Quick question.
How many of you actually limit full-access roles in Hexnode?
Right now, we’ve got around 4–5 technicians with a custom role that basically has every permission enabled because “it’s easier.”
Starting to think that might not be a great idea.
33 Views
Yeah… that’s usually how it starts 😅.
We did the same in the beginning. Instead of defining proper roles, we just enabled all permissions for most of the team.
Works fine… until it doesn’t.
What made you change it, @noor_k ?
Two things.
First, someone edited a live policy thinking it was a test one. It pushed changes to way more devices than intended.
Second, we stepped back and realized that “full access” means everything — policy creation, deletion, device wipe, app removal, technician management… the whole portal.
Most people didn’t actually need that level of control. So, we broke it down into proper custom roles instead.
Same here. We now have separate roles:
Helpdesk → device-level actions only
Policy admin → policy management
App admin → app repository + deployments
Only a couple of people have a role with broad permissions.
Did that create delays? Do you have to ask someone else every time?
Not really.
Once roles are defined properly, people don’t feel restricted. They just don’t have unnecessary access anymore.
And if someone genuinely needs extra permissions for a task, we update the role temporarily.
The biggest benefit for us was risk reduction.
If a technician account gets compromised and it has full access, that’s serious damage. If it’s limited to just device-level actions, the impact is much smaller.
Makes sense. I think we gave broad access out of convenience, not necessity.
Time to clean that up.
Don't have an account? Sign up
