You may have use cases that go beyond Esper’s standard roles. With Custom Roles, also known as RBAC (Role-Based Access Control), you can now set up read and write permissions for a variety of Esper features.
By default, a wide array of permissions is available for the built-in Enterprise Admin role. With Custom Roles, you can restrict Console and Device permissions beyond what’s currently available to meet your organization’s needs.
Requirements
- You’ll need to be an Enterprise Administrator to request a Custom Role.
- You’ll need to be on Esper Single Sign-On, the new authentication system.
Requesting a Custom Role
Enterprise Admins can create Custom Roles and assign them when they invite users.
Step 1 Request a Custom Role
To get started, navigate to your profile and select User Management.
Then select Request custom role.
You’ll be redirected to a form. Enter your registered Esper tenant email address and tenant information.
Then, name the Custom Role. In this example, we’ll be creating a Support Technician role that can view device information and perform basic troubleshooting.
Step 2 Select Permissions for the Console
Now, assign view permissions for Custom Features. Leave a feature checked if you want to enable it in the Console. If a feature is unchecked, the user won’t be able to view it.
In this case, this role will be able to view Reports, Alerts, Provisioning Templates, and Compliance Policies. Even if these permissions are enabled, the user won’t have the ability to create, edit, or delete anything for these features since this section of the form only applies to Read-Only permissions.
Other features, such as Pipelines, Geofence, and App Management, will be hidden for this role.
Step 3 Select Permissions for the Device
The next section relates to Device permissions. Refer to Device Settings for a description of these functions. If enabled, a user will be able to perform these actions on a device.
We’d like the user to be able to run basic commands, such as rebooting a device or pinging it to see if it’s reachable. They won’t be able to perform other functions, such as changing the branding on it or selecting its Wi-Fi access point.
Next, select what users will be able to do with regard to app management.
We don’t want these users to interact with Apps in any way, so we’ve left them all unchecked.
Finally, select how this user will interact with device logs, graphs, event feeds, and the remote viewer. If left checked, they’ll be able to view data and initiate remote viewer sessions.
Since this is a Support role, we want this user to be able to interact with logs, data, and the viewer. We’ve left all of the boxes checked, meaning they’ll be able to interact with all of these features.
(Optional) Provide Feedback to Esper
Is there a permission not listed here? Provide feedback and let us know. Feedback is not the same as enabling or disabling permissions (it won’t affect the role you’re currently creating).
Check Your Email
If you’re invited to the beta, you’ll receive an email from our team. We may also reach out to you for more information.
While this feature is in beta, we unfortunately won’t be able to accommodate all Custom Role requests.
Assigning the Custom Role
Once the requested Custom Role is created by Esper, you can assign it to a new or existing user. In the example below, we will add a new user. After entering an email address, notice that our new “Support Technician” role (marked with the Custom badge) is now an option in the Select User’s Role section.
Then select the role and press Invite.
Custom Role Examples
Need some ideas on how to create roles? We’ve provided a list of commonly created custom roles. Modify these permissions to suit your needs.
Support
For Support personnel, you usually want to grant them permissions to logs and Remote Viewer while restricting other functionality.
Console Features
Device Settings
The user will be able to perform basic tasks, such as rebooting a device or pinging it to check that it’s online.
App Management Functions
This user shouldn’t need access to Apps, so we’ve disabled all controls related to Apps.
Data and Remote View
We’ve given full permission for this user to view device data and initiate remote viewer sessions.
Third Party App Developer
If your apps are developed through a third party, you can give these developers partial access to your tenant to manage their apps and deployments.
Console Features
These users will probably want to view the App Management and Pipelines parts of the console, but won’t need access to other parts.
Device Settings
Usually, your third-party app developers won’t need to manage a device. However, if you’ll be sending them a device to test on, you may want to consider giving them access to more settings.
Device Apps
App developers may need to interact with all the app management settings.
Data and Remote View
Consider if the developer will test a device in person or remotely. A remote viewer may help a remote developer, but graphs and logs are useful overall.
Create a Custom Support role to capture a variety of use cases.