You may have use cases that go beyond Esper’s standard roles. With Custom Roles, also known as RBAC (Role Based Access Control), you can set up read, write, and remove permissions for various Esper features.
By default, a wide array of permissions are available for the built-in Admin and Viewer roles. With Custom Roles, you can restrict permissions beyond those currently available to meet your organization’s needs.
Requirements
- You’ll need to be an Enterprise Administrator to create a Custom Role.
Creating a Custom Role
Enterprise Admins can create Custom Roles and assign them when they invite users. These roles can be viewed at any time by navigating to User Management > Roles.
Step 1: Create a Custom Role
To get started, navigate to your profile and select User Management.
Then select Roles.
In the Roles tab, you’ll see a list of the previously created roles. To add a new Custom Role, press Add Custom Role.
Then, name the Custom Role and add a description. In this example, we’ll be creating a Support Technician role that can view device information and perform basic troubleshooting.
What does "applied globally" mean?
Currently, only device event feed permissions are applied globally. That means the event feed module appears throughout the console in the form of toast messages.
If a user can't view the event feed, they also won't be able to view messages such as the one above. Take that into account when creating custom roles.
Step 2: Select Permissions for Devices & Groups
The first set of permissions is Devices & Groups. Each option refers to a setting in a Device or a Group.
When you select an option, you give users permission to view and manage settings and perform actions for different Devices or Groups. If an option is unchecked, the user won’t be able to perform any actions for that setting, but they’ll still be able to view it.
In the following example, the Administrator has allowed the user to reboot and ping individual devices or Groups in the Devices & Groups section. However, they won’t be able to perform other actions, such as a screen lock or removal.
As you begin selecting options, you may notice that the access options change. You can quickly select from the following options:
- No access: all permissions for that section will be disabled.
- All access: all permissions for that section will be enabled.
- Custom access: choose the permissions to enable or disable.
You can also quickly enable all permissions in a section by clicking Select all.
As you hover over settings, you’ll see a popup with the API scope the setting relates to. You can learn more about these commands in Common API Commands.
Step 3: Select Permissions for Other Sections
The following sections have customizable permissions:
- Blueprints
- Compliance Policy
- Provisioning Templates
- App Management
- Support Tickets
Users will always need view access to perform other actions in that section.
Esper Android apps refer to Enterprise apps for Android devices.
We recommend enabling Support Tickets for all user roles, unless your organization has its own ticketing system for Esper support.
Other sections are currently view only:
- Alerts
- Pipelines
- Geofence
- Reports
- Personal Access Tokens (API Keys)
Users will need view access to App Management to fully create or edit a Provisioning Template.
The following scopes are only available to some users. If your organization uses Esper Foundation, you can configure a role to manage Foundation updates.
Need to give a user access beyond what’s listed here? Contact Esper.
Step 3: Save the Role
After you’ve customized the role’s permissions, remember to click Save. Alternatively, if you’d like to start over, press Revert to reset any changes or Cancel to discard your changes.
You’ll be able to view the role and its permissions in User Management > Roles. You can also search for roles using the Search Role box.
Click on the role to view its details.
Assigning the Custom Role
Step 4: Assign Users to the Role
After you’ve created the role, you can apply that role to new or existing users.
New Users
To apply the role to new users, go to User Management, click Invite New User, and select that role.
Press Continue.
Then, specify Group access.
- All Groups Access: The role will have access to all Groups and devices in that tenant.
- Custom Group Access: The role will have access to only the Groups and devices selected.
Then press Invite or Save if editing a user’s role.
Existing Users
To apply the role to existing users, go to User Management > Users. Click on the ellipsis (...) under the Actions heading and select Edit user details.
Then select the role and press Save.
Editing or Deleting a Role
To edit or delete a role, locate that role in User Management > Roles.
Then click on the ellipsis (...) and select Edit.
Alternatively, click on an existing role and press Edit.
Once you’re done editing, press Save. Allow up to 10 minutes for changes to take effect. Users can log out and log back in again to see their updated permissions in the Console immediately.
To delete a role, click on the ellipsis (...) and select Delete.
Fixing Policy Violations
Some scopes require other scopes. If a required scope is not enabled when a role is saved, you'll be asked to enable all the required scopes before you create the role.
Press Fix All to enable the required scopes.
Then preview the new scopes and press Save to create the role.
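When planning a least-privilege role on paper, the same dependency check can be modelled before opening the console. The following is an added example, not Esper's code: the `section:action` scope names and the `CROSS_SECTION` map are hypothetical placeholders built only from the rules this article states (view access is needed for other actions in a section, App Management view is needed to create or edit a Provisioning Template, and the event feed controls toast messages).

```python
# Added example. Scope names are hypothetical "section:action" placeholders;
# Esper's real API scope identifiers are shown in the console hover popups.

# Cross-section rule stated in the article: creating or editing a
# Provisioning Template also needs view access to App Management.
CROSS_SECTION = {
    "provisioning_templates:write": {"app_management:view"},
}

def direct_requirements(scope):
    """Scopes that `scope` needs directly, per the article's two rules."""
    section, action = scope.split(":", 1)
    deps = set(CROSS_SECTION.get(scope, ()))
    if action != "view":
        # Any non-view action in a section needs view access to that section.
        deps.add(f"{section}:view")
    return deps

def required_closure(scopes):
    """Selected scopes plus everything they require, followed transitively."""
    needed, stack = set(scopes), list(scopes)
    while stack:
        for dep in direct_requirements(stack.pop()):
            if dep not in needed:
                needed.add(dep)
                stack.append(dep)
    return needed

def review_role(scopes):
    """Report what a 'Fix All' style step would add, plus the global caveat."""
    scopes = set(scopes)
    missing = required_closure(scopes) - scopes
    warnings = []
    if "event_feed:view" not in scopes:
        # Event feed permissions apply globally: without them the user
        # will not see toast messages anywhere in the console.
        warnings.append("no event feed view: console toast messages hidden")
    return {
        "missing": sorted(missing),
        "fixed": sorted(scopes | missing),
        "warnings": warnings,
    }

if __name__ == "__main__":
    # Constructed sample: a role that can edit templates and view tickets.
    print(review_role({"provisioning_templates:write", "support_tickets:view"}))
```

Reviewing the `fixed` list before saving shows exactly which extra scopes the role gains, so the final grant can be compared against what the job actually needs.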
Create a Custom Support role to capture a variety of use cases.