Creating and managing custom roles

If you are a Super Administrator or Domain Administrator, you can create custom roles to meet your needs. You create a custom role and select which administrators to assign the role to, and can later edit the role.
You can also control access within the domain by creating a custom role and giving limited access to a scope of groups and devices. You cannot exclude child groups of a selected group from the permissions.
Custom roles have the following limitations when you restrict device group access.
Limitations for custom roles

Type: Access limitations
Description: Users assigned to the custom role have view access to the entire domain, but actions on devices or device groups that they have not been granted access to are disabled in the user interface. For example, they can manage only devices added to groups that are specified in their role permissions. Areas in the user interface that may be disabled include:
  • My Tasks
  • Devices
  • Investigate
  • Discovered Items
  • Policies
  • Incidents and Alerts
  • Quick Setup

Type: Policy limitations
Description: Users assigned to the custom role cannot apply policies or policy groups to any device groups to which they do not have role access.
For example, if a Super Administrator, Domain Administrator, or Limited Administrator updates a policy that is targeted to several device groups but has access to only one of those device groups, the updated policy must be applied to that device group individually.
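The scoping rules above can be checked on paper before you build a role. The following added example is not product code and does not use any product API: it models a device-group hierarchy in Python and computes which groups a role selection covers and which targets of a policy fall outside it. The group names, hierarchy, and function names are constructed for illustration.

```python
# Added illustration: a model of device-group scoping, not the product's API.
# Group names and the hierarchy below are constructed sample data.
from collections import defaultdict

# child -> parent (constructed sample hierarchy)
PARENT = {
    "EMEA": "Default",
    "EMEA/Servers": "EMEA",
    "EMEA/Laptops": "EMEA",
    "APAC": "Default",
    "APAC/Servers": "APAC",
}

def children_index(parent_of):
    """Invert the child -> parent map into parent -> [children]."""
    index = defaultdict(list)
    for child, parent in parent_of.items():
        index[parent].append(child)
    return index

def effective_scope(selected, parent_of):
    """Selected groups plus every descendant; children cannot be excluded."""
    index = children_index(parent_of)
    scope, stack = set(), list(selected)
    while stack:
        group = stack.pop()
        if group not in scope:
            scope.add(group)
            stack.extend(index[group])
    return scope

def split_policy_targets(policy_targets, selected, parent_of):
    """Partition a policy's target groups into those the role can apply
    the policy to and those outside the role's scope."""
    scope = effective_scope(selected, parent_of)
    allowed = sorted(g for g in policy_targets if g in scope)
    blocked = sorted(g for g in policy_targets if g not in scope)
    return allowed, blocked

if __name__ == "__main__":
    print(sorted(effective_scope({"EMEA"}, PARENT)))
    print(split_policy_targets({"EMEA/Servers", "APAC/Servers"}, {"EMEA"}, PARENT))
```

Computing the scope for a candidate selection before saving the role shows whether choosing a parent group grants access to more child groups than intended.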
For more information, see:
To create a custom role
  1. Go to Endpoint > Settings > Administrators and Roles.
  2. On the Roles tab, click Create Role.
  3. In the Create Role window, type a name and description for the new role, and then click Create.
  4. On the role Details page, under Groups, do one of the following:
    1. Enable Allow access to all Device Groups. This selection is the default.
    2. Disable Allow access to all Device Groups to control access within the domain by allowing Limited Administrators to act only on a subset of devices within that domain.
  5. If you disable the Allow access to all Device Groups option, on the Select Device Groups page, under Group Hierarchy, do the following:
    1. Check the device groups that you want to assign to the role. You can view device group information on the Managed Devices and Policies tabs.
      Selecting a device group automatically selects all child device groups in the same hierarchy.
    2. Click OK.
  6. The Select Groups button now appears next to the Allow access to all Device Groups option. You can also see how many device groups you selected for the role. Do either of the following:
    1. To edit the device groups, click Select Groups. Make your changes, and then click OK.
    2. To grant the role access to all groups again, reenable Allow access to all Device Groups, and then click Yes in the warning message.
  7. Scroll through the options on the Details page, and check the privileges that you want to associate with the custom role.
    If you disabled Allow access to all Device Groups, privileges highlighted with a yellow dot indicate access that is restricted to the selected device groups.
  8. Click Save.
To edit a custom role
  1. Go to Endpoint > Settings > Administrators and Roles.
  2. On the Roles tab, select the name of the custom role that you want to edit.
    You cannot edit a default role, but you can duplicate it and then edit the duplicate, which becomes a new custom role. At the top of the Details page, click Duplicate.
  3. Under Groups, do the following:
    1. Enable or disable the Allow access to all Device Groups option.
    2. If you disabled the option, click Select Groups to make edits to the device groups.
  4. Check or uncheck each privilege that you want to enable or disable.
    If you disabled Allow access to all Device Groups, privileges highlighted with a yellow dot indicate access that is restricted to the selected device groups.
  5. Click Save.
  6. If you want to assign the role to an administrator, at the top of the Details page, click Assign Role, and then follow the steps in this procedure:
  7. To remove the custom role, at the top of the Details page, click Delete Role, and then follow the prompts.