Roles and Securables

System roles

On the Roles, a system role is indicated by an icon with a padlock

System roles are built-in and are not configurable, however, they can be assigned to users the same as any other role. The following table lists the built-in system roles.

Expand table

1E system role	Permissions	Allows delegation	Description
All Instructions Actioner	InstructionSet (Actioner) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, execute any Instruction (Action and Question), and view any Instruction response
All Instructions Approver	InstructionSet (Approver) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, approve any Instruction for anyone other than self
All Instructions Questioner	InstructionSet (Questioner) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, ask any Question and view any Instruction response
All Instructions Viewer	InstructionSet (Viewer) for All Instruction Sets	Yes	Use 1E Endpoint Troubleshooting, view any Instruction response
Full Administrator	All	No	Has all the permissions available in the Platform and its Applications
Group Administrator	CustomProperty (Read) ManagementGroup (Read, Write, Synchronize, Delete) Security (Read, Write, Delete) Repository.Inventory (Read, EvaluateManagementGroup)	Yes	Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s)
Guaranteed State Administrator	GuaranteedState (Read,Write,Delete) PolicyAssignment (Assign) PolicyDeployment (Execute)	No	Use Endpoint Automation, manage Rules and Polices, and assign and deploy Policies
Guaranteed State Policy Approver	GuaranteedState (Approver, Read)	No	To use Endpoint Automation, and approve rule changes.
Guaranteed State Policy Assigner	PolicyAssignment (Assign)	Yes	Assign Policies to Management Groups (does not allow use of Endpoint Automation)
Guaranteed State User	GuaranteedState (Read)	No	Use Endpoint Automation, view dashboards
Installer	Application (Write, Delete) Consumer (Read, Write) CustomProperty (Read) EventSubscription (Read, Write, Delete) Infrastructure (Read) InfrastructureLog (Read) InstructionSetManagement (Delete, Add, Read) ManagementGroup (Read) Security (Read, Write, Delete)	No	Install and upgrade the Platform and Applications, register Consumers, upload DEXPacks, manage Instruction Sets, and configure Roles and Permissions
Inventory Administrator	Component (Read, Write) Connector (Read, Write, Delete, Execute) CustomProperty (Read, Write) Inventory (Read, Export) Inventory.Association (Read, Write, Delete, Export) ManagementGroup (Read, Write, Synchronize, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Inventory (Archive, Delete, EvaluateManagementGroups, Populate, Read, Write) Schedule (Read, Delete, Write) SynchronizationLog (Read)	No	Manage Inventory repositories - populate and archive them - export data - manage Inventory associations
Inventory User	Inventory (Read, Export) Inventory.Association (Read) Repository.Inventory (Read)	No	View Inventory repositories, data and Inventory associations
1E System	Component (Read) Connector (Execute) Consumer (Read) EngagementAssignment (Assign) Engagements (Read, Write, Delete, Execute) InstructionSetManagement (Read) ManagementGroup (Read, Synchronize) OffloadingData (Offload) PolicyDeployment (Execute) ProcessLog (Read) ProviderOperationLog (Read) Repository.Inventory (Read, EvaluateManagementGroups) Security (Read)	No	For service and equivalent accounts to perform 1E system operations
Remote Support	RemoteSupport (Execute)	No	To create TeamViewer remote support sessions.

Questions, responses, actions are examples of securables. Other Consumers may create their own system roles and securables.

Custom roles

On the Roles, a custom role is indicated by an icon with a cogwheel

The following table lists built-in custom roles used by 1E Applications.

Expand table

1E custom role	Permissions	Allows delegation	Description
1E ITSM Connect Actioner	InstructionSet (Actioner) on the instruction sets you wish to allow ServiceNow to use	Yes	The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role
AppClarity Administrator	AppClarity.Compliance (Read, Write, Export, Delete, Execute) AppClarity.Entitlement (Read, Write, Export, Delete, Execute) AppClarity.Reclaim (Read, Write, Export, Delete, Execute) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read, Write, Delete, Archive, Populate) Repository.Entitlement (Read, Write, Delete, Archive, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations
Application Migration Administrator	Connector (Execute) Inventory (Read) Inventory.Association (Read,Write,Delete) ProcessLog (Read) ProviderConfiguration (Read) ProviderOperationLog (Read) Repository.ApplicationMigration (Read,Write,Delete,Archive,Populate) Repository.Inventory (Read,Write,Populate,EvaluateManagementGroups)	No	Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment
Compliance Administrator	AppClarity.Compliance (Read, Write, Export, Delete, Execute) AppClarity.Entitlement (Read, Write, Export, Delete, Execute) AppClarity.Reclaim (Read) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read, Write, Delete, Archive, Populate) Repository.Entitlement (Read, Write, Delete, Archive, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations
Compliance Viewer	AppClarity.Compliance (Read) AppClarity.Entitlement (Read) ProviderOperationLog (Read)	No	View AppClarity Compliance, Entitlement and License Demand
Entitlement Administrator	AppClarity.Entitlement (Read, Write, Export, Delete, Execute) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read) Repository.Entitlement (Read, Write, Delete, Archive, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations
Experience Administrator	Consumer (Read) EngagementAssignment (Assign) - new Engagements (Read, Write, Delete, Execute) EventSubscription (Delete, Read, Write) Experience (Read) - new ManagementGroup (Read) PolicyDeployment (Execute) VDI (Read, Write)	No	Use Experience Analytics, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics
Experience Engagement Assigner	EngagementAssignment (Assign)	Yes	Assign Engagements to Management Groups (does not allow use of Experience Analytics)
Experience User	Engagements (Read) EventSubscription (Read) Experience (Read)	No	Use Experience Analytics, view Survey responses, and view Metrics
Nomad Administrator	GuaranteedState (Read) InstructionSet (Actioner) for the 1E Nomad instruction set on All Devices Nomad (Read, Write, Delete)	No	Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies
Patch Success Administrator	Consumer (Read) InstructionSet (Actioner) for the 1E Patch Success instruction set on All Devices Repository.BI (Read, Populate) Repository.Patch (Read)	No	Use Patch Success, manage and populate its Repository, and deploy Policies, use Endpoint Troubleshootingto deploy patches
Patch Success User	Consumer (Read) InstructionSet (Questioner) for the 1E Patch Success instruction set on All Devices Repository.Patch (Read)	No	Use Patch Success, and use Endpoint Troubleshooting to ask about Patch status on devices
Reclaim Administrator	AppClarity.Reclaim (Read, Write, Export, Delete, Execute) Connector (Execute) Inventory (Read, Export) Inventory.Association (Read, Write, Export, Delete) ProcessLog (Read) ProviderOperationLog (Read) Repository.Compliance (Read, Populate) Repository.Inventory (Read) Schedule (Read, Write, Delete)	No	Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations
Reclaim Viewer	AppClarity.Reclaim (Read) ProviderOperationLog (Read)	No	View AppClarity Reclaim

Securables and operations

In the SDK documentation, Securables are also known as Securable Types.

A Permission is one or more Operations for a Securable. The remit for a Securable is either Localized or Global. A Role that has only Localized permissions can be delegated.

Expand table

Securable	Operations	Remit	Description
AgentDeployment	Approve, Execute, View	Global	View, create, and cancel 1E Client deployment jobs
AgentInstallerManagement	Add, Delete, Read	Global	View, upload, and delete 1E Client installers
AppClarity.Compliance	Delete, Execute, Export, Read, Write	Global	View, create, edit, delete, export, and manage AppClarity Compliance and LDC
AppClarity.Entitlement	Delete, Execute, Export, Read, Write	Global	View, create, edit, delete, export, and manage AppClarity Entitlement
AppClarity.Reclaim	Delete, Execute, Export, Read, Write	Global	View, create, edit, delete, export, and manage AppClarity Reclaim
Application	Delete, Write	Global	Install and uninstall Portal applications
Component	Read, Write	Global	View and configure Components
Connector	Delete, Execute, Read, Write	Global	View, create, edit, delete, and test Connectors
Consumer	Read, Write	Global	View, add, edit, and delete Consumers
CustomProperty	Read, Write	Global	View, add, edit, and delete Custom properties
EngagementAssignment	Assign	Localized	Assign Engagements (Surveys and Announcements) to Management Groups
Engagements	Delete, Execute, Read, Write	Global	View, create, edit, delete, and enable Engagements (Surveys and Announcements) - this securable has been renamed in version 8.0 from Surveys
EventSubscription	Delete, Read, Write	Localized	View, create, edit, and delete the configurations of event subscriptions
Experience	Read	Global	View Experience Analytics dashboards
GuaranteedState	Delete, Read, Write	Global	View, add, edit, and delete Rules, Fragments, Trigger templates, and Policies - view Endpoint Automation dashboards
Infrastructure	Delete, Read, Write	Global	View System health and System information - view, add, and edit global settings
InfrastructureLog	Read	Global	View Infrastructure log
InstructionSet	Actioner, Approver, Questioner, Viewer	Localized	Execute, schedule, cancel, and approve instructions - view responses
InstructionSetManagement	Add, Delete, Read	Global	Upload DEXPack- add, modify, and delete instruction sets - delete instruction definitions
Inventory	Export, Read	Global	View Inventory Insights dashboards and export inventory data
Inventory.Association	Delete, Export, Read, Write	Global	View, create, edit, and delete SCCM Associations in Inventory
ManagementGroup	Delete, Read, Synchronize, Write	Localized	Create, delete, edit, and initiate synchronization of Management Groups
Nomad	Delete, Read, Write	Global	View Content Distributiondashboards and SSD peer data. View, add, and delete pre-cache jobs. Pause and resume download activity of Content Distribution clients
OffloadingData	Offload	Global	Offload (forward) event data to any Web API responsible for processing that data
PolicyAssignment	Assign	Localized	AssignEndpoint Automation policies to Management Groups
PolicyDeployment	Execute	Global	Deploy all types of policies (including metrics, events, and engagements) except for Reclaim policies
ProcessLog	Delete, Read, Write	Global	View and purge the Process log, Cancel all actions
Protect	Read, Write	Global	View and deploy patches at all endpoints
ProviderConfiguration	Delete, Read, Write	Global	View, create, edit, and delete Providers
ProviderOperationLog	Read	Global	Update, delete and view provider configurations
RemoteSupport	Start	Localized	Create TeamViewer remote support sessions.
Repository.ApplicationMigration	Archive, Delete, EvaluateManagementGroups, Execute, Populate, Read, Write	Global
Repository.BI	Populate, Read	Global	View and populate the BI respository
Repository.Compliance	Archive, Delete, Populate, Read, Write	Global
Repository.Entitlement	Archive, Delete, Populate, Read, Write	Global
Repository.Inventory	Archive, Delete, EvaluateManagementGroups, Populate, Read, Write	Global	View, create, edit, and delete Inventory repositories - populate and archive them
Repository.Patch	Read	Global	View Patch Success dashboards
Schedule	Delete, Read, Write	Global	View, create, edit, and delete Schedules - view Schedule history
Security	Delete, Read, Write	Localized	Add and remove Users - view all Roles - add, modify, and delete Custom roles - assign roles to users - view Audit information log
SynchronizationLog	Read	Global	View Sync log
VDI	Read, Write	Global	View, create, edit, and delete application servers