You may have use cases that go beyond Esper’s standard roles. With Custom Roles, also known as RBAC (Role Based Access Control), you can set up read, write, and remove permissions for a variety of Esper features.
By default, a wide array of permissions are available for the built-in Admin and Viewer roles. With Custom Roles, you can restrict permissions beyond what’s currently available to meet you and your organization’s needs.
Requirements
- You’ll need to be an Enterprise Administrator to create a Custom Role.
In this article:
Creating a Custom Role
Enterprise Admins can create Custom Roles and assign them when they invite users. These roles can be viewed any time by navigating to User Management > Roles.
Step 1 Create a Custom Role
To get started, navigate to your profile and select User Management.
Then select Roles.
In the Roles tab, you’ll see a list of the previously created roles. To add a new Custom Role, press Add Custom Role.
Then, name the Custom Role and add a description. In this example, we’ll be creating a Support Technician role who will be able to view device information and perform basic troubleshooting.
Step 2 Select Permissions for Devices & Groups
The first set of permissions is Devices & Groups. Each option refers to a setting in a Device or a Group.
When you select an option, you give users permission to view and manage settings and perform actions for different Devices or Groups. If an option is unchecked, the user won’t be able to perform any actions for that setting, but they’ll still be able to view it.
In the following example, the Administrator has allowed the user to reboot and ping individual devices or Groups in the Devices & Groups section. However, they won’t be able to perform other actions, such as a screen lock or removal.
As you begin selecting options, you may notice that the access options change. You can quickly select from the following options:
- No access: all permissions for that section will be disabled.
- All access: all permissions for that section will be enabled.
- Custom access: choose the permissions to enable or disable.
You can also quickly enable all permissions in a section by clicking Select all.
As you hover over settings, you’ll see a popup with the API scope the setting relates to. You can learn more about these commands in Common API Commands.
Step 3 Select Permissions for Other Sections
For all other sections, you can select view permissions.
- When you check the access boxes, users will be able to view these sections. However, they won’t be able perform any actions within these sections, such as creating a new alert, Template, or Blueprint.
- When you leave the access boxes unchecked, users won’t be able to view these sections or perform any actions in them either.
In the following example, we’ve given permissions to view Reports, Alerts, Provisioning Templates, and Compliance Policies. Even if these permissions are enabled, the user won’t have the ability to create, edit, or delete any of these features.
Other features such as Pipelines, Geofence, and App Management will be view-only.
Need to give a user access beyond what’s listed here? Contact Esper.
Step 3: Save the Role
After you’ve customized the role’s permissions, remember to click Save. Alternatively, if you’d like to start over, press Revert to reset any changes or Cancel to discard your changes.
You’ll be able to view the role and its permissions in User Management > Roles. You can also search for roles using the Search Role box.
Click on the role to view its details.
Assigning the Custom Role
Step 4: Assign Users to the Role
After you’ve created the role, you can apply that role to new or existing users.
New Users
To apply the role to new users, go to User Management and click Invite New User and select that role.
Press Continue.
Then, specify Group access.
- All Groups Access: The role will have access to all Groups and devices in that tenant.
- Custom Group Access: The role will have access to only the Groups and devices selected.
Then press Invite or Save if editing a user’s role.
Existing Users
To apply the role to existing users, go to the User Management > Users. Click on the ellipsis (...) under the Actions heading and select Edit user details.
Then select the role and press Save.
Editing or Deleting a Role
To edit or delete a role, locate that role in User Management > Roles.
Then click on the ellipsis (...) and select Edit.
Alternatively, click on an existing role and press Edit.
Once you’re done editing, press Save. Allow up to 10 minutes for changes to take effect. Users can log out and log back in again to see their updated permissions in the Console immediately.
To delete a role, click on the ellipsis (...) and select Delete.
Custom Role Examples
Need some ideas on how to create roles? We’ve provided a list of commonly created roles for our custom role. Modify these permissions to suit your needs.
Remote Support Agent
Esper Remote Viewer capabilities and its ability to target individual devices are especially useful to support agents.
We’ve allowed this agent to use a range of actions when it comes to interacting with the device remotely. Some of these actions, such as performing a factory reset, or locking a screen, should be considered for only highly-trained agents.
The agent will be able to interact with individual devices, but won’t be able to make changes to a Group.
In the next section, we’ve given the ability for the agent to manage apps on a device, capture logs, and view the App Management and Template sections of the platform. This allows them to quickly reference the apps on the device and its Template, Compliance Policy, or Blueprint settings.
If you are on the Templates experience, enabling or disabling the Blueprints settings will have no effect on the role. Likewise, if you are on the Blueprints experience, enabling or disabling Template and Compliance Policy settings will have no effect on the role.
In addition, they’ll have access to Remote Viewer and Control so that they’ll be able to see the device’s screen.
Finally, we've enabled the ability for the agent to view reports.
When designing a Support Agent role, it would be useful for Administrators to understand the types of reporting Support Agents need to implement troubleshooting and other assistance.
Site Administrator
A site administrator may be responsible for monitoring the day-to-day health of the device fleet. They’ll have the ability to receive alerts with the added ability to physically interact with those devices.
As an administrator, this person would need access to a wide range of actions and settings. Depending on their role, they may need to lock device screens if they notice suspicious activity, view graphs on a day to day basis, and use ADB to diagnose devices.
They’ll also have the ability to view other sections in the Console such as Geofences, Pipelines, and App Management. Enterprise Admins should work with Site Administrators to create Alerts and Geofences that make sense for their locations.
Sales
The product demo is another feature that’s possible with Esper. Sales agents can showcase popular features of a device, such as the ability to interact with different apps, as well as the ability to switch from multi-app to kiosk mode.
App Developer
Your organization’s app development team may not work in the same location where your devices are. You’d still like them to test the latest updates to the application without giving them full access to the fleet.
Consider if the developer will test a device in person or remotely. Access to Remote Viewer may help a remote developer, but graphs and logs are useful overall.
Create a Custom Support role to capture a variety of use cases.