About assigning permissions to a custom role

When you create a custom role, you need to decide what tasks and actions you want that role to be able to perform. The availability of these tasks and actions is controlled by permissions.

Before you create a new role, review this topic to determine the set of permissions that you want to add to your new role.

Minimum permissions

To ensure that the user assigned to a custom role can access basic console functionality, including Device Details, grant every custom role the following permissions:

  • Device Fields - View
  • Device reports - View

Note that when you select a Manage permission its associated View permission is also selected.

Feature permissions

To grant permissions for specific features, refer to the information in the following table:

NOTE  Depending on the Absolute product licenses associated with your account, some permissions may not be available.

Feature

To grant...

That allow a user to...

Select the following permissions...

Agent Management

Manage capabilities

Assign an agent version

Version Control - Manage

Download the agent

Agent Installer - Perform

Version Control - Manage

View capabilities

View available agent versions

View agent versions assigned to your policy groups

Version Control - Manage

Application Persistence (AP)

Manage capabilities

Configure and activate AP policies in Policies > Policy Groups > Settings and Policies > Persistence

Policies - Manage

Licenses - Manage

View capabilities

View policies in Policies > Persistence

View AP reports

Export AP reports

View AP dashboard widgets

Policies - View

Device reports - View

Device reports - Export

Dashboard Inventory - View

Applications

Manage capabilities

Activate Installed Software policies

Policies - Manage

Licenses - Manage

View capabilities

View Applications page in Assets and Device Details

Export an application's Applications page in Assets

Software reports - View

Software reports - Export

Custom Data Manage capabilities

Configure and activate a Custom Data policy in Policies > Custom Data

Custom Data Collection - Manage

Policies - Manage

View capabilities Add Custom Data columns in reports and pages Custom Data Collection - View
Chromebook Settings

Manage

capabilities

Add Google accounts

Select Organizational Units

Delete Google accounts

Policies - Manage

Dashboard

View capabilities

View and customize Device Usage widget

View and customize all other widgets

Dashboard Security - View

Dashboard Inventory - View

Device Usage

 

Manage capabilities

 

Activate Device Usage policies

Policies - Manage

Licenses - Manage

Create and manage Device Analytics reports

Device Analytics reports - Manage

Device Fields

Manage capabilities

Add and delete custom fields

Device Fields Definition - Manage

Edit data in custom fields

Device Fields - Manage

Import a file of custom field data

Device Fields - Assign

Export custom field data

Device Fields - Export

Device Freeze (Absolute 7 version only)

Manage capabilities

Submit Freeze requests

Freeze Device - Perform

Submit Remove Freeze requests

View Unfreeze Codes in reports and Device Details

Remove Freeze - Perform

Manage Device Freeze Messages in the Settings area

Freeze Device - View

Create and manage Offline Freeze rules

Rules - Manage

Freeze Device - Perform

Remove Freeze - Perform

View capabilities

View and track the progress of Freeze and Remove Freeze requests, and devices frozen by Offline Freeze rules

Event History reports - View and Export

View status details for Freeze requests, Remove Freeze requests, and Offline Freeze rules in reports and Device Details

Device reports - View

One of the following: Freeze Device - View, Freeze Device - Perform, or Remove Freeze - Perform

Device Groups

Manage capabilities

Create device groups and add devices to them

Device Groups and folders - Manage

Endpoint Data Discovery (EDD)

Manage capabilities

Configure and activate EDD policies

Create and manage custom EDD rules

Policies - Manage

Licenses - Manage

Endpoint Data Discovery - Manage

Perform EDD scan

Publish custom EDD rules

Endpoint Data Discovery - Publish

Protect at-risk files using AIP

Microsoft AIP - Perform (View permission is selected automatically)

View capabilities

View custom EDD rules

Endpoint Data Discovery - View

View EDD reports and Device Details -EDD tabs

View matches

Endpoint Data Discovery reports - View

Export EDD reports

Endpoint Data Discovery reports - Export

View AIP status on Device Details - EDD Summary tab

Microsoft AIP - View

Geolocation

Manage capabilities

Activate Geolocation Tracking policies

Policies - Manage

Licenses - Manage

View capabilities

View the geographical location of your devices

Geolocation - View

NOTE  To enable users to zoom in to street level locations on the map, also grant the Address-Level View permission.

Geofences Manage capabilities Create and manage geofences Geofences - Manage
History - Actions Manage capabilities Cancel pending actions in Action History

At least one of the following:

Wipe Device - Perform

Reach Script - Run

View capabilities

View device actions in Action History

Export device actions

At least one of the following:

Wipe Device - View

Reach Script - View

History - Events

View capabilities

View recent user, device, and system events

Audit Event History - View

Investigations

Manage capabilities

Submit theft reports

View submitted and closed theft reports

Investigation - Manage

View capabilities

View submitted and closed theft reports

Investigation - View

Manage Supervisor Password

Manage capabilities

Create, change, or remove a device's firmware supervisor password

Manage Supervisor Password - Perform

Event History reports- View and Export

Missing Devices

Manage capabilities

Report devices missing

View devices reported missing

Report missing devices found

Missing Device - Manage

View capabilities

View devices reported missing

Missing Device - View

Policies Groups and Policies

Manage capabilities

Create policy groups

Assign licenses to policy groups

Add and remove devices in policy groups

Configure and activate policies

View Policies page in a device's Device Details

Policies - Manage

Licenses - Manage

View capabilities

View policies and licenses on a policy group's Settings page

Policies - View

Licenses - View

Reach Script

Administrative capabilities

Upload scripts

Work with the Script Library

Reach Script - Manage and Run

Manage capabilities

Run scripts

Cancel scripts

Set temporary script location

Reach Script - Run (View permission is selected automatically)

View capabilities

View and track the status of Script requests in Event History

Event History reports - View and Export

View, track, and export the status of Script requests in Action History

View temporary script location

Reach Script - View

Rules

 

Manage capabilities Create and manage custom rules Rules - Manage
Create and manage Offline Freeze rules

Rules - Manage

Freeze Device - Perform

Remove Freeze - Perform

  Create and manage location rules and geofences Rules - Manage
View capabilities View existing rules Rules - View
    View geofences Rules - View

Service Agreement (EUSA)

Signing capabilities

Accept End User License and Service Agreement, as required

Service Agreement - Perform

SIEM integration Manage capabilities

Install the SIEM Connector

Configure SIEM events

SIEM integration - Perform
View capabilities View configured SIEM events SIEM integration - View

Single Sign-On

Manage capabilities

Configure and enable Single Sign-On

Authentication - Manage

Software reports

Manage capabilities

Activate Software policies

Policies - Manage

Licenses - Manage

View capabilities

View reports

Export reports

Software reports - View

Software reports - Export

Two-Factor Authentication

Manage capabilities

Configure and enable Two-Factor Authentication

Authentication - Manage

Unenroll Device

Manage capabilities

Unenroll devices

Unenroll Device - Perform

View capabilities

View and track the status of Unenroll Device requests

Event History reports - View and Export

User Management

Manage capabilities for users

Invite new users

Edit user profiles

Delete users

Assign users to a role (applies only to those roles that the role can manage)

View roles and their permissions

Users - Manage and Assign

Roles - View

Manage capabilities for roles

Create custom roles

Duplicate roles

Edit permissions of custom roles

Edit the list of roles a role can manage

Roles - Manage

View capabilities

View users and roles in the User Management area

Users - View

Roles - View

Web Usage

 

 

 

Manage capabilities

Activate Web Usage policies

Policies - Manage

Licenses - Manage

Configure weekly time ranges

Web Usage - Manage

 

Manage websites included in Web Usage Web Usage Site Comparison - Manage

View capabilities

View Web Usage reports

Web Usage - View

View usage for individual devices

Web Usage - View

Web Usage - View Devices

Export Web Usage reports

Web Usage - View

Web Usage - Export

View Web Usage chart Web Usage Site Comparison - View
Export Web Usage chart Web Usage Site Comparison - Export
Wipe Manage capabilities

Perform the Wipe (cryptographic erasure) security action

Cancel pending Wipe security requests in Action History

Wipe Device - Perform

View capabilities

View, track, and export Wipe requests in Action History

Wipe Device - View