Role-Based Permissions is Evo's way of implementing "Zero Trust" for your administrative users. When an administrative user is first granted access to Evo, they will not have any roles or permissions assigned to them. The Global Admin must create a Role-Based Permissions group, and assign the appropriate roles to the admins that belong to that group. This is very beneficial for restricting or granting access to various parts of the portal, as well as the ability to use product features, such as Elevated Access. Many roles are self-explanatory, but some need a bit more detail. Please refer to this page for more detail of the roles - List of Roles within Role-Based Permissions
Permission groups can only be assigned to users with a user type of Admin. If you have added a directory that will sync users with Evo, you will first need to convert the user types to admin, as they would have been synced with a type of user.
Permission groups are managed from your main dashboard. Permissions for a given group are broken down into areas and screens within the Evo admin portal.
How to add a permission group
A user can only be assigned to one permission group. The group they are associated with be the same permissions granted for all tenants they have access to.
- From the dashboard, click Access.
- Click Role-Based Permissions.
- Click Create New Permission Group.
- Enter a name for the new group, and optionally a description.
- Click Next Step.
- Based on the groups access requirements, check each appropriate permission. Once all permissions have been checked, click Next Step.
- From the list of User Groups, assign a group.
- From the list of administrators. Check the row for each administrator to be included in the group.
- Click Add Permission Group.
Now that the permission group has been created. Don’t forget to set the users tenant access. Refer to How do I manage my tenant access permissions?
How to edit a permission group
- From the dashboard, click Access.
- Click Role-Based Permissions.
- In the displayed list of permission groups, find the one you want to edit. Click the name of the group in the appropriate row.
- Make the edits you want.
- Click Save Changes.
How to delete permission groups
- From the dashboard, click Access.
- Click Role-Based Permissions.
- In the displayed list of permission groups, find the one you want to delete. Click the "trashcan" at the end of the row.
- Click Delete.
List of Roles
Within Role-Based Permissions, you will see dozens of roles! Some of them are self-explanatory, while others may sound a bit confusing. This article will break down these roles and what they do:
Access
-
Add Role Group
- Allows the admin to create a new Role group
-
Delete Role Group
- Allows the admin to delete Role groups
-
Edit Role Group
- Allows the admin to edit Role groups
-
Edit User Access to Customer Access
- Allows the admin to view the Customer Access page
-
View Role-Based Permissions Section
- Allows the admin to view the Role-Based Permissions page
Access Token
-
Add Access Token
- Allows the admin to add/create an Access Token
-
Delete Access Token
- Allows the admin to delete Access Tokens
-
Edit Access Token
- Allows the admin to edit Access Tokens
-
View Access Token Section
- Allows the admin to view the Access Tokens page
Billing
-
View Billing & Licensing Section
- Allows the admin to view the Billing & Licensing page
Convert to Admin
-
Convert Admin to User
- Allows the admin to convert an admin user to an end-user
-
Convert User to Admin
- Allows the admin to convert an end-user to an admin
Customer Activity
-
View Customer Activity
- Allows the admin to view the activity of the customer
-
View Customer Audit Events
- Allows the admin to view the audit log
Customers
-
Add Customers
- Allows the admin to add/create a new Customer
-
Delete Customers
- Allows the admin to delete Customers
Dashboard
-
View Dashboard Section
- Allows the admin to view the dashboard (Overview page of the portal)
Devices
-
Delete Endpoint
- Allows the admin to delete a Device
-
Disable/Enable Endpoint
- Allows the admin to Enable/Disable the Device
-
View Endpoint Details
- Allows the admin to view the details of the Device
-
View Endpoints Section
- Allows the admin to view the Devices page
Directories
-
Add Directory
- Allows the admin to create directories
-
Delete Directory
- Allows the admin to delete directories
-
Edit Directory
- Allows the admin to edit directories
-
View Directories Section
- Allows the admin to view the Directories page
Elevated Access
-
Add Elevated Access
- Allows the admin to create/add an Elevated Access Assignment
-
Can be elevated Admin
- Allows the admin the ability to elevate to a domain account (important for Elevated Access)
-
Delete Elevated Account
- Allows the admin to delete an Elevated Access Assignment
-
Edit Elevated Access
- Allows the admin the ability to delete Elevated Access Assignments
- Allows the admin the ability to delete Elevated Access Assignments
-
View Elevated Access Section
- Allows the admin the ability to View the Elevated Access Page
Elevation Requests
-
Manage Elevation Notifications
- Allows the admin to create, enable, disable or delete notifications from the Elevation>Configuration section for a Tenant.
-
Manage Elevation Requests
- Allows the admin to approve or deny Elevation Requests.
-
Manage Elevation Rules
- Allows the admin to create, enable, disable or delete Rules at Tenant level.
-
Manage Environment Level Elevation Notifications
- Allows the admin to create, enable, disable or delete notifications from the Elevation>Configuration section at a Global Level.
-
Manage Environment Level Elevation Rules
- Allows the admin to create, enable, disable or delete Rules at Global level.
Groups
-
Add Group
- Allows the admin to create a User Group
-
Add Group Members
- Allows the admin to add users to a User Group
-
Delete Group
- Allows the admin to delete User Groups
-
Delete Group Members
- Allows the admin to delete members of a User Group
-
Edit Group
- Allows the admin to edit the User Group
-
View Group Section
- Allows the Admin to view the User Group Details page
-
View Groups Section
- Allows the admin to view the Groups page
Integrations
-
View Applications Section
- Allows the admin to view the Applications page
Keys
-
Add Key
- Allows the admin to add a key
-
Delete Key
- Allows the admin to delete keys
-
Disable/Enable Key
- Allows the admin to Enable or Disable Keys
-
View Keys Section
- Allows the admin to view the Keys page
Local Admin Accounts
-
Manage Local Admin Accounts
- Allows the admin to view and manage Local Admin Accounts
Onboarding
-
Add Onboarding
- Allows the admin to create a new onboarding campaign
-
Delete Onboarding
- Allows the admin to delete onboarding campaigns
-
Edit Onboarding
- Allows the admin to edit onboarding campaigns
-
View Onboarding Section
- Allows the admin to view the Onboarding page
Rules
-
Add New Rule
- Allows the admin to add a new policy
-
Delete Rule
- Allows the admin to delete policies
-
Disable/Enable Rule
- Allows the admin to disable/enable policies
-
Edit Rule
- Allows the admin to edit the policy
-
View Policies
- Allows the admin to view the Policies page
Users
-
Add new Evo cloud user
- Allows the admin to add a new Evo Cloud user
-
Delete User
- Allows the admin to delete Evo cloud users
-
View User
- Allows the admin to view the User Details
-
Disable/Enable MFA
- Allows the admin to Enable or Disable MFA for users
-
Disable/Enable User
- Allows the admin to Enable or Disable users
-
Send Welcome Email
- Allows the admin to send a Welcome E-mail to the user
-
Send Password Reset
- Allows the admin to send a Password reset to the user
-
View People Section
- Allows the admin to view the People page
Web Accounts
-
Manage Web Accounts
- This role will allow an admin to create and delete web accounts
-
Use Web Accounts
- This role will an admin to check-in/check-out a web account.
White Labeling
-
Edit Color Scheme
- Allows the admin to edit the color scheme of the Evo Portal
-
Reset Customizations
- Allows the admin to reset to default
-
Upload Logo
- Allows the admin to upload a logo
-
View Customization Section
- Allows the admin to view the White Labeling page