options[:workflow_permissions]
+          perms_array = []
+          options[:workflow_permissions].each do |k,v|
+            workflow_id = k
+            access_value = v.to_s.empty? ? "none" : v.to_s
+            if workflow_id =~ /\A\d{1,}\Z/
+              perms_array << {"id" => workflow_id.to_i, "access" => access_value}
+            else
+              perms_array << {"name" => workflow_id, "access" => access_value}
+            end
+          end
+          params['taskSets'] = perms_array
+        end
         if options[:reset_permissions]
           params["resetPermissions"] = true
         end
@@ -1099,7 +1333,7 @@ EOT
 
   def update_feature_access(args)
     options = {}
-    allowed_access_values = ['full', 'user', 'read', 'none'] # just for display , veries per permission
+    allowed_access_values = ["full", "full_decrypted", "group", "listfiles", "managerules", "no", "none", "provision", "read", "rolemappings", "user", "view", "yes"]
     permission_code = nil
     access_value = nil
     optparse = Morpheus::Cli::OptionParser.new do |opts|
@@ -1168,15 +1402,19 @@ EOT
   end
 
   def update_global_group_access(args)
-    usage = "Usage: morpheus roles update-global-group-access [role] [full|read|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_group_access(args)
+  end
+
+  def update_default_group_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|read|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
       opts.footer = <<-EOT
-Update global group access for a role.
+Update default group access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, read, custom or none.
+[access] is required. This is the access level to assign: full, read, or none.
 Only applicable to User roles.
 EOT
     end
@@ -1188,7 +1426,7 @@ EOT
     end
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'read', 'custom', 'none'].include?(access_value)
+    if !['full', 'read', 'none'].include?(access_value)
       puts optparse
       exit 1
     end
@@ -1212,7 +1450,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global group access updated"
+        print_green_success "Role #{role['authority']} default group access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -1226,7 +1464,7 @@ EOT
     group_id = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'read', 'none']
+    allowed_access_values = ['full', 'read', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [group] [access]")
       opts.on( '-g', '--group GROUP', "Group name or id" ) do |val|
@@ -1244,7 +1482,6 @@ Update role access for a group or all groups.
 [role] is required. This is the name or id of a role.
 --group or --all is required. This is the name or id of a group.
 --access is required. This is the new access value: #{ored_list(allowed_access_values)}
-Only applicable to User roles and when global group access is set to "custom".
 EOT
       
     end
@@ -1279,14 +1516,6 @@ EOT
       role = find_role_by_name_or_id(account_id, name)
       return 1 if role.nil?
 
-      role_json = @roles_interface.get(account_id, role['id'])
-      if role_json['globalSiteAccess'] != 'custom'
-        print "\n", red, "Global Group Access is currently: #{role_json['globalSiteAccess'].capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-group-access \"#{name}\" custom`"
-        print "\n\n", reset
-        exit 1
-      end
-
       group = nil
       if !do_all
         group = find_group_by_name_or_id_for_provisioning(group_id)
@@ -1326,15 +1555,19 @@ EOT
   end
 
   def update_global_cloud_access(args)
-    usage = "Usage: morpheus roles update-global-cloud-access [role] [full|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_cloud_access(args)
+  end
+
+  def update_default_cloud_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
-            opts.footer = <<-EOT
-Update global cloud access for a role.
+      opts.footer = <<-EOT
+Update default cloud access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, custom or none.
+[access] is required. This is the access level to assign: full, read or none.
 Only applicable to Tenant roles.
 EOT
     end
@@ -1346,7 +1579,7 @@ EOT
     end
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'custom', 'none'].include?(access_value)
+    if !['full', 'read', 'none'].include?(access_value)
       puts optparse
       exit 1
     end
@@ -1370,7 +1603,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global cloud access updated"
+        print_green_success "Role #{role['authority']} default cloud access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -1383,7 +1616,7 @@ EOT
     cloud_id = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'read', 'none']
+    allowed_access_values = ['full', 'read', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role]")
       opts.on( '-c', '--cloud CLOUD', "Cloud name or id" ) do |val|
@@ -1401,7 +1634,6 @@ Update role access for a cloud or all clouds.
 [role] is required. This is the name or id of a role.
 --cloud or --all is required. This is the name or id of a cloud.
 --access is required. This is the new access value: #{ored_list(allowed_access_values)}
-Only applicable to Tenant roles and when global cloud access is set to "custom".
 EOT
     end
     optparse.parse!(args)
@@ -1436,12 +1668,6 @@ EOT
       exit 1 if role.nil?
 
       role_json = @roles_interface.get(account_id, role['id'])
-      if role_json['globalZoneAccess'] != 'custom'
-        print "\n", red, "Global Cloud Access is currently: #{role_json['globalZoneAccess'].capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-cloud-access \"#{name}\" custom`"
-        print "\n\n", reset
-        exit 1
-      end
 
       cloud = nil
       if !do_all
@@ -1481,15 +1707,19 @@ EOT
   end
 
   def update_global_instance_type_access(args)
-    usage = "Usage: morpheus roles update-global-instance-type-access [role] [full|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_instance_type_access(args)
+  end
+
+  def update_default_instance_type_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
             opts.footer = <<-EOT
-Update global instance type access for a role.
+Update default instance type access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, custom or none.
+[access] is required. This is the access level to assign: full or none.
 EOT
     end
     optparse.parse!(args)
@@ -1500,7 +1730,7 @@ EOT
     end
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'custom', 'none'].include?(access_value)
+    if !['full', 'none'].include?(access_value)
       puts optparse
       exit 1
     end
@@ -1525,7 +1755,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global instance type access updated"
+        print_green_success "Role #{role['authority']} default instance type access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -1538,7 +1768,7 @@ EOT
     instance_type_name = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'none']
+    allowed_access_values = ['full', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [type] [access]")
       opts.on( '--instance-type INSTANCE_TYPE', String, "Instance Type name" ) do |val|
@@ -1587,13 +1817,6 @@ EOT
       return 1 if role.nil?
 
       role_json = @roles_interface.get(account_id, role['id'])
-      if role_json['globalInstanceTypeAccess'] != 'custom'
-        print "\n", red, "Global Instance Type Access is currently: #{role_json['globalInstanceTypeAccess'].capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-instance-type-access \"#{name}\" custom`"
-        print "\n\n", reset
-        return 1
-      end
-
       instance_type = nil
       if !do_all
         instance_type = find_instance_type_by_name(instance_type_name)
@@ -1632,15 +1855,19 @@ EOT
   end
 
   def update_global_blueprint_access(args)
-    usage = "Usage: morpheus roles update-global-blueprint-access [role] [full|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_blueprint_access(args)
+  end
+
+  def update_default_blueprint_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
             opts.footer = <<-EOT
-Update global blueprint access for a role.
+Update default blueprint access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, custom or none.
+[access] is required. This is the access level to assign: full or none.
 EOT
     end
     optparse.parse!(args)
@@ -1651,7 +1878,7 @@ EOT
     end
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'custom', 'none'].include?(access_value)
+    if !['full', 'none'].include?(access_value)
       puts optparse
       exit 1
     end
@@ -1676,7 +1903,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global blueprint access updated"
+        print_green_success "Role #{role['authority']} default blueprint access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -1689,7 +1916,7 @@ EOT
     blueprint_id = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'none']
+    allowed_access_values = ['full', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [blueprint] [access]")
       opts.on( '--blueprint ID', String, "Blueprint ID or Name" ) do |val|
@@ -1741,12 +1968,6 @@ EOT
       role_json = @roles_interface.get(account_id, role['id'])
       blueprint_global_access = role_json['globalAppTemplateAccess'] || role_json['globalBlueprintAccess']
       blueprint_permissions = role_json['appTemplatePermissions'] || role_json['blueprintPermissions'] || []
-      if blueprint_global_access != 'custom'
-        print "\n", red, "Global Blueprint Access is currently: #{blueprint_global_access.to_s.capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-blueprint-access \"#{name}\" custom`"
-        print "\n\n", reset
-        return 1
-      end
 
       # hacky, but support name or code lookup via the list returned in the show payload
       blueprint = nil
@@ -1796,15 +2017,19 @@ EOT
   end
 
   def update_global_catalog_item_type_access(args)
-    usage = "Usage: morpheus roles update-global-catalog-item-type-access [role] [full|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_catalog_item_type_access(args)
+  end
+
+  def update_default_catalog_item_type_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
             opts.footer = <<-EOT
-Update global catalog item type access for a role.
+Update default catalog item type access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, custom or none.
+[access] is required. This is the access level to assign: full or none.
 EOT
     end
     optparse.parse!(args)
@@ -1815,7 +2040,7 @@ EOT
     end
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'custom', 'none'].include?(access_value)
+    if !['full', 'none'].include?(access_value)
       puts optparse
       exit 1
     end
@@ -1840,7 +2065,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global catalog item type access updated"
+        print_green_success "Role #{role['authority']} default catalog item type access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -1853,7 +2078,7 @@ EOT
     catalog_item_type_id = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'none']
+    allowed_access_values = ['full', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [catalog-item-type] [access]")
       opts.on( '--catalog-item-type ID', String, "Catalog Item Type ID or Name" ) do |val|
@@ -1905,12 +2130,6 @@ EOT
       role_json = @roles_interface.get(account_id, role['id'])
       catalog_item_type_global_access = role_json['globalCatalogItemTypeAccess']
       catalog_item_type_permissions = role_json['catalogItemTypePermissions'] || role_json['catalogItemTypes'] []
-      if catalog_item_type_global_access != 'custom'
-        print "\n", red, "Global Catalog Item Type Access is currently: #{catalog_item_type_global_access.to_s.capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-catalog-item-type-access \"#{name}\" custom`"
-        print "\n\n", reset
-        return 1
-      end
 
       # hacky, but support name or code lookup via the list returned in the show payload
       catalog_item_type = nil
@@ -1957,13 +2176,64 @@ EOT
     end
   end
 
+  def update_default_persona_access(args)
+    options = {}
+    optparse = Morpheus::Cli::OptionParser.new do |opts|
+      opts.banner = subcommand_usage("[role] [access]")
+      build_common_options(opts, options, [:json, :dry_run, :remote])
+      opts.footer = <<-EOT
+Update default persona access for a role.
+[role] is required. This is the name (authority) or id of a role.
+[access] is required. This is the access level to assign: full or none.
+      EOT
+    end
+    optparse.parse!(args)
+
+    if args.count < 2
+      puts optparse
+      exit 1
+    end
+    name = args[0]
+    access_value = args[1].to_s.downcase
+    if !['full', 'none'].include?(access_value)
+      puts optparse
+      exit 1
+    end
+
+    connect(options)
+    begin
+      account = find_account_from_options(options)
+      account_id = account ? account['id'] : nil
+      role = find_role_by_name_or_id(account_id, name)
+      exit 1 if role.nil?
+
+      params = {permissionCode: 'Persona', access: access_value}
+      @roles_interface.setopts(options)
+      if options[:dry_run]
+        print_dry_run @roles_interface.dry.update_permission(account_id, role['id'], params)
+        return
+      end
+      json_response = @roles_interface.update_permission(account_id, role['id'], params)
+
+      if options[:json]
+        print JSON.pretty_generate(json_response)
+        print "\n"
+      else
+        print_green_success "Role #{role['authority']} default persona access updated"
+      end
+    rescue RestClient::Exception => e
+      print_rest_exception(e, options)
+      exit 1
+    end
+  end
+
   def update_persona_access(args)
     options = {}
     persona_id = nil
     name = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'none']
+    allowed_access_values = ['full', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [persona] [access]")
       opts.on( '--persona CODE', String, "Persona Code" ) do |val|
@@ -2049,22 +2319,26 @@ EOT
   end
 
   def update_global_vdi_pool_access(args)
-    usage = "Usage: morpheus roles update-global-vdi-pool-access [role] [full|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_vdi_pool_access(args)
+  end
+
+  def update_default_vdi_pool_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
             opts.footer = <<-EOT
-Update global VDI pool access for a role.
+Update default VDI pool access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, custom or none.
+[access] is required. This is the access level to assign: full or none.
 EOT
     end
     optparse.parse!(args)
     verify_args!(args:args, optparse:optparse, count: 2)
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'custom', 'none'].include?(access_value)
+    if !['full', 'none'].include?(access_value)
       raise_command_error("invalid access value: #{args[1]}", args, optparse)
     end
 
@@ -2088,7 +2362,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global vdi pool access updated"
+        print_green_success "Role #{role['authority']} default vdi pool access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -2101,7 +2375,7 @@ EOT
     vdi_pool_id = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'none']
+    allowed_access_values = ['full', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [vdi-pool] [access]")
       opts.on( '--vdi-pool ID', String, "VDI Pool ID or Name" ) do |val|
@@ -2121,8 +2395,6 @@ EOT
     end
     optparse.parse!(args)
 
-    # usage: update-vdi-pool-access [role] [access] --all
-    #        update-vdi-pool-access [role] [vdi-pool] [access]
     name = args[0]
     if do_all
       verify_args!(args:args, optparse:optparse, min:1, max:2)
@@ -2155,12 +2427,6 @@ EOT
       role_json = @roles_interface.get(account_id, role['id'])
       vdi_pool_global_access = role_json['globalVdiPoolAccess']
       vdi_pool_permissions = role_json['vdiPoolPermissions'] || role_json['vdiPools'] || []
-      if vdi_pool_global_access != 'custom'
-        print "\n", red, "Global VDI Pool Access is currently: #{vdi_pool_global_access.to_s.capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-vdi-pool-access \"#{name}\" custom`"
-        print "\n\n", reset
-        return 1
-      end
 
       # hacky, but support name or code lookup via the list returned in the show payload
       vdi_pool = nil
@@ -2208,26 +2474,29 @@ EOT
   end
 
   def update_global_report_type_access(args)
-    usage = "Usage: morpheus roles update-global-report-type-access [role] [full|custom|none]"
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_report_type_access(args)
+  end
+
+  def update_default_report_type_access(args)
     options = {}
     optparse = Morpheus::Cli::OptionParser.new do |opts|
-      opts.banner = subcommand_usage("[role] [full|custom|none]")
+      opts.banner = subcommand_usage("[role] [access]")
       build_common_options(opts, options, [:json, :dry_run, :remote])
       opts.footer = <<-EOT
-Update global report type access for a role.
+Update default report type access for a role.
 [role] is required. This is the name (authority) or id of a role.
-[access] is required. This is the access level to assign: full, custom or none.
+[access] is required. This is the access level to assign: full or none.
 EOT
     end
     optparse.parse!(args)
     verify_args!(args:args, optparse:optparse, count: 2)
     name = args[0]
     access_value = args[1].to_s.downcase
-    if !['full', 'custom', 'none'].include?(access_value)
+    if !['full', 'none'].include?(access_value)
       raise_command_error("invalid access value: #{args[1]}", args, optparse)
     end
 
-
     connect(options)
     begin
       account = find_account_from_options(options)
@@ -2247,7 +2516,7 @@ EOT
         print JSON.pretty_generate(json_response)
         print "\n"
       else
-        print_green_success "Role #{role['authority']} global report type access updated"
+        print_green_success "Role #{role['authority']} default report type access updated"
       end
     rescue RestClient::Exception => e
       print_rest_exception(e, options)
@@ -2260,7 +2529,7 @@ EOT
     report_type_id = nil
     access_value = nil
     do_all = false
-    allowed_access_values = ['full', 'none']
+    allowed_access_values = ['full', 'none', 'default']
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [report-type] [access]")
       opts.on( '--report-type ID', String, "Report Type ID or Name" ) do |val|
@@ -2314,12 +2583,6 @@ EOT
       role_json = @roles_interface.get(account_id, role['id'])
       report_type_global_access = role_json['globalReportTypeAccess']
       report_type_permissions = role_json['reportTypePermissions'] || role_json['reportTypes'] || []
-      if report_type_global_access != 'custom'
-        print "\n", red, "Global Report Type Access is currently: #{report_type_global_access.to_s.capitalize}"
-        print "\n", "You must first set it to Custom via `morpheus roles update-global-report-type-access \"#{name}\" custom`"
-        print "\n\n", reset
-        return 1
-      end
 
       # hacky, but support name or code lookup via the list returned in the show payload
       report_type = nil
@@ -2366,6 +2629,311 @@ EOT
     end
   end
 
+  def update_global_task_access(args)
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_task_access(args)
+  end
+
+  def update_default_task_access(args)
+    options = {}
+    optparse = Morpheus::Cli::OptionParser.new do |opts|
+      opts.banner = subcommand_usage("[role] [access]")
+      build_common_options(opts, options, [:json, :dry_run, :remote])
+      opts.footer = <<-EOT
+Update default task access for a role.
+[role] is required. This is the id of a role.
+[access] is required. This is the access level to assign: full or none.
+      EOT
+    end
+    optparse.parse!(args)
+    verify_args!(args:args, optparse:optparse, count: 2)
+    name = args[0]
+    access_value = args[1].to_s.downcase
+    if !['full', 'none'].include?(access_value)
+      raise_command_error("invalid access value: #{args[1]}", args, optparse)
+    end
+
+    connect(options)
+    begin
+      account = find_account_from_options(options)
+      account_id = account ? account['id'] : nil
+      role = find_role_by_name_or_id(account_id, name)
+      exit 1 if role.nil?
+      # note: ReportTypes being plural is odd, the others are singular
+      params = {permissionCode: 'Task', access: access_value}
+      @roles_interface.setopts(options)
+      if options[:dry_run]
+        print_dry_run @roles_interface.dry.update_permission(account_id, role['id'], params)
+        return
+      end
+      json_response = @roles_interface.update_permission(account_id, role['id'], params)
+
+      if options[:json]
+        print JSON.pretty_generate(json_response)
+        print "\n"
+      else
+        print_green_success "Role #{role['authority']} default task access updated"
+      end
+    rescue RestClient::Exception => e
+      print_rest_exception(e, options)
+      exit 1
+    end
+  end
+
+  def update_task_access(args)
+    options = {}
+    task_id = nil
+    access_value = nil
+    do_all = false
+    allowed_access_values = ['full', 'none', 'default']
+    optparse = Morpheus::Cli::OptionParser.new do |opts|
+      opts.banner = subcommand_usage("[role] [task] [access]")
+      opts.on( '--task ID', String, "Task ID, code or name" ) do |val|
+        report_type_id = val
+      end
+      opts.on( nil, '--all', "Update all tasks at once." ) do
+        do_all = true
+      end
+      opts.on( '--access VALUE', String, "Access value [#{allowed_access_values.join('|')}]" ) do |val|
+        access_value = val
+      end
+      build_common_options(opts, options, [:json, :dry_run, :remote])
+      opts.footer = "Update role access for a task or all tasks.\n" +
+        "[role] is required. This is the name, code or id of a task.\n" +
+        "--task or --all is required. This is the name, code or id of a task.\n" +
+        "--access is required. This is the new access value: #{ored_list(allowed_access_values)}"
+    end
+    optparse.parse!(args)
+
+    name = args[0]
+    if do_all
+      verify_args!(args:args, optparse:optparse, min:1, max:2)
+      access_value = args[1] if args[1]
+    else
+      verify_args!(args:args, optparse:optparse, min:1, max:3)
+      task_id = args[1] if args[1]
+      access_value = args[2] if args[2]
+    end
+    if !task_id && !do_all
+      raise_command_error("missing required argument: [task] or --all", args, optparse)
+    end
+    if !access_value
+      raise_command_error("missing required argument: [access]", args, optparse)
+    end
+    access_value = access_value.to_s.downcase
+    if !allowed_access_values.include?(access_value)
+      raise_command_error("invalid access value: #{access_value}", args, optparse)
+      puts optparse
+      return 1
+    end
+
+    connect(options)
+    begin
+      account = find_account_from_options(options)
+      account_id = account ? account['id'] : nil
+      role = find_role_by_name_or_id(account_id, name)
+      return 1 if role.nil?
+
+      role_json = @roles_interface.get(account_id, role['id'])
+      task_permissions = role_json['taskPermissions'] || role_json['tasks'] || []
+
+      # hacky, but support name or code lookup via the list returned in the show payload
+      task = nil
+      if !do_all
+        if task_id.to_s =~ /\A\d{1,}\Z/
+          task = task_permissions.find {|b| b['id'] == task_id.to_i }
+        else
+          task = task_permissions.find {|b| b['name'] == task_id || b['code'] == task_id }
+        end
+        if task.nil?
+          print_red_alert "Task not found: '#{task_id}'"
+          return 1
+        end
+      end
+
+      params = {}
+      if do_all
+        params['allTasks'] = true
+      else
+        params['taskId'] = task['id']
+      end
+      params['access'] = access_value == 'default' ? nil : access_value
+      @roles_interface.setopts(options)
+      if options[:dry_run]
+        print_dry_run @roles_interface.dry.update_task(account_id, role['id'], params)
+        return
+      end
+      json_response = @roles_interface.update_task(account_id, role['id'], params)
+
+      if options[:json]
+        print JSON.pretty_generate(json_response)
+        print "\n"
+      else
+        if do_all
+          print_green_success "Role #{role['authority']} access updated for all tasks"
+        else
+          print_green_success "Role #{role['authority']} access updated for task #{task['name']}"
+        end
+      end
+      return 0
+    rescue RestClient::Exception => e
+      print_rest_exception(e, options)
+      exit 1
+    end
+  end
+
+  def update_global_workflow_access(args)
+    puts "#{yellow}DEPRECATED#{reset}"
+    update_default_workflow_access(args)
+  end
+
+  def update_default_workflow_access(args)
+    options = {}
+    optparse = Morpheus::Cli::OptionParser.new do |opts|
+      opts.banner = subcommand_usage("[role] [access]")
+      build_common_options(opts, options, [:json, :dry_run, :remote])
+      opts.footer = <<-EOT
+Update default workflow access for a role.
+[role] is required. This is the id of a role.
+[access] is required. This is the access level to assign: full or none.
+      EOT
+    end
+    optparse.parse!(args)
+    verify_args!(args:args, optparse:optparse, count: 2)
+    name = args[0]
+    access_value = args[1].to_s.downcase
+    if !['full', 'none'].include?(access_value)
+      raise_command_error("invalid access value: #{args[1]}", args, optparse)
+    end
+
+    connect(options)
+    begin
+      account = find_account_from_options(options)
+      account_id = account ? account['id'] : nil
+      role = find_role_by_name_or_id(account_id, name)
+      exit 1 if role.nil?
+      params = {permissionCode: 'TaskSet', access: access_value}
+      @roles_interface.setopts(options)
+      if options[:dry_run]
+        print_dry_run @roles_interface.dry.update_permission(account_id, role['id'], params)
+        return
+      end
+      json_response = @roles_interface.update_permission(account_id, role['id'], params)
+
+      if options[:json]
+        print JSON.pretty_generate(json_response)
+        print "\n"
+      else
+        print_green_success "Role #{role['authority']} default workflow access updated"
+      end
+    rescue RestClient::Exception => e
+      print_rest_exception(e, options)
+      exit 1
+    end
+  end
+
+  def update_workflow_access(args)
+    options = {}
+    workflow_id = nil
+    access_value = nil
+    do_all = false
+    allowed_access_values = ['full', 'none', 'default']
+    optparse = Morpheus::Cli::OptionParser.new do |opts|
+      opts.banner = subcommand_usage("[role] [workflow] [access]")
+      opts.on( '--workflow ID', String, "Workflow ID, code or Name" ) do |val|
+        workflow_id = val
+      end
+      opts.on( nil, '--all', "Update all workflows at once." ) do
+        do_all = true
+      end
+      opts.on( '--access VALUE', String, "Access value [#{allowed_access_values.join('|')}]" ) do |val|
+        access_value = val
+      end
+      build_common_options(opts, options, [:json, :dry_run, :remote])
+      opts.footer = "Update role access for a workflow or all workflows.\n" +
+        "[role] is required. This is the name or id of a role.\n" +
+        "--workflow or --all is required. This is the name, code or id of a workflow.\n" +
+        "--access is required. This is the new access value: #{ored_list(allowed_access_values)}"
+    end
+    optparse.parse!(args)
+
+    name = args[0]
+    if do_all
+      verify_args!(args:args, optparse:optparse, min:1, max:2)
+      access_value = args[1] if args[1]
+    else
+      verify_args!(args:args, optparse:optparse, min:1, max:3)
+      workflow_id = args[1] if args[1]
+      access_value = args[2] if args[2]
+    end
+    if !workflow_id && !do_all
+      raise_command_error("missing required argument: [workflow] or --all", args, optparse)
+    end
+    if !access_value
+      raise_command_error("missing required argument: [access]", args, optparse)
+    end
+    access_value = access_value.to_s.downcase
+    if !allowed_access_values.include?(access_value)
+      raise_command_error("invalid access value: #{access_value}", args, optparse)
+      puts optparse
+      return 1
+    end
+
+    connect(options)
+    begin
+      account = find_account_from_options(options)
+      account_id = account ? account['id'] : nil
+      role = find_role_by_name_or_id(account_id, name)
+      return 1 if role.nil?
+
+      role_json = @roles_interface.get(account_id, role['id'])
+      workflow_permissions = role_json['taskSetPermissions'] || role_json['taskSets'] || []
+
+      # hacky, but support name or code lookup via the list returned in the show payload
+      workflow = nil
+      if !do_all
+        if workflow_id.to_s =~ /\A\d{1,}\Z/
+          workflow = workflow_permissions.find {|b| b['id'] == workflow_id.to_i }
+        else
+          workflow = workflow_permissions.find {|b| b['name'] == workflow_id }
+        end
+        if workflow.nil?
+          print_red_alert "Workflow not found: '#{workflow_id}'"
+          return 1
+        end
+      end
+
+      params = {}
+      if do_all
+        params['allTaskSets'] = true
+      else
+        params['taskSetId'] = workflow['id']
+      end
+      params['access'] = access_value == 'default' ? nil : access_value
+      @roles_interface.setopts(options)
+      if options[:dry_run]
+        print_dry_run @roles_interface.dry.update_task_set(account_id, role['id'], params)
+        return
+      end
+      json_response = @roles_interface.update_task_set(account_id, role['id'], params)
+
+      if options[:json]
+        print JSON.pretty_generate(json_response)
+        print "\n"
+      else
+        if do_all
+          print_green_success "Role #{role['authority']} access updated for all workflows"
+        else
+          print_green_success "Role #{role['authority']} access updated for workflow #{workflow['name']}"
+        end
+      end
+      return 0
+    rescue RestClient::Exception => e
+      print_rest_exception(e, options)
+      exit 1
+    end
+  end
+
   private
   
   def add_role_option_types
@@ -2396,6 +2964,27 @@ EOT
     ]
   end
 
+  def role_owner_options
+    @options_interface.options_for_source("tenants", {})['data']
+  end
+
+  def base_role_options(role_payload)
+    params = {"tenantId" => role_payload['owner'], "userId" => current_user['id'], "roleType" => role_payload['roleType'] }
+    @options_interface.options_for_source("copyFromRole", params)['data']
+  end
+
+  def has_complete_access
+    has_access = false
+    if @is_master_account
+      admin_accounts = @user_permissions.select { |it| it['code'] == 'admin-accounts' && it['access'] == 'full'}
+      admin_roles = @user_permissions.select { |it| it['code'] == 'admin-roles' && it['access'] == 'full' }
+      if admin_accounts != nil && admin_roles != nil
+        has_access = true
+      end
+    end
+    has_access 
+  end
+
   def parse_access_csv(output, val, args, optparse)
     output ||= {}
     val.split(",").each do |value_pair|