Default user roles and their permissions

Absolute includes the following default user roles, which are derived from the Classic roles:

  • System Administrators are the only users in Absolute that have all permissions, including the ability to configure authentication settings, and create custom roles and assign their permissions. As a result, the user assigned to this role has a high degree of power.
  • By default, the first user of your Absolute account is assigned the System Administrator role.

  • Administrators manage their organization's devices and IT assets, and report device loss or theft. Administrators also create and manage various system communications, such as end user messaging, system notifications, and alerts and suspicious alert events. Administrators have access to all devices in an account.
  • Administrator + Unenroll Device users have the same permissions as an Administrator, but with the added permission to unenroll devices from your Absolute account.
  • Security Administrators exist in those organizations that choose to designate certain Administrators as Security Administrators to manage the device and data security of assets. This user role has more access rights than Administrators.
  • Security Administrators are authorized to configure, target, and start File Retrieval, Device Freeze, and Data Delete services. Security Administrators use the Absolute console to track and manage devices, both within the organization's local area network and outside of it.

  • Power Users have access rights to most features, excluding security features. Administrators can restrict Power Users' permissions to specific Identifiers or Device Groups.
  • Power Users are typically granted access to the devices in a particular Classic Group, but they can also be granted access to all devices.

  • Power User + Unenroll Device users have the same permissions as a Power User, but with the added permission to unenroll devices from your Absolute account.
  • Security Power Users exist in those organizations that choose to designate certain Power Users as Security Power Users to manage the device and data security of assets. This user role has more access rights than Power Users.
  • Security Power Users are authorized to configure, target, and start File Retrieval, Device Freeze, and Data Delete services for devices in their assigned Device Group. Security Power Users use the Absolute console to track and manage devices within the organization's local area network.

  • Guest Users have limited access to information and reports. These users cannot alter or assign permissions, and cannot alter user details. Members of the Guest User group can only browse Investigation Reports they've created and can only view reports they've saved.
  • Guest Users are typically granted access to the devices in a particular Classic group, but they can also be granted access to all devices.

Permissions by feature and default user role

NOTE: Depending on the Absolute product licenses associated with your account, some features may not be available.

Permissions for the various features in the Absolute console depend on your user role:

Permissions for Security Power Users, Power Users, and Guest Users apply to devices in the user's assigned Classic group only. If a user is assigned to all devices in your account, permissions apply to all devices.

| Features and permissions | Administrator | Security Administrator | Power User | Security Power User | Guest User |
|---|---|---|---|---|---|
| Dashboard | | | | | |
| View available inventory-related dashboard widgets | ✓ | ✓ | ✓ | ✓ | ✓ |
| View available security-related dashboard widgets | ✓ | ✓ | ✗ | ✓ | ✗ |
| Assets | | | | | |
| View and manage active devices on the All Devices page | ✓ | ✓ | ✓ | ✓ | ✓ |
| View and manage missing devices on the Missing Devices page | ✓ | ✓ | ✓ | ✓ | ✓ |
| View the location of devices in map view | ✓ | ✓ | ✓ | ✓ | ✗ |
| View installed applications on the Applications page | ✓ | ✓ | ✗ | ✗ | ✗ |
| Create and manage device groups and folders | ✓ | ✓ | ✓ | ✓ | ✗ |
| View device groups and folders created by other users | ✓ | ✓ | ✓ [a] | ✓ [a] | ✓ [a] |
| Manage device groups and folders created by other users | ✓ | ✓ | ✓ [a] | ✓ [a] | ✗ |
| Create and manage Geofences | ✓ | ✓ | ✓ | ✓ | ✗ |
| View Theft reports | ✓ | ✓ | ✓ | ✓ | ✓ |
| Reports | | | | | |
| View and export all default reports and Classic reports | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create Device Analytics reports | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create, view, and export own custom reports | ✓ | ✓ | ✓ | ✓ | ✓ |
| View custom reports created by other users | ✗ | ✗ | ✗ | ✗ | ✗ |
| View usage of individual devices in Web Usage reports | ✓ | ✓ | ✗ | ✗ | ✗ |
| Configure weekly time ranges in Web Usage reports | ✓ | ✓ | ✗ | ✗ | ✗ |
| Manage websites included in Web Usage chart | ✓ | ✓ | ✓ | ✓ | View only |
| Policies | | | | | |
| View, create, and manage policy groups | ✓ | ✓ | ✗ | ✗ | ✗ |
| Assign licenses to policy groups | ✓ | ✓ | ✗ | ✗ | ✗ |
| Configure and activate policies | ✓ | ✓ | ✗ | ✗ | ✗ |
| Persistence: view policy configuration of third party applications | ✓ | ✓ | ✗ | ✗ | ✗ |
| Create and manage alerts / View alert events | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create and manage rules | ✓ | ✓ | ✗ | ✗ | View only |
| Create and manage Offline Freeze rules | ✗ | ✓ | ✗ | ✓ | ✗ |
| Create, manage, and publish EDD Rules | ✓ | ✓ | ✗ | ✗ | ✗ |
| Custom Data: create and manage the Custom Data policy | ✓ | ✓ | View only | View only | View only |
| Remediation | | | | | |
| Reach Script: run and cancel scripts | ✓ | ✓ | ✗ | ✓ | ✗ |
| Reach Script: edit temporary script location | View only | ✓ | ✗ | View only | ✗ |
| Reach Script: manage scripts (upload and save to library) | ✗ | ✓ | ✗ | ✗ | ✗ |
| Microsoft AIP: Protect files / Remove protection | ✓ | ✓ | ✗ | ✗ | ✗ |
| Device Actions | | | | | |
| Unenroll Device | ✓ [Administrator + Unenroll Device role only] | ✓ | ✓ [Power User + Unenroll Device role only] | ✓ | ✗ |
| Perform EDD scan | ✓ | ✓ | ✗ | ✗ | ✗ |
| Submit Freeze, Conditional Freeze, and Remove Freeze requests | ✗ | ✓ | ✗ | ✓ | ✗ |
| Delete Data | ✗ | ✓ | ✗ | ✓ | ✗ |
| Manage Supervisor Password [b] | ✗ | ✗ | ✗ | ✗ | ✗ |
| Report Missing or Stolen | ✓ | ✓ | ✓ | ✓ | ✓ |
| Report Found | ✓ | ✓ | ✓ | ✓ | ✓ |
| Wipe Device | ✗ | ✓ | ✗ | ✓ | ✗ |
| History | | | | | |
| Event History: view recent events | ✓ | ✓ | ✗ | ✓ | ✗ |
| Action History: view and cancel recent Script actions | ✓ | ✓ | ✗ | ✓ | ✗ |
| Action History: view and cancel recent Wipe actions | ✗ | ✓ | ✗ | ✓ | ✗ |
| Settings | | | | | |
| Action Preferences > Run Script | View only | ✓ | ✗ | View only | ✗ |
| Accept Service Agreement | ✓ | ✓ | View only | View only | View only |
| Agent Management > Assign agent versions | ✓ | ✓ | ✗ | ✗ | ✗ |
| Agent Management > Install agent (Windows and Mac) | ✓ | ✓ | ✗ | ✗ | ✗ |
| Agent Removal Requests | View only | ✓ | View only | ✓ | ✗ |
| Authentication Settings | ✓ | ✓ | View only | View only | View only |
| Configure Authentication (SSO and 2FA) [b] | ✗ | ✗ | ✗ | ✗ | ✗ |
| Classic Account Settings | ✓ | ✓ | View only | View only | View only |
| Data > View and Edit Device Fields | ✓ | ✓ | ✓ | ✓ | View only |
| Data > Manage Device Fields | ✓ | ✓ | ✗ | ✗ | ✗ |
| Perform Data Delete | ✗ | ✓ | ✗ | ✓ | ✗ |
| Disable Pre-Authorization | ✗ | ✓ | ✗ | ✗ | ✗ |
| Download Packages | ✓ | ✓ | ✗ | ✗ | ✗ |
| File List Summary Report | ✓ | ✓ | ✗ | ✓ | ✗ |
| File Retrieval Summary Report | ✗ | ✓ | ✗ | ✓ | ✗ |
| Import and export Classic groups | ✓ | ✓ | Export only | Export only | Export only |
| SIEM integration: configure events [b] | ✗ | ✗ | ✗ | ✗ | ✗ |
| SIEM integration: view configured events | ✓ | ✓ | ✓ | ✓ | ✓ |
| Script Library | ✗ | ✓ | ✗ | ✗ | ✗ |
| User Management: view users and roles | ✓ | ✓ | ✓ | ✓ | ✗ |
| User Management: create and manage user profiles for other users | ✓ [All roles except Security Administrator] | ✓ [All roles] | ✓ [Guest Users only] | ✓ [All roles except Administrator and Security Administrator] | ✗ |
| User Management: assign users to roles | ✓ [All roles except Security Administrator] | ✓ [All roles] | ✓ [Guest Users only] | ✓ [All roles except Administrator and Security Administrator] | ✗ |
| User Management: create and manage custom roles [b] | ✗ | ✗ | ✗ | ✗ | ✗ |

[a] Applies only to users with access to all devices

[b] Only System Administrators are granted this permission

Microsoft AIP: Microsoft Azure Information Protection (AIP) enables organizations to enforce policies governing the control and distribution of confidential or proprietary information. Depending on the Absolute products associated with your account, you may be able to use the Absolute console to protect at-risk files detected during an EDD scan.