
Atomic RBAC: Defining Granular Custom Roles for 500+ Admins

In large-scale enterprise environments managing hundreds of administrators across multiple sub-organizations, a “one-size-fits-all” admin role leaves every technician over-privileged: a single compromised or careless helpdesk account can reach every device in the tenant. Hexnode’s Atomic Role-Based Access Control (RBAC) allows organizations to define access at a granular level, ensuring technicians have exactly the permissions they need for their specific jurisdiction, and nothing more.

The Three Pillars of Atomic Access

Hexnode silos administrative actions along three distinct dimensions (what a technician may do, where they may do it, and which data objects they may see) to prevent “Neighbor Noise” (cross-tenant interference) and protect operational privacy.

1. Action-Based Granularity (Permissions)

Permissions are granted based on the technician’s specific tier. This is configured under Admin > Technicians and Roles > Roles.

  • Tier 1 (Helpdesk): Troubleshooting only. Permissions: Remote View, Device Locate, Passcode Reset.
  • Tier 2 (Systems): Management level. Permissions: App Deployment.
  • Tier 3 (Security/Architect): Full system authority. Keep this tier to a small number of named accounts; it is the role an attacker is after.

2. Scope-Based Boundaries (Jurisdiction)

Scope defines where a technician can exercise their actions. In Hexnode, scope is assigned during technician creation to create a “walled garden” for their sub-company.

  • Localized Management: An admin assigned to the “EMEA-Germany” scope is programmatically blocked from seeing devices in the “Americas” portal.
  • PII Protection: Global search and reporting engines apply the scope filter at query time, so results only ever contain devices and users inside the technician’s assigned node; PII from other sub-companies is never returned, not merely hidden in the UI.

3. Object-Based Filtering (Data Privacy)

This layer ensures that even if an admin can manage a device, they cannot see sensitive data “objects” associated with it. This is managed via:

  • View Restrictions (Admin > Technicians and Roles): Within a custom role, you can explicitly Allow a technician to access “Apps” while keeping “Scan Device Location” Unchecked/Blocked.
  • Example: A Senior SysAdmin can deploy software to a CEO’s laptop but is programmatically blocked from seeing the device’s real-time physical location.

Administrative Privacy & Audit Integrity

Hexnode maintains a forensic record of all administrative interactions, often referred to as the Technician Shadow.

  • Action Isolation: Activity logs for Sub-Company A are not visible to technicians in Sub-Company B; the scope filter applies to audit data as well as to devices.
  • Unified Audit Trail: Every interaction is recorded, including the originating IP, specific API calls triggered, and sub-second timestamps.
  • Identity Sync (SCIM 2.0): RBAC roles are mapped to your IdP (Okta/Entra ID) groups. When a technician’s group membership changes in the corporate directory, the IdP pushes the change over SCIM and their Hexnode permissions follow; removal from the group removes the role. Verify deprovisioning end to end (including the technician’s existing portal session) rather than assuming it.

RBAC Permission Matrix (Enterprise Template)

Privilege Group    Junior Helpdesk   Senior SysAdmin            Security Auditor
Remote View        Allowed           Allowed                    Allowed
Remote Control     Blocked           Allowed                    Blocked
Execute Scripts    Blocked           Allowed (validated only)   Blocked
Device Wipe        Blocked           Allowed                    Blocked
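The following Python model is an added example, not Hexnode's code or API, showing how the three dimensions above (action permissions, scope, object-level view restrictions), the IdP group-to-role mapping and the scope-filtered audit log compose into one deny-by-default decision. Role names, permission strings, group names, scopes and the two sample devices are all constructed for illustration; the only thing it claims is the shape of the check, namely that scope is tested before permission and that both must pass.

```python
# Reference model of the three-dimension check described above. Hypothetical
# example, not Hexnode's code or API: role names, permission strings, IdP group
# names, scopes and sample devices are all constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

# 1. Action-based granularity: what each role may do. Deny by default, so any
#    action missing from a role's set is blocked.
ROLE_PERMISSIONS = {
    "junior_helpdesk": {"remote_view", "device_locate", "passcode_reset"},
    "senior_sysadmin": {"remote_view", "remote_control", "app_deploy",
                        "execute_scripts", "device_wipe"},
    "security_auditor": {"remote_view", "read_audit_log"},
}

# 3. Object-based filtering: data objects a role must never see, even on a
#    device it is otherwise allowed to manage.
ROLE_BLOCKED_OBJECTS = {
    "senior_sysadmin": {"location"},          # the CEO-laptop case in the text
    "security_auditor": {"location", "installed_apps"},
}

# Identity sync: IdP group -> role. Groups not listed here confer nothing.
GROUP_TO_ROLE = {
    "mdm-helpdesk-t1": "junior_helpdesk",
    "mdm-sysadmin-t2": "senior_sysadmin",
    "mdm-sec-audit": "security_auditor",
}

AUDIT_LOG = []   # every decision lands here, allowed or not


@dataclass
class Technician:
    name: str
    idp_groups: set   # group memberships as pushed by the IdP (SCIM)
    scopes: set       # 2. jurisdiction, e.g. {"EMEA-Germany"}


@dataclass
class Device:
    device_id: str
    scope: str
    objects: dict     # e.g. {"location": (lat, lon), "installed_apps": [...]}


def roles_for(tech):
    return {GROUP_TO_ROLE[g] for g in tech.idp_groups if g in GROUP_TO_ROLE}


def permissions_for(tech):
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles_for(tech)))


def blocked_objects_for(tech):
    # Most restrictive wins: an object blocked by any held role stays hidden.
    return set().union(*(ROLE_BLOCKED_OBJECTS.get(r, set()) for r in roles_for(tech)))


def in_scope(tech, device):
    return device.scope in tech.scopes


def authorize(tech, action, device, source_ip="203.0.113.10"):
    """Scope check first, then the permission check; the decision is logged."""
    if not in_scope(tech, device):
        allowed, reason = False, "out_of_scope"
    elif action not in permissions_for(tech):
        allowed, reason = False, "permission_denied"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "technician": tech.name,
                      "source_ip": source_ip, "action": action, "device": device.device_id,
                      "scope": device.scope, "result": reason})
    return allowed


def visible_objects(tech, device):
    """Object filter: nothing for an out-of-scope device, blocked keys stripped otherwise."""
    if not in_scope(tech, device):
        return {}
    blocked = blocked_objects_for(tech)
    return {k: v for k, v in device.objects.items() if k not in blocked}


def search(tech, devices):
    """Global search honours jurisdiction: out-of-scope devices are never returned."""
    return [d for d in devices if in_scope(tech, d)]


def read_audit_log(tech):
    """Action isolation: log entries from other sub-companies are not visible."""
    if "read_audit_log" not in permissions_for(tech):
        return []
    return [e for e in AUDIT_LOG if e["scope"] in tech.scopes]


# Constructed sample data (not real devices or staff).
DEVICES = [
    Device("DE-LAPTOP-01", "EMEA-Germany", {"location": (52.52, 13.40), "installed_apps": ["slack"]}),
    Device("US-LAPTOP-CEO", "Americas", {"location": (37.77, -122.42), "installed_apps": ["zoom"]}),
]
HELPDESK = Technician("anna", {"mdm-helpdesk-t1"}, {"EMEA-Germany"})
SYSADMIN = Technician("ben", {"mdm-sysadmin-t2"}, {"EMEA-Germany", "Americas"})
AUDITOR = Technician("cara", {"mdm-sec-audit"}, {"Americas"})
```

Try it with `authorize(HELPDESK, "remote_view", DEVICES[1])`: the German helpdesk technician is refused before the permission table is even consulted, and the refusal is logged with the device's scope so that only an auditor for "Americas" can later read it. `visible_objects(SYSADMIN, DEVICES[1])` returns the CEO laptop's app list but no location key. Building a `Technician` with an empty `idp_groups` set is what a SCIM group removal looks like to the model: `permissions_for` returns the empty set and every `authorize` call is denied.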

Implementation Checklist

  1. Define Personas: Standardize your roles (T1, T2, T3, Auditor).
  2. Configure Custom Roles: Navigate to Admin > Technicians and Roles > Add Role to set atomic permissions.
  3. Map IdP Groups: Use Hexnode’s IdP integrations to link corporate directory groups to these roles.
  4. Define Scope: Assign technicians to specific Domain/OU Scopes to ensure they only see their respective sub-companies.
  5. Enable MFA: Enforce Multi-Factor Authentication for all administrative portal logins to protect RBAC integrity.