The following roles can be applied to JumpCloud administrator accounts from the Administrators tab in Settings in the JumpCloud Admin Portal. These roles protect your organization by restricting access to only the areas people need to perform their daily job duties.
Learn more in Managing JumpCloud Administrator Accounts.
Note: Role-based permissions apply both to an administrator's actions in the product and to that administrator's API key.
Administrator With Billing: This role is considered a Super Administrator. Important: Carefully consider who you give this level of access. Accounts with this role have all privileges and can:
- Perform all user management tasks: create, modify, and delete user and administrator accounts.
- Perform all group management tasks: create, modify, and delete user and device groups.
- Perform all device management tasks: create, modify, delete, and grant access to devices; configure and run commands; configure and run device configurations / policies; configure and manage MDM settings and policies.
- Perform all user authentication tasks: configure, grant access to, and require authentication resources such as LDAP, RADIUS, SSO and SCIM applications.
- Perform all directory integration tasks: configure and manage directory integrations, provision and deprovision users in integrated directories.
- Perform all security management tasks: configure and require Multi-factor Authentication factors; configure Password Settings.
- Perform all account management tasks: configure all of JumpCloud’s settings.
- Perform billing management tasks: update the account payment method. Only roles with billing privileges can manage payment methods for JumpCloud accounts. Learn about Billing roles.
- Perform all administration tasks for the Multi-Tenant Portal: all previously mentioned administration tasks for organizations in a Multi-Tenant Portal.
Administrator:
Important: Carefully consider who you give this level of access. This role has all of the privileges of an Administrator With Billing except privileges to manage payments (Billing), administrators, or the Multi-Tenant Portal.
Manager: Accounts with this role can manage users, devices, and groups.
Command Runner With Billing: Accounts with this role can manage account payment methods.
Command Runner: Accounts with this role can only run commands they're given access to.
Help Desk: Accounts with this role can access and view JumpCloud resources, submit support requests, and manage users in the following ways:
- Create and delete users
- Reset account passwords
- Unlock users
Read Only: Accounts with this role have read-only permissions; they can access and view users and other JumpCloud resources, but can't perform any management tasks.
When you apply roles with limited permissions, a banner is shown in the Admin Portal that explains the level of permissions the account has.
The following table outlines role permission scope for new and legacy roles.
Admin Portal Roles (one column per admin role)
Scope | Administrator with Billing | Administrator | Manager | Command Runner with Billing | Command Runner | Help Desk | Read Only |
Administrators: administrator creation, edit, role assignment, & deletion | Edit | Read Only | Read Only | No Access | No Access | Read Only | Read Only |
Billing: addition, removal & management of billing & payment information | Edit | No Access | No Access | Edit | No Access | No Access | No Access |
Multi-Tenant Portal: organization & administrator management in the MTP | Edit | Read Only | Read Only | N/A | N/A | Read Only | Read Only |
Organization & User Portal: organization details, email configurations, User Portal session management | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
Authentication: authentication policies & MFA organization level configurations | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
Users: creation, viewing, attribute management, deletion, passwords, MFA requirements & enrollments on user, lockouts & direct assignments to resources | Edit | Edit | Edit | No Access | No Access | Edit | Read Only |
Groups: creation, viewing, deletion, configurations, attributes, membership & assignment of resources to groups | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only |
Devices: agent installs, attribute management, viewing, deletion, policy application, MDM management of devices | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only |
Directory & App User Management: directory integrations & application (SCIM Identity Management), user exports | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
In Product Support: submission of support tickets & feature requests in product | Edit | Edit | Edit | Edit | Edit | Edit | No Access |
Case Portal: view, filter and search all submitted tickets and feature requests. | Edit | Edit | Edit | Edit | Edit | Edit | Read Only |
Notifications: viewing & dismissal of notifications in Admin Portal | Edit | Edit | Read Only | Read Only | Read Only | Read Only | Read Only |
Insights: viewing & query of Directory Insights & System Insights | Edit | Edit | Edit | No Access | No Access | Edit | Edit |
Commands: creation, viewing, scheduling, running & assignment of commands | Edit | Edit | Edit | Running & Scheduling access to Commands for assigned Commands | Running & Scheduling access to Commands for assigned Commands | Read Only | Read Only |
Bulk User Imports: bulk imports of users leverage the JumpCloud job service | Edit | Edit | Edit | No Access | No Access | Edit | Read Only |
SSO Applications: configuration of SAML SSO for applications | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
RADIUS: creation, editing, viewing, deletion & configuration of RADIUS servers | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
Remote Assist: Launch remote sessions & view and control end-user devices | Edit | Edit | Edit | No Access | No Access | Launch RA session if allowed by Manager or above | No Access |
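
One way to use the matrix above when assigning roles, as an added example (not JumpCloud code and not a JumpCloud API call): it parses a subset of the table's rows and returns the lowest-privilege role that still covers the scopes an administrator needs. The function names, the shortened scope names, the privilege-sum ranking and the sample assignments are assumptions of this example; rows with free-text cells (Commands, Remote Assist) are left out.

```python
ROLES = ["Administrator with Billing", "Administrator", "Manager",
         "Command Runner with Billing", "Command Runner", "Help Desk", "Read Only"]
LEVEL = {"No Access": 0, "N/A": 0, "Read Only": 1, "Edit": 2}

# Rows copied from the table above (scope names shortened); cell order matches ROLES.
MATRIX_TEXT = """
Administrators | Edit | Read Only | Read Only | No Access | No Access | Read Only | Read Only |
Billing | Edit | No Access | No Access | Edit | No Access | No Access | No Access |
Authentication | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
Users | Edit | Edit | Edit | No Access | No Access | Edit | Read Only |
Groups | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only |
Devices | Edit | Edit | Edit | No Access | No Access | Read Only | Read Only |
SSO Applications | Edit | Edit | Read Only | No Access | No Access | Read Only | Read Only |
"""

def parse_matrix(text):
    """Return {scope: {role: numeric level}} from pipe-separated rows."""
    matrix = {}
    for line in text.strip().splitlines():
        scope, *cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(ROLES):
            raise ValueError(f"row {scope!r} has {len(cells)} cells, expected {len(ROLES)}")
        matrix[scope] = {role: LEVEL[cell] for role, cell in zip(ROLES, cells)}
    return matrix

def total_privilege(matrix, role):
    """Sum of access levels across all scopes; lower means a tighter role."""
    return sum(row[role] for row in matrix.values())

def least_privileged(matrix, needs):
    """needs maps scope -> 'Read Only' or 'Edit'; returns a role name or None."""
    candidates = [r for r in ROLES
                  if all(matrix[s][r] >= LEVEL[lvl] for s, lvl in needs.items())]
    return min(candidates, key=lambda r: total_privilege(matrix, r), default=None)

def audit(matrix, assignments):
    """Flag admins whose current role is broader than the tightest role that fits."""
    findings = {}
    for admin, (role, needs) in assignments.items():
        best = least_privileged(matrix, needs)
        if best and total_privilege(matrix, best) < total_privilege(matrix, role):
            findings[admin] = best
    return findings

# Constructed sample: admin -> (current role, scopes the job actually requires).
SAMPLE = {"alice": ("Administrator with Billing", {"Users": "Edit"}),
          "bob": ("Manager", {"Devices": "Edit"})}
```

Because role permissions also apply to each administrator's API key, the role chosen this way also bounds what that administrator's key can do.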