Available Permissions
Overview
This page lists and explains the permissions available for use in Custom Roles.
This list is not complete, as the feature-set of RealmJoin is continually growing.
Please use Auto-Complete in Custom Roles' editor to see all currently available permissions.
We will expand this list over time.
As there are many permissions available, we will group them by topic for easier navigation.
Settings
CanReadSettingsDetails
The user gains access to Settings.
App Management
CanReadAppTable
The user gains read access to Package Management (Package Management List). This does not grant permission to the package details.
CanReadIntuneAppDetails
Given:
User has access to Package Management
The user gains read only access to Intune packages / package details.
CanReadRealmJoinAppDetails
Given:
User has access to Package Management
The user gains read only access to RealmJoin Client packages / package details.
CanChangeAppAssignments
Given:
User has access to Package Details
The user gains the ability to add/remove user or group assignments in a package's details.
CanChangeAppAssignmentSettings
Given:
User has access to Package Details
On RealmJoin Client packages, the option to change per-assignment settings will be shown and users can modify the settings.
CanEditAppArgs
Given:
User has access to Package Details
The user gains the ability to modify an app's command line arguments in Package Details.
CanEditAppAutomation
Given:
User has access to Package Details
The user gains the ability to modify an Intune app's automation settings, that is, if and when newer versions of the package from the store will be automatically rolled out to existing users.
CanEditAppDisplayName
Given:
User has access to Package Details
The user gains the ability to modify an app's display name.
CanEditAppExpertSettings
Given:
User has access to Package Details
The user gains the ability to modify an app's expert settings.
CanEditAppTechnicalApplicationOwners
Given:
User has access to Package Details
The user gains the ability to modify an app's Technical App. Owners in Config.
CanDeleteApp
Given:
User has access to Package Details
The user gains the ability to delete an app from Package Management. This will not remove the app from the package store and will not trigger uninstallations on existing deployments.
CanRequestSoftware
The user gains the ability to submit a software packaging request to RealmJoin.
Please combine this with either CanRequestSoftwareOrganic or CanRequestSoftwarePaas.
CanRequestSoftwareOrganic
The user gains the ability to submit an "organic" software package to RealmJoin for distribution via RealmJoin Client to specific users.
Organic packages contain raw and unprocessed application setups. When handling those, RealmJoin is used as a transport vehicle to move the zipped container to a specified location. Depending on its payload, the installer then has to be manually started by the user (if user mode) or a remote administrator or field service.
The software deployment will not be tested by RealmJoin.
CanRequestSoftwarePaas
The user gains the ability to submit a software packaging request to RealmJoin.
The software will be packaged by RealmJoin and will become available for consumption through the Package Store.
CanReadPackageStoreTable
The user gains access to the Package Store (Package Store List).
This does not grant permission to the package details or to subscribe to an app.
CanReadPackageStoreDetails
Given:
CanReadPackageStoreTable
Allow a user to inspect a package store offering. This does not grant permission to subscribe to an app.
CanSubscribeApp
Given:
CanReadPackageStoreDetails
Allow the user to subscribe to an offering from the Package Store.
CanSeeIntuneAppJson, CanSeeIntuneAppStoreJson, CanSeeRealmJoinAppJson, CanSeeRealmJoinAppStoreJson
Allow the user to see additional diagnostic JSON information for a package in Package Store or Package Management.
User Management
CanReadUserTable
The user gains the ability to see the list of all Entra ID users.
CanReadUserDetails
The user gains the ability to inspect an individual user's details.
CanSeeRealmJoinUserSettings
Given:
CanReadUserDetails
Allow the user to see/inspect RealmJoin Client Settings assigned to a specific user.
CanChangeRealmJoinUserSettings
Given:
CanReadUserDetails
CanSeeRealmJoinUserSettings
Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific user.
CanReadUserSettingTable
The user gains the ability to see the list of user settings (across all users) from the navigation.
CanReadUserSettingDetails
The user gains the ability to inspect all user settings' details.
CanSeeUserJsonAzureAD and CanSeeUserJsonRealmJoin
Given:
CanReadUserDetails
These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.
CanSeeUserSignIns
Given:
CanReadUserDetails
This permission allows a user to see Microsoft Entra user sign-in information as JSON in a separate tab.
Group Management
CanReadGroupTable
The user gains the ability to see the list of all Entra ID and RealmJoin internal groups.
CanReadGroupDetails
The user gains the ability to inspect an individual Microsoft Entra / RealmJoin internal group's details.
CanChangeGroupMembers
Given:
CanReadGroupDetails
The user gains the ability to add or remove members from groups.
CanDeleteGroup
Given:
CanReadGroupDetails
The user gains the ability to delete a group.
CanEditGroupDisplayName
Given:
CanReadGroupDetails
The user gains the ability to change a group's display name.
CanSeeGroupJsonAzureAD and CanSeeGroupJsonRealmJoin
Given:
CanReadGroupDetails
Allow the user to see diagnostic metadata about a Microsoft Entra or RealmJoin internal group, if "Show advanced info" is enabled in Settings.
CanSeeRealmJoinGroupSettings
Given:
CanReadGroupDetails
Allow the user to see/inspect RealmJoin Client Settings assigned to a specific group.
CanChangeRealmJoinGroupSettings
Given:
CanReadGroupDetails
CanSeeRealmJoinGroupSettings
Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific group.
CanReadGroupSettingTable
The user gains the ability to see the list of group settings (across all groups) from the navigation.
CanReadGroupSettingDetails
The user gains the ability to inspect all group settings' details.
Device Management
CanReadDeviceTable
The user gains the ability to see the list of all Entra ID devices.
CanReadDeviceDetails
The user gains the ability to inspect an individual device's details.
CanRequestDeviceLogs
The user can trigger collecting "Extended Logs" for a device using RealmJoin Client.
CanScanDevice
The user can trigger a Defender for Endpoint scan for a Windows device.
CanSyncDevice
The user can trigger an Intune sync for a managed Windows device.
CanChangeRealmJoinPrimaryUser
Allow the user to assign a different primary user in RealmJoin.
When transferring a Windows device to a different user, you should wipe the device from Intune.
When a new user logs on after the wipe, this will update the Intune and RealmJoin primary user automatically.
CanSeeDeviceAutopilotInformation
Allow the user to see a device's Autopilot information (if present).
CanSeeDeviceExtendedSecurityInformation
Allow the user to see a device's extended security information from Defender for Endpoint, if available.
CanSeeDeviceExternalLinks
Allow the user to see links to Intune, Microsoft Entra, etc. Only useful if the user is allowed to use these portals.
CanSeeDeviceJson...
These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.
CanSeeDeviceJsonAtp
CanSeeDeviceJsonAutopilot
CanSeeDeviceJsonAzureAD
CanSeeDeviceJsonIntune
CanSeeDeviceJsonRealmJoin
CanSeeDeviceNetworkInformation
Allow the user to see network information for a device if available.
This will include "Delivery Optimization" information if available.
CanSeeDeviceRealmJoinInformation
Allow the user to see RealmJoin Client details for a device.
CanSeeDeviceSafeguardHold
Allow the user to see the Safeguard Holds for a device.
Safeguard Holds indicate that a Windows device cannot upgrade to a newer version of Windows.
See Safeguard Holds (Microsoft Docs).
CanSeeDeviceSecurityInformation
Allow the user to see a device's security state, especially device compliance.
CanSeeDeviceSecurityRecommendations and CanSeeDeviceSecurityVulnerabilities
RealmJoin Portal can pull security recommendations and vulnerabilities from the Microsoft Security Center. These permissions allow a user to see the recommendations and the vulnerabilities for a device, respectively.
CanSeeDeviceUsers
Allow the user to see the device's logged-in user.
Be aware: Without this permission, a user who is able to see the device's details can still see the device's owner.
CanSeeWarranty
Allow the user to use the warranty tab for a device.
CanUseDeviceAnyDeskInterface
Allow the user to use / connect to a device using AnyDesk AnyConnect from RealmJoin Portal.
Organization
CanReadOrganizationDetails
Allow the user to see / read the Organization details.
CanSeeOrganizationJsonAzureAD
This permission allows a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.
Self Service Forms
CanReadSelfServiceFormsHistoryTable
The user can see the list of recent Self Service Forms submissions.
CanReadSelfServiceFormsHistoryDetails
The user can inspect individual Self Service Forms submission details and contents.
CanAddSelfServiceForms and CanDeleteSelfServiceForms
Given:
Self Service Forms are enabled for your tenant
User has access to Settings
The user can create new Self Service Forms or delete existing ones, respectively, in Settings->Self Service Forms.
Runbooks
CanSeeRunbooks
The user can see the list of available runbooks, limited by:
Object types (Users/Groups/Devices/Org) the user can see
Runbooks as limited by Runbook Permissions
This does not grant the right to actually start Runbook jobs.
CanRunRunbooks
The user can start Runbooks, if CanSeeRunbooks is given and the conditions listed there are met.
CanEditRunbookSchedules
If the user is able to see Runbooks, they can create/manage Runbook Schedules.
Logs
CanReadRunbookTable
Allow a user to see the Runbook Logs list.
CanReadRunbookDetails
Allow a user to inspect a Runbook Logs item and output.
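The "Given:" prerequisites listed on this page can be checked mechanically when reviewing a custom role, so that a role does not carry permissions that cannot take effect. The following Python is an added example, not RealmJoin code: it assumes a role is represented as a plain list of permission names (the Custom Roles editor's own format is not shown on this page), encodes only prerequisites that this page names as permissions, and uses a constructed sample role, `HELPDESK_ROLE`.

```python
# "Given:" prerequisites transcribed from this page (permission-named ones only).
ALL_OF = {
    "CanReadPackageStoreDetails": {"CanReadPackageStoreTable"},
    "CanSubscribeApp": {"CanReadPackageStoreDetails"},
    "CanChangeRealmJoinUserSettings": {"CanReadUserDetails", "CanSeeRealmJoinUserSettings"},
    "CanChangeRealmJoinGroupSettings": {"CanReadGroupDetails", "CanSeeRealmJoinGroupSettings"},
    "CanRunRunbooks": {"CanSeeRunbooks"},
    **{p: {"CanReadUserDetails"} for p in (
        "CanSeeRealmJoinUserSettings", "CanSeeUserJsonAzureAD",
        "CanSeeUserJsonRealmJoin", "CanSeeUserSignIns")},
    **{p: {"CanReadGroupDetails"} for p in (
        "CanChangeGroupMembers", "CanDeleteGroup", "CanEditGroupDisplayName",
        "CanSeeGroupJsonAzureAD", "CanSeeGroupJsonRealmJoin",
        "CanSeeRealmJoinGroupSettings")},
}
# "Please combine this with either ..." means at least one companion permission.
ANY_OF = {"CanRequestSoftware": {"CanRequestSoftwareOrganic", "CanRequestSoftwarePaas"}}


def missing_prerequisites(granted):
    """Map each granted permission to the prerequisites the role lacks."""
    granted = set(granted)
    findings = {}
    for perm in sorted(granted):
        needed, stack = set(), [perm]
        while stack:  # follow the prerequisite chain transitively
            for dep in ALL_OF.get(stack.pop(), ()):
                if dep not in needed:
                    needed.add(dep)
                    stack.append(dep)
        gaps = sorted(needed - granted)
        options = ANY_OF.get(perm)
        if options and not options & granted:
            gaps.append("one of: " + " | ".join(sorted(options)))
        if gaps:
            findings[perm] = gaps
    return findings


# Constructed sample role, not taken from a real tenant.
HELPDESK_ROLE = [
    "CanSubscribeApp", "CanReadUserDetails", "CanChangeRealmJoinUserSettings",
    "CanSeeRunbooks", "CanRunRunbooks", "CanRequestSoftware",
]

if __name__ == "__main__":
    for perm, gaps in missing_prerequisites(HELPDESK_ROLE).items():
        print(f"{perm}: missing {', '.join(gaps)}")
```

Prerequisites phrased on this page as "User has access to Package Details" or "User has access to Settings" are left out because the page does not name the single permission that satisfies them.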