Access rights and permissions

Overview

Nexthink users have the right to see and manage content depending on their profile and assigned roles. The definition of a profile includes the account type, view domains, mandatory roles, and other settings that determine the permissions of the users for managing content and performing system administration tasks.

The following tables show which features of the product each type of user can access, including any additional profile or role requirements where needed.

System management

| Feature | Main administrator | Central administrator | User |
|---|---|---|---|
| Manage accounts | Ok | Ok | No |
| Manage profiles | Ok | Ok | No |
| Manage roles | Ok | Ok | No |
| Manage hierarchies | Ok | Ok | No |
| Manage entities | Ok | Ok | No |
| Manage engines | Ok | Ok | No |
| Manage appliance | Ok | Ok | No |
| Manage license | Ok | Ok | No |

Portal content

| Feature | Main administrator | Central administrator | User |
|---|---|---|---|
| Create modules and dashboards | Ok | Ok | Profile |
| View published modules | Ok | Ok | Roles |
| Manage published modules | Ok | Ok | Non-admin |
| Manage service alerts | Ok | Ok | No |

Profile
Normal users can create modules if the option Allow creation of personal dashboards is checked in the definition of their profile. Additionally, normal users can publish their modules if the option Allow publication of modules is checked in their profiles.
Roles
Normal users can see the published modules included in their roles only.
Non-admin
Normal users can manage only the modules that they can see and that were created by themselves or by other normal (non-admin) users.

Finder and Engine content

| Feature | Main administrator | Central administrator | User |
|---|---|---|---|
| Access to the Finder | Ok | Profile1 | Profile1 |
| Manage categories, services, metrics, global alerts, import and export content | Ok | Profile2 | Profile2 |
| Manually tag objects | Ok | Profile3 | Profile3 |
| Web API (NXQL) | Ok | Profile4 | Profile4 |
| Management of Collector | Ok | Profile5 | Profile5 |
| Editing (and manual triggering) of campaigns | Ok | Profile6 | Profile6 |
| Editing of remote actions | Ok | Profile7 | Profile7 |
| Execution of remote actions | Ok | Profile8 | Profile8 |

Profile1
The main administrator is granted access to the Finder by default. Other users must have the option Finder access checked in the definition of their profile.
Profile2
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to manage categories, services, metrics, scores, global alerts, as well as import and export content and manually synchronize users and devices with AD, if they have the suboption Allow system configuration checked, in addition to the Finder access option, in the definition of their profile.
Profile3
Users other than the main administrator can tag objects and edit applications if they have the suboption Allow editing of applications and object tags checked, in addition to the Finder access option, in the definition of their profile.
Profile4
Users other than the main administrator can access the Web API V2 (make requests to the Engine written in the NXQL language) if they have their Data privacy set to none (full access) and the option Finder access enabled in the definition of their profile.
Profile5
Users other than the main administrator are able to supervise the installation of the Collector with the Updater from the Finder if they have the suboption Allow management of Collectors checked in their profile.
Profile6
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to edit and publish campaigns, if they have the suboption Allow editing of campaigns checked, in addition to the Finder access option, in the definition of their profile. For campaigns that target users manually, this profile enables the manual triggering of campaigns.
Profile7
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to edit remote actions, if they have the suboption Allow editing of remote actions checked, in addition to the Finder access option, in the definition of their profile.
Profile8
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to execute remote actions if, in addition to the Finder access option, they have either the suboption Allow editing of remote actions checked or the remote actions included as roles in the definition of their profile.
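
The following added example (not Nexthink code) evaluates the Profile1 to Profile8 rules above against profile definitions and reports the high-impact rights each profile ends up with, which is useful in a least-privilege review. It makes visible that Allow editing of remote actions also grants execution, and that full data access plus Finder access is enough for the Web API. The dictionary key names are hypothetical stand-ins for the profile options, and the code assumes suboptions only count when Finder access is checked.

```python
# Added example. Key names are hypothetical stand-ins for the profile options
# named in notes Profile1-Profile8; they are not a Nexthink export format.
FULL = "none (full access)"
HIGH_IMPACT = {"web_api_nxql", "edit_remote_actions", "execute_remote_actions",
               "system_configuration"}
ALL = HIGH_IMPACT | {"finder", "tag_objects", "manage_collectors", "edit_campaigns"}

def effective_rights(p):
    """Finder/Engine features granted by one profile definition."""
    if p.get("main_admin"):
        return set(ALL)                      # main administrator: Ok on every row
    if not p.get("finder_access"):
        return set()                         # assumption: suboptions need Finder access
    full = p.get("data_privacy") == FULL     # data privacy disabled
    rights = {"finder"}                                           # Profile1
    if full and p.get("allow_system_configuration"):
        rights.add("system_configuration")                        # Profile2
    if p.get("allow_editing_apps_and_tags"):
        rights.add("tag_objects")                                 # Profile3
    if full:
        rights.add("web_api_nxql")                                # Profile4
    if p.get("allow_management_of_collectors"):
        rights.add("manage_collectors")                           # Profile5
    if full and p.get("allow_editing_of_campaigns"):
        rights.add("edit_campaigns")                              # Profile6
    if full and p.get("allow_editing_of_remote_actions"):
        rights.add("edit_remote_actions")                         # Profile7
    if full and (p.get("allow_editing_of_remote_actions")
                 or p.get("remote_action_roles")):
        rights.add("execute_remote_actions")                      # Profile8
    return rights

def audit(profiles):
    """Map profile name -> sorted high-impact rights, omitting profiles with none."""
    report = {}
    for name, p in profiles.items():
        risky = sorted(effective_rights(p) & HIGH_IMPACT)
        if risky:
            report[name] = risky
    return report

# Constructed sample profiles; "restricted" is a placeholder for any non-full setting.
PROFILES = {
    "helpdesk": {"finder_access": True, "data_privacy": "restricted",
                 "allow_editing_apps_and_tags": True},
    "ra-author": {"finder_access": True, "data_privacy": FULL,
                  "allow_editing_of_remote_actions": True},
    "viewer": {"finder_access": False, "data_privacy": FULL},
}
```

Calling audit(PROFILES) lists only the profiles that hold at least one high-impact right, so the result can be compared against the set of people who are meant to have them.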