User Role - More Ganularity

  • 11 August 2021
  • 6 replies

Userlevel 1

Is it possible to assign a role that enable the user to execute policies, but not allow them to add/delete/edit policies?

It would also be helpful to assign permissions based on Group membership or some other construct where devices belong to an organisational unit. - For example, delegating controls to a regional IT team, or to a team that supports end-user devices, but should not be able to manage servers.

6 replies

Hey, Andrew - those are solid ideas. I’ve been going through our feature requests & didn’t see anything related, so I’ll pass this along to our Product/feedback team(s). You can also submit feature requests directly right here, if you prefer.

@Andrew_Read - after sending this over yesterday, I got this reply from our SE team: “…As far as bifurcating the environments, the customer could achieve this with the multi-org capability we have today: they would have the servers in one organization with the accompanying policies and users to manage them, and workstations their respective IT admins in the other organization and they will be mutually exclusive.” – so maybe that can help for part of this, but we’re working on it!

Userlevel 1

Thanks for looking into this. To avoid complexity, I’ll take a pass on bifurcating our environments.

I’ve submitted the feature request via the link provided now.

Any update on this? I’m also a bit surprised there isn’t more permission granularity or group level permissions.

Userlevel 5
Badge +1

Any update on this? I’m also a bit surprised there isn’t more permission granularity or group level permissions.

Have you checked this area of the console out? which is documented here


For example these three roles hit on the above conversation -

Helpdesk Operator could read most relevant areas.

Patch Operator could manage patch policies and execute patch/worklet policies

Zone Operator could do what Patch Operator could, but also edit worklets.

Yes, I’ve seen this and that’s fine as far as preconfigured roles go, but I would prefer to have these as starting points and have the ability to add/remove individual permissions to create custom roles. Also, I would like to see the ability to assign permissions at the group level rather than just at the zone level.