
Role Based Access Controls (RBAC) Permissions

Dec 21, 2015

You can use role-based access control (RBAC) to create custom roles in Device Manager, beyond the default roles. Custom roles grant permissions to user accounts to target specific functionality within Device Manager.

For example, you can create roles to allow the following capabilities:

  • To give limited access to devices for administrators whom you want to perform only basic device operations and run reports. After the administrator logs on to Device Manager, only the Devices and Reports tabs appear. When a user has only Report rights, the Devices tab does not appear for that user, but the About tab is displayed. The About tab is also displayed by default for users who have no other rights at all.
  • To allow an administrator to view, add, locate, edit, and lock a device.

You can associate both users and groups with roles. For example, if you import Active Directory groups into Device Manager, you can apply fine-grained access control to the Active Directory groups.

The following table describes the list of features and accessibility you can associate with a role:

Role Functionality

Super Admin

Access to all functionality within Device Manager (all functionality listed in this table).

Authorised Access

Access to the Admin console and/or the Self Help Portal, as well as device access for remote support and remote support access:
  • Admin Console Access
  • Self Help Portal Access
  • Device Access (when Remote Support is enabled)
  • Remote Support


Access to view all of the Device Manager Dashboard and the ability to customize the Dashboard. In order to perform actions in the Dashboard, however, such as send notification, wipe/selective wipe, revoke, locate, and so on, a user must be granted those specific permissions. Also, if a user is restricted from viewing specific groups, the devices that belong to users in those blocked groups will not appear in the Dashboard.


Access to the Devices tab and the ability to perform general device management tasks, such as connecting to iOS devices, importing devices, editing device properties, locating, locking/unlocking, revoking, wiping, and selectively wiping a device. Specific permissions include:

  • Full wipe device
  • Selective wipe device
  • View locations - when selected, users can see location and locate/track device. Includes:
    • Locate device
    • Track device
  • Lock device
  • Unlock device
  • Deploy to a Device - allows you to push a deployment package to a device.
  • Edit device properties
  • Notification to a device - gives you the ability to select a notification template, send ad-hoc notifications to a device or group of devices from the devices tab using email, SMS, or agent push notifications.
  • Add/Delete device
  • Devices import
  • Revoke device
  • View Software Inventory - when selected, user is allowed to view a device software inventory.


Ability to create users and groups. Includes the following permissions:
  • Add/delete groups
  • Add/delete users
  • Edit a user's property
  • Can manage admin users
  • Users import - ability to import list of users from a file


Access to the Options dialog and all functionality related to enrollment, including setting default enrollment modes, configuring enrollment notification servers (SMTP/SMS Gateway), modifying and creating enrollment templates, and sending enrollment notifications. Includes the following permissions:
  • Edit enrollment
  • Notify user


Access to the Policies tab and all features related to defining and implementing policies, such as security and password policies, Exchange ActiveSync policies, app tunneling (Windows and Android), server groups, registry configurations (Windows), configurations, applications access (blacklist/whitelist), SharePoint policies, and more. Includes the following permissions:
  • Add/delete policy
  • Edit policy
  • Download policies
  • Apply policies (deploy policies in a deployment package)


Access to the Files tab and adding, deleting, and downloading files. Includes the following permissions:
  • Add/delete files
  • Edit files
  • Download files

Applications

Allows access to the Applications tab, where you can upload and define applications and create application categories to organize the apps you want to deploy to users' devices. Includes the following permissions:
  • Add/delete applications
  • Edit applications
  • Application download
  • Manage category (create custom app categories for organization)


Access to the Deployment tab and all functionality related to device deployment, such as the ability to create, edit, deploy, and delete packages. Includes the following permissions:
  • Add/delete package
  • Edit package
  • Deploy packages


Access to the Reporting tab and the ability to run and view Device Manager reports.


Access to the About tab features:
  • Edit and upload an APNS certificate
  • Edit XenMobile MDM license
  • Connections information - provides visibility into server related information, such as security parameters, JVM information, and system health.


The Options feature provides a user access to the Options dialog box and the following features in the Options dialog box:

  • Role-Based Access Control
  • LDAP
  • Mobile Service Provider
  • ActiveSync Gateway
  • Network Access Control
  • AppC WebServices API
  • GoToAssist
  • PKI Entity
  • Scheduling
  • Security
  • General service parameters

Note: If you want this role to have access to the Role-Based Access Control feature, you need to specifically select the Role-Based Access Control option in the dialog box.

Restrict Group Access

Allows you to associate groups with the current role. When a group is associated with a role, users in that group can only see devices associated with that group. If a user belongs to more than one group, and some of those groups provide a range of permissions, all permissions related to all groups are merged into the role.
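
The merge rule above means a user's effective rights are the union of everything granted through any of their groups, so it is worth auditing who ends up with high-impact permissions that way. The following is an added example, not Device Manager code or its API: permission names come from the table above, while the role, group and user names and the choice of HIGH_IMPACT permissions are constructed assumptions.

```python
# Added illustration: a simplified model of merged permissions.
# Permission names are from the table above; all other data is constructed.

# Permissions treated as high impact for this audit (an assumption).
HIGH_IMPACT = {"Full wipe device", "Selective wipe device", "Revoke device",
               "Can manage admin users"}

ROLES = {  # hypothetical custom roles -> permissions
    "Helpdesk": {"Admin Console Access", "Lock device", "Unlock device",
                 "Locate device"},
    "Inventory": {"Admin Console Access", "View Software Inventory"},
    "DeviceOps": {"Admin Console Access", "Full wipe device", "Revoke device",
                  "Edit device properties"},
}
GROUP_ROLES = {  # group -> roles associated with it (constructed)
    "AD-Helpdesk": {"Helpdesk"},
    "AD-Auditors": {"Inventory"},
    "AD-Operations": {"DeviceOps"},
}
USER_GROUPS = {  # user -> group membership (constructed)
    "alice": {"AD-Helpdesk"},
    "bob": {"AD-Helpdesk", "AD-Operations"},
    "carol": {"AD-Auditors"},
}

def effective_permissions(user):
    """Union of every permission granted through any of the user's groups."""
    perms = set()
    for group in USER_GROUPS.get(user, ()):
        for role in GROUP_ROLES.get(group, ()):
            perms |= ROLES[role]
    return perms

def merge_findings(user):
    """High-impact permissions the user holds, with the groups granting them."""
    findings = {}
    for group in sorted(USER_GROUPS.get(user, ())):
        for role in GROUP_ROLES.get(group, ()):
            for perm in ROLES[role] & HIGH_IMPACT:
                findings.setdefault(perm, []).append(group)
    return findings

def audit():
    """Users whose merged permissions include anything in HIGH_IMPACT."""
    return {u: merge_findings(u) for u in sorted(USER_GROUPS) if merge_findings(u)}

if __name__ == "__main__":
    for user, findings in audit().items():
        for perm, groups in sorted(findings.items()):
            print(f"{user}: '{perm}' via {', '.join(groups)}")
```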