Roles and Securables
Use the Roles and Securables reference to understand system and custom roles, securables, and delegated permissions.

On the Roles page, a system role is indicated by an icon with a padlock.
System roles are built-in and are not configurable; however, they can be assigned to users the same as any other role. The following table lists the built-in system roles. Questions, responses, and actions are examples of Securables. Other Consumers may create their own system roles and Securables.
| 1E system role | Permissions | Allows delegation | Description |
|---|---|---|---|
| All Instructions Actioner | | Yes | Use 1E Endpoint Troubleshooting, execute any Instruction (Action and Question), and view any Instruction response. |
| All Instructions Approver | | Yes | Use 1E Endpoint Troubleshooting, approve any Instruction for anyone other than self. |
| All Instructions Questioner | | Yes | Use 1E Endpoint Troubleshooting, ask any Question and view any Instruction response. |
| All Instructions Viewer | | Yes | Use 1E Endpoint Troubleshooting, view any Instruction response. |
| Full Administrator | | No | Has all the permissions available in the Platform and its Applications. |
| Group Administrator | | Yes | Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s). |
| Guaranteed State Administrator | | No | Use Endpoint Automation, manage Rules and Policies, and assign and deploy Policies. |
| Guaranteed State Policy Approver | | No | Use Endpoint Automation and approve rule changes. |
| Guaranteed State Policy Assigner | | Yes | Assign Policies to Management Groups (does not allow use of Endpoint Automation). |
| Guaranteed State User | | No | Use Endpoint Automation, view dashboards. |
| Installer | | No | Install and upgrade the Platform and Applications, register Consumers, upload DEXPacks, manage Instruction Sets, and configure Roles and Permissions. |
| Inventory Administrator | | No | Manage Inventory repositories - populate and archive them - export data - manage Inventory associations. |
| Inventory User | | No | View Inventory repositories, data and Inventory associations. |
| 1E System | | No | For service and equivalent accounts to perform 1E system operations. |
| Remote Support | | No | To create TeamViewer remote support sessions. |

On the Roles page, a custom role is indicated by an icon with a cogwheel.
The following table lists built-in custom roles used by 1E Applications.
| 1E custom role | Permissions | Allows delegation | Description |
|---|---|---|---|
| 1E ITSM Connect Actioner | | Yes | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. |
| AppClarity Administrator | | No | Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations. |
| Application Migration Administrator | | No | Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment. |
| Compliance Administrator | | No | Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations. |
| Compliance Viewer | | No | View AppClarity Compliance, Entitlement and License Demand. |
| Entitlement Administrator | | No | Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations. |
| Experience Administrator | | No | Use Experience Analytics, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics. |
| Experience Engagement Assigner | | Yes | Assign Engagements to Management Groups (does not allow use of Experience Analytics). |
| Experience User | | No | Use Experience Analytics, view Survey responses, and view Metrics. |
| Nomad Administrator | | No | Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies. |
| Patch Success Administrator | | No | Use Patch Success, manage and populate its Repository, deploy Policies, and use Endpoint Troubleshooting to deploy patches. |
| Patch Success User | | No | Use Patch Success, and use Endpoint Troubleshooting to ask about Patch status on devices. |
| Reclaim Administrator | | No | Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations. |
| Reclaim Viewer | | No | View AppClarity Reclaim. |

In the SDK documentation, Securables are also known as Securable Types.
A Permission is one or more Operations for a Securable. The remit for a Securable is either Localized or Global. A Role that has only Localized permissions can be delegated.
| Securable | Operations | Remit | Description |
|---|---|---|---|
| | Approve, Execute, View | Global | View, create, and cancel 1E Client deployment jobs. |
| | Add, Delete, Read | Global | View, upload, and delete 1E Client installers. |
| | Delete, Execute, Export, Read, Write | Global | View, create, edit, delete, export, and manage AppClarity Compliance and LDC. |
| | Delete, Execute, Export, Read, Write | Global | View, create, edit, delete, export, and manage AppClarity Entitlement. |
| | Delete, Execute, Export, Read, Write | Global | View, create, edit, delete, export, and manage AppClarity Reclaim. |
| | Delete, Write | Global | Install and uninstall Portal applications. |
| | Read, Write | Global | View and configure Components. |
| | Delete, Execute, Read, Write | Global | View, create, edit, delete, and test Connectors. |
| | Read, Write | Global | View, add, edit, and delete Consumers. |
| | Read, Write | Global | View, add, edit, and delete Custom properties. |
| | Delete | Global | Delete devices. |
| | Assign | Localized | Assign Engagements (Surveys and Announcements) to Management Groups. |
| | Delete, Execute, Read, Write | Global | View, create, edit, delete, and enable Engagements (Surveys and Announcements) - this securable has been renamed in version 8.0 from Surveys. |
| | Delete, Read, Write | Localized | View, create, edit, and delete the configurations of event subscriptions. |
| | Read | Global | View Experience Analytics dashboards. |
| | Delete, Read, Write | Global | View, add, edit, and delete Rules, Fragments, Trigger templates, and Policies - view Endpoint Automation dashboards. |
| | Delete, Read, Write | Global | View System health and System information - view, add, and edit global settings. |
| | Read | Global | View Infrastructure log. |
| | Actioner, Approver, Questioner, Viewer | Localized | Execute, schedule, cancel, and approve instructions - view responses. |
| | Add, Delete, Read | Global | Upload DEXPack - add, modify, and delete instruction sets - delete instruction definitions. |
| | Export, Read | Global | View Inventory Insights dashboards and export inventory data. |
| | Delete, Export, Read, Write | Global | View, create, edit, and delete SCCM Associations in Inventory. |
| | Delete, Read, Synchronize, Write | Localized | Create, delete, edit, and initiate synchronization of Management Groups. |
| | Delete, Read, Write | Global | View Content Distribution dashboards and SSD peer data. View, add, and delete pre-cache jobs. Pause and resume download activity of Content Distribution clients. |
| | Offload | Global | Offload (forward) event data to any Web API responsible for processing that data. |
| | Assign | Localized | Assign Endpoint Automation policies to Management Groups. |
| | Execute | Global | Deploy all types of policies (including metrics, events, and engagements) except for Reclaim policies. |
| | Delete, Read, Write | Global | View and purge the Process log, Cancel all actions. |
| Protect | Read, Write | Global | View and deploy patches at all endpoints. |
| | Delete, Read, Write | Global | View, create, edit, and delete Providers. |
| | Read | Global | Update, delete and view provider configurations. |
| | Start | Localized | Create TeamViewer remote support sessions. |
| | Archive, Delete, EvaluateManagementGroups, Execute, Populate, Read, Write | Global | |
| | Populate, Read | Global | View and populate the BI repository. |
| | Archive, Delete, Populate, Read, Write | Global | |
| | Archive, Delete, Populate, Read, Write | Global | |
| | Archive, Delete, EvaluateManagementGroups, Populate, Read, Write | Global | View, create, edit, and delete Inventory repositories - populate and archive them. |
| | Read | Global | View Patch Success dashboards. |
| | Delete, Read, Write | Global | View, create, edit, and delete Schedules - view Schedule history. |
| | Delete, Read, Write | Localized | Add and remove Users - view all Roles - add, modify, and delete Custom roles - assign roles to users - view Audit information log. |
| | Read | Global | View Sync log. |
| | Read, Write | Global | View, create, edit, and delete application servers. |
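
The delegation rule stated above the Securables table (a Role that has only Localized permissions can be delegated) can be checked mechanically when reviewing custom roles. The following is an added example, not 1E code or a 1E API: the role names, the data layout, and every securable name except Protect are constructed placeholders. It assumes that a securable missing from the remit map is treated as Global and that a role with no permissions is not delegable.

```python
from dataclasses import dataclass

LOCALIZED, GLOBAL = "Localized", "Global"

# Securable -> remit. Only "Protect" (Global) is named on the page;
# the other securable names are constructed placeholders.
REMIT = {
    "Protect": GLOBAL,
    "ExampleInstructionSet": LOCALIZED,
    "ExampleManagementGroup": LOCALIZED,
    "ExampleRepository": GLOBAL,
}

@dataclass(frozen=True)
class Role:
    name: str
    allows_delegation: bool
    permissions: tuple  # ((securable, operation), ...)

def global_permissions(role, remit=REMIT):
    """Permissions that block delegation; unknown securables fail closed."""
    return sorted(p for p in role.permissions
                  if remit.get(p[0], GLOBAL) == GLOBAL)

def can_be_delegated(role, remit=REMIT):
    """Page rule: only Localized permissions. Empty roles are rejected (assumption)."""
    return bool(role.permissions) and not global_permissions(role, remit)

def audit(roles, remit=REMIT):
    """Return (role name, blocking permissions) for roles wrongly marked delegable."""
    return [(r.name, global_permissions(r, remit))
            for r in roles
            if r.allows_delegation and not can_be_delegated(r, remit)]

# Constructed sample roles for the audit.
ROLES = [
    Role("Example Instruction Operator", True,
         (("ExampleInstructionSet", "Actioner"), ("ExampleManagementGroup", "Read"))),
    Role("Example Patch Operator", True,
         (("ExampleInstructionSet", "Questioner"), ("Protect", "Write"))),
    Role("Example Repository Admin", False, (("ExampleRepository", "Populate"),)),
    Role("Example Imported Role", True, (("UnmappedSecurable", "Read"),)),
]

if __name__ == "__main__":
    for name, blocking in audit(ROLES):
        print(f"{name}: marked delegable but holds {blocking}")
```

A role that is not marked delegable is never reported, even if all its permissions are Localized, because the rule only says when delegation is possible.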