Table Of Administrative Rights

The following table describes the administrative rights (also referred to as permissions) you can assign to a role. Users cannot log in to Admin Portal unless they have at least one of the following administrative rights.

If an administrator attempts to perform a task in Admin Portal for which they do not have the associated administrative right, Admin Portal displays an error message. In addition, Admin Portal does not display data if it’s not pertinent to the administrator’s privileges. For example, if the administrator has the Application Management privilege only, Admin Portal does not display any devices on the Devices page.

List of Administrative Rights

Administrative right Associated permissions
Application Management Access to any activities that originate on the Apps page, such as the ability to add, modify, or remove applications. From the Application Settings dialog box, this right also grants the ability to change which roles are assigned to a specific application.
Computer Login and Privilege Elevation Logging on to Windows, Linux, or UNIX computers where a agent is installed. This administrative right is only applicable for the computers that are members of an identity platform role with this right.
Device Enroll On Behalf Of Permissions to enroll devices on behalf of another user.
Device Management (Limited) Use of all the commands that originate from the Devices page except the following:

All devices:

    • Wipe Device
    • Unenroll Device
    • Samsung devices only:
    • Device Lockout
  • Remove Container

The purpose of this permission is to provide limited device management rights to, for example, helpdesk staff. This allows users with this permission to help users but prevents them from performing any destructive actions to a device or a container.

Device Management (All) Use of all the commands that originate from the Devices page, such as the ability to update policies, lock, reset the passcode, wipe, unenroll, delete, or view device details.

Note: The user must have the Device Management permission to run the APNS Certificate, Mass Deployment, and Exchange ActiveSync Server Settings options on the Settings page in Admin Portal.

Linux System Enrollment Permission for non-admin users to enroll Linux machines.
Privileged Access Service User Portal If you add this administrative right to a role, members of the role can see the system and account login tiles that have been added to the User Portal with the Portal Login permission. This administrative right is primarily for users who only need limited access with the ability to log on to selected systems with a privileged account but who should not be allowed to check out or rotate passwords. Members of a role with this right cannot perform any administration tasks on the accounts or systems they can access from their User Portal.
Privileged Access Service Administrator If you add this administrative right to a role, members of the role can add new objects—systems, domains, databases, services, or accounts—to the Infrastructure Services. Members of a role with this right become the default owner of the objects that they add. If there’s more than one member of the role, each administrator is only the owner of the objects he adds by default. Members of a role with this right can perform all administrative tasks on the objects they own. However, this right also allows administrators to take ownership of any objects stored in the Infrastructure Services because they have the Grant permission that allows them to assign any permissions.
Privileged Access Service Power User If you add this administrative right to a role, members of the role can see all objects you add to the Infrastructure Services in the Admin Portal. By default, however, members of a role with this right are not granted the Login, Checkout, or Rotate permissions. The system, domain, database, service, or account owner (or a member of the System Administrator role) must explicitly grant the appropriate permissions. Members of this role cannot add new objects to the Infrastructure Services.
Privileged Access Service User If you add this administrative right to a role, members of the role can see the objects on which they have been granted View permissions in the Admin Portal. This administrative right is primarily for users who need some administrative access to a selected set of objects. Members of a role with this right are granted the Login, Checkout, and Rotate password permissions. Members of a role with this right can only perform these tasks for the accounts or systems where they have the View permission. Members of this role cannot add new objects to the Infrastructure Services.
Read Only System Administrator Access to all of the Admin Portal tabs, however, the user cannot make any changes. An error message is displayed when the user attempts to save the change.

Note: If you enable read-only access for a support technician, the identity platform creates a temporary account that it adds as a member to this role.

Register and Administer connectors Register a Connector in your identity platform account.

During the connector installation, the wizard prompts you to enter the account of a user that has the Register connectors right. This must be a Directory account. Make sure the account you specify is a member of a role with this permission.

Report Management Create, delete, and run reports.
Role Management Access to any activities that originate on the Roles page, such as the ability to add, modify, or delete roles; this includes the ability to assign rights.
User Management Permission to use the Add User and Bulk User Import buttons to add users and modify Directory user properties. Additionally, this permission allows users to import and delete OATH tokens.

See Adding roles for instructions on how to add administrative rights to a role.

Updated on February 4, 2019

Related Articles