Default system roles and permissions
You can assign these default system roles to users:
- Superuser: Full system access with all permissions, except access to Product Keys.
- Administrator: Access to most system features, excluding user management and billing.
- Standard: Limited system access with mixed permissions, mainly for viewing items and using features.
- Client: Basic system access focused on client management and viewing options.
If these roles don't meet your needs, create your own roles.
Custom roles
- Roles based on Superuser, Administrator, or Standard can edit all permissions except the Security permission (Superuser only).
- Roles based on the Client role have editable permissions. To see which permissions you can edit, check the items marked Optional in the Client: Custom Options column of the tables below.
Security best practices
- Always use Client N-sight RMM logins with Client Groups so customers only see their own devices and information.
- Before sharing credentials, log in with the customer account to confirm they can only view their own details.
General
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| General Settings | View and edit the general account settings | Allow | Allow | Deny | Deny | Deny |
| Users | | Allow | Deny | Deny | Deny | Deny |
| User Accounts | Add, edit and delete user accounts | Allow | Deny | Deny | Deny | Deny |
| Security | Reset 2FA for users. Superuser Role only. | Allow | Deny | Deny | Deny | Deny |
| Roles & Permissions | Add, edit and delete user roles | Allow | Deny | Deny | Deny | Deny |
| Client groups | Add, edit and delete client groups | Allow | Deny | Deny | Deny | Deny |
| Identity Providers Setup | Allow users access to the Identity Providers Setup wizard. | Allow | Deny | Deny | Deny | Deny |
| Clients | Add, edit and delete clients | Allow | Allow | Deny | Deny | Deny |
| Sites | Add, edit and delete sites | Allow | Allow | Deny | Deny | Deny |
| Devices | Add, edit and delete devices (Client cannot Add devices) | Allow | Allow | Allow | Deny | Optional |
| Agents | | Allow | Allow | Allow | Deny | Deny |
| Download | Download agents and add devices | Allow | Allow | Allow | Deny | Deny |
| Site Installation Package | Configure and download a site installation package | Allow | Allow | Allow | Deny | Deny |
| Agent Auto-update Settings | View and update the Agent versions on servers and workstations | Allow | Allow | Allow | Deny | Deny |
| Quick Links | | Allow | Allow | Deny | Deny | Deny |
| Take Control | Show or hide the Take Control quick link in the Product Bar | Allow | Allow | Deny | Deny | Deny |
| MSP Manager | Show or hide the MSP Manager quick link in the Product Bar | Allow | Allow | Deny | Deny | Deny |
| Cove | Show or hide the Cove Data Protection (Cove) quick link in the Product Bar | Allow | Allow | Deny | Deny | Deny |
| External Links | | Allow | Allow | Group | Deny | Deny |
| Settings | Edit the external links settings | Allow | Allow | Deny | Deny | Deny |
| Usage | Show the external links drop-down menu | Allow | Allow | Allow | Deny | Deny |
| Help | | Allow | Allow | Allow | Deny | Optional |
| System Help | Show the link to the helpfile section | Allow | Allow | Allow | Deny | Optional |
| Support Tickets | Submit help tickets to customer support via the Help drop-down menu | Allow | Allow | Allow | Deny | Optional |
| Release Notes | Show link to the release notes section | Allow | Allow | Allow | Deny | Optional |
| Billing | | Allow | Deny | Deny | Deny | Deny |
| Report | View billing related reports | Allow | Deny | Deny | Deny | Deny |
| PSA Integration | | Allow | Allow | Group | Deny | Optional |
| Settings | Set up and configure a PSA integration | Allow | Allow | Deny | Deny | Deny |
| Usage | Create, edit and view PSA tickets and information | Allow | Allow | Allow | Deny | Optional |
| Asset Tracking. The Asset Tracking section is Client Group aware. When Client Groups are configured, users only see Assets specific to their assigned Clients. | View and use the Asset Tracking section | Allow | Allow | Allow | Deny | Optional |
| Product Keys | Display the Windows and Microsoft Office Keys in the device Summary tab | Deny | Deny | Deny | Deny | Optional |
| Wall Chart | View and edit the Wall Chart settings | Allow | Allow | Deny | Deny | Deny |
| Community | Access the Community websites | Allow | Allow | Allow | Deny | Deny |
Alerting
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Alert Routing & Policies | Set server and workstation alert routing and alert policy settings | Allow | Allow | Deny | Deny | Deny |
| Email Templates | View and edit email templates | Allow | Allow | Deny | Deny | Deny |
| Email & SMS Alerts | | Allow | Allow | Allow | Deny | Optional |
| Devices | Show the email and SMS alert columns for Servers and Workstations in the North-pane | Allow | Allow | Allow | Deny | Optional |
| Checks | Show the email and SMS alert columns for checks in the South-pane | Allow | Allow | Allow | Deny | Optional |
Reporting
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Dashboard Reports. Asset Tracking and most reports are client group aware. When Client Groups are configured, users only see reports specific to their assigned Clients. | | Allow | Allow | Group | Deny | Optional |
| User Audit | View the User Audit Report | Allow | Allow | Allow | Deny | Deny |
| Added and Removed Devices | View the added and removed devices | Allow | Allow | Allow | Deny | Deny |
| Device Inventory | View the Device Inventory Report | Allow | Allow | Allow | Deny | Optional |
| Feature Policy | View the Feature Policy Report | Allow | Allow | Allow | Deny | Optional |
| Critical Events | View the Critical Events Report | Allow | Allow | Allow | Deny | Optional |
| Check Clearing | View the Check Clearing Report | Allow | Allow | Allow | Deny | Optional |
| Fault History | View the Fault History Report | Allow | Allow | Allow | Deny | Optional |
| Bandwidth and Performance History | View the Bandwidth History Report | Allow | Allow | Allow | Deny | Optional |
| Active Directory Users | View the Active Directory Report | Allow | Allow | Allow | Deny | Optional |
| Automated Tasks | View the Automated Task Report | Allow | Allow | Allow | Deny | Optional |
| Take Control | View the Take Control report | Allow | Allow | Allow | Deny | Optional |
| Patch Management | View the Patch Management report | Allow | Allow | Allow | Deny | Optional |
| Managed Antivirus | View the Managed Antivirus reports | Allow | Allow | Allow | Deny | Optional |
| Disk Encryption | | Allow | Allow | Deny | Deny | Optional |
| Disk Encryption Report | View the Disk Encryption Report | Allow | Allow | Deny | Deny | Optional |
| Recovery Key Report | View the Disk Encryption Recovery Key Report | Allow | Allow | Deny | Deny | Optional |
| Web Protection | View the Web Protection reports | Allow | Allow | Allow | Deny | Optional |
| Backup and Recovery | View the Backup & Recovery report | Allow | Allow | Allow | Deny | Optional |
| Mobile Device Management | View the MDM reports | Allow | Allow | Allow | Deny | Optional |
| Risk Intelligence | View the Risk Intelligence reports | Allow | Allow | Allow | Deny | Optional |
| Servers | | Allow | Allow | Group | Deny | Optional |
| Settings | Configure the settings and monthly content for the client server monitoring reports | Allow | Allow | Deny | Deny | Deny |
| Email Template | Configure the email template settings for the server monitoring reports | Allow | Allow | Deny | Deny | Deny |
| Monthly Content | Configure the daily, weekly and monthly reports and their email settings | Allow | Allow | Deny | Deny | Deny |
| Monthly Report | View and (re)send the monthly client server reports | Allow | Allow | Allow | Deny | Optional |
| Resend Daily | View and (re)send the daily client server reports | Allow | Allow | Allow | Deny | Optional |
| Resend Weekly | View and (re)send the weekly client server reports | Allow | Allow | Allow | Deny | Optional |
| Workstations | | Allow | Allow | Group | Deny | Group |
| Settings | Configure the settings for the client workstation reports | Allow | Allow | Deny | Deny | Deny |
| Email Template | Configure the email template settings for the workstation monitoring reports | Allow | Allow | Deny | Deny | Deny |
| Resend Daily | View and (re)send the client daily workstation reports | Allow | Allow | Allow | Deny | Optional |
| Resend Weekly | View and (re)send the client weekly workstation reports | Allow | Allow | Allow | Deny | Optional |
| Notes | | Allow | Allow | Group | Deny | Deny |
| Settings | Configure the settings for the notes report | Allow | Allow | Deny | Deny | Deny |
| Email Template | Configure the email template settings for notes report | Allow | Allow | Deny | Deny | Deny |
| Notes Report | View the notes report | Allow | Allow | Allow | Deny | Deny |
Mobile Apps
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Mobile Apps | Access the mobile apps | Allow | Allow | Deny | Deny | Optional |
| Private Notes | View and add private check notes | Allow | Allow | Deny | Deny | Optional |
Ecoverse
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Script Repository | | Allow | Allow | Group | Deny | Optional |
| Manage | Add, edit, delete and generally manage scripts in the Script Repository. | Allow | Allow | Deny | Deny | Optional |
| View | Access and view the Script Repository. | Allow | Allow | Deny | Deny | Optional |
| Run Script | Select and run a script in the Assets view. | Allow | Allow | Deny | Deny | Optional |
| New Patch Management | | Allow | Allow | Group | Deny | Optional |
| Configure | Add, edit, delete, and assign policies (coming soon). | Allow | Allow | Deny | Deny | Optional |
| Approve | View, approve, and install patches. | Allow | Allow | Deny | Deny | Optional |
| View | View available patches. | Allow | Allow | Allow | Deny | Optional |
| Vulnerability Management | | Allow | Allow | Deny | Deny | Optional |
| Vulnerabilities | Access Vulnerability Management. | Allow | Allow | Deny | Deny | Optional |
| Tag Management | | Allow | Allow | Deny | Deny | Optional |
| View definitions | Show tag definitions and identify which customers or sites can use them. | Allow | Allow | Deny | Deny | Optional |
| Manage definitions | Create, edit, and delete tag definitions, and specify which customers or sites can use them. | Allow | Allow | Deny | Deny | Optional |
| Assign tags | Assign tags to and remove tags from assets, and identify the tags that are assigned to an asset. | Allow | Allow | Deny | Deny | Optional |
Monitoring & Management
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| 24x7 & Daily Safety Checks | | Allow | Allow | Group | Deny | Optional |
| Settings | Add, edit and delete checks | Allow | Allow | Deny | Deny | Deny |
| Predefined SNMP Checks | View, add, edit and delete predefined SNMP checks | Allow | Allow | Allow | Deny | Deny |
| Usage | Run and clear checks | Allow | Allow | Allow | Deny | Optional |
| Automated Tasks | | Allow | Allow | Group | Deny | Optional |
| Settings | Add, edit and delete tasks for devices and sites | Allow | Allow | Deny | Deny | Deny |
| Usage | Run automated tasks | Allow | Allow | Allow | Deny | Optional |
| View | View automated tasks on the Tasks tab | Allow | Allow | Allow | Allow | Optional |
| Outages | | Allow | Allow | Deny | Deny | Optional |
| View | Show the outages tab | Allow | Allow | Allow | Deny | Optional |
| Details | Show the details of the outage | Allow | Allow | Deny | Deny | Deny |
| Monitoring Templates | | Allow | Allow | Deny | Deny | Optional |
| Settings | Add, edit and delete monitoring templates. Set default monitoring templates for new devices | Allow | Allow | Deny | Deny | Deny |
| Usage | Add and replace checks on devices using the monitoring templates | Allow | Allow | Deny | Deny | Optional |
| Custom Scripts | View, add, edit and delete custom scripts for checks and tasks | Allow | Allow | Deny | Deny | Deny |
| Maintenance Mode | Schedule maintenance mode and turn maintenance mode on and off | Allow | Allow | Allow | Deny | Deny |
| Critical Events | Add, edit, delete and apply critical events settings | Allow | Allow | Deny | Deny | Deny |
| Add notes to devices and checks | | Allow | Allow | Allow | Group | Optional |
| Usage | Add, edit and delete device notes and check notes | Allow | Allow | Allow | Deny | Deny |
| View | View client-facing notes | Allow | Allow | Allow | Allow | Optional |
| Pending Actions | | Allow | Allow | Allow | Group | Optional |
| Clients | View and cancel pending actions across clients | Allow | Allow | Allow | Deny | Deny |
| Devices | View and cancel pending actions for a device | Allow | Allow | Allow | Allow | Optional |
| Reboot | Reboot devices | Allow | Allow | Allow | Deny | Optional |
| Backup Device Configuration | Download a copy of the 24x7 and Daily Safety Check configuration on a device | Allow | Allow | Allow | Deny | Optional |
Device Management for Apple
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Certificates | Manage certificates | Allow | Allow | Deny | Deny | Optional |
| Profile Library | Manage the profile library | Allow | Allow | Deny | Deny | Optional |
| Profile Deployment | Deploy profiles to devices using Device Management for Apple | Allow | Allow | Deny | Deny | Optional |
| Apple Business Manager | View and manage Apple Business Manager tokens | Allow | Allow | Deny | Deny | Optional |
| Apps & Books | View, manage, and distribute App Store purchases | Allow | Allow | Deny | Deny | Optional |
| Workstations | | Allow | Allow | Group | Group | Group |
| View | View workstations on the All Devices view | Allow | Allow | Allow | Allow | Allow |
| View Profiles | View Profiles on workstations | Allow | Allow | Deny | Deny | Optional |
| Install Profiles | Install Profiles on workstations | Allow | Allow | Deny | Deny | Optional |
| Remove Profiles | Remove Profiles from workstations | Allow | Allow | Deny | Deny | Optional |
| Lock | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Instant Restart | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Remote Wipe | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Update Device Information | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Update OS Version | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Shutdown Device | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Enrollment options | View and manage the Device Management for Apple enrollment options | Allow | Allow | Deny | Deny | Optional |
| Command History | View the commands sent to workstations | Allow | Allow | Deny | Deny | Optional |
| Mobile Devices | | Allow | Allow | Group | Group | Group |
| View | View mobile devices on the All Devices view | Allow | Allow | Allow | Allow | Allow |
| View Profiles | View Profiles on mobile devices | Allow | Allow | Deny | Deny | Optional |
| Install Profiles | Install Profiles on mobile devices | Allow | Allow | Deny | Deny | Optional |
| Remove Profiles | Remove Profiles from mobile devices | Allow | Allow | Deny | Deny | Optional |
| Lock | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Instant Restart | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Remote Wipe | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Clear Passcode | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Update Device Information | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Update OS Version | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Shutdown Device | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Unenrol | Unenrol mobile devices | Allow | Allow | Deny | Deny | Optional |
| Command History | View the commands sent to mobile devices | Allow | Allow | Deny | Deny | Optional |
Integrations
Features
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Managed Antivirus | | Allow | Allow | Group | Group | Optional |
| Settings & Policies | Add, edit and delete Managed Antivirus policies and apply to devices. Use the CART tool | Allow | Allow | Deny | Deny | Optional |
| Usage | Run and cancel MAV scans, quarantine and release items from quarantine, update threat definitions, detect installed products | Allow | Allow | Allow | Deny | Optional |
| View | View MAV scan results | Allow | Allow | Allow | Allow | Optional |
| Recovery Key Management | Retrieve Disk Encryption Key | Allow | Allow | Deny | Deny | |
| Patch Management | | Allow | Allow | Group | Group | Optional |
| Settings & Policies | Add, edit and delete Patch Management policies and apply to devices | Allow | Allow | Deny | Deny | Optional |
| Usage | Install, approve, reprocess and ignore patches. Run the vulnerability check | Allow | Allow | Allow | Deny | Optional |
| View | View patches on the Patches tab | Allow | Allow | Allow | Allow | Optional |
| Web Protection | | Allow | Allow | Group | Group | Optional |
| Settings & Policies | Add, edit and delete Web Protection policies and apply to devices | Allow | Allow | Deny | Deny | Optional |
| Usage | Refresh Web Protection data and use the website lookup tool | Allow | Allow | Allow | Deny | Optional |
| View | View Web Protection browsing data | Allow | Allow | Allow | Allow | Optional |
| Backup & Recovery | | Allow | Allow | Group | Group | Optional |
| Settings & Policies | Add, edit and delete Backup & Recovery policies and apply to devices | Allow | Allow | Deny | Deny | Deny |
| Usage | Download the Backup Manager, run backups, restore backups, view changed and removed files | Allow | Allow | Allow | Deny | Optional |
| View | View backup files on the Backup tab, view changed and removed files | Allow | Allow | Allow | Allow | Optional |
| Network Discovery | | Allow | Group | Deny | Deny | Optional |
| Settings | Enable or disable Network Discovery at the policy or device level | Allow | Deny | Deny | Deny | Deny |
| Usage | Access the Networks tab, manage a network and use the Network Discovery feature | Allow | Allow | Deny | Deny | Deny |
| View | Show Networks tab on the North-pane | Allow | Allow | Deny | Deny | Optional |
| Mobile Device Management. Mobile Device Management was retired on November 1, 2021 and replaced with Device Management for Apple. | | Allow | Allow | Group | Group | Optional |
| Settings & Policies | Add, edit and delete mobile devices; view mobile device reports | Allow | Allow | Deny | Deny | Deny |
| Usage | Issue updates and commands for mobile devices under management | Allow | Allow | Allow | Deny | Optional |
| View | Show Mobile Devices tab on the North-pane | Allow | Allow | Allow | Allow | Optional |
| O365, Google Drive | Access the Services tab. Add, edit and delete services, and use the Services functions | Allow | Allow | Deny | Deny | Deny |
| Take Control | | Allow | Allow | Group | Group | Optional |
| Settings | Configure and install Take Control and Remote Access. Customize the remote support mail templates | Allow | Allow | Deny | Deny | Optional |
| Usage | Use Take Control to remote on to end-point devices that have Take Control installed | Allow | Allow | Allow | Deny | Optional |
| View | Show Take Control column on the North-pane | Allow | Allow | Allow | Allow | Optional |
| Attended Take Control | Use Take Control Fast Assist to start attended remote access sessions | Allow | Allow | Allow | Deny | Deny |
| Remote Background Manager | | Allow | Allow | Group | Group | Optional |
| Settings | Enable the Remote Background Manager feature for clients, sites and devices | Allow | Allow | Deny | Deny | Deny |
| Usage | Start and use Remote Background Manager sessions on devices | Allow | Allow | Allow | Deny | Optional |
| View | Show RBM column on the North-pane | Allow | Allow | Allow | Allow | Optional |
| Remote Control of Network Devices | Start and use Remote Control of Network Device session on devices | Allow | Allow | Allow | Deny | Optional |
| User Chat | Show or hide the User Chat feature. Take Control or Remote Background Manager must be installed on the device. | Allow | Allow | Allow | Deny | Optional |
| Remote Support (Legacy tool) | | Allow | Allow | Group | Deny | Optional |
| Email Template | Edit the Remote Support email template | Allow | Allow | Deny | Deny | Deny |
| Usage | Send the Remote Support agent | Allow | Allow | Allow | Deny | Optional |
| Remote Desktop | Start a remote desktop session | Allow | Allow | Deny | Deny | Optional |
| System Tray | | Allow | Allow | Group | Group | Optional |
| Settings | Manage the system tray settings including icon | Allow | Allow | Deny | Deny | Deny |
| View | Show System Tray column on the North-pane | Allow | Allow | Allow | Allow | Optional |
| Risk Intelligence | | Allow | Allow | Allow | Allow | Optional |
| Settings & Policies | Configure and install Risk Intelligence. Customize and apply policies. | Allow | Allow | Deny | Deny | Optional |
| Usage | Run Risk Intelligence scans | Allow | Allow | Allow | Deny | Optional |
| View | View the Risk Intelligence results and reports | Allow | Allow | Allow | Allow | Optional |
Filter Manager
| Permission | Description | Superuser | Administrator | Standard | Client | Client: Custom Options |
|---|---|---|---|---|---|---|
| Settings | Manage and use custom filters | Allow | Allow | Allow | Deny | Optional |
