search

Available Permissions

hashtag
Overview

This page will try to list and explain available permissions for Custom Roles.

circle-info

This list is not complete, as the feature-set of RealmJoin is continually growing.

Please use Auto-Complete in Custom Roles' editor to see all currently available permissions.

hashtag
Settings

hashtag
CanReadSettingsDetails

The user gains access to to Settings

hashtag
App Management

hashtag
CanReadAppTable

The user gains read access to Package Management (Package Management List). This does not grant permission to the package details.

hashtag
CanReadIntuneAppDetails

Given:

The user gains read only access to Intune packages / package details.

hashtag
CanReadRealmJoinAppDetails

Given:

The user gains read only access to RealmJoin Client packages / package details.

hashtag
CanChangeAppAssignments

Given:

The user gains the ability to add/remove user or group assignments in a packages details.

hashtag
CanChangeAppAssignmentSettings

Given:

On RealmJoin Client Packages, the option to change per assignment settings will be shown and users can modify the settings.

hashtag
CanEditAppArgs

Given:

The user gains the ability to modify an app's command line arguments in Package Details.

hashtag
CanEditAppAutomation

Given:

The user gains the ability to modify an Intune app's automation settings ( = If and when newer versions of the package from the store will be automatically rolled out to existing users.)

hashtag
CanEditAppDisplayName

Given:

The user gains the ability to modify an app's display name.

hashtag
CanEditAppExpertSettings

Given:

The user gains the ability to modify an app's expert settings.

hashtag
CanEditAppTechnicalApplicationOwners

Given:

The user gains the ability to modify an app's Technical App. Owners in Config.

hashtag
CanDeleteApp

Given:

The user gains the ability to delete an app from a Package Management. This will not remove an app from the package store and will not trigger uninstallations on existing deployments.

hashtag
CanRequestSoftware

The user gains the ability to submit a software packaging request to RealmJoin.

circle-exclamation

Please combine this with either CanRequestSoftwareOrganic or CanRequestSoftwarePaas

hashtag
CanRequestSoftwareOrganic

The user gains the ability to submit an "organic" software package to RealmJoin for distribution via RealmJoin Client to specific users.

Organic packages contain raw and unprocessed application setups. When handling those, RealmJoin is used as a transport vehicle to move the zipped container to a specified location. Depending on its payload, the installer then has to be manually started by the user (if user mode) or a remote administrator or field service.

The software deployment will not be tested by RealmJoin.

hashtag
CanRequestSoftwarePaas

The user gains the ability to submit a software packaging request to RealmJoin.

The software will be packaged by RealmJoin and will become available for consumption through the Package Store.

hashtag
CanReadPackageStoreTable

The user gains access to the Package Store (Package Store List).

This does not grant permission to the package details or to subscribe to an app.

hashtag
CanReadPackageStoreDetails

Given:

  • CanReadPackageStoreTable

Allow a user to inspect a package store offering. This does not grant permission to subscribe to an app.

hashtag
CanSubscribeApp

Given:

  • CanReadPackageStoreDetails

Allow the user to subscribe to an offering from package store.

hashtag
CanSeeIntuneAppJson, CanSeeIntuneAppStoreJson, CanSeeRealmJoinAppJson, CanSeeRealmJoinAppStoreJson

Allow to see additional, diagnostic JSON information for a package in Package Store or Package Management.

hashtag
User Management

hashtag
CanReadUserTable

The user gains the ability to see the list of all Entra ID users.

hashtag
CanReadUserDetails

The user gains the ability to inspect an individual user's details.

hashtag
CanSeeRealmJoinUserSettings

Given:

  • CanReadUserDetails

Allow the user to see/inspect RealmJoin Client Settings assigned to a specific user.

hashtag
CanChangeRealmJoinUserSettings

Given:

  • CanReadUserDetails

  • CanSeeRealmJoinUserSettings

Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific user.

hashtag
CanReadUserSettingTable

The user gains the ability to see the list of user settings (across all users) from the navigation.

hashtag
CanReadUserSettingDetails

The user gains the ability to inspect all user settings' details.

hashtag
CanSeeUserJsonAzureAD and CanSeeUserJsonRealmJoin

Given:

  • CanReadUserDetails

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

hashtag
CanSeeUserSignIns

Given:

  • CanReadUserDetails

These permissions allow a user to see Microsoft Entra user sign in information as JSON in a separate tab.

hashtag
Group Management

hashtag
CanReadGroupTable

The user gains the ability to see the list of all Entra ID and RealmJoin internal groups.

hashtag
CanReadGroupDetails

The user gains the ability to inspect an individual Microsoft Entra / RealmJoin internal group's details.

hashtag
CanChangeGroupMembers

Given:

  • CanReadGroupDetails

The user gains the ability to add or remove members from groups.

hashtag
CanDeleteGroup

Given:

  • CanReadGroupDetails

The user gains the ability to delete a group.

hashtag
CanEditGroupDisplayName

Given:

  • CanReadGroupDetails

The user gains the ability to change a group's display name.

hashtag
CanSeeGroupJsonAzureAD and CanSeeGroupJsonRealmJoin

Given:

  • CanReadGroupDetails

Allow the user to see diagnostic metadata about a Microsoft Entra or RealmJoin internal group, if "Show advanced info" is enabled in Settings.

hashtag
CanSeeRealmJoinGroupSettings

Given:

  • CanReadGroupDetails

Allow the user to see/inspect RealmJoin Client Settings assigned to a specific group.

hashtag
CanChangeRealmJoinGroupSettings

Given:

  • CanReadGroupDetails

  • CanSeeRealmJoinGroupSettings

Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific group.

hashtag
CanReadGroupSettingTable

The user gains the ability to see the list of group settings (across all groups) from the navigation.

hashtag
CanReadGroupSettingDetails

The user gains the ability to inspect all group settings' details.

hashtag
Device Management

hashtag
CanReadDeviceTable

The user gains the ability to see the list of all Entra ID devices.

hashtag
CanReadDeviceDetails

The user gains the ability to inspect an individual device's details.

hashtag
CanRequestDeviceLogs

The user can trigger collecting "Extended Logs" for a device using RealmJoin Client .

Request RealmJoin Client Logs

hashtag
CanScanDevice

The user can trigger a Defender for Endpoint scan for a Windows device.

hashtag
CanSyncDevice

The user can trigger an Intune sync for a managed Windows device.

hashtag
CanChangeRealmJoinPrimaryUser

Allow the user to assign a different primary user in RealmJoin.

circle-info

When transferring a Windows device to a different user, you should wipe the device from Intune.

When a new user logs on after the wipe, this will update the Intune and RealmJoin primary user automatically.

hashtag
CanSeeDeviceAutopilotInformation

Allow the user to see a device's Autopilot information (if present)

Autopilot info

hashtag
CanSeeDeviceExtendedSecurityInformation

Allow the user to see a device's extended sec. info from Defender for Endpoint - if available.

Extended Security Information

hashtag
CanSeeDeviceExternalLinks

Allow the user to see links to Intune, Microsoft Entra etc. Only useful if the user is allowed to use these portals.

Device External Links

hashtag
CanSeeDeviceJson...

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

  • CanSeeDeviceJsonAtp

  • CanSeeDeviceJsonAutopilot

  • CanSeeDeviceJsonAzureAD

  • CanSeeDeviceJsonIntune

  • CanSeeDeviceJsonRealmJoin

hashtag
CanSeeDeviceNetworkInformation

Allow the user to see network information for a device if available.

This will include "Delivery Optimization" information if available.

Network Information

hashtag
CanSeeDeviceRealmJoinInformation

Allow the user to see RealmJoin Client details or a device.

RealmJoin Client Information

hashtag
CanSeeDeviceSafeguardHold

Allow the use to see the Safeguard Holds for a device.

Safeguard Holds indicate that a Windows device can not upgrade to a newer version of Windows.

See Safeguard Holds (Microsoft Docs)arrow-up-right.

hashtag
CanSeeDeviceSecurityInformation

Allow the user to see a device's security state, especially device compliance.

Device Security Information

hashtag
CanSeeDeviceSecurityRecommendations and CanSeeDeviceSecurityVulnerabilities

RealmJoin Portal can pull security recommendations and vulnerabilities from the Microsoft Security Center. This permission allows a user to see these for a device respectively.

Security Vulnerability
Security Recommendations

hashtag
CanSeeDeviceUsers

Allow the user to see the devices logged in user.

circle-exclamation

Be aware: If not given this permission, a user able to see the device's details can still see the device's owner.

hashtag
CanSeeWarranty

Allow the user to use the warranty tab for a device.

hashtag
CanUseDeviceAnyDeskInterface

Allow the user to use / connect to a device using AnyDesk AnyConnect from RealmJoin Portal.

AnyConnect Remote Support

hashtag
Organization

hashtag
CanReadOrganizationDetails

Allow the user to see / read the Organization details.

hashtag
CanSeeOrganizationJsonAzureAD

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

hashtag
Self Service Forms

hashtag
CanReadSelfServiceFormsHistoryTable

The user can see the list of recent Self Service Forms submissions.

hashtag
CanReadSelfServiceFormsHistoryDetails

The user can inspect individual Self Service Forms submission details and contents.

hashtag
CanAddSelfServiceForms and CanDeleteSelfServiceForms

Given:

  • Self Service Forms are enabled for your tenant

  • User has access to Settings

The user can create new or delete Self Service Forms in Settings->Self Service Forms respectively.

hashtag
Runbooks

hashtag
CanSeeRunbooks

The user can see the list of available runbooks, limited by:

  • Object types (Users/Groups/Devices/Org) the user can see

  • Runbooks as limited by Runbook Permissions

This does not grant the right to actually start Runbook jobs.

hashtag
CanRunRunbooks

The user can start Runbooks, if CanSeeRunbooks is given and the conditions listed there are met.

hashtag
CanEditRunbookSchedules

If the user is able to see Runbooks, he/she can create/manage Runbook Schedules.

hashtag
Logs

hashtag
CanReadRunbookTable

Allow a user to see the Runbook Logs list.

hashtag
CanReadRunbookDetails

Allow a user to inspect a Runbook Logs item and output.

hashtag
Workplace Cloud Storage

hashtag
CanSeeOrganizationBackgroundFiles, CanSeeOrganizationSignatureFiles, CanSeeOrganizationOtherFiles and CanReadFavoritesTable

View the named areas of Workplace Cloud storage.

hashtag
CanUploadOrganizationBackgroundFiles, CanEditOrganizationSignatureFiles, CanUploadOrganizationOtherFiles and CanEditFavorites

Upload resp. edit the named areas of Workplace Cloud storage.

hashtag
CanDeleteOrganizationBackgroundFiles, CanDeleteOrganizationSignatureFiles, CanDeleteOrganizationOtherFiles and CanDeleteFavorites

Delete files in the named areas of Workplace Cloud storage.

Last updated

Was this helpful?