SAFR Server or SAFR Cloud allows you to create users restricted access to the system.  Creating users and the roles that can be granted to users are defined in https://docs.real.com/guides/safrdocs/Manage_Users_Preferences.html

Permissions are split into write/read/delete for either events or people.  There are also privileges to enable modification of configuration split into basic and full settings.

In special cases, it may be necessary to know what API in involved in an action to know what privilege is required.   For example, the SMS Watchlist alarm requires uses POST /alarms API call.  We can see from the COVI Swagger page that CONFIG_PRIVILEGE is required for POST /alarm.  

From there we can find that at least ENGINEER role is required.