Admin Roles are part of the foundation of protecting your organization by restricting access to only the areas people need to perform their daily job duties. JumpCloud offers a variety of roles to help keep things organized and secure.
To set these roles, see Settings in the JumpCloud Admin Portal.
Note: Role-based permissions apply both to the actions an administrator takes in the product and to each administrator's API key.
Administrator With Billing
This role is considered a Super Admin.
Important: Carefully consider who you give this level of access to. Accounts with this role have all privileges and can:
- Perform all user management tasks: create, modify, and delete user and administrator accounts.
- Perform all group management tasks: create, modify, and delete user and device groups.
- Perform all device management tasks: create, modify, delete, and grant access to devices; configure and run commands; configure and run device configurations / policies; configure and manage MDM settings and policies.
- Perform all user authentication tasks: configure, grant access to, and require authentication resources such as LDAP, RADIUS, SSO and SCIM applications.
- Perform all directory integration tasks: configure and manage directory integrations, provision and deprovision users in integrated directories.
- Perform all security management tasks: configure and require Multi-factor Authentication factors; configure Password Settings.
- Perform all account management tasks: configure all of JumpCloud's settings.
- Perform billing management tasks: update the account payment method. Only roles with billing privileges can manage payment methods for JumpCloud accounts. Learn about Billing roles.
- Perform all administration tasks for the Multi-Tenant Portal: all previously mentioned administration tasks for organizations in a Multi-Tenant Portal.
Administrator
Important: Carefully consider who you give this level of access to.
This role has all of the privileges of an Administrator With Billing except privileges to manage payments (Billing), administrators, or the Multi-Tenant Portal.
Manager
Accounts with this role can manage users, devices, and groups.
Command Runner With Billing
Accounts with this role can manage account payment methods.
Command Runner
Accounts with this role can only run commands they're given access to.
Help Desk
Accounts with this role can access and view JumpCloud resources, submit support requests, and manage users in the following ways:
- Create and delete users
- Reset account passwords
- Unlock users
- Set Admin/Sudo permissions on a user's device from the User > Devices tab
Billing Only
Accounts with this role can access the Account tab in the MTP, with Read Only permissions everywhere else. From the Account tab, Admins can review the Account Overview, review payment history, update mailing and billing information, and view the usage associated with the account.
Read Only
Accounts with this role have read-only permissions; they can access and view users and other JumpCloud resources, but can't perform any management tasks.
When you apply roles with limited permissions, a banner is shown in the Admin Portal that explains the level of permissions the account has.
The following table outlines role permission scope for new and legacy roles.
Admin Portal Roles
| Scope | Administrator with Billing | Administrator | Manager | Command Runner with Billing | Command Runner | Help Desk | Read Only | Billing Only |
|---|---|---|---|---|---|---|---|---|
| Administrators: | Edit | Read Only | Read Only | No Access | No Access | Read Only | Read Only | No Access |
| Billing: Billing payment information, including: | Edit | No Access | No Access | Edit | No Access | No Access | No Access | Edit |
| Multi-Tenant Portal: | Edit | Read Only | Read Only | N/A | N/A | Read Only | Read Only | No Access |
| Organization & User Portal: | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only | No Access |
| Authentication: | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only | No Access |
| Users: | Edit | Edit | Edit | No Access | No Access | Edit* (*Read Only for direct assignments to resources) | Read Only | No Access |
| Groups: | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only | No Access |
| Devices: | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only | No Access |
| Directory & App User Management: | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only | No Access |
| In-Product Support: | Edit | Edit | Edit | Edit | Edit | Edit | No Access | Edit |
| Case Portal: Actions relating to submitted tickets and feature requests, including: | Edit | Edit | Edit | Edit | Edit | Edit | Read Only | Edit |
| Notifications in the Admin Portal: | Edit | Edit | Read Only | Read Only | Read Only | Read Only | Read Only | Read Only |
| Insights: Actions in Directory Insights and System Insights, including: | Edit | Edit | Edit | No Access | No Access | Edit | Edit | No Access |
| Commands: | Edit | Edit | Edit | Running & Scheduling access to Commands for assigned Commands | Running & Scheduling access to Commands for assigned Commands | Read Only | Read Only | No Access |
| Bulk User Imports: | Edit | Edit | Edit | No Access | No Access | Edit | Read Only | No Access |
| SSO Applications: | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only | No Access |
| RADIUS servers: | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only | No Access |
| Remote Assist: | Edit | Edit | Edit | No Access | No Access | Launch Remote Assist (if Remote Assist is enabled in Settings) | No Access | No Access |
| SaaS Management: | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only | No Access |
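One way to use the permission table for a least-privilege review, as an added example that is not JumpCloud code: it encodes the table above, finds the lightest role that covers the scopes a job requires, and flags administrators who hold more than that. The privilege weighting, the function names and the sample inventory are assumptions of this example; Help Desk's "Edit*" on Users is coded as Edit.

```python
# Role order and cell codes transcribed from the permission table on this page.
# E = Edit, R = Read Only, N = No Access or N/A, L = limited (run assigned
# Commands / launch Remote Assist). Help Desk's "Edit*" on Users is coded E.
ROLES = ["Administrator with Billing", "Administrator", "Manager",
         "Command Runner with Billing", "Command Runner", "Help Desk",
         "Read Only", "Billing Only"]
MATRIX = {
    "Administrators": "ERRNNRRN",
    "Billing": "ENNENNNE",
    "Multi-Tenant Portal": "ERRNNRRN",
    "Organization & User Portal": "EERNNRRN",
    "Authentication": "EERNNRRN",
    "Users": "EEENNERN",
    "Groups": "EEENNRRN",
    "Devices": "EEENNRRN",
    "Directory & App User Management": "EERNNRRN",
    "In-Product Support": "EEEEEENE",
    "Case Portal": "EEEEEERE",
    "Notifications": "EERRRRRR",
    "Insights": "EEENNEEN",
    "Commands": "EEELLRRN",
    "Bulk User Imports": "EEENNERN",
    "SSO Applications": "EERNNRRN",
    "RADIUS servers": "EERNNRRN",
    "Remote Assist": "EEENNLNN",
    "SaaS Management": "EEENNRRN",
}
GRANTS = {"N": 0, "L": 0, "R": 1, "E": 2}  # what a cell satisfies as a need
WEIGHT = {"N": 0, "L": 1, "R": 1, "E": 2}  # heuristic weight (assumption of this example)

def weight(role):
    i = ROLES.index(role)
    return sum(WEIGHT[row[i]] for row in MATRIX.values())

def least_privileged_role(needs):
    """needs maps scope -> 'R' or 'E'; returns the lightest role covering all."""
    covering = [r for i, r in enumerate(ROLES)
                if all(GRANTS[MATRIX[s][i]] >= GRANTS[lvl] for s, lvl in needs.items())]
    return min(covering, key=weight)

def audit(admins):
    """Return (email, held, suggested) for admins holding more than they need."""
    return [(e, held, least_privileged_role(n)) for e, held, n in admins
            if weight(held) > weight(least_privileged_role(n))]

# Constructed sample inventory: (admin, role held, scopes the job requires).
SAMPLE = [("ops@example.com", "Administrator", {"Users": "E", "Devices": "E"}),
          ("fin@example.com", "Administrator with Billing", {"Billing": "E"}),
          ("desk@example.com", "Help Desk", {"Users": "E", "Insights": "E"})]
```

Calling `audit(SAMPLE)` reports the first two accounts as over-privileged; because role permissions also bind each administrator's API key, a downgrade narrows what that key can do as well.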