Roles and Securables
System roles
On the Roles page, a system role is indicated by an icon with a padlock.
System roles are built-in and are not configurable; however, they can be assigned to users in the same way as any other role. The following table lists the built-in system roles.
1E system role | Permissions | Allows delegation | Description | Notes |
---|---|---|---|---|
| Yes | Use 1E Endpoint Troubleshooting, execute any Instruction (Action and Question), and view any Instruction response | Renamed in 8.0 - was Global Actioners. | |
| Yes | Use 1E Endpoint Troubleshooting, approve any Instruction for anyone other than self | Renamed in 8.0 - was Global Approvers. If email is enabled, this role will receive an approval request email for each requested action instruction. | |
| Yes | Use 1E Endpoint Troubleshooting, ask any Question and view any Instruction response | Renamed in 8.0 - was Global Questioners. | |
| Yes | Use 1E Endpoint Troubleshooting, view any Instruction response | Renamed in 8.0 - was Global Viewers. | |
| No | Has all the permissions available in the Platform and its Applications | Renamed in 8.0 - was Global Administrators. | |
| Yes | Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s) | New role in 8.0. This role is similar to the previous Management Group Administrators role, with permissions extended to support using Management Groups for RBAC; however, the role is only allowed to manage Management Groups below the Management Groups they have been assigned to. | |
| No | Use Endpoint Automation, manage Rules and Policies, and assign and deploy Policies | Renamed in 8.0 - was Guaranteed State Administrators. | |
| Yes | Assign Policies to Management Groups (does not allow use of Endpoint Automation) | New role in 8.0 | |
| No | Use Endpoint Automation, view dashboards | Renamed in 8.0 - was Guaranteed State Viewers. | |
| No | Install and upgrade the Platform and Applications, register Consumers, upload DEXPacks, manage Instruction Sets, and configure Roles and Permissions | New role in 8.0 | |
| No | Manage Inventory repositories - populate and archive them - export data - manage Inventory associations | Renamed in 8.0 - was Inventory Administrators. | |
| No | View Inventory repositories, data and Inventory associations | Renamed in 8.0 - was Inventory Viewers. | |
| No | For service and equivalent accounts to perform 1E system operations | New role in 8.0 |
Questions, responses, and actions are examples of securables. Other Consumers may create their own system roles and securables.
Note
When upgrading from Tachyon Platform 5.2 or earlier, role names are automatically renamed as listed above. Other roles are deleted during the upgrade, unless they have members.
The upgrade process makes the following changes:
New roles are created, if they do not exist already:
New system roles:
Group Administrator
Guaranteed State Policy Assigner
Installer
Tachyon System
New custom roles:
Experience Administrator
Experience Engagement Assigner
Patch Success Administrator
The Tachyon user doing the upgrade is automatically assigned to the Installer role. The user is also unassigned from the following roles, if assigned before the upgrade:
Applications Administrators
Consumer Administrators
Event Subscription Administrators
Instruction Set Administrators
Permissions Administrators
Tachyon users associated with the NT AUTHORITY/NETWORK SERVICE and machine accounts are assigned to the Tachyon System role. These users will also be unassigned from the following roles, if assigned before the upgrade:
Applications Administrators
Consumer Viewers
Engagement Administrator
Management Group Sync Initiators
Offloaders
Permissions Viewers
Survey Administrators
Several old roles are renamed:
Some are renamed from plural to singular, for example if the Nomad Administrators role exists it is renamed to Nomad Administrator.
An exception: in the unlikely event that the Nomad Admins role exists, it is renamed to Nomad Administrator unless that role already exists, in which case it is renamed to Nomad Administrators instead.
Global Questioner, Global Actioner, Global Viewer, and Global Approver roles have been renamed with Global... replaced by All Instructions...
Inventory Viewers, Experience Viewers, and Patch Success Viewers have been renamed with ...Viewers changed to ...User.
System roles renamed from | System roles renamed to |
---|---|
Global Actioners | All Instructions Actioner |
Global Administrators | Full Administrator |
Global Approvers | All Instructions Approver |
Global Questioners | All Instructions Questioner |
Global Viewers | All Instructions Viewer |
Guaranteed State Administrators | Guaranteed State Administrator |
Guaranteed State Viewers | Guaranteed State User |
Inventory Administrators | Inventory Administrator |
Inventory Viewers | Inventory User |
Survey Administrators | Experience Engagement Administrator * |
Survey Viewers | Experience Engagement Viewer * |
Note
* These roles are retired, and will only be kept if a user or group is assigned to them.
Custom roles renamed from | Custom roles renamed to |
---|---|
AppClarity Administrators | AppClarity Administrator |
Application Migration Administrators | Application Migration Administrator |
Compliance Administrators | Compliance Administrator |
Compliance Viewers | Compliance Viewer |
Entitlement Administrators | Entitlement Administrator |
Experience Viewers | Experience Viewer |
Nomad Administrators | Nomad Administrator |
Patch Success Viewers | Patch Success User |
Reclaim Administrators | Reclaim Administrator |
Reclaim Viewers | Reclaim Viewer |
Other system and custom roles are deleted. A role is kept only if (a) it is on the list of roles to be kept, or (b) it has a user or group assigned to it.
System roles that are kept:
All Instructions Actioner
All Instructions Approver
All Instructions Questioner
All Instructions Viewer
Full Administrator
Group Administrator
Guaranteed State Administrator
Guaranteed State Policy Assigner
Guaranteed State User
Installer
Inventory Administrator
Inventory User
Tachyon System
Custom roles that are kept:
1E ITSM Connect Actioner
AppClarity Administrator
Application Migration Administrator
Compliance Administrator
Compliance Viewer
Entitlement Administrator
Experience Administrator
Experience Engagement Assigner
Experience User
Nomad Administrator
Patch Success Administrator
Patch Success User
Reclaim Administrator
Reclaim Viewer
System roles that have been retired:
1E Client Deployment Administrators
1E Client Installer Administrators
Applications Administrators
Component Administrators
Connector Administrators
Consumer Administrators
Consumer Viewers
Custom Properties Administrators
Event Subscription Administrators
Event Subscription Viewers
Infrastructure Administrators
Instruction Set Administrators
Log Viewers
Management Group Administrators
Management Group Sync Initiators
Offloaders
Permissions Administrators
Permissions Viewers
Policy Administrators
Provider Configuration Administrators
Schedule Administrators
Survey Administrators (Experience Engagement Administrator)
Survey Viewers (Experience Engagement Viewer)
VDI Administrators
Custom roles that have been retired:
Any custom role created by Tachyon administrators
Tip
A retired role is kept if it has a user or group assigned to it.
The following roles are retired (deleted) during an upgrade.
Retired Tachyon system role | Permissions | Notes |
---|---|---|
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Inventory Administrator role instead. | |
| Use Inventory Administrator role instead. | |
| Use Full Administrator role instead. | |
| Create a custom role if required. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| If this role is retained during an upgrade, it will have been renamed from Survey Administrators. | |
| If this role is retained during an upgrade, it will have been renamed from Survey Viewers. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Create a custom role if required. | |
| Use Full Administrator or Group Administrator role instead. | |
| Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. | |
| Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. | |
| Use Full Administrator or Group Administrator role instead. | |
| Create a custom role if required. | |
| Use Guaranteed State Administrator roles instead. | |
| Use Full Administrator role instead. | |
| Use one or more of the following roles depending which repositories you need to use:
| |
| Use the Experience Administrator custom role instead. |
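The upgrade rules above (renames, the Nomad Admins exception, and retention only for listed roles or roles with members) can be turned into a pre-upgrade audit of role assignments; this is an added example, not 1E code. It models only what this page states, assumes the plural-to-singular renames are applied before the Nomad Admins check, maps Experience Viewers to Experience User as the kept list does, and runs on a constructed role inventory.

```python
# Added example: models only the upgrade rules stated on this page.
# Roles renamed from plural to singular (old name = new name + "s").
SINGULAR = [
    "Guaranteed State Administrator", "Inventory Administrator", "AppClarity Administrator",
    "Application Migration Administrator", "Compliance Administrator", "Compliance Viewer",
    "Entitlement Administrator", "Nomad Administrator", "Reclaim Administrator",
    "Reclaim Viewer",
]
RENAMES = {new + "s": new for new in SINGULAR}
RENAMES.update({
    "Global Actioners": "All Instructions Actioner", "Global Administrators": "Full Administrator",
    "Global Approvers": "All Instructions Approver", "Global Questioners": "All Instructions Questioner",
    "Global Viewers": "All Instructions Viewer", "Guaranteed State Viewers": "Guaranteed State User",
    "Inventory Viewers": "Inventory User", "Patch Success Viewers": "Patch Success User",
    "Experience Viewers": "Experience User",  # name used in the page's kept list
    "Survey Administrators": "Experience Engagement Administrator",  # retired unless assigned
    "Survey Viewers": "Experience Engagement Viewer",                # retired unless assigned
})
RETIRED_AFTER_RENAME = {"Experience Engagement Administrator", "Experience Engagement Viewer"}
KEPT = (set(RENAMES.values()) - RETIRED_AFTER_RENAME) | {
    "Group Administrator", "Guaranteed State Policy Assigner", "Installer", "Tachyon System",
    "1E ITSM Connect Actioner", "Experience Administrator", "Experience Engagement Assigner",
    "Patch Success Administrator",
}

def plan_upgrade(roles):
    """roles: {name: assigned users/groups} -> {name: (post-upgrade name, fate)}."""
    taken = {RENAMES.get(n, n) for n in roles}  # assumption: plural renames apply first
    plan = {}
    for name, members in roles.items():
        new = RENAMES.get(name, name)
        if name == "Nomad Admins":  # the exception described on the page
            new = "Nomad Administrators" if "Nomad Administrator" in taken else "Nomad Administrator"
        # A role survives if it is on the kept list, or if someone is still assigned to it.
        fate = "kept" if new in KEPT else "kept-has-members" if members > 0 else "deleted"
        plan[name] = (new, fate)
    return plan

def needs_review(plan):
    """Roles that will vanish, plus retired roles that survive only because they have members."""
    return sorted(name for name, (_, fate) in plan.items() if fate != "kept")

# Constructed inventory; "Helpdesk Tier 2" is a hypothetical administrator-created custom role.
SAMPLE = {"Global Administrators": 3, "Permissions Administrators": 2, "Log Viewers": 0,
          "Survey Viewers": 0, "Nomad Administrators": 1, "Nomad Admins": 0, "Helpdesk Tier 2": 0}

if __name__ == "__main__":
    for old, (new, fate) in plan_upgrade(SAMPLE).items():
        print(f"{old:28} -> {new:36} {fate}")
```

Roles reported as kept-has-members are retired roles that persist after the upgrade, so their membership is worth reviewing against the replacement roles listed in the table above.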
Custom roles
On the Roles page, a custom role is indicated by an icon with a cogwheel.
The following table lists built-in custom roles used by 1E Applications.
1E custom role | Permissions | Allows delegation | Description | Notes |
---|---|---|---|---|
| Yes | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. | |
| No | Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was AppClarity Administrators. | |
| No | Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment | Renamed in 8.0 - was Application Migration Administrators. | |
| No | Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Compliance Administrators. | |
| No | View AppClarity Compliance, Entitlement and License Demand | Renamed in 8.0 - was Compliance Viewers. | |
| No | Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Entitlement Administrators. | |
| No | Use Experience Analytics, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics | New role in 8.0. Effectively a combination of the previous Survey Administrators and VDI Administrators roles. | |
| Yes | Assign Engagements to Management Groups (does not allow use of Experience Analytics) | New role in 8.0 | |
| No | Use Experience Analytics, view Survey responses, and view Metrics | Renamed in 8.0 - was Experience Viewers. | |
| No | Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies | Renamed in 8.0 - was Nomad Administrators. Instruction set assigned manually after installation. | |
| No | Use Patch Success, manage and populate its Repository, and deploy Policies, use Endpoint Troubleshooting to deploy patches | New role in 8.0. Instruction set assigned manually after installation. | |
| No | Use Patch Success, and use Endpoint Troubleshooting to ask about Patch status on devices | Renamed in 8.0 - was Patch Success Viewers. Instruction set assigned manually after installation. | |
| No | Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Reclaim Administrators. | |
| No | View AppClarity Reclaim | Renamed in 8.0 - was Reclaim Viewers. |
Securables and operations
In the SDK documentation, Securables are also known as Securable Types.
A Permission is one or more Operations for a Securable. The remit for a Securable is either Localized or Global. A Role that has only Localized permissions can be delegated.
Securable | Operations | Remit | Description |
---|---|---|---|
Approve, Execute, View | Global | View, create, and cancel 1E Client deployment jobs | |
Add, Delete, Read | Global | View, upload, and delete 1E Client installers | |
Delete, Execute, Export, Read, Write | Global | View, create, edit, delete, export, and manage AppClarity Compliance and LDC | |
Delete, Execute, Export, Read, Write | Global | View, create, edit, delete, export, and manage AppClarity Entitlement | |
Delete, Execute, Export, Read, Write | Global | View, create, edit, delete, export, and manage AppClarity Reclaim | |
Delete, Write | Global | Install and uninstall Portal applications | |
Read, Write | Global | View and configure Components | |
Delete, Execute, Read, Write | Global | View, create, edit, delete, and test Connectors | |
Read, Write | Global | View, add, edit, and delete Consumers | |
Read, Write | Global | View, add, edit, and delete Custom properties | |
Assign | Localized | Assign Engagements (Surveys and Announcements) to Management Groups | |
Delete, Execute, Read, Write | Global | View, create, edit, delete, and enable Engagements (Surveys and Announcements) - this securable has been renamed in version 8.0 from Surveys | |
Delete, Read, Write | Localized | View, create, edit, and delete the configurations of event subscriptions | |
Read | Global | View Experience Analytics dashboards | |
Delete, Read, Write | Global | View, add, edit, and delete Rules, Fragments, Trigger templates, and Policies - view Endpoint Automation dashboards | |
Delete, Read, Write | Global | View System health and System information - view, add, and edit global settings | |
Read | Global | View Infrastructure log | |
Actioner, Approver, Questioner, Viewer | Localized | Execute, schedule, cancel, and approve instructions - view responses | |
Add, Delete, Read | Global | Upload DEXPack - add, modify, and delete instruction sets - delete instruction definitions | |
Export, Read | Global | View Inventory Insights dashboards and export inventory data | |
Delete, Export, Read, Write | Global | View, create, edit, and delete SCCM Associations in Inventory | |
Delete, Read, Synchronize, Write | Localized | Create, delete, edit, and initiate synchronization of Management Groups | |
Delete, Read, Write | Global | View Content Distribution dashboards and SSD peer data. View, add, and delete pre-cache jobs. Pause and resume download activity of Content Distribution clients | |
Offload | Global | Offload (forward) event data to any Web API responsible for processing that data | |
Assign | Localized | Assign Endpoint Automation policies to Management Groups | |
Execute | Global | Deploy all types of policies (including metrics, events, and engagements) except for Reclaim policies | |
Delete, Read, Write | Global | View and purge the Process log, Cancel all actions | |
Read, Write | Global | View and deploy patches at all endpoints | |
Delete, Read, Write | Global | View, create, edit, and delete Providers | |
Read | Global | Update, delete and view provider configurations | |
Archive, Delete, EvaluateManagementGroups, Execute, Populate, Read, Write | Global | ||
Populate, Read | Global | View and populate the BI repository | |
Archive, Delete, Populate, Read, Write | Global | ||
Archive, Delete, Populate, Read, Write | Global | ||
Archive, Delete, EvaluateManagementGroups, Populate, Read, Write | Global | View, create, edit, and delete Inventory repositories - populate and archive them | |
Read | Global | View Patch Success dashboards | |
Delete, Read, Write | Global | View, create, edit, and delete Schedules - view Schedule history | |
Delete, Read, Write | Localized | Add and remove Users - view all Roles - add, modify, and delete Custom roles - assign roles to users - view Audit information log | |
Read | Global | View Sync log | |
Read, Write | Global | View, create, edit, and delete application servers |