Mastering Bitmasking for Permissions and Advanced RBAC Settings

In an enterprise environment, delegation is essential, but over-privileging is a security risk. For organizations on Ultra and Ultimate plans, Hexnode UEM provides Bit-Level Control—a granular permission system that goes beyond simple “on/off” switches.

By using Bitmasking, you can define exactly what a technician can see, what they can edit, and what they can trigger, ensuring the Principle of Least Privilege (PoLP) is maintained across your IT hierarchy.

What is Bitmasking?

Bitmasking is a technical method of treating permissions as individual “bits” of data that can be toggled on or off independently. Instead of a module being either “Accessible” or “Locked,” Bitmasking allows the Hexnode engine to evaluate specific layers of access simultaneously.

While the interface uses clear checkboxes for different functionalities, the backend processes these as a binary string (e.g., 1010), where each position represents a specific capability. This allows for lightning-fast security checks and the creation of highly nuanced roles.

The “No-Fly Zone”: Critical Restricted Permissions

Certain permissions are so fundamental to the stability of your UEM environment that they are designated as the No-Fly Zone. Granting these to custom roles should be done with extreme caution, as misuse can lead to unmanaged devices or global configuration loss.

  • Infrastructure & Connectivity
    • APNs Certificate Management: Replacing or deleting the Apple Push Notification service (APNs) certificate will break communication with all managed iOS and macOS devices. Recovery requires manual re-enrollment of the entire fleet.
    • Global API Settings: Access to API keys allows for programmatic control of the portal, bypassing UI-based security checks.
  • Enrollment & Deployment
    • Enrollment Profile Deletion: Deleting profiles associated with Apple DEP (ADE) or Android Zero-Touch can disrupt automated deployment workflows for new hardware.
    • Privacy Settings: The ability to toggle location tracking or data collection should be restricted to ensure regional compliance (e.g., GDPR).

Technical Guardrails: The Power Ceiling

To prevent security loopholes, Hexnode implements built-in technical guardrails. These ensure that no technician can ever “outmaneuver” the system to gain higher privileges.

Privilege Escalation Prevention

A Custom Role is governed by a “Power Ceiling”. A technician can only create or edit other technicians with permissions that are equal to or lower than their own.

Example: If a manager does not have the “Wipe” (Execute) permission, they cannot create a new technician role that includes the “Wipe” permission.

Super Admin Immunity

The system identifies the original Super Admin as an immutable entity.

  • No Modifications: Custom roles are programmatically blocked from editing, deactivating, or changing the password of a Super Admin.
  • No Deletions: To prevent accidental lockout of the entire portal, the Super Admin account cannot be deleted by any custom role, regardless of how many “Modify” bits are assigned to them.
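The three checks described above (a bit-level permission test, the Power Ceiling from the "Wipe" example, and Super Admin Immunity) as a worked Python example. This is added illustration, not Hexnode's code; the bit names and positions, the `SUPER_ADMIN` identifier and the function names are assumptions.

```python
from enum import IntFlag

class Perm(IntFlag):
    """Hypothetical per-module permission bits; Hexnode's real bit layout is not
    published on this page, so these names and positions are assumptions."""
    VIEW = 1 << 0     # see the module
    MODIFY = 1 << 1   # edit its settings
    EXECUTE = 1 << 2  # trigger actions such as "Wipe"
    DELETE = 1 << 3   # remove objects such as enrollment profiles

SUPER_ADMIN = "super_admin"  # constructed identifier for the immutable account

def mask_from_bitstring(bits: str) -> int:
    """Parse a backend-style binary string such as "1010" (MSB = DELETE)."""
    return int(bits, 2)

def has_permission(role_mask: int, required: int) -> bool:
    """One AND checks every required bit at once: no loop over checkboxes."""
    return (int(role_mask) & int(required)) == int(required)

def within_power_ceiling(creator_mask: int, requested_mask: int) -> bool:
    """Power Ceiling: requested & ~creator isolates bits the creator lacks;
    the new role is allowed only if that set is empty."""
    return (int(requested_mask) & ~int(creator_mask)) == 0

def create_role(creator_mask: int, requested_mask: int) -> int:
    """Return the new role's mask, or refuse the escalation attempt."""
    if not within_power_ceiling(creator_mask, requested_mask):
        excess = Perm(int(requested_mask) & ~int(creator_mask))
        raise PermissionError(f"exceeds creator's ceiling: {excess}")
    return int(requested_mask)

def can_modify_technician(actor: str, actor_mask: int, target: str) -> bool:
    """Super Admin Immunity: the Super Admin is off-limits to every custom role,
    however many MODIFY bits the actor holds."""
    if target == SUPER_ADMIN and actor != SUPER_ADMIN:
        return False
    return has_permission(actor_mask, Perm.MODIFY)

if __name__ == "__main__":
    manager = Perm.VIEW | Perm.MODIFY          # no EXECUTE, so no "Wipe"
    print(create_role(manager, Perm.VIEW))     # fine: subset of the ceiling
    try:
        create_role(manager, Perm.VIEW | Perm.EXECUTE)
    except PermissionError as e:
        print("blocked:", e)
```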

Setting Up Advanced Roles

  1. Navigate to Admin > Technicians and Roles.
  2. Click the Roles tab and select Add Role.
  3. Name the role and provide a clear description (e.g., “Regional Support – iOS Only”).
  4. Specify the permissions for the role.
  5. Save the role and assign it to the desired user.