Default user roles and their permissions
Absolute includes the following default user roles:
-
System Administrators are the only users in Absolute that have all permissions, including the ability to configure authentication settings, and create custom roles and assign their permissions. As a result, the user assigned to this role has a high degree of power.
By default, the first user of your Absolute account is assigned the System Administrator role.
This role has access to all devices in an account.
-
Security Administrators exist in those organizations that choose to designate certain Administrators as Security Administrators to manage the device and data security of assets. This user role has more access rights than Administrators.
Security Administrators are authorized to submit Freeze, File Delete, and Wipe actions. Security Administrators use the Secure Endpoint Console to track and manage devices, both within the organization's local area network and outside of it.
This role has access to all devices in an account.
-
Administrator + Unenroll Device users have the same permissions as an Administrator, but with the added permission to unenroll devices from your Absolute account.
This role has access to all devices in an account.
-
Administrators manage their organization's devices and IT assets, and report device loss
This role has access to all devices in an account.
-
Security Power Users exist in those organizations that choose to designate certain Powers Users as Security Power Users to manage the device and data security of assets. This user role has more access rights than Power Users.
Security Power Users are authorized to submit Freeze, File Delete, and Wipe actions for devices in their assigned Device Group. Security Power Users use the Secure Endpoint Console to track and manage devices within the organization's local area network.
This role is typically granted access to the devices in one or more device groups, but they can also be granted access to all devices.
-
Power User + Unenroll Device users have the same permissions as a Power User, but with the added permission to unenroll devices from your Absolute account.
This role is typically granted access to the devices in one or more device groups, but they can also be granted access to all devices.
-
Power Users have access rights to most features excluding security features. Administrators can restrict Power Users permissions to specific devices or device groups.
This role is typically granted access to the devices in one or more device groups, but they can also be granted access to all devices.
-
Guest Users have limited access to information and reports. These users can't submit device actions, but they can report devices missing
This role is typically granted access to the devices in one or more device groups, but they can also be granted access to all devices.
Permissions by feature and default user role
Depending on the Absolute product licenses associated with your account, some features may not be available.
Permissions for the various features in the Secure Endpoint Console depend on your user role:
| ✔ | The role is granted the permissions that are required to perform the action |
| ✘ | The role is not granted the permissions that are required to perform the action |
| Features and permissions | Security Administrator | Administrator | Security Power User | Power User | Guest User |
|---|---|---|---|---|---|
|
System Administrators are granted all permissions. Permissions for Security Power Users, Power Users, and Guest Users apply to devices in the user's assigned device groups only. If a user is assigned to all devices in your account, permissions apply to all devices. |
|||||
| Dashboard | |||||
| View available inventory-related dashboard widgets | ✔ | ✔ | ✔ | ✔ | ✔ |
| View available security-related dashboard widgets | ✔ | ✔ | ✔ | ✘ | ✘ |
| Use AI Assistant | ✔ | ✔ | ✘ | ✘ | ✘ |
| Devices | |||||
| View and manage active devices on the Devices page | ✔ | ✔ | ✔ | ✔ | ✔ |
| View and manage missing devices on the Missing Devices page | ✔ | ✔ | ✔ | ✔ | ✔ |
| View the location of devices in map view | ✔ | ✔ | ✔ | ✔ | ✘ |
| View device usage | ✔ | ✔ | ✔ | ✔ | ✔ |
| Create and manage device groups and folders | ✔ | ✔ | ✔ | ✔ | ✘ |
| Create and manage permission groups | ✔ | ✔ | ✘ | ✘ | ✘ |
| Applications | |||||
| View installed applications on the Applications page | ✔ | ✔ | ✔ | ✔ | ✔ |
| Reports | |||||
| View and export all predefined reports | ✔ | ✔ | ✔1 | ✔1 | ✔2 |
| Create, export, and share own reports | ✔ | ✔ | ✔ | ✔ | ✔ |
| View reports shared by other users | ✔ | ✔ | ✔1 | ✔1 | ✔2 |
| View Device Freeze Status report | ✔ | ✘ | ✔ | ✘ | ✘ |
| Create Device Analytics reports | ✔ | ✔ | ✔ | ✔ | ✔ |
| Configure weekly time ranges in Web Usage reports | ✔ | ✔ | ✘ | ✘ | ✘ |
| Manage websites included in Web Usage chart | ✔ | ✔ | ✔ | ✔ | View only |
| Policies | |||||
| View, create, and manage policy groups | ✔ | ✔ | ✘ | ✘ | ✘ |
| Assign licenses to policy groups | ✔ | ✔ | ✘ | ✘ | ✘ |
| Configure and activate policies | ✔ | ✔ | ✘ | ✘ | ✘ |
| Resilience: view policy configuration of third party applications | ✔ | ✔ | ✘ | ✘ | ✘ |
| Rules: create and manage rules and geofences | ✔ | ✔ | View only | View only | View only |
| Rules: create and manage Offline Freeze rules | ✔ | ✘ | ✔ | ✘ | ✘ |
| Create, manage, and publish EDD Rules | ✔ | ✔ | ✘ | ✘ | ✘ |
| Custom Data: create and manage the Custom Data policy | ✔ | ✔ | View only | View only | View only |
| Remediation | |||||
| Reach Script: run and cancel scripts | ✔ | ✔ | ✔ | ✘ | ✘ |
| Reach Script: edit temporary script location | ✔ | View only | View only | ✘ | ✘ |
| Reach Script: manage scripts (upload and save to library) | ✔ | ✘ | ✘ | ✘ | ✘ |
| Device Actions | |||||
| Unenroll | ✔ |
✔ [Administrator + Unenroll Device role only] |
✔ |
✔ [Power User + Unenroll Device role only] |
✘ |
| Perform EDD scan | ✔ | ✔ | ✘ | ✘ | ✘ |
| Freeze and Remove freeze | ✔ | ✘ | ✔ | ✘ | ✘ |
| Delete file | ✔ | ✘ | ✔ | ✘ | ✘ |
| Send message | ✔ | ✔ | ✔ | ✔ | ✘ |
| Manage supervisor password3 | ✘ | ✘ | ✘ | ✘ | ✘ |
| Report missing |
✔ | ✔ | ✔ | ✔ | ✔ |
| Report found | ✔ | ✔ | ✔ | ✔ | ✔ |
| Wipe | ✔ | ✘ | ✔ | ✘ | ✘ |
| Run playbooks | ✔ | ✔ | ✘ | ✘ | ✘ |
| Investigations | |||||
| View theft reports | ✔ | ✔ | ✔ | ✔ | ✔ |
| View contacts | ✔ | ✔ | ✔ | ✔ | ✔ |
| History | |||||
| Events: view and export recent events | ✔ | ✔ | ✘ | ✘ | ✘ |
| Action Requests: view recent Unenroll actions | ✔ |
✔ [Administrator + Unenroll Device role only] |
✔ |
✔ [Power User + Unenroll Device role only] |
✘ |
| Action Requests: view and cancel recent Script actions | ✔ | ✔ | ✔ | ✘ | ✘ |
| Action Requests: view and cancel recent Delete File actions | ✔ | ✔ | ✔ | ✘ | ✘ |
| Action Requests: view and cancel recent Send Message actions | ✔ | ✔ | ✔ | ✔ | ✘ |
| Action Requests: view and cancel recent Wipe actions | ✔ | ✘ | ✔ | ✘ | ✘ |
| Actions: view recent Unenroll actions by device | ✔ |
✔ [Administrator + Unenroll Device role only] |
✔ |
✔ [Power User + Unenroll Device role only] |
✘ |
| Actions: view recent Script actions by device | ✔ | ✔ | ✔ | ✘ | ✘ |
| Actions: view recent Delete File actions by device | ✔ | ✔ | ✔ | ✘ | ✘ |
| Actions: view recent Send Message actions by device | ✔ | ✔ | ✔ | ✔ | ✘ |
| Actions: view recent Wipe actions by device | ✔ | ✘ | ✔ | ✘ | ✘ |
| Settings | |||||
| Account settings | ✔ | View only | View only | ✘ | ✘ |
| Accept Service Agreement | ✔ | ✔ | View only | View only | View only |
| Agent management > Assign agent versions | ✔ | ✔ | ✘ | ✘ | ✘ |
| Agent management > Install agent (Windows and Mac) | ✔ | ✔ | ✘ | ✘ | ✘ |
| API management | ✔ | ✔ | ✔ | ✔ | ✔ |
|
Authentication settings (SSO, SCIM integration, and 2FA)3 |
View status only | View status only | View status only | View status only | View status only |
| Custom fields > View and Edit Device Fields | ✔ | ✔ | ✔ | ✔ | View only |
| Custom fields > Manage Device Fields | ✔ | ✔ | ✘ | ✘ | ✘ |
| Contact list | ✔ | View only | View only | View only | View only |
| License management | ✔ | ✔ | ✘ | ✘ | ✘ |
| Messages: manage Freeze message templates | ✔ | View only | ✔ | View only | ✘ |
| Messages: manage End User Messaging message templates | ✔ | ✔ | ✔ | ✔ | View only |
| SIEM integration: configure events3 | ✘ | ✘ | ✘ | ✘ | ✘ |
| SIEM integration: view configured events | ✔ | ✔ | ✔ | ✔ | ✔ |
| Script library | ✔ | ✘ | ✘ | ✘ | ✘ |
| User management: view users and roles | ✔ | ✔ | ✔ | ✔ | ✘ |
| User management: create and manage user profiles for other users |
✔ [All roles] |
✔ [All roles except Security Administrator] |
✔ [All roles except Administrator and Security Administrator] |
✔ [Guest Users only] |
✘ |
| User management: assign users to roles |
✔ [All roles] |
✔ [All roles except Security Administrator] |
✔ [All roles except Administrator and Security Administrator] |
✔ [Guest Users only] |
✘ |
| User management: create and manage custom roles3 | ✘ | ✘ | ✘ | ✘ | ✘ |
| User management: configure Dual Approval Settings | ✔ | ✘ | ✘ | ✘ | ✘ |
| Utilities: download tools | ✔ | ✔ | ✔ | ✔ | ✔ |
| Vulnerabilities: view and manage vulnerabilities | ✔ | ✔ | ✘ | ✘ | ✘ |
| Workflows: view and manage workflows | ✔ | View only | View only | ✘ | ✘ |
| Workflows: run workflows | ✔ | ✘ | ✔ | ✘ | ✘ |
1 Does not apply to reports in the Data Visibility report category or the Web Subscriptions report
2 Does not apply to reports in the Data Visibility report category, or any of the following reports: Upcoming Offline Device Freeze, Device Freeze Status, Event History, and Web Subscriptions
3 Only System Administrators are granted this permission.
