Manage user roles (also known as RBAC, Role Based Access Controls) to give them permissions to the entire Console or just a group.
There are four default user roles for the Esper Console: Enterprise Administrator, Enterprise Viewer, Group Administrator, and Group Viewer. In addition, can create custom roles to handle various use cases.
When setting up a user role, be mindful that each role has different permissions. Enterprise Administrators have the highest level of permissions and can view or change most of the settings. In contrast, a Group Viewer has far fewer permissions. These users need permission to view tasks for the devices and groups.
In the article:
Enterprise Roles
Enterprise Admins have access to the entire Console. While admins can manage features, viewers may only view these features.
Feature | Enterprise Admin | Enterprise Viewer |
Alerts | Read, Write Access | Read access |
Apps/Play for Work | Read, Write Access | Read access |
Compliance Policy | Read, Write Access | Read access |
Dashboard | Read, Write Access | Read access |
Device views | Read, Write Access | Read access |
Device Apps | Read, Write Access | Read access |
Device Compliance Policies | Read, Write Access | Read access |
Device Capture logs | Read, Write Access | Read access |
Geofencing | Read, Write Access | Read access |
Group views | Read, Write Access | Read access |
Group settings and policies | Read, Write Access | Read access |
Group apps | Read, Write Access | Read access |
Group OS updates | Read, Write Access | Read access |
Pipeline | Read, Write Access | Read access |
Esper Software updates | Read, Write Access | Read access |
API key management | Read, Write Access | Read, Write Access |
Provisioning | Read, Write Access | Read access |
Reports | Read, Write Access | Read access |
User management | Read, Write Access | No |
Company settings | Read, Write Access | No |
Tenant settings | Read, Write Access | No |
Factory Reset | Yes | No |
Group Roles
Group users will have access to features for specific device groups.
Feature | Group Admin | Group Viewer |
Alerts | Read access | Read access |
Apps/Play for Work | Read access | Read access |
Compliance Policy | Read access | Read access |
Dashboard | Read access | Read access(for devices in assigned groups) |
Device views | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Device Apps | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Device compliance policies | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Device capture logs | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Geofencing | No | No |
Group views | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Group settings and policies | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Group apps | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Group OS updates | Yes, for devices in assigned groups | Read access(for devices in assigned groups) |
Pipeline | Read access | Read access |
Esper software updates | Read access | Read Access |
API key management | Read, Write Access | Read, Write Access |
Provisioning | Read,Write access | No |
Reports | Yes, for devices in assigned groups | No |
User management | No | No |
Company settings | No | No |
Tenant settings | No | No |
Factory Reset | Yes, for devices in assigned groups | No |
Custom Roles
Enterprise admins can create custom roles. The following outlines scopes and their related permissions. See Custom Roles for more information about creating a custom role.
Section | Scope | Permission(s) enabled |
Device Quick Actions |
Device lockdown | create:device_command:SET_DEVICE_LOCKDOWN_STATE |
Reboot | create:device_command:REBOOT | |
Beep device | create:device_command:BEEP_DEVICE | |
Reset or remove device | create:device_command:WIPE | |
Ping device | create:device_command:UPDATE_HEARTBEAT | |
Send message | create:device_command:NOTIFY_DEVICE | |
Screen lock | create:device_command:LOCK | |
Switch between multi-app and kiosk mode | create:device_command:SET_KIOSK_APP | |
Move Device to Group | update:device:group | |
Modify Tags | create:device:tag | |
update:device:tag | ||
delete:device:tag | ||
Rename device | update:device:alias | |
Upgrade from Template to Blueprint | create:template_upgrade | |
Device Settings |
Sound volume | create:device_command:SET_STREAM_VOLUME |
Display Settings | create:device_command:SET_BRIGHTNESS_SCALE | |
create:device_command:SET_ROTATION_STATE | ||
create:device_command:SET_SCREEN_OFF_TIMEOUT | ||
Branding | create:device_command:SET_WALLPAPER | |
Wi-Fi | create:device_command:SET_WIFI_STATE | |
Wi-Fi access point | create:device_command:ADD_WIFI_AP | |
create:device_command:REMOVE_WIFI_AP | ||
Wi-Fi static IP | create:device_command:SET_STATIC_IP | |
Ethernet | create:device_command:SET_ETHERNET_SETTINGS | |
Location (GPS) | create:device_command:SET_GPS_STATE | |
Bluetooth | create:device_command:SET_BLUETOOTH_STATE | |
Timezone | create:device_command:SET_TIMEZONE | |
ADB access | create:device_command:SET_ADB_STATE | |
Manage configurations | create:device_command:UPDATE_DEVICE_CONFIG | |
Update blueprint | create:device_command:UPDATE_BLUEPRINT | |
Shut down | create:device_command:SHUT_DOWN | |
Clear passcode | create:device_command:CLEAR_PASSCODE | |
Device App Settings |
Device refresh app list | create:device_command:REFRESH_APPLIST |
Install apps | create:device_command:INSTALL | |
create:device_command:INSTALL_APP | ||
Uninstall apps | create:device_command:UNINSTALL | |
create:device_command:UNINSTALL_APP | ||
Manage app state | create:device_command:SET_APP_STATE | |
Clear app state | create:device_command:CLEAR_APP_DATA | |
Update app permission | create:device_command:SET_APP_PERMISSION | |
Device Capture Logs | Generate bug report | create:device_command:REQUEST_BUGREPORT |
Device Compliance Policy | Apply Policy | create:device_command:SET_NEW_POLICY |
Group Quick Actions | Reboot | create:group_command:REBOOT |
Screen lock | create:group_command:LOCK | |
Ping device | create:group_command:UPDATE_HEARTBEAT | |
Reset or remove devices in group | create:group_command:WIPE | |
Send message | create:group_command:NOTIFY_DEVICE | |
Switch between multi-app and kiosk mode | create:group_command:SET_KIOSK_APP | |
Group Settings | Sound volume | create:group_command:SET_STREAM_VOLUME |
Display Settings | create:group_command:SET_BRIGHTNESS_SCALE | |
create:group_command:SET_ROTATION_STATE | ||
create:group_command:SET_SCREEN_OFF_TIMEOUT | ||
Branding | create:group_command:SET_WALLPAPER | |
Wi-Fi | create:group_command:SET_WIFI_STATE | |
Wi-Fi access point | create:group_command:ADD_WIFI_AP | |
create:group_command:REMOVE_WIFI_AP | ||
Wi-Fi static IP | create:group_command:SET_STATIC_IP | |
Ethernet | create:group_command:SET_ETHERNET_SETTINGS | |
Location (GPS) | create:group_command:SET_GPS_STATE | |
Bluetooth | create:group_command:SET_BLUETOOTH_STATE | |
Timezone | create:group_command:SET_TIMEZONE | |
ADB access | create:group_command:SET_ADB_STATE | |
Manage configurations | create:group_command:UPDATE_DEVICE_CONFIG | |
Update blueprint | create:group_command:UPDATE_BLUEPRINT | |
Group app install | create:group_command:INSTALL | |
create:group_command:INSTALL_APP | ||
Group app uninstall | create:group_command:UNINSTALL | |
create:group_command:UNINSTALL_APP | ||
Manage app state | create:group_command:SET_APP_STATE | |
Device Remote Viewer & Control | Create remote session | create:device_command:INITIATE_OFFER |
Device view screenshot | read:device_screenshot | |
Take screenshot | create:device_command:CAPTURE_SCREENSHOT | |
Take screenshot | create:device_screenshot | |
General | View device graphs | read:device_graph |
Device event feed | read:event_feed | |
Blueprints | View blueprints | read:blueprint (This setting is always enabled) |
Create blueprints | create:blueprint | |
Update blueprints | update:blueprint | |
Delete blueprints | delete:blueprint | |
Converge | create:device_command:CONVERGE | |
Change Device Blueprint | update:device:blueprint | |
Compliance policy | View compliance policy | read:compliance_policy |
Create compliance policy | create:compliance_policy | |
Update compliance policy | update:compliance_policy | |
Delete compliance policy | delete:compliance_policy | |
Provisioning templates | View provisioning templates | read:provisioning_template |
Create provisioning templates | create:provisioning_template | |
Update provisioning templates | update:provisioning_template | |
Delete provisioning templates | delete:provisioning_template | |
Add IMEI/Serial numbers in provisioning template | create:provisioning_template:imei_serial | |
Update IMEI/Serial numbers in provisioning template | update:provisioning_template:imei_serial | |
Delete IMEI/Serial numbers in provisioning template | delete:provisioning_template:imei_serial | |
Update Wi-Fi Management in provisioning templates | update:provisioning_template:wifi_management | |
App Management | View app management | read:app |
Manage Play Store Apps |
read:emm |
|
create:emm |
||
update:emm |
||
Upload Esper Android Apps |
create:app:esper_android |
|
Update Esper Android Apps |
update:app:esper_android |
|
Delete Esper Android Apps | delete:app:esper_android
|
|
Alerts | View alerts | read:alert |
Pipelines | View pipelines | read:pipeline |
Geofence | View geofence | read:geofence |
Reports | View reports | read:report |
Personal Access Tokens (API Keys) |
Manage Personal Access Tokens | read:personal_access_token |
create:personal_access_token | ||
update:personal_access_token | ||
delete:personal_access_token | ||
Foundation Updates |
View Foundation Builds & Update Configuration | read:foundation_build |
read:foundation_device_model | ||
Approve/Unapprove Foundation Builds | read:foundation_build | |
read:foundation_device_model | ||
update:foundation_build | ||
Update Automatic Update Configuration |
read:foundation_build | |
read:foundation_device_model | ||
update:foundation_device_model | ||
View Foundation Updates Event Feed | read:foundry_event |