Role-Based Access Control

PLAN AVAILABILITY COMPONENT. DO NOT EDIT ME

PDQ Connect supports the use of Role-Based Access Control (RBAC) to limit user permissions based on predefined roles. RBAC allows administrators to enhance security and control by ensuring that users only have access to the resources they need. 

Settings Page

To access the settings for Role-Based Access Control in PDQ Connect, click the gear icon located at the bottom left of the PDQ Connect interface. This will take you to the Settings page. Select the Teammates tab to view and assign user roles.

Assigning Roles

The Teammates tab contains a list of all users with access to your PDQ Connect organization along with their existing user role as seen in the Role column. To change a user’s role, click the down arrow to the right of their role and select a new role from the drop-down list.

Built-in (PDQ) Roles

PDQ Connect has two built-in roles: Admin and Member.

Admin

  • The Admin role has access to the full device management and tenant management capabilities of Connect, and they also have the ability to invite and manage other users, and migrate devices between tenants.

Member

  • The Member role cannot invite users, manage user permissions, or migrate devices between tenants, but can be granted any other permission as preferred. 
 

What about the Owner?

There is no Owner role in PDQ Connect, but that role does exist in the PDQ Portal. The Owner is a single, designated admin user in the billing portal who is the primary billing contact for your account. The default Owner is the user that signed up for the original PDQ Connect trial, but ownership can be transferred to any other user in the billing portal.

The Owner is automatically granted an Admin role in PDQ Connect, but they can be demoted from that role by another Admin, or even deleted as a user in Connect, while remaining the Owner of the account in Portal. In this way, you can designate a billing contact in a non-technical role (e.g. in Accounts Payable) as your account owner while keeping them out of actually managing devices.

Additional role info:

  • The built-in user roles cannot be deleted or edited. 
  • Users added in the future will be assigned the Member role by default.
  • The default role assigned to new teammates may be changed under the Roles tab of the Settings page.
  • Only users with the Admin role can change another users role. 
  • Users with the Admin role cannot change their own role. But they can change the role of other Admins.
  • To "demote" an Admin, grant another user the Admin role who will then change the previous Admin's role. 

Configuring Roles

To configure Roles, click Settings (gear icon) | Roles. 

The Roles page displays all user roles currently available in PDQ Connect. The built-in roles (Admin/Member) will appear with a Type of PDQ, while any custom roles that an admin creates will appear with a Type of Custom. 

Custom roles will be listed as such under the "Type" column, while the two built-in roles will be labeled as "PDQ." 

The Name column displays the friendly name of each role along with the designated default user role, noted by the blue "Default" icon. The default role is the initial role assigned to any teammate invited to join a PDQ Connect organization. Any role can be set as the default. 

To Edit, Delete, or Set as default, click on the kebab menu located on the right side of the row for that role, and select the desired option. 

The built-in PDQ roles can only be viewed or set as default - they cannot be edited or deleted. 

 

To Create a new Role, click the Create role button at the top right of the page. The Create Role window will appear, with with options to name the new role and configure its permissions. 

The options shown when creating a new role are identical to those available when editing an existing one.

RBAC permissions

Below is a complete list of the available RBAC permissions in PDQ Connect, along with a brief description. 

All permissions may be enabled or disabled based with the exception of Manage teammates, which is reserved for the Admin role. 

  • Deploy packages
    • User can initiate, cancel, and re-deploy package deployments
  • Manage automations
    • User can create, edit, and delete automations
    • This permission is unavailable if "Deploy packages" is disabled.
  • Manage Windows updates
    • This permission is unavailable if "Deploy packages" is disabled.
  • Manage custom packages
    • User can create, edit, and delete custom packages
  • View vulnerabilities
    • Users can view all vulnerabilities and details
  • Manage services and processes
    • User can start, stop, and restart services or end processes
  • Manage groups
    • User can create, edit, and delete device groups
  • Manage reports
    • User can create, edit, and delete reports
  • Manage custom scanners
    • User can create, edit, and delete custom scanners
  • Manage custom fields
    • User can create, edit, and delete custom fields
  • Run commands
    • User can run CMD and PowerShell commands directly on a device
  • Reboot devices
    • User can reboot devices (does not affect reboots performed through packages or commands)

 

  • Delete devices
    • User can permanently delete devices
  • Manage roles
    • User can create, edit, and delete teammate roles
  • Invite teammates
    • User can invite teammates to use Connect
  • Manage teammates
    • User can change teammate roles and remove them from the organization
    • Only users with the Admin role can manage teammates.
  • Manage custom variables
    • User can create, edit, and delete custom variables
  • View audit logs
    • User can view the audit logs
  • Manage API keys
    • User can view, create, and revoke API keys
  • Start remote desktop sessions
    • User can start remote desktop sessions
  • Manage remote desktop settings
    • User can change remote desktop connection settings in Connect 
      (Settings ⚙ | Remote desktop)
  • Manage multi-tenancy
    • User can create, edit, and delete tenants in the organization
  • Migrate devices
    • User can assign devices to different tenants
    • Only parent-level users with the Admin role can migrate devices.

 

Was this article helpful?