Default System Role Permissions
You can use the following System Roles with their defined permissions, or you can create custom roles that are based on the System Roles:
- Superuser—full system access with all permissions enabled (except for Product Keys)
- Administrator—system access to all features except user management and billing information
- Standard—system access with mixed permissions; mostly concerned with viewing items and using features
- Client— basic system access with permissions for specific Client management and view options
If you create a custom role based on the Superuser, Administrator, or Standard System Role you can edit all of the permissions, except the Security permission that is for Superuser only, to meet your custom needs.
If you create a custom role based on the Client System Role, you are limited in the permissions you can edit.
For information about the limited permissions for a custom role based on the Client System Role, see the Client: Custom Options column in the following tables.
To avoid exposure of customer details to other clients, it is imperative that Client Dashboard logins are used with Client Groups to ensure the customer can only view their own devices and information, rather than other client details.
To avoid inadvertently revealing customer information, we recommend you log into the Client Dashboard with the customer login before distributing the credentials to the customer to verify they can only view their own details.
The following colors indicate the permissions used for Roles and Permissions:
| Key | Description |
|---|---|
| Allow | Allow |
| Deny | Deny |
| Group | Group option unavailable—the group contains mixed permissions |
| Optional | Client Role—option available |
The following tables indicate the default permission details for each System Role:
General
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| General Settings | View and edit the general account settings | Allow | Allow | Deny | Deny | Deny |
| Users | Allow | Deny | Deny | Deny | Deny | |
| User Accounts | Add, edit and delete user accounts | Allow | Deny | Deny | Deny | Deny |
| Security | Reset 2FA for users. Superuser Role only. | Allow | Deny | Deny | Deny | Deny |
| Roles & Permissions | Add, edit and delete user roles | Allow | Deny | Deny | Deny | Deny |
| Client Groups | Add, edit and delete client groups | Allow | Deny | Deny | Deny | Deny |
| Clients | Add, edit and delete clients | Allow | Allow | Deny | Deny | Deny |
| Sites | Add, edit and delete sites | Allow | Allow | Deny | Deny | Deny |
| Devices | Add, edit and delete devices (Client cannot Add devices) | Allow | Allow | Allow | Deny | Optional |
| Agents | Allow | Allow | Allow | Deny | Deny | |
| Download & Install | Download and install agents and add devices | Allow | Allow | Allow | Deny | Deny |
| Site Installation Package | Configure and download a site installation package | Allow | Allow | Allow | Deny | Deny |
| Agent Auto-update Settings | View and update the Agent versions on servers and workstations | Allow | Allow | Allow | Deny | Deny |
| Quick Links | Allow | Allow | Deny | Deny | Deny | |
| Take Control | Show or hide the Take Control quick link in the product bar | Allow | Allow | Deny | Deny | Deny |
| MSP Manager | Show or hide the MSP Manager quick link in the product bar | Allow | Allow | Deny | Deny | Deny |
| External Links | Allow | Allow | Group | Deny | Deny | |
| Settings | Edit the external links settings | Allow | Allow | Deny | Deny | Deny |
| Usage | Show the external links drop-down menu | Allow | Allow | Allow | Deny | Deny |
| Help | Allow | Allow | Allow | Deny | Optional | |
| System Help | Show the link to the helpfile section | Allow | Allow | Allow | Deny | Optional |
| Support Tickets | Submit help tickets to customer support via the Help drop-down menu | Allow | Allow | Allow | Deny | Optional |
| Release Notes | Show link to the release notes section | Allow | Allow | Allow | Deny | Optional |
| Billing | Allow | Deny | Deny | Deny | Deny | |
| Report | View billing related reports | Allow | Deny | Deny | Deny | Deny |
| PSA Integration | Allow | Allow | Group | Deny | Optional | |
| Settings | Set up and configure a PSA integration | Allow | Allow | Deny | Deny | Deny |
| Usage | Create, edit and view PSA tickets and information | Allow | Allow | Allow | Deny | Optional |
| Asset Tracking | View and use the Asset Tracking section | Allow | Allow | Allow | Deny | Optional |
| Product Keys | Display the Windows and Microsoft Office Keys in the device Summary tab | Deny | Deny | Deny | Deny | Optional |
| Wall Chart | View and edit the Wall Chart settings | Allow | Allow | Deny | Deny | Deny |
| Community | Access the Community websites | Allow | Allow | Allow | Deny | Deny |
Alerting
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| Alert Routing & Policies | Set server and workstation alert routing and alert policy settings | Allow | Allow | Deny | Deny | Deny |
| Email Templates | View and edit email templates | Allow | Allow | Deny | Deny | Deny |
| Email & SMS Alerts | Allow | Allow | Allow | Deny | Optional | |
| Devices | Show the email and SMS alert columns for Servers and Workstations in the North-pane | Allow | Allow | Allow | Deny | Optional |
| Checks | Show the email and SMS alert columns for checks in the South-pane | Allow | Allow | Allow | Deny | Optional |
Reporting
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| Dashboard Reports | Allow | Allow | Group | Deny | Optional | |
| User Audit | View the User Audit Report | Allow | Allow | Allow | Deny | Deny |
| Added and Removed Devices | View the added and removed devices | Allow | Allow | Allow | Deny | Deny |
| Device Inventory | View the Device Inventory Report | Allow | Allow | Allow | Deny | Optional |
| Feature Policy | View the Feature Policy Report | Allow | Allow | Allow | Deny | Optional |
| Critical Events | View the Critical Events Report | Allow | Allow | Allow | Deny | Optional |
| Check Clearing | View the Check Clearing Report | Allow | Allow | Allow | Deny | Optional |
| Fault History | View the Fault History Report | Allow | Allow | Allow | Deny | Optional |
| Bandwidth and Performance History | View the Bandwidth History Report | Allow | Allow | Allow | Deny | Optional |
| Active Directory Users | View the Active Directory Report | Allow | Allow | Allow | Deny | Optional |
| Automated Tasks | View the Automated Task Report | Allow | Allow | Allow | Deny | Optional |
| Remote Support | View the Remote Support Report | Allow | Allow | Allow | Deny | Deny |
| Take Control | View the Take Control report | Allow | Allow | Allow | Deny | Optional |
| Patch Management | View the Patch Management report | Allow | Allow | Allow | Deny | Optional |
| Managed Antivirus | View the Managed Antivirus reports | Allow | Allow | Allow | Deny | Optional |
| Disk Encryption | Allow | Allow | Deny | Deny | Optional | |
| Disk Encryption Report | View the Disk Encryption Report | Allow | Allow | Deny | Deny | Optional |
| Recovery Key Report | View the Disk Encryption Recovery Key Report | Allow | Allow | Deny | Deny | Optional |
| Web Protection | View the Web Protection reports | Allow | Allow | Allow | Deny | Optional |
| Backup & Recovery | View the Backup & Recovery report | Allow | Allow | Allow | Deny | Optional |
| Mobile Device Management | View the MDM reports | Allow | Allow | Allow | Deny | Optional |
| Risk Intelligence | View the Risk Intelligence reports | Allow | Allow | Allow | Deny | Optional |
| Servers | Allow | Allow | Group | Deny | Optional | |
| Settings | Configure the settings and monthly content for the client server monitoring reports | Allow | Allow | Deny | Deny | Deny |
| Email Template | Configure the email template settings for the server monitoring reports | Allow | Allow | Deny | Deny | Deny |
| Monthly Content | Configure the daily, weekly and monthly reports and their email settings | Allow | Allow | Deny | Deny | Deny |
| Monthly Report | View and (re)send the monthly client server reports | Allow | Allow | Allow | Deny | Optional |
| Resend Daily | View and (re)send the daily client server reports | Allow | Allow | Allow | Deny | Optional |
| Resend Weekly | View and (re)send the weekly client server reports | Allow | Allow | Allow | Deny | Optional |
| Workstations | Allow | Allow | Group | Deny | Group | |
| Settings | Configure the settings for the client workstation reports | Allow | Allow | Deny | Deny | Deny |
| Email Template | Configure the email template settings for the workstation monitoring reports | Allow | Allow | Deny | Deny | Deny |
| Resend Daily | View and (re)send the client daily workstation reports | Allow | Allow | Allow | Deny | Optional |
| Resend Weekly | View and (re)send the client weekly workstation reports | Allow | Allow | Allow | Deny | Optional |
| Notes | Allow | Allow | Group | Deny | Deny | |
| Settings | Configure the settings for the notes report | Allow | Allow | Deny | Deny | Deny |
| Email Template | Configure the email template settings for notes report | Allow | Allow | Deny | Deny | Deny |
| Notes Report | View the notes report | Allow | Allow | Allow | Deny | Deny |
Mobile Apps
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| Mobile Apps | Access the mobile apps | Allow | Allow | Deny | Deny | Optional |
| Private Notes | View and add private check notes | Allow | Allow | Deny | Deny | Optional |
Monitoring & Management
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| 24x7 & Daily Safety Checks | Allow | Allow | Group | Deny | Optional | |
| Settings | Add, edit and delete checks | Allow | Allow | Deny | Deny | Deny |
| Predefined SNMP Checks | View, add, edit and delete predefined SNMP checks | Allow | Allow | Allow | Deny | Deny |
| Usage | Run and clear checks | Allow | Allow | Allow | Deny | Optional |
| Automated Tasks | Allow | Allow | Group | Deny | Optional | |
| Settings | Add, edit and delete tasks for devices and sites | Allow | Allow | Deny | Deny | Deny |
| Usage | Run automated tasks | Allow | Allow | Allow | Deny | Optional |
| View | View automated tasks on the Tasks tab | Allow | Allow | Allow | Allow | Optional |
| Outages | Allow | Allow | Deny | Deny | Optional | |
| View | Show the outages tab | Allow | Allow | Allow | Deny | Optional |
| Details | Show the details of the outage | Allow | Allow | Deny | Deny | Deny |
| Monitoring Templates | Allow | Allow | Deny | Deny | Optional | |
| Settings | Add, edit and delete monitoring templates. Set default monitoring templates for new devices | Allow | Allow | Deny | Deny | Deny |
| Usage | Add and replace checks on devices using the monitoring templates | Allow | Allow | Deny | Deny | Optional |
| Custom Scripts | View, add, edit and delete custom scripts for checks and tasks | Allow | Allow | Deny | Deny | Deny |
| Maintenance Mode | Schedule maintenance mode and turn maintenance mode on and off | Allow | Allow | Allow | Deny | Deny |
| Critical Events | Add, edit, delete and apply critical events settings | Allow | Allow | Deny | Deny | Deny |
| Notes | Allow | Allow | Allow | Group | Optional | |
| Usage | Add, edit and delete device notes and check notes | Allow | Allow | Allow | Deny | Deny |
| View | View client facing notes | Allow | Allow | Allow | Allow | Optional |
| Pending Actions | Allow | Allow | Allow | Group | Optional | |
| Clients | View and cancel pending actions across clients | Allow | Allow | Allow | Deny | Deny |
| Devices | View and cancel pending actions for a device | Allow | Allow | Allow | Allow | Optional |
| Reboot | Reboot devices | Allow | Allow | Allow | Deny | Optional |
| Backup Device Configuration | Download a copy of the 24x7 and Daily Safety Check configuration on a device | Allow | Allow | Allow | Deny | Optional |
Device Management for Apple
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| Certificates | Manage certificates | Allow | Allow | Deny | Deny | Optional |
| Profile Library | Manage the profile library | Allow | Allow | Deny | Deny | Optional |
| Profile Deployment | Deploy profiles to devices using Device Management for Apple | Allow | Allow | Deny | Deny | Optional |
| Apple Business Manager | View and manage Apple Business Manager tokens | Allow | Allow | Deny | Deny | Optional |
| Workstations | Allow | Allow | Group | Group | Group | |
| View | View workstations on the Dashboard | Allow | Allow | Allow | Allow | Allow |
| View Profiles | View Profiles on workstations | Allow | Allow | Deny | Deny | Optional |
| Install Profiles | Install Profiles on workstations | Allow | Allow | Deny | Deny | Optional |
| Remove Profiles | Remove Profiles from workstations | Allow | Allow | Deny | Deny | Optional |
| Lock | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Instant Restart | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Remote Wipe |
Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Update Device Information | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Shutdown Device | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Checkout | Send the command to workstations | Allow | Allow | Deny | Deny | Optional |
| Command History | View the commands sent to workstations | Allow | Allow | Deny | Deny | Optional |
| Mobile Devices | Allow | Allow | Group | Group | Group | |
| View | View mobile devices on the Dashboard | Allow | Allow | Allow | Allow | Allow |
| View Profiles | View Profiles on mobile devices | Allow | Allow | Deny | Deny | Optional |
| Install Profiles | Install Profiles on mobile devices | Allow | Allow | Deny | Deny | Optional |
| Remove Profiles | Remove Profiles from mobile devices | Allow | Allow | Deny | Deny | Optional |
| Lock | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Instant Restart | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Remote Wipe |
Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Update Device Information | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Shutdown Device | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Checkout | Send the command to mobile devices | Allow | Allow | Deny | Deny | Optional |
| Command History | View the commands sent to mobile devices | Allow | Allow | Deny | Deny | Optional |
Integrations
Features
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| Managed Antivirus | Allow | Allow | Group | Group | Optional | |
| Settings & Policies | Add, edit and delete Managed Antivirus policies and apply to devices. Use the CART tool | Allow | Allow | Deny | Deny | Optional |
| Usage | Run and cancel MAV scans, quarantine and release items from quarantine, update threat definitions, detect installed products | Allow | Allow | Allow | Deny | Optional |
| View | View MAV scan results | Allow | Allow | Allow | Allow | Optional |
| Recovery Key Management | Retrieve Disk Encryption Key | Allow | Allow | Deny | Deny | |
| Patch Management | Allow | Allow | Group | Group | Optional | |
| Settings & Policies | Add, edit and delete Patch Management policies and apply to devices | Allow | Allow | Deny | Deny | Optional |
| Usage | Install, approve, reprocess and ignore patches. Run the vulnerability check | Allow | Allow | Allow | Deny | Optional |
| View | View patches on the Patches tab | Allow | Allow | Allow | Allow | Optional |
| Web Protection | Allow | Allow | Group | Group | Optional | |
| Settings & Policies | Add, edit and delete Web Protection policies and apply to devices | Allow | Allow | Deny | Deny | Optional |
| Usage | Refresh Web Protection data and use the website lookup tool | Allow | Allow | Allow | Deny | Optional |
| View | View Web Protection browsing data | Allow | Allow | Allow | Allow | Optional |
| Backup & Recovery | Allow | Allow | Group | Group | Optional | |
| Settings & Policies | Add, edit and delete Backup & Recovery policies and apply to devices | Allow | Allow | Deny | Deny | Deny |
| Usage | Download the Backup Manager, run backups, restore backups, view changed and removed files | Allow | Allow | Allow | Deny | Optional |
| View | View backup files on the Backup tab, view changed and removed files | Allow | Allow | Allow | Allow | Optional |
| Network Discovery | Allow | Group | Deny | Deny | Optional | |
| Settings | Enable or disable Network Discovery at the policy or device level | Allow | Deny | Deny | Deny | Deny |
| Usage | Access the Networks tab, manage a network and use the Network Discovery feature | Allow | Allow | Deny | Deny | Deny |
| View | Show Networks tab on the North-pane | Allow | Allow | Deny | Deny | Optional |
| NetPath | Allow | Allow | Deny | Deny | Optional | |
| Usage | Access the NetPath section, manage and view Network Paths | Allow | Allow | Deny | Deny | Optional |
| View | Show NetPath in the View menu | Allow | Allow | Allow | Deny | Optional |
|
Mobile Device Management
Mobile Device Management was retired on November 1, 2021 and replaced with Device Management for Apple. |
Allow | Allow | Group | Group | Optional | |
| Settings & Policies | Add, edit and delete mobile devices; view mobile device reports | Allow | Allow | Deny | Deny | Deny |
| Usage | Issue updates and commands for mobile devices under management | Allow | Allow | Allow | Deny | Optional |
| View | Show Mobile Devices tab on the North-pane | Allow | Allow | Allow | Allow | Optional |
| O365, Google Drive | Access the Services tab. Add, edit and delete services, and use the Services functions | Allow | Allow | Deny | Deny | Deny |
| Take Control | Allow | Allow | Group | Group | Optional | |
| Settings | Configure and install Take Control and Remote Access. Customize the remote support mail templates | Allow | Allow | Deny | Deny | Optional |
| Usage | Use Take Control to remote on to end-point devices that have Take Control installed | Allow | Allow | Allow | Deny | Optional |
| View | Show Take Control column on the North-pane | Allow | Allow | Allow | Allow | Optional |
| Attended Take Control | Use Take Control Fast Assist to start attended remote access sessions | Allow | Allow | Allow | Deny | Deny |
| Remote Background Management | Allow | Allow | Group | Group | Optional | |
| Settings | Enable the Remote Background Management feature for clients, sites and devices | Allow | Allow | Deny | Deny | Deny |
| Usage | Start and use Remote Background Management sessions on devices | Allow | Allow | Allow | Deny | Optional |
| View | Show RBM column on the North-pane | Allow | Allow | Allow | Allow | Optional |
| Remote Control of Network Devices | Start and use Remote Control of Network Device session on devices | Allow | Allow | Allow | Deny | Optional |
| User Chat | Show or hide the User Chat feature. Take Control or Remote Background Management must be installed on the device. | Allow | Allow | Allow | Deny | Optional |
| Remote Support (Legacy tool) | Allow | Allow | Group | Deny | Optional | |
| Email Template | Edit the Remote Support email template | Allow | Allow | Deny | Deny | Deny |
| Usage | Send the Remote Support agent | Allow | Allow | Allow | Deny | Optional |
| Remote Desktop | Start a remote desktop session | Allow | Allow | Deny | Deny | Optional |
| System Tray | Allow | Allow | Group | Group | Optional | |
| Settings | Manage the system tray settings including icon | Allow | Allow | Deny | Deny | Deny |
| View | Show System Tray column on the North-pane | Allow | Allow | Allow | Allow | Optional |
| Risk Intelligence | Allow | Allow | Allow | Allow | Optional | |
| Settings & Policies | Configure and install Risk Intelligence. Customize and apply policies. | Allow | Allow | Deny | Deny | Optional |
| Usage | Run Risk Intelligence scans | Allow | Allow | Allow | Deny | Optional |
| View | View the Risk Intelligence results and reports | Allow | Allow | Allow | Allow | Optional |
Filter Manager
| Permission | Description |
|
|
|
|
|
|---|---|---|---|---|---|---|
| Settings | Manage and use custom filters | Allow | Allow | Allow | Deny | Optional |
Please be aware that the Asset Tracking section and all Dashboard Reports (apart from the account wide User Audit Report and Remote Support Report) are Client Group aware. And where setup, users will only see Assets and Dashboard Reports that are specific to their assigned Clients; for example when selecting All Clients from a Report drop-down, this will only return the Reports for their Client Group. In line with best practice we would suggest taking a moment to login as the Client and check the returned information to ensure the expected information is returned.