Roles and Scopes

After a user account is created (see the Creating User Accounts topic), it can be set up with limited rights for specific features (Custom User).

Scopes control which devices a user account can see. A scope is defined by assigning an Absolute Device Group.

Roles restrict what a user can do: the features of Absolute they have access to. Once a role is created, it can be reused by multiple user accounts.

In addition to the existing assigned permissions, you may restrict or allow access to the following:

  • Devices: Modify Sites, Archive/delete devices, Remove Agent, Add Device menu, Custom Fields and Data Export
  • Vulnerabilities: View Patch Manager, View Security Manager
  • Tasks: Office 365 and Maintenance Windows
  • Device Tools: Each tool is an individual assignment: File Browser, Event Viewer, Process Viewer, WMI Explorer, Log Viewer, Remote Registry, and PowerShell
  • General: Edit and create dashboards, Applications, Settings, etc.

Prerequisites

An account that has 'Admin' permissions

Discovery: What's here?

See the full list of permissions that can be assigned to users, ensuring that they have the necessary control and access to effectively manage devices, monitor security, and analyze system data.

The Role Editor is available under Console Security > Roles > '+ Add'.

Alerting

Alerts are notifications triggered by specific events or conditions, such as the detection of a security threat or the failure of a system component.

Settings in this area will allow or deny access to the following options:

  • Create - Create new alerts based on predefined criteria.
  • Delete - Users with this permission can remove existing alerts from the system.
  • Edit - Editing alerts allows for fine-tuning of criteria or adjusting notification thresholds based on changing requirements or conditions.
  • Publish alert - Make alerts visible and active within the console. Publishing alerts ensures that they are operational and can trigger notifications or actions based on predefined criteria.

Monitoring

Grants access to functions for managing and publishing monitor checks, as well as importing and exporting monitoring configurations.

Permissions in this area include:

  • Import – Upload monitor check templates or definitions from external sources.
  • Export – Save and share existing monitor configurations for reuse or auditing.
  • Manage – Create, edit, and delete monitoring checks within the console.
  • Publish – Activate monitor checks so they begin collecting data or triggering responses based on defined criteria.

Device Permissions

Settings in this area will allow or deny permissions related to managing devices in the system, including modifying sites, archiving/deleting devices, removing agents, accessing the add device menu, and managing custom fields and data export.

Devices

  • Active Directory Settings - Allow AD Browsing. Permissions related to configuring and managing integration with Active Directory for device management purposes.
  • Column Sets - Permissions for customizing the columns displayed in device lists and reports.
  • Custom Fields - Permissions for creating and managing custom fields within Inventory.
  • Data Export - Permissions to export device data from the console as an XML file for analysis or reporting purposes.
  • Device Groups - Permissions for managing device groups, which are used for organizing and managing devices based on various criteria.

    • Create
    • Delete
    • Edit

  • Device Queries - Permissions for managing and running queries to filter and search for specific devices based on defined criteria.

    • Create
    • Delete
    • Edit
    • Run

    Scope users cannot modify or delete queries assigned to them, unlike group queries.

  • Device Remove Agent - Permissions related to archiving or deleting agents from devices.
    • Archive Agent - Archiving a device keeps its history in the console but reclaims a license seat for use by another device.
    • Delete Agent - Removes the device from the Absolute console.
  • Device Tools - Each tool is an individual assignment.
    • Bitlocker Info - View the collected information about the BitLocker state on the device, including the 48-digit recovery key needed to unlock the device.
    • Device Config - Set site locks and enable/disable End User Access features.
    • Event Viewer - View any of the standard Windows event logs.
    • File Browser - Manage files on devices, including deleting, downloading, and uploading files.
    • Linux scanner - Task automation tool with a command-line shell.
    • Log Viewer - View the remote device's Absolute logs.
    • PowerShell - Remote PowerShell terminal with returned response.
    • Process Viewer (Run Shell Commands, Terminate Process) - Silently view and control running processes and services, and send silent command-line commands.
    • Remote Console - Terminal interface for executing both PowerShell and command prompt commands directly on any managed device.
    • Remote Registry - Browse the remote device's registry; for example, when reinstalling a software package, check that all components of the previous package were removed.
    • Team Viewer - Initiate a remote-control session via the TeamViewer app.
    • WMI Explorer - Advanced. Send custom WMI queries and view the returned results.
  • Manage vRep - Permissions related to managing virtual representations of devices. vReps are discovery agents that can be reached by the external cloud server even though they are installed on devices inside a virtual private network.
  • Move Device - Permissions for moving devices between different groups or locations within the Absolute console.
  • Remote Control - Permissions for remotely controlling devices for troubleshooting or management purposes.
  • Sites - Access to the global location of all devices in the console.

Vulnerabilities

Settings in this area will allow or deny access to the following:

  • Patch Groups: Permission to view Patch Groups. Patch groups organize devices based on their patch status and facilitate targeted patch deployments.
  • Patch Management: Permission to access Patch Manager. Patch Manager remediates vulnerabilities on devices within the system by deploying patches and updates.
  • Patch Queries: Permission to view Patch Queries and Default Queries. With this permission, users can create, edit, and run patch queries to filter and identify devices based on their patch status and other criteria. Patch queries are essential for identifying vulnerable devices and planning patch deployments efficiently.
  • Security Manager: Permission to access Security Vulnerabilities for identifying and assessing vulnerabilities on devices within the system.

Software

This permission allows users to approve or deny software applications for deployment. When software approval is enabled, users can review software requests submitted by other users or automated processes and decide whether to allow or deny them for deployment on managed devices.

Tasks Permissions

Settings in this area will allow Create, Delete or Edit Tasks:

  • Feature Updates: Permission to create, delete, or edit tasks related to installing ISO files to upgrade devices to the newest versions of Windows 10 or install Windows 11.
  • Maintenance Windows: Permission to create task schedules for maintenance activities.
  • Office 365: Permission to configure and deploy Office 365 products.
  • Cortex Sequences: Permission to create, delete, or edit tasks combining and implementing remediation workflows in a single task using Cortex Sequences.
  • Deploy Cortex Workflows: Permission to create, delete, or edit tasks for intelligent automation of IT and security workflows using Cortex Workflows.
  • Discovery: Permission to create, delete, or edit tasks for device detection in a specific IP range.
  • Patch Deploy: Permission to create, delete, or edit tasks to scan for all chosen updates and deploy only those required.
  • Patch Scan: Permission to create, delete, or edit tasks to scan for potentially required updates.
  • Reboot: Permission to create, delete, or edit tasks to schedule device reboots.
  • Scheduled Reports: Permission to generate reports and receive them via email right after their completion.
  • Security Resolve: Permission to automatically fix all vulnerabilities found during a security scan.
  • Security Scan: Permission to create, delete, or edit tasks to scan devices for potential vulnerabilities within the environment.
  • Software Deploy: Permission to distribute software packages or scripts to one or many devices in the environment.
  • Wake On Lan: Permission to create, delete, or edit tasks to wake up devices using Wake On LAN functionality. Wake On LAN is commonly used for tasks such as remotely powering on computers for maintenance, updates, or troubleshooting without needing physical access to the device.

Workflows Permissions

Settings in this area will allow or deny access to the following Automated Workflows options:

  • Import/Export: Permission to import or export Cortex Workflow configurations, allowing users to share or backup workflows between different environments.
  • Publish Policy: Permission to publish policies created within Cortex Workflows, making them available for deployment to managed devices.
  • Run Realtime: Permission to execute Cortex Workflows in real-time, enabling immediate action based on predefined conditions or triggers.
  • Workflow Email Approval Only: Permission to require email approval for Cortex Workflows, ensuring that certain actions or changes are approved by authorized personnel before execution.
  • Create/Edit/Delete Workflows: Permission to create, edit, or delete Cortex Workflows, allowing users to design and customize automated workflows for various IT and security tasks.

When you grant access to Absolute Cortex, the user has full access to patch deploys, software deploys and every other Cortex permission. Cortex permissions override any settings in Tasks.

Users

Settings in this area will allow or deny access to the following:

  • Manage Users: This permission grants access to user management functionalities within Absolute.

    • Create: Permission to create new user accounts.
    • Delete: Permission to delete existing user accounts.
    • Edit: Permission to modify or update the details and settings of existing user accounts.
  • User Merge: Permission to merge two or more user accounts into a single user account. This may be useful for consolidating user data or resolving duplicate accounts.
  • User Reestablish: Permission to restore or reestablish previously deleted user accounts. This can be helpful in case a user account was deleted accidentally and needs to be restored.
  • User Split: Permission to split or divide a user account into multiple separate user accounts. This may be necessary for separating user roles or responsibilities within the system.

General Permissions

Settings in this area will allow or deny access to the following:

  • Alerting: Permission to access and manage alerting settings, including creating, editing, and managing alerts triggered by specific events or conditions.
  • Applications: Permission to access and manage applications within the console, including deploying, updating, or removing software on managed devices.
  • Audit Logs: Permission to access and view audit logs, which record activities and changes, providing a record of user actions and system events for security and compliance purposes.
  • Console Security: Permission to configure and manage security settings within the Absolute console, including user authentication, access controls, and encryption options.
  • Dashboard/Home (Create/Edit): Permission to create and edit dashboards within the Absolute console, allowing users to customize the layout and content to suit their preferences or requirements.
  • Reports: Permission to access and generate reports based on data collected, providing insights and analysis on various aspects of device management, security, and compliance.
  • Settings: Permission to access and manage general settings.

Guided walk-through: How to Delegate User Role and Device Scope

Before you can delegate a device scope, you must create a Device Group that includes the intended devices:

Navigate to Device Groups > Click '+ Add' to create a new group > Add the desired devices to this group.

This group serves as the scope, restricting user access to only these devices.

To assign a user to a device scope and role:

Go to Console Security > Select Users (Either create a new user or edit an existing user)

In the user configuration window:

  • Enter the login details (email and password)
  • Set any required security options (e.g., 2FA, logout policies, etc.)
  • In the Security Context section, click Assign to configure the user’s access controls

Define Roles and Scopes:

  • Use the drop-down lists to select the appropriate Role (permissions) and Scope (device group).
  • If this is a new combination, assign a name to the Security Context to reuse it in the future.
  • You can create and manage multiple Security Contexts for streamlined access control across your organization.

Save the changes.

Devices added to the Device Group linked to a Scope are immediately available to users of that Scope.
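The access model described on this page (a Role bundles permissions, a Scope is a Device Group, a Security Context pairs the two, and Absolute Cortex access overrides the Tasks settings) can be expressed as a small authorization check. The following is an added illustration written for this page, not Absolute's own code or API: the class names, the "Area/Permission" string form of the permission names, and the device IDs are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Role:
    """A reusable bundle of console permissions (what the user can do)."""
    name: str
    permissions: set[str] = field(default_factory=set)


@dataclass
class Scope:
    """Backed by a Device Group: the set of device IDs the user can see."""
    name: str
    device_group: set[str] = field(default_factory=set)


@dataclass
class SecurityContext:
    """A named Role + Scope pairing that can be assigned to several users."""
    name: str
    role: Role
    scope: Scope


# Assumed "Area/Permission" string form for the permission names on this page.
CORTEX_PERMISSION = "Workflows/Absolute Cortex"
TASK_PERMISSIONS = {
    "Tasks/Patch Deploy", "Tasks/Patch Scan", "Tasks/Software Deploy",
    "Tasks/Reboot", "Tasks/Security Scan", "Tasks/Security Resolve",
}


def effective_permissions(role: Role) -> frozenset[str]:
    """Cortex overrides Tasks: granting Absolute Cortex implies every Tasks
    permission, so a least-privilege review must treat Cortex as the superset."""
    perms = set(role.permissions)
    if CORTEX_PERMISSION in perms:
        perms |= TASK_PERMISSIONS
    return frozenset(perms)


def is_allowed(ctx: SecurityContext, permission: str, device_id: str) -> bool:
    """Two independent gates: the device must be inside the scope's group, and
    the role must grant the permission. Failing either gate denies the action."""
    if device_id not in ctx.scope.device_group:
        return False  # out of scope: the device is not even visible to this user
    return permission in effective_permissions(ctx.role)


def visible_devices(ctx: SecurityContext, all_devices: set[str]) -> set[str]:
    """Devices the console shows to a user holding this context."""
    return all_devices & ctx.scope.device_group


def build_example() -> dict[str, SecurityContext]:
    """Constructed sample data (hypothetical roles, devices and context names)."""
    helpdesk = Role("Helpdesk", {"Devices/Device Tools/Event Viewer", "Tasks/Reboot"})
    automation = Role("Automation", {CORTEX_PERMISSION})
    branch_a = Scope("Branch A", {"dev-001", "dev-002"})
    return {
        "helpdesk@branch-a": SecurityContext("Helpdesk @ Branch A", helpdesk, branch_a),
        "automation@branch-a": SecurityContext("Automation @ Branch A", automation, branch_a),
    }


if __name__ == "__main__":
    ctxs = build_example()
    hd = ctxs["helpdesk@branch-a"]
    au = ctxs["automation@branch-a"]
    print(is_allowed(hd, "Devices/Device Tools/Event Viewer", "dev-001"))  # True
    print(is_allowed(hd, "Devices/Device Tools/Event Viewer", "dev-999"))  # False: out of scope
    print(is_allowed(hd, "Tasks/Patch Deploy", "dev-001"))                # False: role lacks it
    print(is_allowed(au, "Tasks/Patch Deploy", "dev-001"))                # True: Cortex overrides Tasks
    hd.scope.device_group.add("dev-003")                                   # add a device to the group
    print(is_allowed(hd, "Devices/Device Tools/Event Viewer", "dev-003"))  # True: immediately in scope
```

The last two lines mirror the note above: because the Scope refers to the Device Group rather than copying it, a device added to the group is in scope for every Security Context that uses that group as soon as it is added. The `effective_permissions` step is where a least-privilege review should look first, since a role that appears to grant only Cortex access in fact carries every Tasks permission.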