About assigning permissions to a custom role
When you create a custom role, you need to decide what tasks and actions you want that role to be able to perform. The availability of these tasks and actions is controlled by permissions.
Before you create a new role, review this topic to determine the set of permissions that you want to add to your new role.
Minimum permissions
To ensure that the user assigned to a custom role can access basic console functionality, including Device Details, grant every custom role the following permissions:
- Device Fields - View
- Device reports - View
Note that when you select a Manage permission, its associated View permission is also selected.
Feature permissions
To grant permissions for specific features, refer to the information in the following table:
Depending on the Absolute product licenses associated with your account, some permissions may not be available.
Feature | To grant … | That allow a user to … | Select the following permissions … |
---|---|---|---|
Agent Management | Manage capabilities | Assign an agent version | Version Control - Manage |
Agent Management | Manage capabilities | Download the agent | Agent Installer - Perform; Version Control - Manage |
Agent Management | View capabilities | View available agent versions; View agent versions assigned to your policy groups | Version Control - Manage |
AI Assistant | Manage capabilities | Configure the AI Assistant setting in Account Settings | AI Assistant - Manage |
AI Assistant | View capabilities | Use the AI Assistant | AI Assistant - View (See Note) |
API Management | Manage capabilities | Create, edit, and delete API tokens | API Credentials - Manage |
Application Resilience | Manage capabilities | Configure and activate Application Resilience policies in Policies > Policy Groups > Settings and Policies > Resilience | Policies - Manage; Licenses - Manage |
Application Resilience | View capabilities | View policies in Policies > Resilience; View and export Application Resilience reports; View Application Resilience dashboard widgets | Policies - View; Device reports - View; Dashboard Inventory - View |
Applications | Manage capabilities | Activate Installed Applications policies | Policies - Manage; Licenses - Manage |
Applications | View capabilities | View the Applications page and the Applications tab in Device Details; Export an application's Applications page | Software reports - View |
Custom Data | Manage capabilities | Configure and activate the Custom Data policy in Policies > Custom Data; Activate the Custom Data policy in Policies > Policy Groups | Custom Data Collection - Manage; Policies - Manage |
Chromebook Settings | Manage capabilities | Add Google accounts; Select Organizational Units; Delete Google accounts | Policies - Manage |
Dashboard | View capabilities | View and customize Device Usage widget | Dashboard Security - View |
Dashboard | View capabilities | View and customize all other widgets | Dashboard Inventory - View |
Device Usage | Manage capabilities | Activate Device Usage policies | Policies - Manage; Licenses - Manage |
Device Usage | Manage capabilities | Create and manage Device Analytics reports | Device Analytics reports - Manage |
Device Usage | View capabilities | View and export Device Usage report and Usage page in Device Details | Device reports - View |
Device Fields | Manage capabilities | Add and delete custom fields | Device Fields Definition - Manage |
Device Fields | Manage capabilities | Edit data in custom fields | Device Fields - Manage |
Device Fields | Manage capabilities | Import a file of custom field data | Device Fields - Assign |
Device Freeze | Manage capabilities | Submit Freeze requests | Freeze Device - Perform |
Device Freeze | Manage capabilities | Submit Remove Freeze requests; View unfreeze codes in reports and Device Details; Cancel pending Freeze requests in Action Requests | Remove Freeze - Perform |
Device Freeze | Manage capabilities | Create and manage message templates in the Settings > Messages area | Freeze Device - Manage |
Device Freeze | Manage capabilities | Create and manage Offline Freeze rules | Freeze Device - Perform; Remove Freeze - Perform |
Device Freeze | View capabilities | View and track the progress of Freeze and Remove Freeze requests, and devices frozen by Offline Freeze rules | Audit Event History - View |
Device Freeze | View capabilities | View status details for Freeze requests, Remove Freeze requests, and Offline Freeze rules in reports and Device Details | Device reports - View; One of the following: |
Device Freeze | View capabilities | View, track, and export Freeze and Remove Freeze requests in Action Requests and Actions | One of the following: |
Device Freeze | View capabilities | View the Device Freeze Status report | Remove Freeze - Perform |
Device Freeze | View capabilities | View message templates in the Settings > Messages area | Freeze Device - View |
Device Groups | Manage capabilities | Create and manage device groups | Device Groups and folders - Manage |
Device Groups | Manage capabilities | Create and manage permission groups | Device Groups and folders - Edit permission groups |
Dual Approval Settings | Manage capabilities | Manage Device Action approval limits for custom roles | Dual Approval Settings - Manage; User Management - View or Manage |
Dual Approval Settings | View capabilities | View Device Action approval limits | Dual Approval Settings - View; User Management - View or Manage |
Endpoint Data Discovery (EDD) | Manage capabilities | Configure and activate EDD policies; Create and manage custom EDD rules | Policies - Manage; Licenses - Manage; Endpoint Data Discovery - Manage |
Endpoint Data Discovery (EDD) | Manage capabilities | Perform EDD scan; Publish custom EDD rules | Endpoint Data Discovery - Publish |
Endpoint Data Discovery (EDD) | View capabilities | View custom EDD rules | Endpoint Data Discovery - View |
Endpoint Data Discovery (EDD) | View capabilities | View and export EDD reports; View Device Details - EDD tabs; View matches | Endpoint Data Discovery reports - View |
End User Messaging | Manage capabilities | Create and manage message templates in the Settings > Messages area | End User Messaging - Manage |
End User Messaging | Manage capabilities | Submit Send Message requests; Cancel pending Send Message requests in Action Requests | End User Messaging - Perform |
End User Messaging | View capabilities | View message templates in the Settings > Messages area; View, track, and export Send Message requests in Action Requests and Actions | End User Messaging - View |
Delete File | Manage capabilities | Perform Delete File security actions; Cancel pending File Delete requests in Action Requests | Delete File - Perform |
Delete File | View capabilities | View, track, and export File Delete requests in Action Requests and Actions | Delete File - View |
Geolocation | Manage capabilities | Activate Geolocation Tracking policies | Policies - Manage; Licenses - Manage |
Geolocation | Manage capabilities | Configure the Geolocation setting in Account Settings | Geolocation - Manage |
Geolocation | View capabilities | View the geographical location of your devices | Geolocation - View. To enable users to view street level locations on the map, also grant the Address-level view permission. |
History - Action Requests | View capabilities | View and export supported device action | At least one of the following: Wipe Device - View; Reach Script - View; Delete File - View; Unenroll - View; End User Messaging - View; Freeze - View; Remove Freeze - View |
History - Actions | Manage capabilities | Cancel pending actions | At least one of the following: Wipe Device - Perform; Reach Script - Run; Delete File - Perform; End User Messaging - Perform; Freeze Device - Perform |
History - Actions | View capabilities | View and export supported device actions | At least one of the following: Wipe Device - View; Reach Script - View; Delete File - View; Unenroll - View; End User Messaging - View; Freeze Device - View; Remove Freeze - View |
History - Events | View capabilities | View and export recent user, device, and system events | Audit Event History - View |
Investigations | Manage capabilities | Submit theft reports; View submitted and closed theft reports | Investigation - Manage |
Investigations | Manage capabilities | Create and manage the Investigation Report Contact list | Investigation Contact - Manage |
Investigations | View capabilities | View submitted and closed theft reports | Investigation - View |
Investigations | View capabilities | View the Investigation Report Contact list | Investigation Contact - View |
License management | Manage capabilities | Update license auto-assignment settings; Manage licenses assigned to devices | Licenses - Manage |
License management | View capabilities | View license status; View licenses assigned to devices; View unlicensed devices | Licenses - View |
Manage Supervisor Password | Manage capabilities | Create, change, or remove a device's firmware supervisor password | Manage Supervisor Password - Perform; Event History reports - View |
Missing Devices | Manage capabilities | Report devices missing; View devices reported missing; Report missing devices found | Missing Device - Manage |
Missing Devices | View capabilities | View devices reported missing; Export report of missing devices | Missing Device - View |
Playbooks | Manage capabilities | Activate Playbooks policies | Policies - Manage |
Playbooks | Manage capabilities | Run playbooks | Run playbook - Perform |
Playbooks | View capabilities | View Playbooks provisioning status in Device Details; View Playbook requested banner in Device Details; View playbook templates | Run playbook - View |
Policy groups and policies | Manage capabilities | Create policy groups; Add and remove devices in policy groups; Configure and activate policies | Policies - Manage |
Policy groups and policies | View capabilities | View policy groups and policies on the Policy Groups page; View Policies page in a device's Device Details | Policies - View |
Reach Script | Administrative capabilities | Upload scripts; Work with the script library | Reach Script - Manage and Run |
Reach Script | Manage capabilities | Run scripts; Cancel scripts | Reach Script - Run (View permission is selected automatically) |
Reach Script | Manage capabilities | Configure script startup folder and script signature validation in Account settings | Reach Script - Manage |
Reach Script | View capabilities | View, track, and export the status of Run Script requests in Event History | Event History reports - View |
Reach Script | View capabilities | View, track, and export the status of Run Script requests in Action Requests and Actions; View script startup folder and script signature validation in Account settings | Reach Script - View |
Rules | Manage capabilities | Create and manage custom rules | Rules - Manage |
Rules | Manage capabilities | Create and manage Offline Freeze rules | |
Rules | Manage capabilities | Create and manage location rules and geofences | Rules - Manage |
Rules | View capabilities | View existing rules | Rules - View |
Rules | View capabilities | View geofences | Rules - View |
Service Agreement (EUSA) | Signing capabilities | Accept End User License and Service Agreement, as required | Service Agreement - Perform |
SIEM integration | Manage capabilities | Install the SIEM Connector; Configure SIEM events | SIEM integration - Perform |
SIEM integration | View capabilities | View configured SIEM events | SIEM integration - View |
Single Sign-On (SSO) | Manage capabilities | Configure and enable SSO | Authentication - Manage |
Single Sign-On (SSO) | Manage capabilities | Configure and enable SCIM integration | SCIM integration - Manage |
Single Sign-On (SSO) | Manage capabilities | Automatically sync user information from an IdP | SCIM integration - Perform. Assign the Perform permission to the API token used by SCIM integration. |
Single Sign-On (SSO) | View capabilities | View the status of SSO and SCIM integration on the Authentication Settings page | No permission required |
Single Sign-On (SSO) | View capabilities | View SSO identity provider details | Authentication - View |
Single Sign-On (SSO) | View capabilities | View SCIM integration configuration details | SCIM integration - View |
Two-Factor Authentication (2FA) | Manage capabilities | Configure and enable 2FA | Authentication - Manage |
Two-Factor Authentication (2FA) | View capabilities | View 2FA status on the Authentication Settings page | No permission required |
Unenroll Device | Manage capabilities | Unenroll devices | Unenroll Device - Perform |
Unenroll Device | View capabilities | View, track, and export the status of Unenroll requests in Action Requests and Actions | Unenroll Device - View |
User Management | Manage capabilities for users | Invite new users; Edit user profiles; Delete users; Assign users to a role (applies only to those roles that the role can manage); View roles and their permissions | Users - Manage and Assign; Roles - View |
User Management | Manage capabilities for roles | Create custom roles; Duplicate roles; Edit permissions of custom roles; Edit the list of roles a role can manage | Roles - Manage |
User Management | View capabilities | View users and roles in the User Management area | Users - View; Roles - View |
Vulnerabilities | Manage capabilities | Manage vulnerabilities | Either of the following: |
Vulnerabilities | View capabilities | View vulnerabilities | Either of the following: |
Web Usage | Manage capabilities | Activate Web Usage policies | Policies - Manage; Licenses - Manage |
Web Usage | Manage capabilities | Configure weekly time ranges | Web Usage - Manage |
Web Usage | Manage capabilities | Manage websites included in Web Usage | Web Usage Site Comparison - Manage |
Web Usage | View capabilities | View and export Web Usage reports | Web Usage - View |
Web Usage | View capabilities | View usage for individual devices | Web Usage - View; Web Usage - View Devices |
Web Usage | View capabilities | View and export Web Usage chart | Web Usage Site Comparison - View |
Wipe | Manage capabilities | Perform Wipe security actions; Cancel pending Cryptographic Wipe security requests in Action Requests | Wipe Device - Perform; Delete File - Perform. Granting the Wipe permission to a role automatically grants the Delete File - Perform permission. |
Wipe | View capabilities | View, track, and export Wipe requests in Action Requests and Actions | Wipe Device - View |
Workflows | Manage capabilities | Manage workflows | Workflows - Manage |
Workflows | Manage capabilities | Run workflows | Workflows - Run |
Workflows | View capabilities | View workflows | Workflows - View |
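
Added example, not part of the original page and not Absolute's own code or API: a small Python review of a proposed custom role that applies the rules stated in this topic (the two minimum permissions, a Manage permission also selecting its View permission, Wipe Device - Perform also granting Delete File - Perform, and an "at least one of the following" row). The CAPABILITIES subset, the function names, and the sample role are constructed for illustration.

```python
# Added example: least-privilege review of a proposed custom role.
# Permission names come from the table above; everything else is hypothetical.

MINIMUM = {"Device Fields - View", "Device reports - View"}

# capability -> (permissions that are all required, permissions of which one suffices)
CAPABILITIES = {
    "Submit Freeze requests": ({"Freeze Device - Perform"}, set()),
    "Perform Wipe security actions": (
        {"Wipe Device - Perform", "Delete File - Perform"}, set()),
    "Create, edit, and delete API tokens": ({"API Credentials - Manage"}, set()),
    "Create custom roles": ({"Roles - Manage"}, set()),
    "Cancel pending actions": (set(), {
        "Wipe Device - Perform", "Reach Script - Run", "Delete File - Perform",
        "End User Messaging - Perform", "Freeze Device - Perform"}),
}

def effective(selected):
    """Add the permissions the page says are selected or granted automatically."""
    perms = set(selected)
    for perm in selected:
        area, _, level = perm.rpartition(" - ")
        if level == "Manage":                 # Manage also selects View
            perms.add(f"{area} - View")
    if "Wipe Device - Perform" in perms:      # Wipe also grants Delete File
        perms.add("Delete File - Perform")
    return perms

def review(selected):
    """Report missing minimum permissions, implied grants and resulting capabilities."""
    perms = effective(selected)
    allowed = sorted(
        cap for cap, (all_of, any_of) in CAPABILITIES.items()
        if all_of <= perms and (not any_of or any_of & perms))
    return {"missing_minimum": sorted(MINIMUM - perms),
            "implied": sorted(perms - set(selected)),
            "capabilities": allowed}

if __name__ == "__main__":
    # Constructed role: what an administrator ticked in the console.
    proposed = {"Device reports - View", "Device Fields - Manage",
                "Wipe Device - Perform"}
    for key, value in review(proposed).items():
        print(f"{key}: {value}")
```

The "implied" list is the part worth reading during a role review: it shows permissions the role holds that nobody explicitly selected.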