User Management permissions were created with custom admin roles in mind. Use Restricted when you need to limit a custom admin to delegating only what they already have. For example, a franchise operator can onboard users within their own location but cannot assign permissions outside their own role. Use Unrestricted when you want to closely mirror the default Enterprise Admin role.
Custom admins can be created in User Management > Custom Roles. Three User Management permissions support Restricted and Unrestricted access levels: View user roles, Update users, and Create user/SSO invites. These settings control how much access a custom admin can extend to other users when inviting, updating, or viewing roles in the Console.
In this article:
- Restricting role assignment for custom admins
- How the permission check works
- Unrestricted vs. restricted behavior
- Group access
- What to expect in the Console
Restricting role assignment for custom admins
Restricted role assignment prevents custom-role users from granting another user more access than they have themselves. When enabled, a custom admin can only assign roles whose permissions fall within their own.
Without this restriction, a custom admin with invite access could invite a new user and assign a high-privilege role such as Enterprise Admin, even if that admin doesn't hold those permissions themselves.
How the permission check works
When restricted role assignment is active, the system compares the actual permission sets of both roles. A user can assign a role only if every permission in the target role is also present in their own role.
This check is not based on role names, role ranking, or permission count. Only the scopes contained in the role are checked.
Example
| Allowed Custom Admin Action | Blocked Custom Admin Action |
| --- | --- |
| A custom admin has Lock device and Reboot device. They try to assign a role that only has Reboot device. The assignment is allowed because the target role contains no permission outside the admin's own set. | A custom admin has Reboot device plus nine other permissions. They try to assign a role that contains only Wipe device. The assignment is blocked because Wipe device is not in the admin's own role, even though the target role has fewer total permissions. |
Think of it as "you can only delegate what you already have," NOT "you can assign roles below your title."
Unrestricted vs. restricted behavior
| Permission | Restricted | Unrestricted |
| --- | --- | --- |
| Update users | Can only change a user's role to one whose permissions are contained in their own custom role. | Can update other users' roles. |
| View user roles | Can only view roles whose permissions are contained in their own custom role. | Can view all roles in the role list. |
| Create user/SSO invites | Can only invite users and assign them a role if that role's permissions are a subset of their own role. | Can invite any user to any role. |
When configuring a custom role, the following User Management permissions can be set to either Unrestricted or Restricted:
- Creating user or SSO invites
- Updating an existing user's role
- Viewing and selecting roles in role lists
Unrestricted preserves the existing behavior. The user can assign roles without the subset check for that permission.
Restricted enforces the subset rule. The user can only assign roles whose permissions are already contained in their own role, and cannot assign high-privilege default roles like Enterprise Admin unless those roles pass the same check.
When role viewing is restricted, the role picker in the Console only shows roles the user is eligible to assign. Roles outside the user's assignable set are hidden from the list.
Group access
Restricted users can only grant group access they already hold.
- A user with access to Group A can assign another user to Group A.
- They cannot assign Group B if they don't have access to Group B.
- They cannot grant All Groups access unless they also have All Groups access.
Example Scenarios
Invite allowed: A custom admin has restricted create-user-invite permission, Reboot device permission, and access to Group A. They invite a new user into a custom role that has Reboot device and access to Group A. The invite is allowed because the role permissions and group access both fall within the admin's own access.
Invite blocked: The same admin tries to invite a user as Enterprise Admin. The action is blocked because Enterprise Admin includes permissions outside the admin's own role.
Role update blocked: A custom admin tries to update an existing user's role to one with broader permissions. The update is blocked because the target role is not a subset of the admin's own permissions.
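The following is an added example, not code from the Console or its vendor, showing how the subset rule described under "How the permission check works", the per-permission Restricted/Unrestricted setting, the group access rules and the restricted role picker fit together as one decision function. It also replays the scenarios above. The `Role` and `Admin` classes, the `"invite"`/`"update"`/`"view"` setting names, the `ALL_GROUPS` sentinel and all sample roles and scopes are constructed for illustration and are not the product's data model.

```python
from dataclasses import dataclass

# Constructed model for illustration only: the role, permission and setting
# names below are assumptions, not the Console's own API or data model.

ALL_GROUPS = "All Groups"  # constructed sentinel for All Groups access


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # the scopes the role contains, e.g. "Reboot device"


@dataclass(frozen=True)
class Admin:
    """A custom admin: the scopes of their own role, their group access, and
    which User Management permissions are set to Restricted on that role."""
    permissions: frozenset
    groups: frozenset = frozenset()
    restricted: frozenset = frozenset()  # subset of {"invite", "update", "view"}


def group_access_within(requested: frozenset, own: frozenset) -> bool:
    """Group rule: a restricted user can only grant group access they hold,
    and All Groups can only be granted by someone who has All Groups."""
    if ALL_GROUPS in own:
        return True
    if ALL_GROUPS in requested:
        return False
    return requested <= own


def can_assign(admin: Admin, target: Role, action: str,
               groups: frozenset = frozenset()) -> bool:
    """Decide whether `admin` may perform `action` ("invite", "update" or
    "view") for `target`, granting the requested `groups` access.

    Unrestricted: existing behaviour, no subset check for that permission.
    Restricted: every scope in the target role must already be in the admin's
    own role, and the requested group access must be within the admin's own.
    Role names, role rank and permission counts play no part in the decision.
    """
    if action not in admin.restricted:
        return True
    return (target.permissions <= admin.permissions
            and group_access_within(groups, admin.groups))


def eligible_roles(admin: Admin, roles: list) -> list:
    """Role picker with View user roles set to Restricted: only roles the admin
    is eligible to assign are listed; everything else is hidden."""
    return [r for r in roles if can_assign(admin, r, "view")]


# Constructed sample roles.
REBOOT_ONLY = Role("Reboot only", frozenset({"Reboot device"}))
WIPE_ONLY = Role("Wipe only", frozenset({"Wipe device"}))
# Stand-in for Enterprise Admin: a superset of everything the sample admins hold.
ENTERPRISE_ADMIN = Role("Enterprise Admin", frozenset({
    "Lock device", "Reboot device", "Wipe device", "Update users",
    "View user roles", "Create user/SSO invites"}))
ROLE_LIST = [REBOOT_ONLY, WIPE_ONLY, ENTERPRISE_ADMIN]

# Admin from the example table: Lock device and Reboot device, invites restricted.
LOCK_REBOOT_ADMIN = Admin(frozenset({"Lock device", "Reboot device"}),
                          restricted=frozenset({"invite"}))
# Admin with Reboot device plus nine other (constructed) scopes, none of them Wipe.
TEN_PERMISSION_ADMIN = Admin(
    frozenset({"Reboot device"} | {f"Scope {i}" for i in range(1, 10)}),
    restricted=frozenset({"invite"}))
# Admin from the scenarios: restricted invites, Reboot device, access to Group A.
GROUP_A_ADMIN = Admin(frozenset({"Reboot device"}), frozenset({"Group A"}),
                      restricted=frozenset({"invite", "update", "view"}))


if __name__ == "__main__":
    print(can_assign(LOCK_REBOOT_ADMIN, REBOOT_ONLY, "invite"))   # True
    print(can_assign(TEN_PERMISSION_ADMIN, WIPE_ONLY, "invite"))  # False: Wipe device not held
    print([r.name for r in eligible_roles(GROUP_A_ADMIN, ROLE_LIST)])  # ['Reboot only']
```

The second printed result is the point of the example: the ten-permission admin is blocked from assigning a one-permission role, because the comparison is on the scopes themselves, never on how many there are.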
What to expect in the Console
- Restricted custom admins may see a shorter list of roles in the role picker.
- Some default roles, including Enterprise Admin, may not appear for restricted admins.
- If a restricted admin attempts to assign a role or group outside their access, the action fails with a permission error.
- Enterprise Admins can create and manage custom roles with either unrestricted or restricted assignment behavior.