Available Permissions

Overview

This page will try to list and explain available permissions to use in Custom Roles.

This list is not complete, as the feature-set of RealmJoin is continually growing.

Please use Auto-Complete in Custom Roles' editor to see all currently available permissions.

We will expand this list over time.

As there are many permissions available, we will group them by topic for easier navigation.

Settings

CanReadSettingsDetails

The user gains access to Settings.

App Management

CanReadAppTable

The user gains read access to Package Management (Package Management List). This does not grant permission to the package details.

CanReadIntuneAppDetails

Given:

The user gains read only access to Intune packages / package details.

CanReadRealmJoinAppDetails

Given:

The user gains read only access to RealmJoin Client packages / package details.

CanChangeAppAssignments

Given:

The user gains the ability to add/remove user or group assignments in a package's details.

CanChangeAppAssignmentSettings

Given:

On RealmJoin Client Packages, the option to change per assignment settings will be shown and users can modify the settings.

CanEditAppArgs

Given:

The user gains the ability to modify an app's command line arguments in Package Details.

CanEditAppAutomation

Given:

The user gains the ability to modify an Intune app's automation settings (that is, if and when newer versions of the package from the store will be automatically rolled out to existing users).

CanEditAppDisplayName

Given:

The user gains the ability to modify an app's display name.

CanEditAppExpertSettings

Given:

The user gains the ability to modify an app's expert settings.

CanEditAppTechnicalApplicationOwners

Given:

The user gains the ability to modify an app's Technical App. Owners in Config.

CanDeleteApp

Given:

The user gains the ability to delete an app from Package Management. This will not remove an app from the package store and will not trigger uninstallations on existing deployments.

CanRequestSoftware

The user gains the ability to submit a software packaging request to RealmJoin.

Please combine this with either CanRequestSoftwareOrganic or CanRequestSoftwarePaas.

CanRequestSoftwareOrganic

The user gains the ability to submit an "organic" software package to RealmJoin for distribution via RealmJoin Client to specific users.

Organic packages contain raw and unprocessed application setups. When handling those, RealmJoin is used as a transport vehicle to move the zipped container to a specified location. Depending on its payload, the installer then has to be manually started by the user (if user mode) or a remote administrator or field service.

The software deployment will not be tested by RealmJoin.

CanRequestSoftwarePaas

The user gains the ability to submit a software packaging request to RealmJoin.

The software will be packaged by RealmJoin and will become available for consumption through the Package Store.

CanReadPackageStoreTable

The user gains access to the Package Store (Package Store List).

This does not grant permission to the package details or to subscribe to an app.

CanReadPackageStoreDetails

Given:

  • CanReadPackageStoreTable

Allow a user to inspect a package store offering. This does not grant permission to subscribe to an app.

CanSubscribeApp

Given:

  • CanReadPackageStoreDetails

Allow the user to subscribe to an offering from the Package Store.

CanSeeIntuneAppJson, CanSeeIntuneAppStoreJson, CanSeeRealmJoinAppJson, CanSeeRealmJoinAppStoreJson

Allow the user to see additional diagnostic JSON information for a package in Package Store or Package Management.

User Management

CanReadUserTable

The user gains the ability to see the list of all Entra ID users.

CanReadUserDetails

The user gains the ability to inspect an individual user's details.

CanSeeRealmJoinUserSettings

Given:

  • CanReadUserDetails

Allow the user to see/inspect RealmJoin Client Settings assigned to a specific user.

CanChangeRealmJoinUserSettings

Given:

  • CanReadUserDetails

  • CanSeeRealmJoinUserSettings

Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific user.

CanReadUserSettingTable

The user gains the ability to see the list of user settings (across all users) from the navigation.

CanReadUserSettingDetails

The user gains the ability to inspect all user settings' details.

CanSeeUserJsonAzureAD and CanSeeUserJsonRealmJoin

Given:

  • CanReadUserDetails

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

CanSeeUserSignIns

Given:

  • CanReadUserDetails

This permission allows a user to see Microsoft Entra user sign-in information as JSON in a separate tab.

Group Management

CanReadGroupTable

The user gains the ability to see the list of all Entra ID and RealmJoin internal groups.

CanReadGroupDetails

The user gains the ability to inspect an individual Microsoft Entra / RealmJoin internal group's details.

CanChangeGroupMembers

Given:

  • CanReadGroupDetails

The user gains the ability to add or remove members from groups.

CanDeleteGroup

Given:

  • CanReadGroupDetails

The user gains the ability to delete a group.

CanEditGroupDisplayName

Given:

  • CanReadGroupDetails

The user gains the ability to change a group's display name.

CanSeeGroupJsonAzureAD and CanSeeGroupJsonRealmJoin

Given:

  • CanReadGroupDetails

Allow the user to see diagnostic metadata about a Microsoft Entra or RealmJoin internal group, if "Show advanced info" is enabled in Settings.

CanSeeRealmJoinGroupSettings

Given:

  • CanReadGroupDetails

Allow the user to see/inspect RealmJoin Client Settings assigned to a specific group.

CanChangeRealmJoinGroupSettings

Given:

  • CanReadGroupDetails

  • CanSeeRealmJoinGroupSettings

Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific group.

CanReadGroupSettingTable

The user gains the ability to see the list of group settings (across all groups) from the navigation.

CanReadGroupSettingDetails

The user gains the ability to inspect all group settings' details.

Device Management

CanReadDeviceTable

The user gains the ability to see the list of all Entra ID devices.

CanReadDeviceDetails

The user gains the ability to inspect an individual device's details.

CanRequestDeviceLogs

The user can trigger collecting "Extended Logs" for a device using RealmJoin Client.

CanScanDevice

The user can trigger a Defender for Endpoint scan for a Windows device.

CanSyncDevice

The user can trigger an Intune sync for a managed Windows device.

CanChangeRealmJoinPrimaryUser

Allow the user to assign a different primary user in RealmJoin.

When transferring a Windows device to a different user, you should change the RealmJoin primary user AND wipe the device. When a new user logs on after the wipe, this will also update the Intune primary user.

CanSeeDeviceAutopilotInformation

Allow the user to see a device's Autopilot information (if present).

CanSeeDeviceExtendedSecurityInformation

Allow the user to see a device's extended security information from Defender for Endpoint, if available.

Allow the user to see links to Intune, Microsoft Entra etc. Only useful if the user is allowed to use these portals.

CanSeeDeviceJson...

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

  • CanSeeDeviceJsonAtp

  • CanSeeDeviceJsonAutopilot

  • CanSeeDeviceJsonAzureAD

  • CanSeeDeviceJsonIntune

  • CanSeeDeviceJsonRealmJoin

CanSeeDeviceNetworkInformation

Allow the user to see network information for a device if available.

This will include "Delivery Optimization" information if available.

CanSeeDeviceRealmJoinInformation

Allow the user to see RealmJoin Client details of a device.

CanSeeDeviceSafeguardHold

Allow the user to see the Safeguard Holds for a device.

Safeguard Holds indicate that a Windows device can not upgrade to a newer version of Windows.

See Safeguard Holds (Microsoft Docs).

CanSeeDeviceSecurityInformation

Allow the user to see a device's security state, especially device compliance.

CanSeeDeviceSecurityRecommendations and CanSeeDeviceSecurityVulnerabilities

RealmJoin Portal can pull security recommendations and vulnerabilities from the Microsoft Security Center. These permissions allow a user to see the recommendations and the vulnerabilities for a device, respectively.

CanSeeDeviceUsers

Allow the user to see the device's logged-in user.

Be aware: If not given this permission, a user able to see the device's details can still see the device's owner.

CanSeeWarranty

Allow the user to use the warranty tab for a device.

CanUseDeviceAnyDeskInterface

Allow the user to use / connect to a device using AnyDesk AnyConnect from RealmJoin Portal.

Organization

CanReadOrganizationDetails

Allow the user to see / read the Organization details.

CanSeeOrganizationJsonAzureAD

This permission allows a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

Self Service Forms

CanReadSelfServiceFormsHistoryTable

The user can see the list of recent Self Service Forms submissions.

CanReadSelfServiceFormsHistoryDetails

The user can inspect individual Self Service Forms submission details and contents.

CanAddSelfServiceForms and CanDeleteSelfServiceForms

Given:

  • Self Service Forms are enabled for your tenant

  • User has access to Settings

The user can create new or delete Self Service Forms in Settings->Self Service Forms respectively.

Runbooks

CanSeeRunbooks

The user can see the list of available runbooks, limited by:

  • Object types (Users/Groups/Devices/Org) the user can see

  • Runbooks as limited by Runbook Permissions

This does not grant the right to actually start Runbook jobs.

CanRunRunbooks

The user can start Runbooks, if CanSeeRunbooks is given and the conditions listed there are met.

CanEditRunbookSchedules

If the user is able to see Runbooks, he/she can create/manage Runbook Schedules.

Logs

CanReadRunbookTable

Allow a user to see the Runbook Logs list.

CanReadRunbookDetails

Allow a user to inspect a Runbook Logs item and output.
