Ask or search…
K

Available Permissions

Overview

This page will try to list and explain available permissions to use in Custom Roles.
This list is not complete, as the feature-set of RealmJoin is continually growing.
Please use Auto-Complete in Custom Roles' editor to see all currently available permissions.
We will expand this list over time.
As there are many permissions available, we will group them by topic for easier naviagtion.

Settings

CanReadSettingsDetails

The user gains access to to Settings

App Management

CanReadAppTable

The user gains read access to Package Management (Package Management List). This does not grant permission to the package details.

CanReadIntuneAppDetails

Given:
The user gains read only access to Intune packages / package details.

CanReadRealmJoinAppDetails

Given:
The user gains read only access to RealmJoin Client packages / package details.

CanChangeAppAssignments

Given:
The user gains the ability to add/remove user or group assignments in a packages details.

CanChangeAppAssignmentSettings

Given:
On RealmJoin Client Packages, the option to change per assignment settings will be shown and users can modify the settings.

CanEditAppArgs

Given:
The user gains the ability to modify an app's command line arguments in Package Details.

CanEditAppAutomation

Given:
The user gains the ability to modify an Intune app's automation settings ( = If and when newer versions of the package from the store will be automatically rolled out to existing users.)

CanEditAppDisplayName

Given:
The user gains the ability to modify an app's display name.

CanEditAppExpertSettings

Given:
The user gains the ability to modify an app's expert settings.

CanEditAppTechnicalApplicationOwners

Given:
The user gains the ability to modify an app's Technical App. Owners in Config.

CanDeleteApp

Given:
The user gains the ability to delete an app from a Package Management. This will not remove an app from the package store and will not trigger uninstallations on existing deployments.

CanRequestSoftware

The user gains the ability to submit a software packaging request to glueckkanja.
Please combine this with either CanRequestSoftwareOrganic or CanRequestSoftwarePaas

CanRequestSoftwareOrganic

The user gains the ability to submit an "organic" software package to glueckkanja for distribution via RealmJoin Client to specific users.
Organic packages contain raw and unprocessed application setups. When handling those, RealmJoin is used as a transport vehicle to move the zipped container to a specified location. Depending on its payload, the installer then has to be manually started by the user (if user mode) or a remote administrator or field service.
The software deployment will not be tested by glueckkanja.

CanRequestSoftwarePaas

The user gains the ability to submit a software packaging request to glueckkanja.
The software will be packaged by glueckkanja and will become available for consumption through the Package Store.

CanReadPackageStoreTable

The user gains access to the Package Store (Package Store List).
This does not grant permission to the package details or to subscribe to an app.

CanReadPackageStoreDetails

Given:
  • CanReadPackageStoreTable
Allow a user to inspect a package store offering. This does not grant permission to subscribe to an app.

CanSubscribeApp

Given:
  • CanReadPackageStoreDetails
Allow the user to subscribe to an offering from package store.

CanSeeIntuneAppJson, CanSeeIntuneAppStoreJson, CanSeeRealmJoinAppJson, CanSeeRealmJoinAppStoreJson

Allow to see additional, diagnostic JSON information for a package in Package Store or Package Management.

User Management

CanReadUserTable

The user gains the ability to see the list of all AzureAD users.

CanReadUserDetails

The user gains the ability to inspect an individual user's details.

CanSeeRealmJoinUserSettings

Given:
  • CanReadUserDetails
Allow the user to see/inspect RealmJoin Client Settings assigned to a specific user.

CanChangeRealmJoinUserSettings

Given:
  • CanReadUserDetails
  • CanSeeRealmJoinUserSettings
Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific user.

CanReadUserSettingTable

The user gains the ability to see the list of user settings (across all users) from the navigation.

CanReadUserSettingDetails

The user gains the ability to inspect all user settings' details.

CanSeeUserJsonAzureAD and CanSeeUserJsonRealmJoin

Given:
  • CanReadUserDetails
These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

CanSeeUserSignIns

Given:
  • CanReadUserDetails
These permissions allow a user to see AzureAD user sign in information as JSON in a separate tab.

Group Management

CanReadGroupTable

The user gains the ability to see the list of all AzureAD and RealmJoin internal groups.

CanReadGroupDetails

The user gains the ability to inspect an individual AzureAD / RealmJoin internal group's details.

CanChangeGroupMembers

Given:
  • CanReadGroupDetails
The user gains the ability to add or remove members from groups.

CanDeleteGroup

Given:
  • CanReadGroupDetails
The user gains the ability to delete a group.

CanEditGroupDisplayName

Given:
  • CanReadGroupDetails
The user gains the ability to change a groups display name.

CanSeeGroupJsonAzureAD and CanSeeGroupJsonRealmJoin

Given:
  • CanReadGroupDetails
Allow the user to see diagnostic metadata about a AzureAD or RealmJoin internal group, if "Show advanced info" is enabled in Settings.

CanSeeRealmJoinGroupSettings

Given:
  • CanReadGroupDetails
Allow the user to see/inspect RealmJoin Client Settings assigned to a specific group.

CanChangeRealmJoinGroupSettings

Given:
  • CanReadGroupDetails
  • CanSeeRealmJoinGroupSettings
Allow the user to add/modify/delete RealmJoin Client Settings assigned to a specific group.

CanReadGroupSettingTable

The user gains the ability to see the list of group settings (across all groups) from the navigation.

CanReadGroupSettingDetails

The user gains the ability to inspect all group settings' details.

Device Management

CanReadDeviceTable

The user gains the ability to see the list of all AzureAD devices.

CanReadDeviceDetails

The user gains the ability to inspect an individual device's details.

CanRequestDeviceLogs

The user can trigger collecting "Extended Logs" for a device using RealmJoin Client .
Request RealmJoin Client Logs

CanScanDevice

The user can trigger a Defender for Endpoint scan for a Windows device.

CanSyncDevice

The user can trigger an Intune sync for a managed Windows device.

CanChangeRealmJoinPrimaryUser

Allow the user to assign a different primary user in RealmJoin.
When transfering a Windows device to a different user, you should change the RealmJoin primary user AND wipe the device. When a new user logs on after the wipe, this will also update the Intune primary user.

CanSeeDeviceAutopilotInformation

Allow the user to see a device's Autopilot information (if present)
Autopilot info

CanSeeDeviceExtendedSecurityInformation

Allow the user to see a device's extended sec. info from Defender for Endpoint - if available.
Extended Security Information
Allow the user to see links to Intune, AzureAD etc. Only useful if the user is allowed to use these portals.
Device External Links

CanSeeDeviceJson...

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.
  • CanSeeDeviceJsonAtp
  • CanSeeDeviceJsonAutopilot
  • CanSeeDeviceJsonAzureAD
  • CanSeeDeviceJsonIntune
  • CanSeeDeviceJsonRealmJoin

CanSeeDeviceNetworkInformation

Allow the user to see network information for a device if available.
This will include "Delivery Optimization" information if available.
Network Information

CanSeeDeviceRealmJoinInformation

Allow the user to see RealmJoin Client details or a device.
RealmJoin Client Information

CanSeeDeviceSafeguardHold

Allow the use to see the Safeguard Holds for a device.
Safeguard Holds indicate that a Windows device can not upgrade to a newer version of Windows.

CanSeeDeviceSecurityInformation

Allow the user to see a device's security state, especially device compliance.
Device Security Information

CanSeeDeviceSecurityRecommendations and CanSeeDeviceSecurityVulnerabilities

RealmJoin Portal can pull security recommendations and vulnerabilities from the Microsoft Security Center. This permission allows a user to see these for a device respectively.
Security Vulnerability
Security Recommendations

CanSeeDeviceUsers

Allow the user to see the devices logged in user.
Be aware: If not given this permission, a user able to see the device's details can still see the device's owner.

CanSeeWarranty

Allow the user to use the warranty tab for a device.

CanUseDeviceAnyDeskInterface

Allow the user to use / connect to a device using AnyDesk AnyConnect from RealmJoin Portal.
AnyConnect Remote Support

Organization

CanReadOrganizationDetails

Allow the user to see / read the Organization details.

CanSeeOrganizationJsonAzureAD

These permissions allow a user to see specific diagnostic information as JSON in separate tabs if "show advanced info" is enabled in Settings.

Self Service Forms

CanReadSelfServiceFormsHistoryTable

The user can see the list of recent Self Service Forms submissions.

CanReadSelfServiceFormsHistoryDetails

The user can inspect individual Self Service Forms submission details and contents.

CanAddSelfServiceForms and CanDeleteSelfServiceForms

Given:
  • Self Service Forms are enabled for your tenant
  • User has access to Settings
The user can create new or delete Self Service Forms in Settings->Self Service Forms respectively.

Runbooks

CanSeeRunbooks

The user can see the list of available runbooks, limited by:
  • Object types (Users/Groups/Devices/Org) the user can see
  • Runbooks as limited by Runbook Permissions
This does not grant the right to actually start Runbook jobs.

CanRunRunbooks

The user can start Runbooks, if CanSeeRunbooks is given and the conditions listed there are met.

CanEditRunbookSchedules

If the user is able to see Runbooks, he/she can create/manage Runbook Schedules.

Logs

CanReadRunbookTable

Allow a user to see the Runbook Logs list.

CanReadRunbookDetails

Allow a user to inspect a Runbook Logs item and output.