Automox supports the following role-based access controls (RBAC). The user roles and permissions are listed in the table.
Note:
Global Administrators have complete control of the Automox account. Zone Administrators only have control of the zone they are assigned to. You can assign a zone administrator access to the Global View, in which the permissions for the account management are excluded.
It is recommended to keep the number of Global Administrators to a minimum.
Only Global Administrators can invite users to an account.
Only Global Administrators can enable Ask Otto.
Function |
Permissions |
Global Administrator |
Zone Administrator |
Zone Operator |
Patch Operator |
Helpdesk Operator |
Billing Administrator |
Read Only |
---|---|---|---|---|---|---|---|---|
Billing |
Modify |
X |
X |
|
|
|
X |
|
Read |
X |
X |
|
|
|
X |
X |
|
Devices |
Add |
X |
X |
X |
|
|
|
|
Delete |
X |
X |
X |
|
|
|
|
|
Manage |
X |
X |
X |
|
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
Groups |
Create |
X |
X |
X |
|
|
|
|
Delete |
X |
X |
X |
|
|
|
|
|
Modify |
X |
X |
X |
X |
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
Package (Software) |
Manage (Patch/Update) |
X |
X |
X |
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
Patch Policy |
Create |
X |
X |
X |
X |
|
|
|
Delete |
X |
X |
X |
X |
|
|
|
|
Modify |
X |
X |
X |
X |
|
|
|
|
Execute |
X |
X |
X |
X |
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
RBAC Roles |
Create |
X |
X |
|
|
|
|
|
Delete |
X |
X |
|
|
|
|
|
|
Modify |
X |
X |
|
|
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
Remote Control |
Manage Consent |
X |
X |
|||||
Access |
X |
X |
X |
X |
||||
Reports |
Read |
X |
X |
X |
X |
X |
X |
X |
Required Software Policy |
Create |
X |
X |
X |
|
|
|
|
Delete |
X |
X |
X |
|
|
|
|
|
Modify |
X |
X |
X |
|
|
|
|
|
Execute |
X |
X |
X |
X |
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
SAML |
Read |
X |
X |
X |
X |
X |
X |
X |
Manage |
X |
X |
|
|
|
|
|
|
Software |
Read |
X |
X |
X |
X |
X |
X |
X |
TFA (two-factor authentication) |
Create |
X |
X |
|
|
|
|
|
Read |
X |
X |
|
|
|
|
X |
|
Manage |
X |
X |
|
|
|
|
|
|
Delete |
X |
X |
|
|
|
|
|
|
Users |
Invite |
X |
X |
|
|
|
|
|
Delete |
X |
X |
|
|
|
|
|
|
Modify |
X |
X |
|
|
|
|
|
|
Read |
X |
X |
|
|
|
X |
X |
|
Worklets |
Create |
X |
X |
X |
|
|
|
|
Delete |
X |
X |
X |
|
|
|
|
|
Modify |
X |
X |
X |
|
|
|
|
|
Execute |
X |
X |
X |
X |
|
|
|
|
Read |
X |
X |
X |
X |
X |
X |
X |
|
Zone |
Manage |
X |
X |
|
|
|
|
|
Create |
X |
X |
|
|
|
|
|
|
Read |
X |
X |
X |
X |
|
X |
X |
Role Summaries
Global Administrator: A global administrator has full administrative rights, and can manage consent for remote control, where your plan includes remote control.
Zone Administrator: A zone administrator has full administrative rights to a specific zone. For zones on a plan that includes remote control, this role can manage consent and access devices with remote control.
Zone Operator: A zone operator can create, read, modify, and delete all policies and server groups for a zone(s). They can add, remove, and restart devices. This role is able to access remote control, if your plan includes it.
Patch Operator: A patch operator can create, modify, and delete patch policies. They can view and run worklets and required software policies. They do not have permission to create or modify worklets and required software policies. They can view, but not manage devices.
Billing Administrator: Provides full read rights in addition to the ability to view and edit billing information.
Read Only: Provides full read rights to a specific zone.
Helpdesk Operator: A helpdesk operator has full read rights in addition to the ability to conduct remote control sessions.
User preferences, such as notifications and password, can only be modified by the user.
Access Within Zones
Users can be given a role to access a zone with certain permissions. These permissions are then only related to the devices in that zone.
-
Ask Otto
Enable Ask Otto: only global administrators
Use Ask Otto: only global administrators, zone administrators, and zone operators
-
Automated Vulnerability Remediation (AVR)
Configure: global administrators, zone administrators, zone operators
Remediate: global administrators, zone administrators, zone operators, and patch operators
Read: global administrators, zone administrators, zone operators, patch operators, and read only users
-
Script Signing
Modify: global administrators and zone administrators
Read: global administrators, zone administrators, and zone operators
-
Secrets Management
Create, Edit, Remove: global administrators, zone administrators, and zone operators
API Keys
All users can create, read, modify, delete, and decrypt (reveal) their own API keys.
These roles have permissions related to the API keys of others:
-
Global administrators:
read, modify, and delete API keys for users in all zones
-
Zone administrators
read, modify, and delete API keys for users in the zone that they have permissions to