Roles and Scopes


Console user accounts can be set up with limited rights with regard to specific features (Custom User).

Scopes control which devices a user account can see. Scopes are controlled by assigning a Syxsense Device Group.

Roles restrict what a user can do: the Syxsense features they have access to. Once a role is created it can be reused by multiple user accounts.

In addition to the existing assigned permissions, you may restrict or allow access to the following:

  • Devices: Modify Sites, Archive/delete devices, Remove Agent, Add Device menu, Custom Fields and Data Export
  • Vulnerabilities: View Patch Manager, View Security Manager
  • Tasks: Office 365 and Maintenance Windows
  • Device Tools: Each tool is an individual assignment. File Browser, Device Quarantine, Event Viewer, Process Viewer, WMI Explorer, Log Viewer, Remote Registry, and PowerShell
  • General: Edit and create dashboards, Applications, Settings, etc.

Prerequisites

An account that has 'Admin' permissions

Discovery: What's here?

See the full list of permissions that can be assigned to users, ensuring they have the control and access needed to manage devices, monitor security, and analyze system data.

The Role Editor is available under Console Security - Roles.

Alerting

Alerts are notifications triggered by specific events or conditions, such as the detection of a security threat or the failure of a system component.

Settings in this area will allow or deny access to the following options:

  • Create - Create new alerts based on predefined criteria.
  • Delete - Users with this permission can remove existing alerts from the system.
  • Edit - Editing alerts allows for fine-tuning of criteria or adjusting notification thresholds based on changing requirements or conditions.
  • Publish alert - Make alerts visible and active within the console. Publishing alerts ensures that they are operational and can trigger notifications or actions based on predefined criteria.

Device Permissions

Settings in this area will allow or deny permissions related to managing devices in the system, including modifying sites, archiving/deleting devices, removing agents, accessing the add device menu, and managing custom fields and data export.

Devices

  • Active Directory Settings - Allow AD Browsing. Permissions related to configuring and managing integration with Active Directory for device management purposes.
  • Column Sets - Permissions for customizing the columns displayed in device lists and reports.
  • Custom Fields - Permissions for creating and managing custom fields within Inventory.
  • Data Export - Permissions to export device data from the console as an XML file for analysis or reporting purposes.
  • Device Groups - Permissions for managing device groups, which are used for organizing and managing devices based on various criteria.

    • Create
    • Delete
    • Edit

Scope users cannot modify or delete queries assigned to them, unlike group queries.

  • Device Queries - Permissions for managing and running queries to filter and search for specific devices based on defined criteria.

    • Create
    • Delete
    • Edit
    • Run
  • Device Remove Agent - Permissions related to archiving or deleting agents from devices.
    • Archive Agent - Archiving a device keeps the device history in the console but reclaims a license seat for use by another device.
    • Delete Agent - Removing devices from the Syxsense console.
  • Device Tools - Each tool is an individual assignment:

    • Bitlocker Info - View the collected information about BitLocker state on the device, including the 48-digit recovery key needed to unlock the device.
    • Device Config - Set site locks and enable/disable End User Access features.
    • Device Quarantine - Instantly quarantine a device from its local network and limit its Internet access.
    • Event Viewer - View any of the standard Windows event logs.
    • File Browser - Manage files on devices, including deleting, downloading, and uploading files.
    • Linux scanner - Task automation tool with a command-line shell.
    • Log Viewer - View the remote device's Syxsense logs.
    • PowerShell - Remote PowerShell terminal with returned response.
    • Process Viewer (Run Shell Commands, Terminate Process) - Silently view and control the running processes and services, and send silent command lines.
    • Remote Console - Terminal interface designed to execute both PowerShell and command prompt commands directly on any managed device.
    • Remote Registry - When you reinstall software packages, you may want to use the remote registry to check that all components of the previous package have been removed.
    • Team Viewer - Initiate a remote-control session via the TeamViewer app.
    • WMI Explorer - Advanced. Send custom WMI queries and view the returned results.
  • Manage vRep - Permissions related to managing virtual representations of devices. vReps are discovery agents that, although installed on devices inside a virtual private network, can still be detected by an external cloud server.
  • Move Device - Permissions for moving devices between different groups or locations within the Syxsense console.
  • Remote Control - Permissions for remotely controlling devices for troubleshooting or management purposes.
  • Sites - Access to the global location of all devices in the console.

Map - Feature for visualizing the physical connections between various systems/computers in networks, used for analyzing and checking for connection errors.

Mobile Device Management

Settings in this area will allow or deny access to the following:

  • Applications:

    • Delete: Permission to remove applications from managed mobile devices.
    • Run: Permission to execute applications on managed mobile devices.
  • Enroll: Permission to enroll new devices into the mobile device management system for monitoring and management.
  • Lock: Permission to remotely lock managed mobile devices, restricting access to unauthorized users.
  • Policies (Android only):

    • Create: Permission to create new policies for configuring settings and restrictions on managed mobile devices.
    • Delete: Permission to remove existing policies from the mobile device management system.
    • Edit: Permission to modify the settings and configurations of existing policies.
    • Run: Permission to apply policies to managed mobile devices.
  • Reboot: Permission to initiate a reboot of managed mobile devices remotely.
  • Relinquish: Permission to release control or ownership of managed mobile devices.
  • Reset Password: Permission to remotely reset passwords for user accounts on managed mobile devices.
  • Wipe: Permission to initiate a remote wipe of data on managed mobile devices, restoring them to factory settings and deleting all data stored on them.

Vulnerabilities (Patch Manager) Permissions

Settings in this area will allow or deny access to the following:

  • Patch Groups: Permission to view Patch Groups. Patch groups are used to organize devices based on their patch status and facilitate targeted patch deployments.
  • Patch Management: Permission to access Patch Manager. Patch Manager is responsible for remediating vulnerabilities on devices within the system by deploying patches and updates.
  • Patch Queries: Permission to view Patch Queries and Default Queries. With this permission, users can create, edit, and run patch queries to filter and identify devices based on their patch status and other criteria. Patch queries are essential for identifying vulnerable devices and planning patch deployments efficiently.
  • Security Manager: Permission to access Security Vulnerabilities for identifying and assessing vulnerabilities on devices within the system.

Software

This permission allows users to approve or deny software applications for deployment. When software approval is enabled, users can review software requests submitted by other users or automated processes and decide whether to allow or deny them for deployment on managed devices.

Task Permissions

Settings in this area will allow Create, Delete or Edit Tasks:

  • Feature Updates: Permission to create, delete, or edit tasks related to installing ISO files to upgrade devices to the newest versions of Windows 10 or install Windows 11.
  • Maintenance Windows: Permission to create task schedules for maintenance activities.
  • Office 365: Permission to configure and deploy Office 365 products.
  • Cortex Sequences: Permission to create, delete, or edit tasks combining and implementing remediation workflows in a single task using Cortex Sequences.
  • Deploy Cortex Workflows: Permission to create, delete, or edit tasks for intelligent automation of IT and security workflows using Cortex Workflows.
  • Discovery: Permission to create, delete, or edit tasks for device detection in a specific IP range.
  • Patch Deploy: Permission to create, delete, or edit tasks to scan for all chosen updates and deploy only those required.
  • Patch Scan: Permission to create, delete, or edit tasks to scan for potentially required updates.
  • Reboot: Permission to create, delete, or edit tasks to schedule device reboots.
  • Scheduled Reports: Permission to generate reports and receive them via email right after their completion.
  • Security Resolve: Permission to automatically fix all vulnerabilities found during a security scan.
  • Security Scan: Permission to create, delete, or edit tasks to scan devices for potential vulnerabilities within the environment.
  • Software Deploy: Permission to distribute software packages or scripts to one or many devices in the environment.
  • Wake On Lan: Permission to create, delete, or edit tasks to wake up devices using Wake On Lan functionality. Wake On LAN is commonly used for tasks such as remotely powering on computers for maintenance, updates, or troubleshooting without needing physical access to the device.

Cortex Workflows Permissions

Settings in this area will allow or deny access to the following Syxsense Cortex options:

  • Import/Export: Permission to import or export Cortex Workflow configurations, allowing users to share or backup workflows between different environments.
  • Publish Policy: Permission to publish policies created within Cortex Workflows, making them available for deployment to managed devices.
  • Run Realtime: Permission to execute Cortex Workflows in real-time, enabling immediate action based on predefined conditions or triggers.
  • Workflow Email Approval Only: Permission to require email approval for Cortex Workflows, ensuring that certain actions or changes are approved by authorized personnel before execution.
  • Create/Edit/Delete Workflows: Permission to create, edit, or delete Cortex Workflows, allowing users to design and customize automated workflows for various IT and security tasks.

When you grant access to Syxsense Cortex, the user will have full access to patch deploys, software deploys and any other Cortex permission. Cortex permissions override any settings in Tasks.

Zero Trust Permissions

Settings in this area will allow or deny access to the following Zero Trust options:

  • Manage:

    • Create: Permission to create a new trust evaluation.
    • Delete: Permission to remove an existing evaluation.
    • Edit: Permission to modify or update an existing trust evaluation.
  • Zero Trust Flows Settings: Permissions related to configuring the settings and parameters of Zero Trust flows. This may include defining the sequence of actions or conditions within Zero Trust policies.
  • Zero Trust Publish:

    • Publish Zero Trust Policy: Permission to publish Zero Trust policies, making them active and applicable to endpoint access control.
    • Zero Trust Import/Export: Permission to import or export Trust Evaluations, allowing users to share, backup, or migrate Zero Trust settings between different Syxsense environments or instances.
    • Zero Trust PlayBooks: Permission to manage the customizable workflows or sequences of actions within the Zero Trust framework.

Users

Settings in this area will allow or deny access to the following:

  • Manage Users: This permission grants access to user management functionalities within Syxsense.

    • Create: Permission to create new user accounts.
    • Delete: Permission to delete existing user accounts.
    • Edit: Permission to modify or update the details and settings of existing user accounts.
  • User Merge: Permission to merge two or more user accounts into a single user account. This may be useful for consolidating user data or resolving duplicate accounts.
  • User Reestablish: Permission to restore or reestablish previously deleted user accounts. This can be helpful in case a user account was deleted accidentally and needs to be restored.
  • User Split: Permission to split or divide a user account into multiple separate user accounts. This may be necessary for separating user roles or responsibilities within the system.

General Permissions

Settings in this area will allow or deny access to the following:

  • Alerting: Permission to access and manage alerting settings, including creating, editing, and managing alerts triggered by specific events or conditions.
  • Applications: Permission to access and manage applications within the console, including deploying, updating, or removing software on managed devices.
  • Audit Logs: Permission to access and view audit logs, which record activities and changes, providing a record of user actions and system events for security and compliance purposes.
  • Console Security: Permission to configure and manage security settings within the Syxsense console, including user authentication, access controls, and encryption options.
  • Dashboard/Home (Create/Edit): Permission to create and edit dashboards within the Syxsense console, allowing users to customize the layout and content to suit their preferences or requirements.
  • Quick Actions: Permission to access Quick Actions section of the console, enabling users to initiate common operations or workflows with minimal effort.
  • Reports: Permission to access and generate reports based on data collected, providing insights and analysis on various aspects of device management, security, and compliance.
  • Settings: Permission to access and manage general settings.

Guided walk-through: How to Delegate User Role and Device Scope

To create the device scope (the only devices a particular user will have access to), a device group must first be created:

Create a Device Group > Add the intended devices to the device group

To assign a user to a device scope and role:

In the 'Console Security' section create a new user or edit an existing one.

Enter Login Details ①

Specify additional security options ②

In the Security Context (Restricted Actions and Permissions) section, click 'Assign' ③

Specify Roles and Scopes by selecting them from the drop-down lists in the corresponding fields.

Name the Security Context if it is new.

You can create unique combinations of roles and scopes to reuse, manage, and update centrally. They will be available in the Security Context tab.

Save the changes

Devices that are added to the Device Group linked to a Scope are immediately available to users assigned that Scope.
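The following is an added illustrative model of the evaluation described above (a Security Context pairs one Role with one Scope; the Scope is built from a Device Group; a Cortex grant overrides Task settings such as patch and software deploy). It is not Syxsense code or its API: the class names, permission strings, device names and device groups are all constructed assumptions. Its purpose is to show how a reviewer can check what a context effectively permits, including Task permissions a user gains through Cortex that the role never granted explicitly.

```python
"""Illustrative model of Role + Scope + Security Context evaluation.

Added example, not Syxsense code. Every identifier below (Role, Scope,
SecurityContext, the "Tasks:..." / "Cortex:..." permission strings, the
device names and groups) is an assumption made for illustration.
"""
from dataclasses import dataclass

# Constructed sample inventory: device name -> Device Group it belongs to.
DEVICE_GROUPS = {
    "FIN-LAPTOP-01": "Finance",
    "FIN-LAPTOP-02": "Finance",
    "HR-DESKTOP-01": "HR",
}

# Task permissions the page says a Cortex grant overrides ("full access to
# patch deploys, software deploys"). Permission names are assumed labels.
CORTEX_OVERRIDDEN_TASKS = frozenset({"Tasks:PatchDeploy", "Tasks:SoftwareDeploy"})


@dataclass(frozen=True)
class Role:
    """Feature permissions; reusable across many user accounts."""
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Scope:
    """Which devices are visible: derived from one Syxsense Device Group."""
    name: str
    device_group: str


@dataclass(frozen=True)
class SecurityContext:
    """A reusable Role + Scope pairing assigned to a user account."""
    name: str
    role: Role
    scope: Scope

    def effective_permissions(self) -> frozenset:
        """Role permissions plus the Task permissions implied by any Cortex grant."""
        perms = set(self.role.permissions)
        if any(p.startswith("Cortex:") for p in perms):
            perms |= CORTEX_OVERRIDDEN_TASKS
        return frozenset(perms)

    def visible_devices(self) -> list:
        """Devices in the Scope's Device Group; new group members appear at once."""
        return sorted(d for d, g in DEVICE_GROUPS.items() if g == self.scope.device_group)

    def can(self, permission: str, device: str = None) -> bool:
        """Allowed only if the feature is granted AND the device is in scope."""
        if permission not in self.effective_permissions():
            return False
        if device is not None and device not in self.visible_devices():
            return False
        return True


def cortex_escalations(ctx: SecurityContext) -> list:
    """Task permissions the user holds only because of a Cortex grant.

    Useful when reviewing a role: a non-empty result means the Tasks
    settings of this role do not describe what the user can actually do.
    """
    return sorted(ctx.effective_permissions() - ctx.role.permissions)


# Constructed roles and scope for the demonstration.
PATCH_OPERATOR = Role("Patch operator", frozenset({"Tasks:PatchScan", "Tasks:PatchDeploy"}))
CORTEX_AUTHOR = Role("Cortex author", frozenset({"Cortex:CreateEditDelete", "Tasks:PatchScan"}))
FINANCE_SCOPE = Scope("Finance devices", "Finance")

if __name__ == "__main__":
    ctx = SecurityContext("Finance patching", PATCH_OPERATOR, FINANCE_SCOPE)
    print(ctx.name, "sees", ctx.visible_devices())
    print("deploy to HR-DESKTOP-01 allowed?", ctx.can("Tasks:PatchDeploy", "HR-DESKTOP-01"))
    cortex_ctx = SecurityContext("Finance Cortex", CORTEX_AUTHOR, FINANCE_SCOPE)
    print(cortex_ctx.name, "gains via Cortex:", cortex_escalations(cortex_ctx))
```

The model keeps the two axes separate on purpose: `can()` first checks the feature permission (the Role) and then the device (the Scope), so a device added to the group later becomes visible without touching the role, exactly as the note above describes. When auditing a role that carries any Cortex permission, run `cortex_escalations()` on its contexts rather than reading the Tasks section of the role alone.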

Video Tutorial: Reusable Security Context

How to use reusable security context to create unique combinations of roles and scopes for user accounts

Last Update: July, 2024

Copyright ©2024 by Syxsense, Inc. All Rights Reserved