.png)
Access rights and permissions
Overview
Nexthink users have the right to see and manage content depending on their profile and assigned roles. The definition of a profile includes the account type, view domains, mandatory roles, and other settings that determine the permissions of the users for managing content and performing system administration tasks.
The following tables display the access rights of the different types of users to the features of the product, including all the additional requirements to their profile or roles -when needed.
System management
Feature | Main administrator | Central administrator | User |
|---|---|---|---|
Manage accounts | Ok | Ok | No |
Manage profiles | Ok | Ok | No |
Manage roles | Ok | Ok | No |
Manage hierarchies | Ok | Ok | No |
Manage entities | Ok | Ok | No |
Manage engines | Ok | Ok | No |
Manage appliance | Ok | Ok | No |
Manage license | Ok | Ok | No |
Portal content
Feature | Main administrator | Central administrator | User |
|---|---|---|---|
Create modules and dashboards | Ok | Ok | Profile |
View published modules | Ok | Ok | Roles |
Manage published modules | Ok | Ok | Non-admin |
Manage service alerts | Ok | Ok | No |
Profile
Normal users can create modules if the option Allow creation of personal dashboards is checked in the definition of their profile. Additionally, normal users can publish their modules if the option Allow publication of modules is checked in their profiles.
Roles
Normal users can see the published modules included in their roles only.
Non-admin
Normal users can only manage the modules that they can see and have been created by themselves or by other normal (non-admin) users.
Finder and Engine content
Feature | Main administrator | Central administrator | User |
|---|---|---|---|
Access to the Finder | Ok | Profile1 | Profile1 |
Manage categories, services, metrics, global alerts, import and export content | Ok | Profile2 | Profile2 |
Manually tag objects | Ok | Profile3 | Profile3 |
Web API (NXQL) | Ok | Profile4 | Profile4 |
Management of Collector | Ok | Profile5 | Profile5 |
Editing (and manual triggering) of campaigns | Ok | Profile6 | Profile6 |
Editing of remote actions | Ok | Profile7 | Profile7 |
Execution of remote actions | Ok | Profile8 | Profile8 |
Profile1
The main administrator has the access to the Finder granted by default. Other users must have the option Finder access checked in the definition of their profile.
Profile2
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to manage categories, services, metrics, scores, global alerts, as well as import and export content and manually synchronize users and devices with AD, if they have the suboption Allow system configuration checked, in addition to the Finder access option, in the definition of their profile.
Profile3
Users other than the main administrator can tag objects and edit applications if they have the suboption Allow editing of applications and object tags checked, in addition to the Finder access option, in the definition of their profile.
Profile4
Users other than the main administrator can access the Web API V2 (make requests to the Engine written in the NXQL language) if they have their Data privacy set to none (full access) and the option Finder access enabled in the definition of their profile.
Profile5
Users other than the main administrator are able to supervise the installation of the Collector with the Updater from the Finder if they have the suboption Allow management of Collectors checked in their profile.
Profile6
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to edit and publish campaigns, if they have the suboption Allow editing of campaigns checked, in addition to the Finder access option, in the definition of their profile. For campaigns that target users manually, this profile enables the manual triggering of campaigns.
Profile7
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to edit remote actions, if they have the suboption Allow editing of remote actions checked, in addition to the Finder access option, in the definition of their profile.
Profile8
Users with data privacy disabled (Data privacy settings in the profile set to none (full access)) are able to execute remote actions if, in addition to the Finder access option, they have either the suboption Allow editing of remote actions checked or the remote actions included as roles in the definition of their profile.
RELATED TASK