14 DAY FREE TRIAL

No Search Results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Configurations
  3. General

Category filter

Configuring Custom Technician Roles

Jump To

Technicians are individuals who manage the Hexnode UEM console. A technician’s role determines their access control across various functionalities in the console. Hexnode UEM offers several predefined roles that can be assigned to the technicians based on their responsibilities. By default, there are four built-in technician roles on the Hexnode portal:

Super Admin: Super Admin is the first technician to sign-up for the Hexnode UEM portal. Super Admin is an all-time active technician and has complete control over the console.

Admin: Admins have full privileges and can access all the functionalities in the portal.

Apps and Reports Manager: Apps and Reports Manager has permissions only across the following features: Apps and Reports.

Reports Manager: A Reports Manager has permissions only for Reports and the Hexnode UEM Dashboard.

Custom Roles

The custom roles let you manage a technician’s accessibility over the Hexnode UEM portal. It defines the technician privileges at the granular level.

Configuring custom roles involves a step-by-step procedure. First, determine the permissions that should be available. The permissions specify various functionalities that they can view or modify. Next, create as many roles as required based on the needs and assign each technician a role. Further specifying the scope provides a proper authorization setting that ensures they have just the necessary permissions. With changes in requirements, you can also modify the privileges of a custom role.

Scope

The scope identifies the target endpoints – devices, device groups, users, user groups, or domains that the technicians can manage. The technician is permitted only to the defined scope while setting up configurations, associating policies, executing actions, or retrieving the reports. You can specify the scope of a technician while assigning a role. However, the scope can be redefined later.

Note:

  1. The predefined roles will have full scope across the portal.
  2. Only the Super Admin and Admins can create custom roles or define the technician scope.

Add Custom Role

To create new roles on the Hexnode console,

  1. Log in to the Hexnode portal.
  2. Navigate to Admin > Technicians and Roles.
  3. Click on Add Role.
  4. Provide a Name and Description.
  5. Next, specify the permissions.
    Allow or disallow access to various features
    1. Dashboard
    2. Enroll
    3. Manage
    4. Policies
    5. Apps
    6. Content
    7. Reports
    8. Admin

    Note:


    Restricting access to a specific tab makes all the associated functionalities unavailable for a custom role. Yet, if the same functionalities are available on a different tab, they can access them, provided they are permitted to this tab.

    For instance, if the Admin tab is disallowed, a technician cannot manage the Azure AD configurations, Active Directory settings, etc., using the Admin tab. But, permitting the Enroll tab enables the technician to access the same configurations from the Enroll tab.


    6. Permitting various remote actions, a technician can execute

    Firstly, you can determine if the role should have complete access to all the remote actions by enabling/disabling the Actions option. In addition, you may also individually specify each action that should be permitted. Depending on a technician’s responsibility, any or all actions can be permitted, and the technician can execute them across its scope.

    Note:


    Only those remote actions defined in the custom role will be permitted by default. Any new actions on the console should be explicitly included in the custom role to permit them. Only then can the technician execute them.


    Exception:


    Under the Manage tab, you can only manage permissions for the remote actions supported on the devices. Other actions or functionalities will be permitted by default and cannot be restricted. These include actions associated with devices, users, user groups, device groups and directory services like:

    1. Devices
      • Enroll
        • New Enrollment
        • Import Devices
    2. Users
      • Actions
        • New Enrollment
        • Add to user groups
        • Change Password
        • Delete User(s)
      • New User
      • Bulk user
      • Configure AD
    3. Device Groups
      • Actions
        • Delete Group
      • New Group
      • New Dynamic Group
      • Add Bulk Device with CSV
    4. User Groups
      • Actions
        • New Enrollment
        • Delete Group
      • New group
      • Configure AD
    5. Directory Services
      • Actions
        • New Enrollment
      • Configure AD


    Allow technicians to create/edit Dynamic Groups

    You can also permit technicians to create or edit dynamic groups. However, a technician can create/edit a dynamic group only if their scope includes all the devices. Hence, we suggest creating a dynamic group, including all the devices, and adding it to the technician’s scope.

  6. Click Save.

Assign Role

To assign a role while creating a new technician,

  1. Log in to the Hexnode console.
  2. Navigate to Admin > Technicians and Roles.
  3. Click on Add Technician.
  4. Under the Details section, you can configure the following information and settings:
    • Account Information
    • Single Sign On
    • CAPTCHA
    • Two Factor Authentication
    • Logout Automatically
  5. Click Next.
  6. The role-based settings for the given technician can be configured in the Role sub-section.
  7. Click on the Assign Role button.
  8. Choose the role and click Assign. You may select either the predefined roles or custom roles.
  9. For the custom roles, once the assigned role is listed, click the Define Scope button on its right.
  10. Finally, choose the scope for the given technician.
  11. Click Save.

Restricted features for a Custom Technician Role

Despite its privileges over the pre-determined functionalities, custom roles cannot perform any actions that might impact critical modules. It ensures that the permissions granted do not hinder the workflow of device management operations on the Hexnode UEM console.

For instance, custom roles cannot remove the Android Enterprise configurations integrated with the portal. Even if they have access to the Admin tab or Enroll tab, the Android Enterprise configurations that come within, like the Disenroll Organization action, remain restricted. It is because permitting the Disenroll Organization action enables them to disenroll the Android Enterprise from the portal, ultimately removing the devices enrolled in the program. Such important privileges are limited to predefined roles.

The custom roles are restricted from accessing the following functionalities in these tabs:

  1. Enroll tab
    • Authenticated Enrollment: They cannot set up authenticated enrollment if their scope does not include any users or user groups.
    • Android Enterprise: They are restricted from initiating the following actions under the Android Enterprise configurations: Sync Services and Disenroll Organization.
  2. Manage tab
    • Dynamic Groups: Custom roles can create new dynamic groups only if their scope includes all the devices.
  3. Apps tab
    • Actions that modify or remove the app, app groups, app catalogs or store layouts cannot be performed.
  4. Admin tab
    • APNS: Custom roles are restricted from deleting the APNS certificate configured on the portal.
    • Android Enterprise: They are restricted from initiating the following actions under the Android Enterprise configurations: Sync Services and Disenroll Organization.
    • G Suite: Modification or editing of G Suite configurations are not permitted.
    • Technicians and Roles: Custom roles cannot create, edit, or delete technicians and roles.
    • API: Permission to the API functionality is entirely disabled.
    • License: Though the custom roles may view the License page, they cannot edit it.

Change the assigned Role or Scope

While editing the technician info, you can also change its role or redefine its scope.

  1. Log in to the Hexnode console.
  2. Navigate to Admin > Technicians and Roles.
  3. Click on the More icon corresponding to the technician you want to edit.
  4. Choose Edit Technician.

    5. edit a technician in Hexnode

  5. It displays the information regarding the technician on the Details tab. To change the role, shift to the Role tab.
  6. Click on Edit Information displayed in the top-right corner.
  7. Either click on the Change Role button to re-assign a different role or click on Edit Scope to modify the scope.

    8. Change role and modify the scope of a technician in Hexnode

  8. Click Save.
Note:


Only the Super Admin or an Admin can edit the role/scope. However, an Admin cannot change its own role/scope.

Modify permissions of a Role

The custom roles can be modified at any time to reconsider their permissions. The specified changes will be reflected among the technicians assigned to this role.

To modify a role that is created,

  1. Log in to the Hexnode console.
  2. Navigate to Admin > Technicians and Roles.
  3. Move to the Roles sub-tab.
  4. Click on the More icon corresponding to the role to be modified.
  5. Choose Modify Role.

    6. Modify a role created on the Hexnode console

  6. Make the necessary changes.
  7. Click Save.

Clone a Role

After creating a role, you can make an identical copy using the Clone option.

To clone a technician role,

  1. Log in to the Hexnode console.
  2. Navigate to Admin > Technicians and Roles.
  3. Move to the Roles sub-tab.
  4. Identify the role and click on the More icon.
  5. Choose Clone.
  6. It creates an exact copy of the role. You may then modify the role name and the permissions.
  7. Click Save.

Delete a Role

The role that you no longer require can be deleted from the portal.

  1. Log in to the Hexnode console.
  2. Navigate to Admin > Technicians and Roles.
  3. Move to the Roles sub-tab.
  4. Identify the role and click on the More icon. Or, check the role and click on the Delete Role button.
  5. Click on Delete.
Note:


Roles cannot be deleted if assigned with at least one technician.

Pricing plans to manage Custom Technician Roles

There is no limit on the number of custom roles created on the Hexnode portal. However, custom roles can be created only if you are subscribed to the Ultimate and Ultra pricing plans.

Ultimate

If you subscribe to the Ultimate pricing plan, you can manage access to the various tabs on the Hexnode portal. The tabs include:

  1. Dashboard
  2. Enroll
  3. Manage
  4. Policies
  5. Apps
  6. Content
  7. Reports
  8. Admin

Ultra

Subscribing to the Ultra pricing plan lets you set granular level permissions for roles. The tabs, sub-tabs and other actions within, can be selectively delegated based on the technician’s responsibilities.

Here, you can determine if the roles should be permitted the execution of remote actions. Also, you can specify permissions for each remote action available under the Manage tab.

Note:

  1. Only those technicians assigned the roles, Super Admin or Admin, have permissions over the subscription page. The subscription page appears when you navigate Admin > License > Subscribe to change the pricing plan.
  2. Similarly, technicians except for the Super Admin and Admin cannot access the subscription page from the Billing option (that appears while clicking on the user icon displayed on the top-right of the portal).

Need more help?
Raise a Ticket Raise a Ticket
Ask Community Ask Community
Chat With us Chat With us
  • Configurations