System permissions by user roles
About
Access rights to Miradore are based on Miradore user group memberships (i.e. user roles) and item permissions. The following table lists Miradore user groups and the default permissions which are granted to all members of the groups.
The permissions inherited from Miradore user groups can be expanded with item permissions on a user-level.
System permissions by user roles
This section contains tables 1-4, which display what user permissions different user roles have in Miradore.
Table 1: Access permissions by user roles
| User in this role has... |
Administrator |
Editor |
Operator |
Help desk |
Reader |
Network operator |
License administrator |
Package builder |
Package approver |
Asset model approver |
Managed software approver |
Group distribution approver |
Report builder |
External event writer |
Security officer |
Web service reader |
Web service writer |
|
Reader access to the entire system |
X |
X |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
X* |
- |
|
Edit access to asset configuration items |
X |
X |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
X |
|
Access to system settings |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Access to license transaction prices |
X |
X |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
X |
X |
|
Access to report builder |
X |
-** |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
|
Access to detailed reports of virus alerts |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
X |
X |
|
Access to Automation tasks |
X |
-** |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
|
Read access to encryption recovery key |
X |
X |
-*** |
X |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
-*** |
|
Access to user information |
X |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
X**** |
* All users have reader access to the entire system by default, but it is possible to limit users read access to asset configuration items by using the item permissions. For more information, read Customization of user permissions.
** Editors don't have access to the Report builder, Automation tasks view, or to the Automation task items, but they can be permitted to access those by adding them to the Report builders group.
*** The permissions can be granted for other user roles with the item permissions. For more information, read Customization of user permissions.
**** By default, all users are able to access Users view and User item forms. Administrators always have access to user information, but from other users the access can be denied by adding them as members to the "Deny user listing" user group.
Web service readers and writers' permissions are described with more details in Miradore web service API documentation, which can be found from this page.
Table 2: General permissions by user roles
| User in this role can... |
Administrator |
Editor |
Operator |
Help desk |
Reader |
Network operator |
License administrator |
Package builder |
Package approver |
Asset model approver |
Managed software approver |
Group distribution approver |
External event writer |
Security officer |
Web service reader |
Web service writer |
|
Activate initial installation |
X |
X |
- |
X* |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Define permissions to other users accounts |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Distribute installation packages |
X |
X |
- |
X*** |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Import events from external systems (via mdevent.exe) |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
|
Import licenses from a CSV file |
X |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Install Miradore client |
X |
X |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Process reported asset data mismatches |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Share custom reports to other users |
X |
X |
X |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Share custom dashboards via public URL |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Test installation packages |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Unlock locked user accounts |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Use custom tools |
X |
- |
- |
X ** |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Use and configure network discovery |
X |
X |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Use Miradore web service to query data |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
X |
* Users with Help desk role are not able to access the "Activate initial installation" task at the Asset configuration items by default, but that right can be given to these user groups by granting them a write access to the desired asset configuration items with the custom item permissions.
** Each custom tool item can be allowed to use for helpdesk operators from the properties of the custom tool. By default, helpdesk operators are not allowed to use custom tools.
*** Users with the role of Helpdesk can only distribute such packages to assets which have the "Allowed for help desk = Yes". Helpdesk users cannot distribute other packages to assets.
Web service readers and writers' permissions are described with more details in Miradore web service API documentation, which can be found from this page.
Table 3: Item creation permissions by user roles
| User in this role can... |
Administrator |
Editor |
Operator |
Help desk |
Reader |
Network operator |
License administrator |
Package builder |
Package approver |
Asset model approver |
Managed software approver |
Group distribution approver |
External event writer |
Security officer |
Web service reader |
Web service writer |
| Create assets |
X |
X |
X |
- | - | - | - | - | - | - | - | - | - | - | - | - |
|
Create asset models |
X |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create, modify or remove asset groups |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
|
Create custom dashboards |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create group distributions |
X |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
X |
|
Create hardware categories |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create installation packages |
X |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create license pools |
X |
X |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
X |
|
Create locations |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
|
Create managed software |
X |
X |
- |
- |
- |
- |
X |
X |
- |
- |
- |
- |
- |
- |
- |
X |
|
Create organizations |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create software categories |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create subnets |
X |
X |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Create TCP/IP items |
X |
X |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
Web service readers and writers' permissions are described with more details in Miradore web service API documentation, which can be found from this page.
Table 4: Item activation permissions by user roles
| User in this role can... |
Administrator |
Editor |
Operator |
Help desk |
Reader |
Network operator |
License administrator |
Package builder |
Package approver |
Asset model approver |
Managed software approver |
Group distribution approver |
External event writer |
Security officer |
Web service reader |
Web service writer |
|
Activate asset groups |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
|
Activate and approve asset models |
X |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
|
Activate, approve, and reject group distributions |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X * |
- |
- |
- |
- |
|
Activate and approve installation packages |
X |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
|
Activate, approve, and close license pools |
X |
X |
- |
- |
- |
- |
X |
- |
- |
- |
- |
- |
- |
- |
- |
X |
|
Activate or remove locations |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
|
Activate and deactivate managed software |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
- |
- |
- |
X |
|
Activate or remove organizations |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
|
Approve patch deployments |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
X |
- |
X |
|
Activate and remove subnets |
X |
X |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
* A user account must belong to both Group distribution approvers and Editors groups in order to be able to approve group distributions. If the user account belongs to Group distribution approvers and Readers groups, The user does not have permission to approve the group distribution.
Web service readers and writers' permissions are described with more details in Miradore web service API documentation, which can be found from this page.
Notice
Each Miradore instance and the MSP console have a built-in default administrator account which cannot be edited or removed from the system. The password for the default administrator account is defined during the installation of Miradore.
Built-in user groups (Administrators, Editors, Operators etc.) cannot be removed or added as members to other user groups in Miradore.
See also
Customization of user permissions
Related to