Pre-defined Roles
Usage
All pre-defined roles can be assigned to one or multiple Entra groups. If wanted, you can manage those groups via Microsoft Entra Privileged Identity Management (e.g. implement just-in-time privileged access with approval mechanisms).
Simply click on "[x] groups" and add or remove the desired Entra groups.
Available roles
Admin Permissions
This will grant full administrative and configuration control over RealmJoin Portal. This includes e.g.:
Access to all features of User, Group and Device Management and Process Automation
Access to all features of Application Management
Full access to Settings including:
Modifying permissions / delegations
Onboarding/modifying Runbook integration
Modifying Runbooks permissions and customizing
Changing package automation defaults
Retrieval of LAPS credentials
Manage Workplace Cloud Storage
Auditor Permissions
This will grant read-only access to all areas of RealmJoin Portal.
Read-only access to all areas of User, Group and Device Management
Read-only access to all features of Application Management
Reading Runbook Job logs
This permission does not include:
Starting Runbooks
Subscribing to apps/packages
Modifying group memberships / assignments
Access to Settings
Retrieval of LAPS credentials
Supporter Permissions
This will grant:
Read-only access to all areas of User, Group and Device Management
Initiate remote support sessions
Retrieval of LAPS credentials
Sync/scan devices
Request device logs
This permission does not include:
Subscribing to apps/packages
Modifying group memberships / assignments
Access to Settings
Starting Runbooks or Read Runbook Job logs
Advanced Supporter Permissions
This will grant:
Read-only access to all areas of User, Group and Device Management
Initiate remote support sessions
Retrieval of LAPS credentials
Sync/scan devices
Request device logs
Run proactive remediation scripts
Change primary user
Starting Runbooks and reading Runbook Job logs
Several read-only permissions in areas like apps/packages with settings, package store, device health scripts, notifications, templates, favourites, organization files, software report etc.
This permission does not include:
Subscribing to apps/packages
Modifying group memberships / assignments
Access to Settings
Runbook Runner Permissions
This will grant:
Read-only access to all areas of User, Group and Device Management
Starting Runbooks
Reading Runbook Job logs
This permission does not include:
Subscribing to apps/packages
Modifying group memberships / assignments
Access to Settings
Software Agent Permissions
This will grant:
Read-only access to User and Group Management
Full access on application management groups
Access to all features of Application Management
This permission does not include:
Starting Runbooks
Modifying group memberships / assignments other than through application management
Access to Settings
Software Requester Permissions
This allows a user to file a request to RealmJoin for a new software package to be created and offered in his organization / tenant. Regular software requests will be processed by the "package as a service" team at RealmJoin.
This permission does not include:
Access to User, Group and Device Management
Access to Application Management
Starting Runbooks or reading Runbook Job logs
Access to Settings
Organic Software Requester Permissions
This allows a user to automatically create a software package from uploaded sources in his organization / tenant. No manual check by the "package as a service" team at RealmJoin will be done on these packages.
This permission does not include:
Access to User, Group and Device Management
Access to Application Management
Starting Runbooks or reading Runbook Job logs
Access to Settings
Notification Agent Permissions
This allows a user to create and publish notifications.
This permission does not include:
Access to User, Group and Device Management
Access to Application Management
Starting Runbooks or reading Runbook Job logs
Access to Settings
Last updated
Was this helpful?