# Available Permissions

## Overview

This page lists and explains the permissions available for Custom Roles.

{% hint style="info" %}
This list is not complete, as the feature set of RealmJoin is continually growing.

Please use [Auto-Complete](https://docs.realmjoin.com/realmjoin-settings/permission/custom-roles/..#auto-complete) in Custom Roles' editor to see all currently available permissions.
{% endhint %}

## Settings

### CanReadSettingsDetails

The user gains access to [Settings](https://docs.realmjoin.com/realmjoin-settings/settings).

## App Management

### CanReadAppTable

The user gains read access to [Package Management](https://docs.realmjoin.com/app-management/packages/package-management) (Package Management List). This does not grant permission to the package details.

### CanReadIntuneAppDetails

**Given**:

* User has access to [Package Management](https://docs.realmjoin.com/app-management/packages/package-management)

The user gains read only access to Intune packages / [package details](https://docs.realmjoin.com/app-management/packages/package-details).

### CanReadRealmJoinAppDetails

**Given**:

* User has access to [Package Management](https://docs.realmjoin.com/app-management/packages/package-management)

The user gains read only access to RealmJoin Client packages / [package details](https://docs.realmjoin.com/app-management/packages/package-details).

### CanChangeAppAssignments

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to add/remove user or group assignments in a package's details.

### CanChangeAppAssignmentSettings

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

On RealmJoin Client Packages, the option to change [per assignment settings](https://docs.realmjoin.com/app-management/packages/package-details#assignment-settings) will be shown and users can modify the settings.

### CanEditAppArgs

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to modify an app's command line arguments in [Package Details](https://docs.realmjoin.com/app-management/packages/package-details).

### CanEditAppAutomation

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to modify an [Intune app's automation](https://docs.realmjoin.com/app-management/packages/package-details#automation) settings, i.e. whether and when newer versions of the package from the store are automatically rolled out to existing users.

### CanEditAppDisplayName

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to modify an app's display name.

### CanEditAppExpertSettings

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to modify an [app's expert settings](https://docs.realmjoin.com/app-management/packages/package-details#expert-settings).

### CanEditAppTechnicalApplicationOwners

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to modify an app's Technical App. Owners in [Config](https://docs.realmjoin.com/app-management/packages/package-details#config).

### CanDeleteApp

**Given**:

* User has access to [Package Details](https://docs.realmjoin.com/app-management/packages/package-details)

The user gains the ability to delete an app from [Package Management](https://docs.realmjoin.com/app-management/packages/package-management). This will not remove the app from the package store and will not trigger uninstallations on existing deployments.

### CanRequestSoftware

The user gains the ability to submit a software packaging request to RealmJoin.

{% hint style="warning" %}
Please combine this with either **CanRequestSoftwareOrganic** or **CanRequestSoftwarePaas**.
{% endhint %}

### CanRequestSoftwareOrganic

The user gains the ability to submit an "organic" software package to RealmJoin for distribution via RealmJoin Client to specific users.

Organic packages contain raw and unprocessed application setups. When handling those, RealmJoin is used as a transport vehicle to move the zipped container to a specified location. Depending on its payload, the installer then has to be manually started by the user (if user mode) or a remote administrator or field service.

The software deployment will not be tested by RealmJoin.

### CanRequestSoftwarePaas

The user gains the ability to submit a software packaging request to RealmJoin.

The software will be packaged by RealmJoin and will become available for consumption through the [Package Store](https://docs.realmjoin.com/app-management/packages/package-store).

### CanReadPackageStoreTable

The user gains access to the [Package Store](https://docs.realmjoin.com/app-management/packages/package-store) (Package Store List).

This does not grant permission to the package details or to subscribe to an app.

### CanReadPackageStoreDetails

**Given**:

* CanReadPackageStoreTable

Allow a user to inspect a package store offering. This does not grant permission to subscribe to an app.

### CanSubscribeApp

**Given**:

* CanReadPackageStoreDetails

Allow the user to subscribe to an offering from the Package Store.

### CanSeeIntuneAppJson, CanSeeIntuneAppStoreJson, CanSeeRealmJoinAppJson, CanSeeRealmJoinAppStoreJson

Allow the user to see additional diagnostic JSON information for a package in [Package Store](https://docs.realmjoin.com/app-management/packages/package-store) or [Package Management](https://docs.realmjoin.com/app-management/packages/package-management).

## User Management

### CanReadUserTable

The user gains the ability to see the [list of all Entra ID users](https://docs.realmjoin.com/ugd-management/user-list).

### CanReadUserDetails

The user gains the ability to inspect an individual [user's details](https://docs.realmjoin.com/ugd-management/user-list/user-details).

### CanSeeRealmJoinUserSettings

**Given**:

* CanReadUserDetails

Allow the user to see/inspect [RealmJoin Client Settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings) assigned to a specific user.

### CanChangeRealmJoinUserSettings

**Given**:

* CanReadUserDetails
* CanSeeRealmJoinUserSettings

Allow the user to add/modify/delete [RealmJoin Client Settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings) assigned to a specific user.

### CanReadUserSettingTable

The user gains the ability to see the list of [user settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings) (across all users) from the [navigation](#navigation).

### CanReadUserSettingDetails

The user gains the ability to inspect all [user settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings)' details.

### CanSeeUserJsonAzureAD and CanSeeUserJsonRealmJoin

**Given**:

* CanReadUserDetails

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in [Settings](https://docs.realmjoin.com/realmjoin-settings/general).

### CanSeeUserSignIns

**Given**:

* CanReadUserDetails

This permission allows a user to see Microsoft Entra user sign-in information as JSON in a separate tab.

## Group Management

### CanReadGroupTable

The user gains the ability to see the list of all [Entra ID and RealmJoin internal groups](https://docs.realmjoin.com/ugd-management/user-list).

### CanReadGroupDetails

The user gains the ability to inspect an individual Microsoft Entra / RealmJoin internal [group's details](https://docs.realmjoin.com/ugd-management/user-list/group-details).

### CanChangeGroupMembers

**Given**:

* CanReadGroupDetails

The user gains the ability to add or remove members from groups.

### CanDeleteGroup

**Given**:

* CanReadGroupDetails

The user gains the ability to delete a group.

### CanEditGroupDisplayName

**Given**:

* CanReadGroupDetails

The user gains the ability to change a group's display name.

### CanSeeGroupJsonAzureAD and CanSeeGroupJsonRealmJoin

**Given**:

* CanReadGroupDetails

Allow the user to see diagnostic metadata about a Microsoft Entra or RealmJoin internal group, if "Show advanced info" is enabled in [Settings](https://docs.realmjoin.com/realmjoin-settings/general).

### CanSeeRealmJoinGroupSettings

**Given**:

* CanReadGroupDetails

Allow the user to see/inspect [RealmJoin Client Settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings) assigned to a specific group.

### CanChangeRealmJoinGroupSettings

**Given**:

* CanReadGroupDetails
* CanSeeRealmJoinGroupSettings

Allow the user to add/modify/delete [RealmJoin Client Settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings) assigned to a specific group.

### CanReadGroupSettingTable

The user gains the ability to see the list of [group settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings) (across all groups) from the [navigation](#navigation).

### CanReadGroupSettingDetails

The user gains the ability to inspect all [group settings](https://docs.realmjoin.com/ugd-management/user-and-group-settings)' details.

## Device Management

### CanReadDeviceTable

The user gains the ability to see the list of all [Entra ID devices](https://docs.realmjoin.com/ugd-management/user-list).

### CanReadDeviceDetails

The user gains the ability to inspect an individual [device's details](https://docs.realmjoin.com/ugd-management/user-list/device-details).

### CanRequestDeviceLogs

The user can trigger the collection of "Extended Logs" for a device using RealmJoin Client.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FyECqWFJ54SSfzVe1eion%2Fimage.png?alt=media&#x26;token=6ceae292-d1e2-4517-9b47-10fd8fe2a882" alt=""><figcaption><p>Request RealmJoin Client Logs</p></figcaption></figure>

### CanScanDevice

The user can trigger a Defender for Endpoint scan for a Windows device.

### CanSyncDevice

The user can trigger an Intune sync for a managed Windows device.

### CanChangeRealmJoinPrimaryUser

Allow the user to assign a different primary user in RealmJoin.

{% hint style="info" %}
When transferring a Windows device to a different user, you should wipe the device from Intune.

When a new user logs on after the wipe, this will update the Intune and RealmJoin primary user automatically.
{% endhint %}

### CanSeeDeviceAutopilotInformation

Allow the user to see a device's Autopilot information (if present).

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FylnMjswxW6YDh9zyOx5E%2Fimage.png?alt=media&#x26;token=fb59601d-f0e9-4859-8574-662fa49bdad3" alt="" width="354"><figcaption><p>Autopilot info</p></figcaption></figure>

### CanSeeDeviceExtendedSecurityInformation

Allow the user to see a device's extended security information from Defender for Endpoint, if available.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FVlc4FLgqDp7VtFTL0t0i%2Fimage.png?alt=media&#x26;token=b949ede9-448a-471b-a156-a277c032a0c9" alt="" width="325"><figcaption><p>Extended Security Information</p></figcaption></figure>

### CanSeeDeviceExternalLinks

Allow the user to see links to Intune, Microsoft Entra etc. Only useful if the user is allowed to use these portals.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2F4dfeo1ugMA8hYu71fNQj%2Fimage.png?alt=media&#x26;token=8b23abbe-6bda-4a69-be58-7a1ebff926bc" alt=""><figcaption><p>Device External Links</p></figcaption></figure>

### CanSeeDeviceJson...

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in [Settings](https://docs.realmjoin.com/realmjoin-settings/general).

* CanSeeDeviceJsonAtp
* CanSeeDeviceJsonAutopilot
* CanSeeDeviceJsonAzureAD
* CanSeeDeviceJsonIntune
* CanSeeDeviceJsonRealmJoin

### CanSeeDeviceNetworkInformation

Allow the user to see network information for a device if available.

This will include "Delivery Optimization" information if available.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FsvhpHC6bhHNmW8CBQDp0%2Fimage.png?alt=media&#x26;token=2d5843f5-5059-4a1b-8c60-7e38ee05a177" alt="" width="337"><figcaption><p>Network Information</p></figcaption></figure>

### CanSeeDeviceRealmJoinInformation

Allow the user to see RealmJoin Client details for a device.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FpbN2Y54jgSDKk2QeNQ6t%2Fimage.png?alt=media&#x26;token=a746ced1-7ece-460f-902f-e9776ba0b4d3" alt="" width="375"><figcaption><p>RealmJoin Client Information</p></figcaption></figure>

### CanSeeDeviceSafeguardHold

Allow the user to see the **Safeguard Holds** for a device.

Safeguard Holds indicate that a Windows device cannot upgrade to a newer version of Windows.

See [Safeguard Holds (Microsoft Docs)](https://learn.microsoft.com/en-us/windows/deployment/update/safeguard-holds).

### CanSeeDeviceSecurityInformation

Allow the user to see a device's security state, especially **device compliance**.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2Fu8m5kZsB3MziFtTrT9GC%2Fimage.png?alt=media&#x26;token=7b391c25-f34d-4a40-9abd-f3c521104bd7" alt="" width="332"><figcaption><p>Device Security Information</p></figcaption></figure>

### CanSeeDeviceSecurityRecommendations and CanSeeDeviceSecurityVulnerabilities

RealmJoin Portal can pull security recommendations and vulnerabilities from the Microsoft Security Center. These permissions allow a user to see recommendations and vulnerabilities, respectively, for a device.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2F9Qu3aPFVAFdlre7JW0Tc%2Fimage.png?alt=media&#x26;token=6b5f3953-6d7e-46eb-9aef-a963c3c58a9b" alt="" width="375"><figcaption><p>Security Vulnerability</p></figcaption></figure>

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FrKrrYRR4F4Vgrg3NVbxL%2Fimage.png?alt=media&#x26;token=76a6b6af-fb87-4ab0-8626-47e16a0870b5" alt="" width="349"><figcaption><p>Security Recommendations</p></figcaption></figure>

### CanSeeDeviceUsers

Allow the user to see the device's logged-in user.

{% hint style="warning" %}
Be aware: If not given this permission, a user able to see the device's details can still see the device's owner.
{% endhint %}

### CanSeeWarranty

Allow the user to use the [warranty tab](https://docs.realmjoin.com/ugd-management/user-list/device-details#warranty) for a device.

### CanUseDeviceAnyDeskInterface

Allow the user to use / connect to a device using [AnyDesk AnyConnect](https://docs.realmjoin.com/realmjoin-agent/realmjoin-client/anydesk-integration) from RealmJoin Portal.

<figure><img src="https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FYEmyFlZTliW0J0uCaLeC%2Fimage.png?alt=media&#x26;token=ff05e26c-e436-4cf0-ae25-bca4c52cf454" alt="" width="521"><figcaption><p>AnyConnect Remote Support</p></figcaption></figure>

## Organization

### CanReadOrganizationDetails

Allow the user to see / read the [Organization details](https://docs.realmjoin.com/ugd-management/organization-details).

### CanSeeOrganizationJsonAzureAD

This permission allows a user to see specific diagnostic information as JSON in a separate tab if "show advanced info" is enabled in [Settings](https://docs.realmjoin.com/realmjoin-settings/general).

## Self Service Forms

### CanReadSelfServiceFormsHistoryTable

The user can see the list of recent [Self Service Forms](https://docs.realmjoin.com/realmjoin-settings/self-service-forms) submissions.

### CanReadSelfServiceFormsHistoryDetails

The user can inspect individual [Self Service Forms](https://docs.realmjoin.com/realmjoin-settings/self-service-forms) submission details and contents.

### CanAddSelfServiceForms and CanDeleteSelfServiceForms

**Given**:

* Self Service Forms are enabled for your tenant
* User has access to [Settings](https://docs.realmjoin.com/realmjoin-settings/settings)

The user can create new Self Service Forms or delete existing ones, respectively, in [Settings->Self Service Forms](https://docs.realmjoin.com/self-service-forms#settings-page).

## Runbooks

### CanSeeRunbooks

The user can see the list of available runbooks, limited by:

* Object types (Users/Groups/Devices/Org) the user can see
* Runbooks as limited by [Runbook Permissions](https://docs.realmjoin.com/automation/runbooks/runbook-permissions)

This does not grant the right to actually start Runbook jobs.

### CanRunRunbooks

The user can start Runbooks, if CanSeeRunbooks is given and the conditions listed there are met.

### CanEditRunbookSchedules

If the user is able to see Runbooks, they can create and manage [Runbook Schedules](https://docs.realmjoin.com/automation/runbooks/scheduling).

## Logs

### CanReadRunbookTable

Allow a user to see the [Runbook Logs](https://docs.realmjoin.com/automation/runbooks/runbook-logs) list.

### CanReadRunbookDetails

Allow a user to inspect a [Runbook Logs](https://docs.realmjoin.com/automation/runbooks/runbook-logs) item and output.

## Workplace Cloud Storage

### CanSeeOrganizationBackgroundFiles, CanSeeOrganizationSignatureFiles, CanSeeOrganizationOtherFiles and CanReadFavoritesTable

View the named areas of Workplace Cloud storage.

### CanUploadOrganizationBackgroundFiles, CanEditOrganizationSignatureFiles, CanUploadOrganizationOtherFiles and CanEditFavorites

Upload or edit, respectively, files in the named areas of Workplace Cloud storage.

### CanDeleteOrganizationBackgroundFiles, CanDeleteOrganizationSignatureFiles, CanDeleteOrganizationOtherFiles and CanDeleteFavorites

Delete files in the named areas of Workplace Cloud storage.
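
The **Given** prerequisites listed throughout this page can be checked mechanically when reviewing a role. The following Python is an added example, not RealmJoin code: it assumes a role can be written down as a flat list of permission names, and it covers only the prerequisites this page states as permission names.

```python
# Added example, not RealmJoin code. Assumption: a role is a flat list of
# permission names. Prerequisites are transcribed from this page; "Given"
# entries that are not permission names (e.g. access to Package Details)
# are left out, and the page itself notes that its list is not complete.
def _each(names, *prereqs):
    """Map every whitespace-separated name to the same set of prerequisites."""
    return {name: set(prereqs) for name in names.split()}

REQUIRES = {
    **_each("CanReadPackageStoreDetails", "CanReadPackageStoreTable"),
    **_each("CanSubscribeApp", "CanReadPackageStoreDetails"),
    **_each("CanSeeRealmJoinUserSettings CanSeeUserJsonAzureAD "
            "CanSeeUserJsonRealmJoin CanSeeUserSignIns", "CanReadUserDetails"),
    **_each("CanChangeRealmJoinUserSettings",
            "CanReadUserDetails", "CanSeeRealmJoinUserSettings"),
    **_each("CanChangeGroupMembers CanDeleteGroup CanEditGroupDisplayName "
            "CanSeeGroupJsonAzureAD CanSeeGroupJsonRealmJoin "
            "CanSeeRealmJoinGroupSettings", "CanReadGroupDetails"),
    **_each("CanChangeRealmJoinGroupSettings",
            "CanReadGroupDetails", "CanSeeRealmJoinGroupSettings"),
    **_each("CanRunRunbooks", "CanSeeRunbooks"),
}
# The page asks for CanRequestSoftware to be combined with one of these.
ANY_OF = {"CanRequestSoftware": {"CanRequestSoftwareOrganic", "CanRequestSoftwarePaas"}}

def required_closure(perms):
    """Return perms plus every direct and transitive prerequisite."""
    result, todo = set(), list(perms)
    while todo:
        perm = todo.pop()
        if perm not in result:
            result.add(perm)
            todo.extend(REQUIRES.get(perm, ()))
    return result

def lint_role(perms):
    """Return findings for grants that have no effect without a missing prerequisite."""
    granted, findings = set(perms), []
    for perm in sorted(granted):
        for missing in sorted(required_closure([perm]) - granted):
            findings.append(f"{perm}: missing prerequisite {missing}")
        options = ANY_OF.get(perm)
        if options and not options & granted:
            findings.append(f"{perm}: combine with one of {', '.join(sorted(options))}")
    return findings

# Constructed sample role for illustration.
SAMPLE_ROLE = ["CanReadUserTable", "CanChangeRealmJoinUserSettings", "CanSubscribeApp",
               "CanRequestSoftware", "CanRunRunbooks", "CanSeeRunbooks"]

if __name__ == "__main__":
    for finding in lint_role(SAMPLE_ROLE):
        print(finding)
```

A finding means the grant cannot take effect as written. Adding the missing prerequisite widens what the role can see, so review each addition rather than applying the closure blindly.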
