# Pre-defined Roles
## Usage
All **pre-defined roles** can be **assigned** to **one or multiple Entra groups**. If wanted, you can manage those groups via Microsoft Entra Privileged Identity Management (e.g. implement just-in-time privileged access with approval mechanisms).
Simply click on "\[x] groups" and add or remove the desired Entra groups.
## Available roles
### Admin Permissions
This will grant **full administrative and configuration control** over RealmJoin Portal. This includes e.g.:
* Access to all features of [User, Group and Device Management](/ugd-management/user-group-device-management.md) and [Process Automation](/automation/runbooks.md)
* Access to all features of [Application Management](/app-management/packages.md)
* Full access to [Settings](/realmjoin-settings/settings.md) including:
* Modifying permissions / delegations
* Onboarding/modifying Runbook integration
* Modifying Runbooks permissions and customizing
* Changing package automation defaults
* Retrieval of LAPS credentials
* Manage Workplace Cloud Storage
### Auditor Permissions
This will grant read-only access to all areas of RealmJoin Portal.
* Read-only access to all areas of [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Read-only access to all features of [Application Management](/app-management/packages.md)
* Reading Runbook Job logs
This permission does not include:
* Starting Runbooks
* Subscribing to apps/packages
* Modifying group memberships / assignments
* Access to [Settings](/realmjoin-settings/settings.md)
* Retrieval of LAPS credentials
{% hint style="info" %}
If you combine Auditor with roles from down below, retrieval of LAPS credentials will not be possible.
{% endhint %}
### Supporter Permissions
This will grant:
* Read-only access to all areas of [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Initiate remote support sessions
* Retrieval of LAPS credentials
* Sync/scan devices
* Request device logs
This permission does not include:
* Subscribing to apps/packages
* Modifying group memberships / assignments
* Access to [Settings](/realmjoin-settings/settings.md)
* Starting Runbooks or Read Runbook Job logs
### Advanced Supporter Permissions
This will grant:
* Read-only access to all areas of [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Initiate remote support sessions
* Retrieval of LAPS credentials
* Sync/scan devices
* Request device logs
* Run proactive remediation scripts
* Change primary user
* Starting Runbooks and reading Runbook Job logs
* Several read-only permissions in areas like apps/packages with settings, package store, device health scripts, notifications, templates, favourites, organization files, software report etc.
This permission does not include:
* Subscribing to apps/packages
* Modifying group memberships / assignments
* Access to [Settings](/realmjoin-settings/settings.md)
### Runbook Runner Permissions
This will grant:
* Read-only access to all areas of [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Starting Runbooks
* Reading Runbook Job logs
This permission does not include:
* Subscribing to apps/packages
* Modifying group memberships / assignments
* Access to [Settings](/realmjoin-settings/settings.md)
### Software Agent Permissions
This will grant:
* Read-only access to [User and Group Management](/ugd-management/user-group-device-management.md)
* Full access on application management groups
* Access to all features of [Application Management](/app-management/packages.md)
This permission does not include:
* Starting Runbooks
* Modifying group memberships / assignments other than through application management
* [Device Management](/ugd-management/user-list.md)
* Access to [Settings](/realmjoin-settings/settings.md)
### Software Requester Permissions
This allows a user to file a request to RealmJoin for a new software package to be created and offered in his organization / tenant. Regular software requests will be processed by the "package as a service" team at RealmJoin.
This permission does not include:
* Access to [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Access to [Application Management](/app-management/packages.md)
* Starting Runbooks or reading Runbook Job logs
* Access to [Settings](/realmjoin-settings/settings.md)
### Organic Software Requester Permissions
This allows a user to automatically create a software package from uploaded sources in his organization / tenant. No manual check by the "package as a service" team at RealmJoin will be done on these packages.
This permission does not include:
* Access to [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Access to [Application Management](/app-management/packages.md)
* Starting Runbooks or reading Runbook Job logs
* Access to [Settings](/realmjoin-settings/settings.md)
### Notification Agent Permissions
This allows a user to create and publish notifications.
This permission does not include:
* Access to [User, Group and Device Management](/ugd-management/user-group-device-management.md)
* Access to [Application Management](/app-management/packages.md)
* Starting Runbooks or reading Runbook Job logs
* Access to [Settings](/realmjoin-settings/settings.md)
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.realmjoin.com/realmjoin-settings/permission/pre-defined-roles.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.