Roles and Permissions Reference
AlloyScan ships with a two-role permission model at the site scope: Administrator and User. A separate Global Administrator role operates at the instance scope (across all sites). This reference lists the capabilities each role has within a site, and where the global role differs.
Roles
| Role | Scope | Description |
|---|---|---|
| Administrator | Site | Full site-scope access. Manages users, segments, credentials, schedules, customisation, notifications, logs, and integrations for the site. |
| User | Site | Read-oriented access. Inspects inventory and reports, applies existing tags, subscribes to notifications, and runs ad-hoc scans and audits within existing segments and schedules. |
| Global Administrator | Instance | Manages cross-site resources: sites, the site template, instance email client, manufacturer registry, license, and multi-site reports. Does not bypass per-site role checks. |
Note: Granular sub-roles beyond Administrator and User are not available. Capability is governed only by role plus per-site quotas and deployment-level availability.
Permissions matrix (site scope)
The matrix below covers capabilities visible to a site Administrator and User. A check (✓) means the role can perform the action; a dash (—) means it cannot.
Dashboard and inspection
| Capability | Administrator | User |
|---|---|---|
| View Dashboard widgets | ✓ | ✓ |
| Drill from a widget into a filtered Inventory grid | ✓ | ✓ |
| Browse Inventory grids and open device forms | ✓ | ✓ |
| View device General, Details, Audit, and Change history tabs | ✓ | ✓ |
| Use the global search box | ✓ | ✓ |
Network and discovery
| Capability | Administrator | User |
|---|---|---|
| View Segments list and Segment Open view | ✓ | ✓ |
| Create, edit, or delete Segments | ✓ | — |
| Install, configure, or delete Audit Services | ✓ | — |
| Manage credentials in an Audit Service pool | ✓ | — |
| Deploy or remove Audit Agents | ✓ | — |
| Edit the Segment Ignore list | ✓ | — |
| Move a device to the Ignore list | ✓ | — |
| Trigger an ad-hoc scan on a Segment | ✓ | ✓ |
| Trigger an ad-hoc audit on selected devices | ✓ | ✓ |
Schedules
| Capability | Administrator | User |
|---|---|---|
| Create or delete Scan and Audit schedules | ✓ | — |
| Assign or unassign an existing Audit schedule to a device | ✓ | ✓ |
| Attach an existing Scan schedule to a Segment | ✓ | — |

| Capability | Administrator | User |
|---|---|---|
| Create, edit, or delete tags in the catalog | ✓ | — |
| Apply or remove an existing tag on a device | ✓ | ✓ |
| Define or edit Custom audit fields | ✓ | — |
| Edit the Tools catalog (built-in plus custom) | ✓ | — |
| Invoke Tools (Ping, RDP, VNC, PowerShell, custom) on a device | ✓ | ✓ |
Software and reports
| Capability | Administrator | User |
|---|---|---|
| Browse the Software catalog | ✓ | ✓ |
| Classify a software product (Required / Forbidden / Regular) | ✓ | — |
| Run a built-in report | ✓ | ✓ |
| Create, upload, or edit custom report templates | ✓ | — |
| Save personal grid views | ✓ | ✓ |
| Save shared grid views | ✓ | — |
Notifications
| Capability | Administrator | User |
|---|---|---|
| Create, edit, or import Notification templates | ✓ | — |
| Subscribe to a Notification template (own subscription) | ✓ | ✓ |
| Manage other users' subscriptions in the Subscriptions grid | ✓ | — |
Identity and access (per site)
| Capability | Administrator | User |
|---|---|---|
| Invite users (+ New user) | ✓ | — |
| Change a user's role | ✓ | — |
| Activate or deactivate a user | ✓ | — |
| Create or edit App registrations | ✓ | — |
| Configure SSO providers | ✓ | — |
Settings and logs
| Capability | Administrator | User |
|---|---|---|
| Edit Organization profile | ✓ | — |
| Configure Change tracking | ✓ | — |
| Configure Snapshot storage | ✓ | — |
| Configure Audit service settings, Audit agent settings, Inventory settings | ✓ | — |
| View Audit log and Scan log | ✓ | ✓ |
| View Notifications log, Change log, Security log | ✓ | — |
| Purge Change history | ✓ | — |
| Review Limits and usage (per site) | ✓ | — |
Account (self)
| Capability | Administrator | User |
|---|---|---|
| Change own password | ✓ | ✓ |
| Edit own Regional formats and preferences | ✓ | ✓ |
| Sign out | ✓ | ✓ |
Constraints
- A user account must have Active = Yes to sign in. Deactivated accounts cannot sign in even with a correct password.
- Per-site quotas (Max Users, Max Nodes audited, Audits per month, API transactions per month) apply on top of role checks. Reaching a quota produces failures even for Administrators.
- Deployment-level configuration controls whether some Admin Center menu entries, such as Security log, Change log, and SSO providers, appear at all. An unavailable entry is hidden regardless of role.
- Saved credentials in an Audit Service pool are write-only. No role can read back stored secrets; the form shows Has password or Not set.
Note: The Global Administrator role is granted at the instance level and operates only on Admin Center > App management pages. It does not bypass per-site role checks for site-scope CRUD.