Limited Access Roles
A Limited Access Role is a type of Network Administrator that is restricted in both the scope of devices it can manage and the features it can access. This allows the creation of an administrator who only has access to specific devices in your Systems Manager network.
This article outlines how to create a Limited Access Role and apply it to a user, and describes the options available to these users.
Creating and Assigning a Limited Access Role
The following instructions outline how to create a limited access role, and assign it to specific device scopes by tag:
- In Dashboard, navigate to Systems Manager > Configure > General for a standalone SM network, or Network-wide > Configure > Administration in a combined network.
- Navigate to the Network Administration > Limited Access Roles section.
- Select Add a New Limited Access Role.
- Name the new Limited Access Role, and select which device tags this role should have the ability to manage. These can be static or dynamic tags, including schedules and geofencing.
- Click Save changes to save the role.
- Under the Network Admins section, select or create a user, and assign the newly-created Limited Access Role from the drop-down Privilege menu.
- Click Save changes.
Limited Access Role Functionality
When a Limited Access Admin logs into Dashboard, their view is restricted in terms of both devices and functionality. This accomplishes two goals: it simplifies the menu so users can quickly and easily access the tools they need, and it protects other managed devices from unwanted changes.
Devices List View and Commands
Users with a Limited Access Role have access to the clients list (Systems Manager > Monitor > Devices). They can view devices within their scoped role, and only have access to the “Command” menu. This allows them to perform common functions, such as sending notifications or locking devices into single app mode. Multiple devices can be selected at once, allowing these commands to be executed en masse.
Devices Details
Users with a Limited Access Role can access the client details page by navigating to Systems Manager > Monitor > Devices, and clicking on a specific client device. This allows them to access MDM commands. From here, users can clear passcodes, reboot devices, and (for iOS devices) initiate AirPlay for media sharing.
Limited access roles are unable to use potentially destructive Live Tools and MDM Commands such as Selective Wipe, Erase Device, Remote Desktop, and the Command Line tool.
Profiles and Settings
Users with a Limited Access Role can modify profiles and settings under Systems Manager > Manage > Profiles. Here, users can make changes to restrictions like disabling the camera, or managing content on the device via the backpack feature. Any profiles they manage are automatically scoped to devices tagged to them, including any geofence or schedule tags.
Please note that users with a Limited Access Role may only modify existing profiles; they cannot create or delete profiles.