Roles and Permissions Reference
AlloyScan ships with a two-role permission model at the site scope: Administrator and User. A separate Global Administrator role operates at the instance scope (across all sites). This reference lists the capabilities each role has within a site, and where the global role differs.
Roles
| Role | Scope | Description |
|---|---|---|
| Administrator | Site | Full site-scope access. Manages users, segments, credentials, schedules, customisation, notifications, logs, and integrations for the site. |
| User | Site | Read-oriented access. Inspects inventory and Analytics, applies existing tags, subscribes to notifications, and runs ad-hoc scans and audits within existing segments and schedules. |
| Global Administrator | Instance | Manages cross-site resources: sites, the site template, instance email client, manufacturer registry, and license. Does not bypass per-site role checks. |
Permissions matrix (site scope)
The matrix below covers capabilities visible to a site Administrator and User. A check (✓) means the role can perform the action; a dash (—) means it cannot.
Dashboard and inspection
| Capability | Administrator | User |
|---|---|---|
| View Dashboard widgets | ✓ | ✓ |
| Switch dashboards | ✓ | ✓ |
| Create, rename, delete, or set a default dashboard | ✓ | — |
| Add, move, resize, remove, undo, or save Dashboard widgets | ✓ | — |
| Drill from a widget into a filtered Inventory grid | ✓ | ✓ |
| Browse Inventory grids and open device forms | ✓ | ✓ |
| View device General, Details, Audit, and Change history tabs | ✓ | ✓ |
| Use the global search box | ✓ | ✓ |
Network and discovery
| Capability | Administrator | User |
|---|---|---|
| View Segments list and Segment Open view | ✓ | ✓ |
| Create, edit, or delete Segments | ✓ | — |
| Install, configure, or delete Audit Services | ✓ | — |
| Manage credentials in an Audit Service pool | ✓ | — |
| Deploy or remove Audit Agents | ✓ | — |
| Edit the Segment Ignore list | ✓ | — |
| Move a device to the Ignore list | ✓ | — |
| Trigger an ad-hoc scan on a Segment | ✓ | ✓ |
| Trigger an ad-hoc audit on selected devices | ✓ | ✓ |
Schedules
| Capability | Administrator | User |
|---|---|---|
| Create or delete Scan and Audit schedules | ✓ | — |
| Assign or unassign an existing Audit schedule to a device | ✓ | ✓ |
| Attach an existing Scan schedule to a Segment | ✓ | — |
Tags and customisation
| Capability | Administrator | User |
|---|---|---|
| Create, edit, or delete tags in the catalog | ✓ | — |
| Apply or remove an existing tag on a device | ✓ | ✓ |
| Define or edit Custom audit fields | ✓ | — |
| Edit the Tools catalog (built-in plus custom) | ✓ | — |
| Invoke Tools (Ping, RDP, VNC, PowerShell, custom) on a device | ✓ | ✓ |
Software and Analytics
| Capability | Administrator | User |
|---|---|---|
| Browse the Software catalog | ✓ | ✓ |
| Classify a software product (Required / Forbidden / Regular) | ✓ | — |
| Open and interact with Analytics charts | ✓ | ✓ |
| Create or save Analytics charts | ✓ | — |
| Add Analytics charts to dashboards | ✓ | — |
| Save grid views | ✓ | ✓ |
Notifications
| Capability | Administrator | User |
|---|---|---|
| Create, edit, or import Notification templates | ✓ | — |
| Subscribe to a Notification template (own subscription) | ✓ | ✓ |
| Manage other users' subscriptions in the Subscriptions grid | ✓ | — |
Identity and access (per site)
| Capability | Administrator | User |
|---|---|---|
| Invite users (+ New user) | ✓ | — |
| Change a user's role | ✓ | — |
| Activate or deactivate a user | ✓ | — |
| Create or edit App registrations | ✓ | — |
| Enable allowed SSO providers | ✓ | — |
Settings and logs
| Capability | Administrator | User |
|---|---|---|
| Edit Organization profile | ✓ | — |
| Configure Change tracking | ✓ | — |
| Configure Snapshot storage | ✓ | — |
| Configure Audit service settings, Audit agent settings, Inventory settings | ✓ | — |
| View Audit log and Scan log | ✓ | ✓ |
| View Notifications log, Change log, Security log | ✓ | — |
| Purge Change history | ✓ | — |
| Review Limits and usage (per site) | ✓ | — |
Account (self)
| Capability | Administrator | User |
|---|---|---|
| Change own password | ✓ | ✓ |
| Edit own Regional formats and preferences | ✓ | ✓ |
| Sign out | ✓ | ✓ |
Constraints
- A user account must have Active = Yes to sign in. Deactivated accounts cannot sign in even with a correct password.
- Per-site quotas (Max Users, Max Nodes audited, Audits per month, API transactions per month) apply on top of role checks. Reaching a quota produces failures even for Administrators.
- Saved credentials in an Audit Service pool are write-only. No role can read back stored secrets; the form shows Has password or Not set.
Note: The Global Administrator role is granted at the instance level and operates only on Admin Center > App management pages. It does not bypass per-site role checks for site-scope CRUD.
Global Administrator scope
Global Administrators manage the Site Template under Admin Center > App management > Site template. For Analytics defaults, they can enable or disable out-of-the-box Analytics charts, create additional template Analytics charts, and choose which charts are seeded into newly created Sites.
Global Administrators can turn on Show site users on Admin Center > App management > IAM > Users to include Site-level users in the Users grid. When this option is on, the grid shows the Site column.