TABLE OF CONTENTS
Introduction
This section describes how to manage permissions that roles provide. Role groups are used to define which level of access, or access privileges to functions in ManagementStudio, ranging from view-only access to full administration rights. Management role groups simplify the assignment and maintenance of permissions to users in ManagementStudio. For example Power users and Restricted Users abilities. Anyone who wishes to use and interact with ManagementStudio must have a user account, and only an authenticated administrator can add, edit, and delete a user.
Default Role Groups
- Project Admin: A member of this group will be granted full administrative rights. They will have complete and unrestricted access to the entire ManagementStudio product.
- Project Member: A project member is a user who is assigned to a project. A member can be assigned to one or more projects and to one or more roles.
- Power User: By default, members of this group will be granted specific administrator rights and permissions to perform common system tasks.
- Api Connectors: Members of this group will be able to run the API commands and also the Connectors.
Role Group Permissions Explained
| Permissions | Description |
|---|---|
| Applications - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new Application. |
| Limit access to 'My Apps' | Allow the user to only see the apps assigned to them. |
| Lock | Ability to Lock an Application. |
| Archive | Ability to Archive an Application. |
| Delete | Ability to Delete an Application. |
| Importer | Ability to use the Data Importer to import Applications. |
| Disable Context Menu | Restrict access to the Context menu within the Applications module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in Applications. |
| Send Emails | Ability to send emails from the Applications module. |
| View Hidden Tab | Provides access to the Hidden tab within the Applications module. |
| Assigned To | Allow the user to be assigned Applications. |
| Owned By | Allow the user to be set as an owner of the Application. |
| Packaged By | Allows the user to be assigned an Application as a packager. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of an Application. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of an Application. |
| Configuration | Provides access to the Application configs within the Admin section. |
| Permission | Description |
|---|---|
| User Migrations - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new User Migration. |
| Limit access to 'My Users' | Allow the user to only see the Users assigned to them. |
| Lock | Ability to Lock a User Migration record. |
| Archive | Ability to Archive a User Migration. |
| Delete | Ability to Delete a User Migration. |
| Importer | Ability to use the Data Importer to import User Migrations. |
| Disable Context Menu | Restrict access to the Context menu within the User Migrations module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in the User Migrations module. |
| Send Emails | Ability to send emails from the User Migrations module. |
| View Hidden Tab | Provides access to the Hidden tab within the User Migrations module. |
| Initiate Migration | Ability to initiate a User Migration. |
| Assigned To | Allow the user to be assigned to a User Migration. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of a User Migration. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of a User Migration. |
| Configuration | Provides access to the User Migration configs within the Admin section. |
| Permission | Description |
|---|---|
| Devices - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new Device. |
| Limit access to 'My Devices' | Allow the user to only see the Devices assigned to them. |
| Lock | Ability to Lock a Device record. |
| Archive | Ability to Archive a Device. |
| Delete | Ability to Delete a Device. |
| Importer | Ability to use the Data Importer to import Devices. |
| Disable Context Menu | Restrict access to the Context menu within the Devices module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in the Devices module. |
| Send Emails | Ability to send emails from the Devices module. |
| View Hidden Tab | Provides access to the Hidden tab within the Devices module. |
| Initiate Migration | Ability to initiate a migration. |
| Assigned To | Allow the user to be assigned to a Device. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of a Device. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of a Device. |
| Configuration | Provides access to the Devices configs within the Admin section. |
| Permission | Description |
|---|---|
| Mailboxes - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new Mailbox. |
| Limit access to 'My Mailboxes' | Allow the user to only see the Mailboxes assigned to them. |
| Lock | Ability to Lock a Mailbox record. |
| Archive | Ability to Archive a Mailbox record. |
| Delete | Ability to Delete a Mailbox. |
| Importer | Ability to use the Data Importer to import Mailboxes. |
| Disable Context Menu | Restrict access to the Context menu within the Mailboxes module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in Mailboxes. |
| Send Emails | Ability to send emails from the Mailboxes module. |
| View Hidden Tab | Provides access to the Hidden tab within the Mailboxes module. |
| Assigned To | Allow the user to be assigned to a Mailbox. |
| Initiate Migration | Ability to initiate a migration. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of a Mailbox. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of a Mailbox. |
| Configuration | Provides access to the Mailbox configs within the Admin section. |
| Permission | Description |
|---|---|
| Bespoke - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new Bespoke item. |
| Limit access to 'My Bespokes' | Allow the user to only see the Bespokes items assigned to them. |
| Lock | Ability to Lock a Bespoke record. |
| Archive | Ability to Archive a Bespoke item. |
| Delete | Ability to Delete a Bespoke item. |
| Importer | Ability to use the Data Importer to import Bespoke items. |
| Disable Context Menu | Restrict access to the Context menu within the Bespoke module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in the Bespoke module. |
| Send Emails | Ability to send emails from the Bespoke module. |
| View Hidden Tab | Provides access to the Hidden tab within the Bespoke module. |
| Initiate Migration | Ability to initiate a migration. |
| Assigned To | Allow the user to be assigned to a Bespoke item. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of a Bespoke item. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of a Bespoke item. |
| Configuration | Provides access to the Bespoke configs within the Admin section. |
| Permission | Description |
|---|---|
| Deployment Units - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new Deployment Unit. |
| Limit access to 'My Deployment Units' | Allow the user to only see the Deployment Units assigned to them. |
| Lock | Ability to Lock and unlock a Deployment Unit. |
| Archive | Ability to Archive and unarchive a Deployment Unit. |
| Delete | Ability to Delete and undelete a Deployment Unit. |
| Importer | Ability to use the Data Importer to import Deployment Units. |
| Disable Context Menu | Restrict access to the Context menu within the Deployment Unit module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in Deployment Units. |
| Send Emails | Ability to send emails from the Deployment Units module. |
| View Hidden Tab | Provides access to the Hidden tab within the Deployment Unit module. |
| Initiate Migration | Ability to initiate a migration. |
| Populate Deployment Units | Ability to populate and manage a Deployment unit. |
| Customise Scheduling Slots | Ability to edit and customise migration timeslots in a Deployment Unit. |
| Update Migration Slot | Ability to override and update a Migration slot. |
| Assigned To | Allow the user to be assigned to a deployment unit. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of a deployment unit. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of a deployment unit. |
| Configuration | Provides access to the Deployment unit configs within the Admin section. |
| Permission | Description |
|---|---|
| Defects - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new Defect. |
| Limit access to 'My Defects' | Allow the user to only see the Defects assigned to them. |
| Lock | Ability to Lock and unlock a Defect. |
| Archive | Ability to Archive and unarchive a Defect. |
| Delete | Ability to Delete and undelete a Defect. |
| Importer | Ability to use the Data Importer to import Defects. |
| Disable Context Menu | Restrict access to the Context menu within the Defects module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in Defects. |
| Send Emails | Ability to send emails from the Defects module. |
| View Hidden Tab | Provides access to the Hidden tab within the Defects module. |
| Assigned To | Allow the user to be assigned to a Defect. |
| Delegate To 1 | Allows the user to be set as a Delegate 1 of a Defect. |
| Delegate To 2 | Allows the user to be set as a Delegate 2 of a Defect. |
| Configuration | Provides access to the Defects configs within the Admin section. |
| Permission | Description |
|---|---|
| Tasks - Deny Access |Read /Write |Read only | |
| Create | Ability to create a new a New Task. |
| Limit access to 'My Tasks' | Allow the user to only see the Tasks assigned to them. |
| Lock | Ability to Lock and unlock a Task. |
| Archive | Ability to Archive and unarchive a Task. |
| Delete | Ability to Delete and undelete a Task. |
| Importer | Ability to use the Data Importer to import Tasks. |
| Disable Context Menu | Restrict access to the Context menu within the Tasks module. |
| Run Custom Actions | Ability to run Custom Actions via the context menu in the Tasks module. |
| Send Emails | Ability to send emails from the Tasks module. |
| Assigned To | Allow the user to be assigned to a Task. |
| Configuration | Provides access to the Tasks configs within the Admin section. |
| Permission | Description |
|---|---|
| Contact | |
| Create | Ability to create a new Contact. |
| Edit | Ability to edit a Contact record. |
| Delete | Ability to Delete and undelete a Contact. |
| Importer | Ability to use the Data Importer to import Contacts. |
| Permission | Description |
|---|---|
| Link | |
| Create | Ability to create a new Link between modules. |
| Reject | Ability to Reject a link. |
| Delete | Ability to Delete and undelete a link. |
| Importer | Ability to use the Data Importer to import links. |
| Bulk Read | |
| Configuration | Provides access to the Links configs within the Admin section. |
| Permission | Description |
|---|---|
| Project | |
| Member | Grants the User access to the project. |
| Manage Notifications | Ability to manage project notifications. |
| View Email Queue | Provides the ability to view the email messaging queue. |
| Edit Email Queue | Provides the ability to edit the email messaging queue. |
| Run Scripts As | This enables the User to run a script directly. |
| Send Project Emails | Ability to Send project emails. |
| Project Config Roles | |
| Admin UI Access | Grants the user access to the default Admin UI. |
| Manage Global Configuration | Provides access to edit and manage the Global settings such as email settings, and global portal localisation. |
| Manage Project Configuration | Provides access to manage the Project settings. General settings, Email Templates, Housekeeping tasks and portal localisation. |
| Manage Extensions (All Req. Manage Extensions) (ESM Required - Configuration in Module Type) i.e. Enable Configuration in the required module to gain access. | |
| Manage Extensions | Provides access to manage Extensions such as connectors, ESM, plugins, and custom settings. |
| Access ESM Plans | Provides access to manage ESM plans |
| Access Connectors | Provides access to Manage the Connectors. |
| Access Connectors UI | Provides access to the Connectors UI. |
| Access Custom Settings | Provides access to the Custom settings UI. |
| Manage Micro Update Service | Ability to configure the micro update services. This allows records to be updated from an external tool (e.g. SCCM) by reading a micro update file from a shared location. |
| Manage Project Resources | Provides access to the project resources UI to allow upload of files that can be used as images in email templates or as an attachment. |
| Manage Contacts (Req. Manage Tabs, Details, Menu Items) | Provides access to configure the contacts UI. You need to enable the 'Manage Tabs, Details, Menu Items' within the Module Config Roles below. If you require the ability to delete contacts, please include the granular permissions with the ‘Contact Permissions’. |
| Manage Blueprints | Provides access to create and edit Blueprints in a Project. |
| Manage Custom Forms | Ability to create and edit Custom forms. |
| Manage Scheduled Tasks | Provides access to create and edit Scheduled tasks in a Project. |
| Manage Scripts, Emails, Buttons (Required 'Query User Accounts') Please enable the 'Query User Accounts' within User Account Roles below. | |
| Manage Scripts | Provides access to configure and manage PowerShell Scripts. |
| Manage Email Templates | Ability to create and edit email templates. |
| Manage UI Buttons | Ability to create and manage the UI buttons. |
| Apply Software Updates | Ability to apply Software Updates. |
| View Software License | Ability to view Software License. The user can additionally create a new project, get the license key and apply a new key. |
| Module Config Roles (Apps, Users, Devices, Mailboxes, Bespokes, Deployment Units, Defects, Tasks) Pair these roles with the 'configuration' role per module e.g. Apps, Users, Devices etc. | |
| Manage Tabs, Details, Menu Items | Allows access to the Main Tabs, Details & Menu Items within the required modules(s). |
| Manage Workflow | Allows access to manage the workflow within the required module(s). |
| Portal Configuration | |
| Access Portal Configuration | Provides access to the portal settings. In this area, an admin can configure the web portal of Managementstudio, these are pages users interact with outside the client. |
| Manage Portal Wrappers | Ability to manage portal wrappers |
| Delete Portal Wrappers | Ability to delete portal wrappers |
| Manage Portal Pages | Ability to manage portal pages. |
| Delete Portal Pages | Ability to delete portal pages. |
| Manage Surveys | Provides access to manage Surveys. |
| Delete Surveys | Allows the user to delete Surveys. |
| Manage Test Types | Ability to create and edit Test Types. |
| Delete Test Types | Ability to delete Test Types. |
| Manage Portal DMR Reports | Ability to manage portal DMR reports. |
| Manage Portal Dashboards | Ability to manage portal dashboards. |
| User Account Roles | |
| Manage User Accounts | Access to User Management in the Admin section. |
| Manage Role Groups | Access to User role management in the Admin section. |
| Manage Blueprint Rules | Provides access to manage and modify Blueprint rules. |
| Query User Accounts | Used by Api Account/ESM to validate User accounts and roles. |
| Api Elevated | Used by Api Account/ESM to validate some rule types. |
| Reports | |
| Run Endpoint Datamining Reports | Ability to run endpoint datamining reports. Please refer to this article for more information of the endpoint reports. |
| Run Endpoint Projection Reports | Ability to run endpoint projection reports. |
| Run Endpoint Blueprint Readiness Reports | Ability to run endpoint Blueprint readiness reports |
| Run Endpoint History Reports | Ability to run endpoint History reports. |
| User can't save new Datamining Reports | Prevent a user from saving a new datamining report. |
| User can't run Datamining Reports | Prevent a user from running a datamining report. |
| Cross Project Permissions | |
| Configuration | Ability to configure cross project settings for sharing assets between multiple projects. |
| Share Asset | Ability to Share assets to other projects. |
| Remove Asset | Ability to remove assets that have been shared from another project. |
Create a Role Group
| Step | Example |
| Switch to Administration view and select the Role Groups menu from within the User accounts, Roles and Permissions section. |  |
| Click on Click here to add new item |  |
| Enter a unique name for the role group and a brief optional description (1) Click Save Changes (2) |  |
| Click Edit Rules next to the newly created role group. |  |
| Grant the permissions required by going through the permissions section and selecting the appropriate permissions against each module. |  |
| Click Finished after selecting the required permissions. |  |
| Click Save Changes. |
Add a User to a Role Group
User permissions are granted by adding Roles to an account.
| Steps | Example |
| Switch to Administration view and select the MS User Accounts menu from within the User accounts, Roles and Permissions section. |  |
| Select the User or Users (1) (CTRL + Click to select multiple users). Right Click and select Add Roles (2) from the context menu. |  |
| Click a Role or Roles (1) (CTRL + Click to select multiple roles). Then Click Add Roles (2). |  |
Remove a User from a Role Group
| Steps | Example |
| Switch to Administration view and select the MS User Accounts menu from within the User accounts, Roles and Permissions section. |  |
| Select the User or Users (1) (CTRL + Click to select multiple users). Right Click and select Remove Roles (2) from the context menu. |  |
| Click a Role or Roles (1) (CTRL + Click to select multiple roles). Then Click Remove Roles (2). |  |
Further Support
If you require further support, please visit ManagementStudio's Service Desk to search the knowledge base or create a new support ticket.