Roles and Securables

Use the Roles and Securables reference to understand system and custom roles, securables, and delegated permissions.

System roles

On the Roles, a system role is indicated by an icon with a padlock

System roles are built-in and are not configurable, however, they can be assigned to users the same as any other role. The following table lists the built-in system roles. Questions, responses, actions are examples of Securables. Other Consumers may create their own system roles and Securables.

1E system role	Permissions	Allows delegation	Description
All Instructions Actioner	InstructionSet (Actioner) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, execute any Instruction (Action and Question), and view any Instruction response.
All Instructions Approver	InstructionSet (Approver) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, approve any Instruction for anyone other than self.
All Instructions Questioner	InstructionSet (Questioner) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, ask any Question and view any Instruction response.
All Instructions Viewer	InstructionSet (Viewer) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, view any Instruction response.
Full Administrator	All	No	Has all the permissions available in the Platform and its Applications.
Group Administrator	CustomProperty (Read) ManagementGroup (Read, Write, Synchronize, Delete) Security (Read, Write, Delete) Repository.Inventory (Read, EvaluateManagementGroup)	Yes	Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s).
Guaranteed State Administrator	GuaranteedState (Read,Write,Delete) PolicyAssignment (Assign) PolicyDeployment (Execute)	No	Use Endpoint Automation, manage Rules and Polices, and assign and deploy Policies.
Guaranteed State Policy Approver	GuaranteedState (Approver, Read)	No	To use Endpoint Automation, and approve rule changes.
Guaranteed State Policy Assigner	PolicyAssignment (Assign)	Yes	Assign Policies to Management Groups (does not allow use of Endpoint Automation).
Guaranteed State User	GuaranteedState (Read)	No	Use Endpoint Automation, view dashboards.
Installer	Application (Write, Delete) Consumer (Read, Write) CustomProperty (Read) EventSubscription (Read, Write, Delete) Infrastructure (Read) InfrastructureLog (Read) InstructionSetManagement (Delete, Add, Read) ManagementGroup (Read) Security (Read, Write, Delete)	No	Install and upgrade the Platform and Applications, register Consumers, upload DEXPacks, manage Instruction Sets, and configure Roles and Permissions.
Inventory Administrator	Component (Read, Write) Connector (Read, Write, Delete, Execute) CustomProperty (Read, Write) Inventory (Read, Export) Inventory.Association (Read, Write, Delete, Export) ManagementGroup (Read, Write, Synchronize, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Inventory (Archive, Delete, EvaluateManagementGroups, Populate, Read, Write) Schedule (Read, Delete, Write) SynchronizationLog (Read)	No	Manage Inventory repositories - populate and archive them - export data - manage Inventory associations.
Inventory User	Inventory (Read, Export) Inventory.Association (Read) Repository.Inventory (Read)	No	View Inventory repositories, data and Inventory associations.
1E System	Component (Read) Connector (Execute) Consumer (Read) EngagementAssignment (Assign) Engagements (Read, Write, Delete, Execute) InstructionSetManagement (Read) ManagementGroup (Read, Synchronize) OffloadingData (Offload) PolicyDeployment (Execute) ProcessLog (Read) ProviderOperationLog (Read) Repository.Inventory (Read, EvaluateManagementGroups) Security (Read)	No	For service and equivalent accounts to perform 1E system operations.
Remote Support	RemoteSupport (Execute)	No	To create TeamViewer remote support sessions.

Custom roles

On the Roles, a custom role is indicated by an icon with a cogwheel

The following table lists built-in custom roles used by 1E Applications.

1E custom role	Permissions	Allows delegation	Description
1E ITSM Connect Actioner	InstructionSet (Actioner) on the instruction sets you wish to allow ServiceNow to use	Yes	The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role.
AppClarity Administrator	AppClarity.Compliance (Read, Write, Export, Delete, Execute) AppClarity.Entitlement (Read, Write, Export, Delete, Execute) AppClarity.Reclaim (Read, Write, Export, Delete, Execute) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read, Write, Delete, Archive, Populate) Repository.Entitlement (Read, Write, Delete, Archive, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations.
Application Migration Administrator	Connector (Execute) Inventory (Read) Inventory.Association (Read,Write,Delete) ProcessLog (Read) ProviderConfiguration (Read) ProviderOperationLog (Read) Repository.ApplicationMigration (Read,Write,Delete,Archive,Populate) Repository.Inventory (Read,Write,Populate,EvaluateManagementGroups)	No	Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment.
Compliance Administrator	AppClarity.Compliance (Read, Write, Export, Delete, Execute) AppClarity.Entitlement (Read, Write, Export, Delete, Execute) AppClarity.Reclaim (Read) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read, Write, Delete, Archive, Populate) Repository.Entitlement (Read, Write, Delete, Archive, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations.
Compliance Viewer	AppClarity.Compliance (Read) AppClarity.Entitlement (Read) ProviderOperationLog (Read)	No	View AppClarity Compliance, Entitlement and License Demand.
Entitlement Administrator	AppClarity.Entitlement (Read, Write, Export, Delete, Execute) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read) Repository.Entitlement (Read, Write, Delete, Archive, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations.
Experience Administrator	Consumer (Read) EngagementAssignment (Assign) - new Engagements (Read, Write, Delete, Execute) EventSubscription (Delete, Read, Write) Experience (Read) - new ManagementGroup (Read) PolicyDeployment (Execute) VDI (Read, Write)	No	Use Experience Analytics, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics.
Experience Engagement Assigner	EngagementAssignment (Assign)	Yes	Assign Engagements to Management Groups (does not allow use of Experience Analytics).
Experience User	Engagements (Read) EventSubscription (Read) Experience (Read)	No	Use Experience Analytics, view Survey responses, and view Metrics.
Nomad Administrator	GuaranteedState (Read) InstructionSet (Actioner) for the 1E Nomad instruction set on All Devices Nomad (Read, Write, Delete)	No	Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies.
Patch Success Administrator	Consumer (Read) InstructionSet (Actioner) for the 1E Patch Success instruction set on All Devices Repository.BI (Read, Populate) Repository.Patch (Read)	No	Use Patch Success, manage and populate its Repository, and deploy Policies, use Endpoint Troubleshootingto deploy patches.
Patch Success User	Consumer (Read) InstructionSet (Questioner) for the 1E Patch Success instruction set on All Devices Repository.Patch (Read)	No	Use Patch Success, and use Endpoint Troubleshooting to ask about Patch status on devices.
Reclaim Administrator	AppClarity.Reclaim (Read, Write, Export, Delete, Execute) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations.
Reclaim Viewer	AppClarity.Reclaim (Read) ProviderOperationLog (Read)	No	View AppClarity Reclaim.

Securables and operations

In the SDK documentation, Securables are also known as Securable Types.

A Permission is one or more Operations for a Securable. The remit for a Securable is either Localized or Global. A Role that has only Localized permissions can be delegated.

Securable	Operations	Remit	Description
AgentDeployment	Approve, Execute, View	Global	View, create, and cancel 1E Client deployment jobs.
AgentInstallerManagement	Add, Delete, Read	Global	View, upload, and delete 1E Client installers.
AppClarity.Compliance	Delete, Execute, Export, Read, Write	Global	View, create, edit, delete, export, and manage AppClarity Compliance and LDC.
AppClarity.Entitlement	Delete, Execute, Export, Read, Write	Global	View, create, edit, delete, export, and manage AppClarity Entitlement.
AppClarity.Reclaim	Delete, Execute, Export, Read, Write	Global	View, create, edit, delete, export, and manage AppClarity Reclaim.
Application	Delete, Write	Global	Install and uninstall Portal applications.
Component	Read, Write	Global	View and configure Components.
Connector	Delete, Execute, Read, Write	Global	View, create, edit, delete, and test Connectors.
Consumer	Read, Write	Global	View, add, edit, and delete Consumers.
CustomProperty	Read, Write	Global	View, add, edit, and delete Custom properties.
DeviceManagement	Delete	Global	Delete devices.
EngagementAssignment	Assign	Localized	Assign Engagements (Surveys and Announcements) to Management Groups.
Engagements	Delete, Execute, Read, Write	Global	View, create, edit, delete, and enable Engagements (Surveys and Announcements) - this securable has been renamed in version 8.0 from Surveys.
EventSubscription	Delete, Read, Write	Localized	View, create, edit, and delete the configurations of event subscriptions.
Experience	Read	Global	View Experience Analytics dashboards.
GuaranteedState	Delete, Read, Write	Global	View, add, edit, and delete Rules, Fragments, Trigger templates, and Policies - view Endpoint Automation dashboards.
Infrastructure	Delete, Read, Write	Global	View System health and System information - view, add, and edit global settings.
InfrastructureLog	Read	Global	View Infrastructure log.
InstructionSet	Actioner, Approver, Questioner, Viewer	Localized	Execute, schedule, cancel, and approve instructions - view responses.
InstructionSetManagement	Add, Delete, Read	Global	Upload DEXPack- add, modify, and delete instruction sets - delete instruction definitions.
Inventory	Export, Read	Global	View Inventory Insights dashboards and export inventory data.
Inventory.Association	Delete, Export, Read, Write	Global	View, create, edit, and delete SCCM Associations in Inventory.
ManagementGroup	Delete, Read, Synchronize, Write	Localized	Create, delete, edit, and initiate synchronization of Management Groups.
Nomad	Delete, Read, Write	Global	View Content Distributiondashboards and SSD peer data. View, add, and delete pre-cache jobs. Pause and resume download activity of Content Distribution clients.
OffloadingData	Offload	Global	Offload (forward) event data to any Web API responsible for processing that data.
PolicyAssignment	Assign	Localized	AssignEndpoint Automation policies to Management Groups.
PolicyDeployment	Execute	Global	Deploy all types of policies (including metrics, events, and engagements) except for Reclaim policies.
ProcessLog	Delete, Read, Write	Global	View and purge the Process log, Cancel all actions.
Protect	Read, Write	Global	View and deploy patches at all endpoints.
ProviderConfiguration	Delete, Read, Write	Global	View, create, edit, and delete Providers.
ProviderOperationLog	Read	Global	Update, delete and view provider configurations.
RemoteSupport	Start	Localized	Create TeamViewer remote support sessions.
Repository.ApplicationMigration	Archive, Delete, EvaluateManagementGroups, Execute, Populate, Read, Write	Global
Repository.BI	Populate, Read	Global	View and populate the BI respository.
Repository.Compliance	Archive, Delete, Populate, Read, Write	Global
Repository.Entitlement	Archive, Delete, Populate, Read, Write	Global
Repository.Inventory	Archive, Delete, EvaluateManagementGroups, Populate, Read, Write	Global	View, create, edit, and delete Inventory repositories - populate and archive them.
Repository.Patch	Read	Global	View Patch Success dashboards.
Schedule	Delete, Read, Write	Global	View, create, edit, and delete Schedules - view Schedule history.
Security	Delete, Read, Write	Localized	Add and remove Users - view all Roles - add, modify, and delete Custom roles - assign roles to users - view Audit information log.
SynchronizationLog	Read	Global	View Sync log.
VDI	Read, Write	Global	View, create, edit, and delete application servers.