Types of User Roles and Access Credentials – Esper Help

This feature is available for: ✓ Templates ✓ Blueprints

Manage user roles (also known as RBAC, Role Based Access Controls) to give them permissions to the entire console or just a group.

There are four default user roles for the Esper Console: Enterprise Administrator, Enterprise Viewer, Group Administrator, and Group Viewer. In addition, can create custom roles to handle various use cases.

When setting up a user role, be mindful that each role has different permissions. Enterprise Administrators have the highest level of permissions and can view or change most of the settings. In contrast, a Group Viewer has far fewer permissions. These users need permission to view tasks for the devices and groups.

In the article:

Enterprise Roles
Group Roles
Custom Roles

Enterprise Roles

Enterprise Admins have access to the entire console. While admins can manage features, viewers may only view these features.

Feature	Enterprise Admin	Viewer
Dashboard	All access	Read access
Provisioning Methods	All access	No access
Devices & Groups	All access	Read access
Device Overview, Apps, Event Feed	All access	Read access
Device Remote Viewer	All access	All access
Device Capture Logs	All access	All access
Device Settings & Actions	All access	Read access
Group Overview, Apps, Event Feed	All access	Read access
Group Settings & Actions	All access	Read access
Blueprints Manager	All access	Read access (able to view version history)
Content Management	All access	Read access (able to view details and download files)
Apps	All access	Read access (no access to Google Play Store apps)
Alerts	All access	Read access
Geofence	All access	Read access
Pipelines	All access	Read access
Reports	All access	No access to email subscriptions, all access to other Report features
Esper Software Updates	All access	No access
API Key Management	All access	All access
Provisioning Templates	All access	Read access
Compliance Policy	All access	Read access
User management	All access	No access
Company settings	All access	No access
Self-service Billing	All access	No access
Single Sign-on (SSO)	All access	No access
Tenant settings	All access	No access
Apple MDM Management	All access	No access
Factory Reset	All access (available for certain tenants)	No access
Support tickets	All access	All access

Group Roles

Group users will have access to features for specific device groups.

Feature	Group Admin	Group Viewer
Dashboard	All access for assigned groups	All access for assigned groups
Provisioning Methods	All access for assigned groups*	No access
Devices & Groups	All access for assigned groups	Read access for assigned groups
Device Overview, Apps, Event Feed	All access for assigned groups	Read access for assigned groups
Device Remote Viewer	All access for assigned groups	All access for devices in assigned groups
Device Capture Logs	All access for assigned groups	All access for devices in assigned groups
Device Settings	All access for assigned groups	Read access for assigned groups
Group Overview & Event Feed	All access for assigned groups	Read access
Group Apps	All access for assigned groups	No access
Group Settings & Actions	All access for assigned groups	Read access
Blueprints Manager	Read access	Read access
Content Management	Partial access for assigned groups: can view details, download, and transfer to assigned groups	Read access (able to view details and download files)
Apps	No access to Play Store, read access to all other features	Read access (no access to Google Play Store apps)
Alerts	Read access	Read access
Geofence	Read access	Read access
Pipelines	Read access	Read access
Reports	No access to email subscriptions, all access to other Report features for assigned groups	Read access for assigned groups
Esper Software Updates	No access	No access
API Key Management	All access	All access
Provisioning Templates	No access	No access
Compliance Policy	Read access	Read access
User management	No access	No access
Company settings	No access	No access
Self-service Billing	No access	No access
Single Sign-on (SSO)	No access	No access
Tenant settings	No access	No access
Apple MDM Management	No access	No access
Factory Reset	No access	No access
Support tickets	All access	All access

*For Templates users, group admins will not be able to add a seamless entry without reaching out to Support to enable this feature. For Blueprints users, the group admins can add seamless entries to all their assigned groups.

Custom Roles

Enterprise admins can create custom roles. The following outlines scopes and their related permissions. See Custom Roles for more information about creating a custom role.

Section	Scope	Permission(s) enabled
Device Quick Actions	Device lockdown	create:device_command:SET_DEVICE_LOCKDOWN_STATE
	Reboot	create:device_command:REBOOT
	Beep device	create:device_command:BEEP_DEVICE
	Reset or remove device	create:device_command:WIPE
	Ping device	create:device_command:UPDATE_HEARTBEAT
	Send message	create:device_command:NOTIFY_DEVICE
	Screen lock	create:device_command:LOCK
	Switch between multi-app and kiosk mode	create:device_command:SET_KIOSK_APP
	Move Device to Group	update:device:group
	Modify Tags	create:device:tag
		update:device:tag
		delete:device:tag
	Rename device	update:device:alias
	Upgrade from Template to Blueprint	create:template_upgrade
	Lost Mode	create:device_command:LOST_MODE
Device Settings	Sound volume	create:device_command:SET_STREAM_VOLUME
	Display Settings	create:device_command:SET_BRIGHTNESS_SCALE
		create:device_command:SET_ROTATION_STATE
		create:device_command:SET_SCREEN_OFF_TIMEOUT
	Branding	create:device_command:SET_WALLPAPER
	Wi-Fi	create:device_command:SET_WIFI_STATE
	Wi-Fi access point	create:device_command:ADD_WIFI_AP
	Wi-Fi access point	create:device_command:REMOVE_WIFI_AP
	Wi-Fi static IP	create:device_command:SET_STATIC_IP
	Ethernet	create:device_command:SET_ETHERNET_SETTINGS
	Location (GPS)	create:device_command:SET_GPS_STATE
	Bluetooth	create:device_command:SET_BLUETOOTH_STATE
	Timezone	create:device_command:SET_TIMEZONE
	ADB access	create:device_command:SET_ADB_STATE
	Manage configurations	create:device_command:UPDATE_DEVICE_CONFIG
	Update blueprint	create:device_command:UPDATE_BLUEPRINT
	Shut down	create:device_command:SHUT_DOWN
	Clear passcode	create:device_command:CLEAR_PASSCODE
Device App Settings	Device refresh app list	create:device_command:REFRESH_APPLIST
	Install apps	create:device_command:INSTALL
	Install apps	create:device_command:INSTALL_APP
	Uninstall apps	create:device_command:UNINSTALL
	Uninstall apps	create:device_command:UNINSTALL_APP
	Manage app state	create:device_command:SET_APP_STATE
	Clear app state	create:device_command:CLEAR_APP_DATA
	Update app permission	create:device_command:SET_APP_PERMISSION
Device Capture Logs	Generate bug report	create:device_command:REQUEST_BUGREPORT
Device Compliance Policy	Apply Policy	create:device_command:SET_NEW_POLICY
WebCli	Manage WebCli	read:webcli_session
		create:webcli_session
		delete:webcli_session
		update:webcli_session
Group Quick Actions	Reboot	create:group_command:REBOOT
	Screen lock	create:group_command:LOCK
	Ping device	create:group_command:UPDATE_HEARTBEAT
	Reset or remove devices in group	create:group_command:WIPE
	Send message	create:group_command:NOTIFY_DEVICE
	Switch between multi-app and kiosk mode	create:group_command:SET_KIOSK_APP
Group Settings	Sound volume	create:group_command:SET_STREAM_VOLUME
	Display Settings	create:group_command:SET_BRIGHTNESS_SCALE
		create:group_command:SET_ROTATION_STATE
		create:group_command:SET_SCREEN_OFF_TIMEOUT
	Branding	create:group_command:SET_WALLPAPER
	Wi-Fi	create:group_command:SET_WIFI_STATE
	Wi-Fi access point	create:group_command:ADD_WIFI_AP
	Wi-Fi access point	create:group_command:REMOVE_WIFI_AP
	Wi-Fi static IP	create:group_command:SET_STATIC_IP
	Ethernet	create:group_command:SET_ETHERNET_SETTINGS
	Location (GPS)	create:group_command:SET_GPS_STATE
	Bluetooth	create:group_command:SET_BLUETOOTH_STATE
	Timezone	create:group_command:SET_TIMEZONE
	ADB access	create:group_command:SET_ADB_STATE
	Manage configurations	create:group_command:UPDATE_DEVICE_CONFIG
	Update blueprint	create:group_command:UPDATE_BLUEPRINT
Group App Settings	Group app install	create:group_command:INSTALL
	Group app install	create:group_command:INSTALL_APP
	Group app uninstall	create:group_command:UNINSTALL
	Group app uninstall	create:group_command:UNINSTALL_APP
	Manage app state	create:group_command:SET_APP_STATE
Device Remote Viewer & Control	Create remote session	create:device_command:INITIATE_OFFER
	Device view screenshot	read:device_screenshot
	Take screenshot	create:device_command:CAPTURE_SCREENSHOT
	Take screenshot	create:device_screenshot
General	View device graphs	read:device_graph
General	Device event feed	read:event_feed
Group General	View groups	read:group (This setting is always enabled)
	Create group	create:group
	Update or move groups	update:group
	Delete group	delete:group
Blueprints	View blueprints	read:blueprint (This setting is enabled by default)
	Create blueprints	create:blueprint
	Update blueprints	update:blueprint
	Delete blueprints	delete:blueprint
	Converge	create:device_command:CONVERGE
	Link/Unlink Group Blueprint	update:group:blueprint
	Change Device Blueprint	update:device:blueprint
Provisioning Methods	Provision Device	provision:device
Compliance policy	View compliance policy	read:compliance_policy
	Create compliance policy	create:compliance_policy
	Update compliance policy	update:compliance_policy
	Delete compliance policy	delete:compliance_policy
Provisioning templates	View provisioning templates	read:provisioning_template
	Create provisioning templates	create:provisioning_template
	Update provisioning templates	update:provisioning_template
	Delete provisioning templates	delete:provisioning_template
	Add IMEI/Serial numbers in provisioning template	create:provisioning_template:imei_serial
	Update IMEI/Serial numbers in provisioning template	update:provisioning_template:imei_serial
	Delete IMEI/Serial numbers in provisioning template	delete:provisioning_template:imei_serial
	Update Wi-Fi Management in provisioning templates	update:provisioning_template:wifi_management
App Management	View app management	read:app
	Manage Play Store Apps	read:emm
		create:emm
		update:emm
	Upload Esper Android Apps	create:app:esper_android
	Update Esper Android Apps	update:app:esper_android
	Delete Esper Android Apps	delete:app:esper_android
	Upload Esper iOS Apps	create:app:esper_ios
	Delete Esper iOS Apps	delete:app:esper_ios
	Update Esper iOS Apps	update:app:esper_ios
Alerts	View alerts	read:alert
	Manage alerts	create:alert
		update:alert
		delete:alert
Pipelines	View pipelines	read:pipeline
	Manage pipelines	create:pipeline
		update:pipeline
		delete:pipeline
Geofence	View geofences	read:geofence
	Update geofences	update:geofence
	Create geofences	create:geofence
	Delete geofence	delete:geofence
Reports	View reports	read:report
Personal Access Tokens (API Keys)	Manage Personal Access Tokens	read:personal_access_token
		create:personal_access_token
		update:personal_access_token
		delete:personal_access_token
Esper Software Updates	Manage Esper Agent	update:esper_software_updates
	View Foundation Builds & Update Configuration	read:foundation_build
	View Foundation Builds & Update Configuration	read:foundation_device_model
	Approve/Unapprove Foundation Builds	read:foundation_build
		read:foundation_device_model
		update:foundation_build
	Update Automatic Update Configuration	read:foundation_build
		read:foundation_device_model
		update:foundation_device_model
	View Foundation Updates Event Feed	read:foundry_event
Support Tickets	Create and view support tickets	create:support_partner_token
Content Management	View content management	read:content
	Create content management	create:content
	Update content management	update:content
	Delete content management	delete:content
	Transfer content to devices	create:device_command:SYNC_CONTENT
	Transfer content to groups	create:group_command:SYNC_CONTENT
User Management	View users	read:user:all
	View users	read:user
	Delete users	delete:user
	Update users	update:user
	View user roles	read:role:all
	View user roles	read:role
	Update user roles	update:role
	Create user roles	create:role
	Delete user roles	delete:role
	View user invites	read:user_invite
	Delete user invites	delete:user_invite
	Create user/sso invites	create:user_invite
Company Settings	Manage company settings	read:tenant
Company Settings	Manage company settings	update:tenant
Self-service Billing	Manage self-service billing	read:billing
Self-service Billing	Manage self-service billing	create:billing
Single Sign-on (SSO)	View SSO	read:sso_connection
	Delete SSO	delete:sso_connection
	Create SSO	create:sso_connection
Tenant Settings	Manage Partner Control Center	read:partner_tenant
	Manage Partner Control Center	create:partner_tenant
	Manage Firewall Settings	read:tenant_config
	Manage Firewall Settings	update:tenant_config
	Manage Enable Templates	read:enable_template
	Manage Enable Templates	create:enable_template
Apple MDM	Manage Apple MDM	read:mdm_apple
		create:mdm_apple
		delete:mdm_apple

Enterprise Roles

Group Roles

Custom Roles

Related articles

Featured content