Roles and Permissions
Automox supports the following role-based access controls (RBAC). The user roles and permissions are listed in the table.
About global administrators
- Global Administrators have complete control of the Automox account. Organization Administrators only have control of the organization they are assigned to. You can give an Organization Administrator access to the Global View, but that access excludes the account management permissions.
- It is recommended to keep the number of Global Administrators to a minimum.
- Only Global Administrators can invite users to an account.
- Only Global Administrators can enable Ask Otto.
Roles and permissions table
| Function | Permissions | Global Administrator | Organization Administrator | Organization Operator | Patch Operator | Helpdesk Operator | Billing Administrator | Read Only |
|---|---|---|---|---|---|---|---|---|
| Billing | Modify | X | X | | | | X | |
| | Read | X | X | | | | X | X |
| Devices | Add | X | X | X | | | | |
| | Delete | X | X | X | | | | |
| | Manage | X | X | X | | | | |
| | Read | X | X | X | X | X | X | X |
| Groups | Create | X | X | X | | | | |
| | Delete | X | X | X | | | | |
| | Modify | X | X | X | X | | | |
| | Read | X | X | X | X | X | X | X |
| Package (Software) | Manage (Patch/Update) | X | X | X | | | | |
| | Read | X | X | X | X | X | X | X |
| Patch Policy | Create | X | X | X | X | | | |
| | Delete | X | X | X | X | | | |
| | Modify | X | X | X | X | | | |
| | Execute | X | X | X | X | | | |
| | Read | X | X | X | X | X | X | X |
| RBAC Roles | Create | X | X | | | | | |
| | Delete | X | X | | | | | |
| | Modify | X | X | | | | | |
| | Read | X | X | X | X | X | X | X |
| Remote Control | Manage Consent | X | X | | | | | |
| | Access | X | X | X | | X | | |
| Reports | Read | X | X | X | X | X | X | X |
| Required Software Policy | Create | X | X | X | | | | |
| | Delete | X | X | X | | | | |
| | Modify | X | X | X | | | | |
| | Execute | X | X | X | X | | | |
| | Read | X | X | X | X | X | X | X |
| SAML | Read | X | X | X | X | X | X | X |
| | Manage | X | X | | | | | |
| Software | Read | X | X | X | X | X | X | X |
| TFA (two-factor authentication) | Create | X | X | | | | | |
| | Read | X | X | | | | | X |
| | Manage | X | X | | | | | |
| | Delete | X | X | | | | | |
| Users | Invite | X | X | | | | | |
| | Delete | X | X | | | | | |
| | Modify | X | X | | | | | |
| | Read | X | X | | | | X | X |
| Worklets | Create | X | X | X | | | | |
| | Delete | X | X | X | | | | |
| | Modify | X | X | X | | | | |
| | Execute | X | X | X | X | | | |
| | Read | X | X | X | X | X | X | X |
| Organization | Manage | X | X | | | | | |
| | Create | X | X | | | | | |
| | Read | X | X | X | X | | X | X |
Role Summaries
- Global Administrator: A global administrator has full administrative rights, and can manage consent for remote control, where your plan includes remote control.
- Organization Administrator: An organization administrator has full administrative rights to a specific organization. For organizations on a plan that includes remote control, this role can manage consent and access devices with remote control.
- Organization Operator: An organization operator can create, read, modify, and delete all policies and server groups for one or more organizations. They can add, remove, and restart devices. This role can access remote control if your plan includes it.
- Patch Operator: A patch operator can create, modify, and delete patch policies. They can view and run worklets and required software policies. They do not have permission to create or modify worklets and required software policies. They can view, but not manage devices.
- Billing Administrator: Provides full read rights in addition to the ability to view and edit billing information.
- Read Only: Provides full read rights to a specific organization.
- Helpdesk Operator: A helpdesk operator has full read rights in addition to the ability to conduct remote control sessions.
The user can only modify user preferences, such as notifications and password.
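The table and role summaries above can be used to right-size role assignments. The following added example is not Automox code and does not call the Automox API: it transcribes a subset of the table, then, for a constructed list of users and the permissions each actually used, recommends the narrowest covering role and counts Global Administrators. The permission key names, role abbreviations, tie-break order, and the threshold of one Global Administrator are assumptions made for illustration.

```python
# Subset of the page's permissions table: permission -> roles holding it.
# Abbreviations (ours): GA/OA = Global/Organization Administrator, OO = Organization
# Operator, PO = Patch Operator, HO = Helpdesk Operator, BA = Billing Administrator,
# RO = Read Only. List order is our tie-break, narrowest first (assumption).
ROLES = ["RO", "BA", "HO", "PO", "OO", "OA", "GA"]
ALL = set(ROLES)
MATRIX = {  # key names are hypothetical labels, not Automox identifiers
    "billing:modify":        {"GA", "OA", "BA"},
    "devices:manage":        {"GA", "OA", "OO"},
    "devices:read":          ALL,
    "patch_policy:modify":   {"GA", "OA", "OO", "PO"},
    "patch_policy:execute":  {"GA", "OA", "OO", "PO"},
    "worklets:modify":       {"GA", "OA", "OO"},
    "worklets:execute":      {"GA", "OA", "OO", "PO"},
    "remote_control:access": {"GA", "OA", "OO", "HO"},
    "users:modify":          {"GA", "OA"},
    "reports:read":          ALL,
}
# Constructed sample: user -> (assigned role, permissions actually exercised).
ASSIGNMENTS = {
    "alice": ("GA", {"users:modify", "billing:modify"}),
    "bob":   ("GA", {"patch_policy:modify", "patch_policy:execute", "worklets:execute"}),
    "carol": ("OO", {"remote_control:access", "devices:read"}),
    "dave":  ("PO", {"patch_policy:execute", "reports:read"}),
    "erin":  ("OA", {"reports:read"}),
}

def grants(role):
    """Permissions (within the subset) that the role holds."""
    return {perm for perm, roles in MATRIX.items() if role in roles}

def rank(role):
    # Fewer granted permissions ranks narrower; ties fall back to ROLES order,
    # which puts the organization-scoped OA ahead of the account-wide GA.
    return (len(grants(role)), ROLES.index(role))

def narrowest_role(needed):
    unknown = set(needed) - MATRIX.keys()
    if unknown:
        raise ValueError(f"not in matrix subset: {sorted(unknown)}")
    # GA holds every permission in MATRIX, so at least one role always covers.
    return min((r for r in ROLES if set(needed) <= grants(r)), key=rank)

def audit(assignments, max_global_admins=1):
    oversized = []
    for user, (assigned, used) in sorted(assignments.items()):
        best = narrowest_role(used)
        if rank(best) < rank(assigned):  # a narrower role would have sufficed
            oversized.append((user, assigned, best))
    admins = sorted(u for u, (role, _) in assignments.items() if role == "GA")
    return {"oversized": oversized, "global_admins": admins,
            "too_many_global_admins": len(admins) > max_global_admins}
```

Calling `audit(ASSIGNMENTS)` returns the users whose assigned role is broader than their observed activity requires, together with the list of Global Administrators.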
Access Within Organization
Users can be given a role to access an organization with certain permissions. These permissions are then only related to the devices in that organization.
- Ask Otto
  - Enable Ask Otto: only global administrators
  - Use Ask Otto: only global administrators, organization administrators, and organization operators
- Automated Vulnerability Remediation (AVR)
  - Configure: global administrators, organization administrators, organization operators
  - Remediate: global administrators, organization administrators, organization operators, and patch operators
  - Read: global administrators, organization administrators, organization operators, patch operators, and read only users
- Script Signing
  - Modify: global administrators and organization administrators
  - Read: global administrators, organization administrators, and organization operators
- Secrets Management
  - Create, Edit, Remove: global administrators, organization administrators, and organization operators
API Keys
All users can create, read, modify, delete, and decrypt (reveal) their own API keys.
These roles have permissions related to the API keys of others:
- Global administrators:
  - read, modify, and delete API keys for users in all organizations
- Organization administrators:
  - read, modify, and delete API keys for users in the organizations that they have permissions to