Permissions in Detail
Here is the list of available permissions you can assign to Action1 roles.
Permissions
Approve Updates
Assign Roles
Manage Advanced Settings
Manage Automations
Manage Data Sources
Manage Endpoint Attributes
Manage Endpoints
Manage Enterprise
Manage Organizations
Manage Reports
Manage Roles
Manage Scripts
Manage Software Repository
Manage Users
Manage Vulnerabilities
Remote Connect
Run Automations
Use Scripts
View Audit Trail
View Automations and History
View Dashboards
View Endpoints
View Installed Software
View Reports
View Software Repository
View Updates
View Users
View Vulnerabilities
Description
Allow approving updates in the specified scope.
Assign/unassign user roles in the specified scope.
Create, modify, and delete advanced settings in the specified scope.
View, create, modify, delete automations, view automation history, stop running automations in the specified scope.
View, create, modify, and delete data sources in the specified scope.
Modify endpoint attributes in the specified scope.
Move endpoints between organizations, remove endpoints, manage endpoint attributes. View Action1 Deployer and manage its settings for agent deployment in the specified scope.
View Action1 enterprise subscription license details and usage information. Modify enterprise configuration. Request Action1 account closure or revoke such request. Request a license quote. Start a trial.
View, create, modify, and delete organizations and their license usages in the specified scope.
Create, modify, and delete custom reports (in the Enterprise scope only). View, create, modify, and delete alerts based on reports in Enterprise or Organization scopes.
View, create, clone, modify, and delete roles in the specified scope.
Create, modify, and delete scripts in the Script Library in the specified scope.
View, create, modify, and delete software repository packages and their versions in the specified scope.
View, create, invite, modify, and delete users.
Remediate vulnerabilities in the specified scope.
Connect to remote desktop in the specified scope.
Run existing pre-configured automations or new ad-hoc automations (using "Run now" option) in the specified scope.
View scripts in the Script Library in the specified scope. Include scripts from the Script Library or ad-hoc scripts in Run Script automations or in Additional actions of software repository packages.
View audit trail in the specified scope.
View automations and their history (instances) in the specified scope.
View dashboards in the specified scope.
View endpoints and their details (including missing updates, vulnerabilities, installed software, and automation history) in the specified scope.
View installed software in the specified scope.
View reports and alerts. Refresh reports to populate them with live data in the specified scope.
View software repository packages and their versions in the specified scope.
View updates in the specified scope.
View users in the specified scope.
View vulnerabilities and CVE descriptions in the specified scope.
Permission scope
Enterprise, Organization
Enterprise, Organization, Login Email Wildcard**
Enterprise, Advanced Setting Template, Organization
Enterprise, Organization, Group
Enterprise
Enterprise, Organization, Group
Enterprise, Organization
Enterprise
Enterprise, Organization
Enterprise, Organization
Enterprise, Organization
Enterprise
Enterprise, Organization
Enterprise, Login Email Wildcard**
Enterprise, Organization
Enterprise, Organization, Group
Enterprise, Organization, Group
Enterprise, Script, Ad Hoc Script
Enterprise
Enterprise, Organization
Enterprise, Organization
Enterprise, Organization, Group
Enterprise, Organization
Enterprise, Organization, Report
Enterprise, Organization
Enterprise, Organization
Enterprise, Login Email Wildcard**
Enterprise, Organization
Implicitly included permissions*
View Updates
View Users and View Roles in the same scope
View Advanced Settings
Run Automations
View Automations and History,
View Updates,
View Installed Software,
View Software Repository,
View Endpoints,
Use "Deactivate Updates in Windows Settings" script
View Automations and History,
View Updates,
View Installed Software,
View Software Repository,
View Endpoints,
Use "Deactivate Updates in Windows Settings" script
View Data Sources
View Endpoints
View Endpoints
Manage Endpoint Attributes
Manage Endpoint Attributes
-
-
View Reports,
View Data Sources
View Data Sources
View Endpoints,
Use Scripts
Use Scripts
Use Scripts
View Software Repository
View Users,
View Advanced Settings for the "Identity Provider" setting from "Single sign-on" category
View Advanced Settings for the "Identity Provider" setting from "Single sign-on" category
View Vulnerabilities
View Endpoints,
View Advanced Settings for the "Remote desktop" category
View Advanced Settings for the "Remote desktop" category
View Automations and History,
View Updates,
View Installed Software,
View Software Repository,
View Endpoints,
Use "Deactivate Updates in Windows Settings" script
View Updates,
View Installed Software,
View Software Repository,
View Endpoints,
Use "Deactivate Updates in Windows Settings" script
-
View Users
-
View Reports,
View Installed Software,
View Updates,
View Endpoints,
View Vulnerabilities,
View Advanced Settings for the "SLA" category
View Installed Software,
View Updates,
View Endpoints,
View Vulnerabilities,
View Advanced Settings for the "SLA" category
Per managed endpoint: View Automations,
View Installed Software,
View Vulnerabilities,
View Reports (on system updates)
View Installed Software,
View Vulnerabilities,
View Reports (on system updates)
-
-
View Advanced Settings
-
-
-
Notes
The scope levels work as follows:
- within Enterprise scope, you can assign any user any role
- within Organization scope, you can assign any user to organization-specific roles only
- with Login Email Wildcard scope, you can select certain organization and then assign organization-specific roles to the users with the specified emails - or select All Organizations and then assign any role to these users.
- within Enterprise scope, you can assign any user any role
- within Organization scope, you can assign any user to organization-specific roles only
- with Login Email Wildcard scope, you can select certain organization and then assign organization-specific roles to the users with the specified emails - or select All Organizations and then assign any role to these users.
- If Advanced Setting Template was chosen as permission scope, then creation, cloning, modification, and deletion will be allowed only for the advanced setting you selected when configuring that permission scope.
- If Organization was chosen as permission scope, then creation, cloning, modification, and deletion will be allowed if the advanced setting's own scope contains only the scopes related to the selected organization.
- If Organization was chosen as permission scope, then creation, cloning, modification, and deletion will be allowed if the advanced setting's own scope contains only the scopes related to the selected organization.
- To specify ALL as the automation's target endpoints, the Organization scope will be required.
- Creating an automation for a group of endpoints is only allowed if all endpoints in the group are visible. Visibility may be limited if the group contains endpoints that belong to another group excluded by the View Endpoints permission. Similarly, specifying individual endpoints by ID is restricted if those endpoints are part of a group that has been excluded through the View Endpoints permission.
Deploy Updates automation:
- To disable automatic Windows updates during the automation execution, the "Deactivate Updates in Windows Settings" script is used. So, the underlying Use Scripts permission will be granted automatically, with the Script permission scope and 'Include scope' set to that script only.
- To use the 'Auto-approve updates' option, the Approve Updates permission will be required.
Run Script automation:
- To use the ad-hoc scripts or scripts from the Script Library, the Use Scripts permission will be required:
- Using scripts from the Script Library will require the Script scope.
- Using ad-hoc scripts will require the Ad-Hoc Script scope.
- Creating an automation for a group of endpoints is only allowed if all endpoints in the group are visible. Visibility may be limited if the group contains endpoints that belong to another group excluded by the View Endpoints permission. Similarly, specifying individual endpoints by ID is restricted if those endpoints are part of a group that has been excluded through the View Endpoints permission.
Deploy Updates automation:
- To disable automatic Windows updates during the automation execution, the "Deactivate Updates in Windows Settings" script is used. So, the underlying Use Scripts permission will be granted automatically, with the Script permission scope and 'Include scope' set to that script only.
- To use the 'Auto-approve updates' option, the Approve Updates permission will be required.
Run Script automation:
- To use the ad-hoc scripts or scripts from the Script Library, the Use Scripts permission will be required:
- Using scripts from the Script Library will require the Script scope.
- Using ad-hoc scripts will require the Ad-Hoc Script scope.
This permission will be denied if the target endpoint is a member of a group specified as 'Exclude' Group scope.
For moving endpoints between organizations, this permission with 'Include scope' set to Organization for both the source and target organizations is required.
To create and delete organizations, this permission with Enterprise scope is required.
To manage alerts based on built-in and custom reports, you can use Organization or Enterprise scope. To manage custom reports (create, modify, delete), Enterprise scope is required.
All operations (creating, cloning, modifying, deleting, and assigning roles to users) will be allowed only if the corresponding underlying permissions (View Endpoints, Use Scripts) and their 'Include' and 'Exclude' scopes are targeting the certain Organization.
The only exception is the Use Script permission, which may have Enterprise scope.
The list of displayed roles will be filtered to exclude those that are not accessible.
To assign/unassign a role to/from user, the Assign Roles permission is required (see its description above).
The only exception is the Use Script permission, which may have Enterprise scope.
The list of displayed roles will be filtered to exclude those that are not accessible.
To assign/unassign a role to/from user, the Assign Roles permission is required (see its description above).
For using scripts in Additional actions of repository packages, the Use Scripts permission will be required.
- Using scripts from the Script Library will require the Script scope.
- Using ad-hoc scripts will require the Ad-Hoc Script scope.
- Using scripts from the Script Library will require the Script scope.
- Using ad-hoc scripts will require the Ad-Hoc Script scope.
Manage Users also controls the invitation of users to Action1, so if you specify *@mydomain.com in Login Email Wildcard scope, this means that only emails with mydomain.com can be invited.
This permission will be denied if the target endpoint is a member of a group specified as 'Exclude' Group scope.
When selecting a script from the list while configuring a Run Script automation or an Additional action of software repository package, consider that:
-If 'Exclude' scope was configured for a Script permission scope, the excluded scripts will be filtered out from the list.
-If 'Include' scope was configured for a Script (but not for Enterprise) permission scope, only the scripts with 'Include' scope will be displayed in the list.
-If 'Exclude' scope was configured for a Script permission scope, the excluded scripts will be filtered out from the list.
-If 'Include' scope was configured for a Script (but not for Enterprise) permission scope, only the scripts with 'Include' scope will be displayed in the list.
Users can only view the Groups to which they have access. For viewing the endpoints within the organization groups, consider the following:
- if the included Organization is absent, all endpoints from the included Groups will be displayed.
- if the excluded Groups are present, all endpoints belonging to them will be filtered out.
For viewing endpoints from a certain group: if an excluded Group is present, all endpoints belonging to it will be filtered out.
Reports and a list of installed software will display data for a certain endpoint(s).
- if the included Organization is absent, all endpoints from the included Groups will be displayed.
- if the excluded Groups are present, all endpoints belonging to them will be filtered out.
For viewing endpoints from a certain group: if an excluded Group is present, all endpoints belonging to it will be filtered out.
Reports and a list of installed software will display data for a certain endpoint(s).
In case you set Report as permission scope (that is, configure access to a specific report), then you can select not only the report but also the target organization.
- If selected, this will allow or restrict access to a specific report within a specific organization.
- If omitted, access will be granted to the specific report across all organizations.
- If selected, this will allow or restrict access to a specific report within a specific organization.
- If omitted, access will be granted to the specific report across all organizations.
Important! With the latest version of Action1 solution, the existing Manage Roles permission will no longer provide the ability to assign roles – for that operation, users require the new Assign Roles permission (which is not implicitly included in Manage Roles). If you rely on the Manage Roles permission today, you must explicitly grant the new Assign Roles permission; otherwise, affected users will lose the ability to assign roles they manage.
*) – Permissions listed under Implicitly included permissions apply to the same scope as their parent permission; they can be revoked using an explicit Exclude. For example, you can grant a user role the ability to create automations but prevent it from running them (such as using the “Run Now” option) by explicitly excluding the Run Automations permission from that role.
Example
Example
You want to allow the helpdesk team to view all built-in reports except for “Group Membership” and “Logon Statistics” reports for the target organization “My Organization”. For that, you can take these steps:
- Create a role named Helpdesk.
- When setting up its permissions, select View Reports permission.
- Next, when configuring the scopes, click Exclude scope and select Report.
- From the list of organizations, select My Organization, and from the list of reports, select “Group Membership”.
- Click Add, then repeat steps 3 and 4 for the “Logon Statistics” report.
**) – Login Email Wildcard scope enables isolation of user visibility by domain, which is specified using a wildcard: *@mydomain.com
You can use this scope, for example, with:
- Manage Users – to allow inviting only users from the specified domain to Action1.
- View Users – to prevent users in one organization from seeing the users in other organizations or domains within the same Action1 account.
Example
To include or exclude a user:
- For a single user, enter the email as usual, i.e.,
[email protected] - You can use a mask like
[email protected](here ? means any single character) or a mask likenam*@domain.com(here * means any number of characters)
To include or exclude several domains or users:
Use Include Scope or Exclude Scope for each email.
How are multiple permissions combined?
How are multiple permissions combined?
Permissions do not override each other, but combine with each other. However, consider that the Exclude scope always takes priority over Include, and you can use it to explicitly deny what the implicit permission grants.
Example
The Manage Endpoints permission implicitly grants access to view endpoints within the specified scope. Thus, if a user was assigned the Manage endpoints permission for Org1, this user will be implicitly allowed to View endpoints in Org1.
- If this user is also explicitly assigned View Endpoints permission for Org2, the resulting permission for this user will allow to View Endpoints for both Org1 and Org2.
However, since Exclude always takes priority over Include, you can explicitly deny what the implicit permission grants. In this example, you can exclude View Endpoints permission for the target user, e.g., on a group in Org1 named “Sensitive Group”.
- The resulting View Endpoints permission will allow viewing only the endpoints in Org1, and only those that are not members of “Sensitive Group”.