Roles & Permissions
DeviceNexus uses a role-based access control (RBAC) system to manage what team members can see and do within the platform. This guide explains the available roles and their permissions.
Overview
When you invite team members to your organization, you assign them a role that determines their level of access. DeviceNexus uses a two-tier role system:
- Organization Roles - Assigned when inviting members (Owner, Admin, Member)
- Platform Roles - Automatically mapped from organization roles to control API access
Organization Roles
These are the roles you see when managing team members in Settings.
Owner
The organization owner has complete control over the account.
- Full access to all features and settings
- Can manage billing and subscription
- Can invite and remove any team member
- Can delete the organization
- Cannot be removed (ownership must be transferred)
Admin
Administrators have full operational access.
- Full access to all features and settings
- Can manage team members (invite, change roles, remove)
- Can configure integrations (AMAPI, etc.)
- Can manage organization settings
- Cannot manage billing or delete organization
Member
Members have device management capabilities.
- Can view and manage devices
- Can create and manage enrollment tokens
- Can execute device commands (lock, wipe, etc.)
- Can view policies (read-only)
- Cannot access organization settings
- Cannot configure integrations
- Cannot manage team members
Permission Matrix
| Feature | Owner | Admin | Member |
|---|---|---|---|
| Dashboard | | | |
| View dashboard metrics | Yes | Yes | Yes |
| View alerts | Yes | Yes | Yes |
| Acknowledge alerts | Yes | Yes | Yes |
| Devices | | | |
| View devices | Yes | Yes | Yes |
| Execute commands | Yes | Yes | Yes |
| Manage enrollment tokens | Yes | Yes | Yes |
| View device logs | Yes | Yes | Yes |
| Assign users to devices | Yes | Yes | Yes |
| Policies | | | |
| View policies | Yes | Yes | Yes |
| Create/edit policies | Yes | Yes | No |
| Delete policies | Yes | Yes | No |
| Assign policies | Yes | Yes | No |
| Groups | | | |
| View groups | Yes | Yes | Yes |
| Create/edit groups | Yes | Yes | Yes |
| Delete groups | Yes | Yes | No |
| Settings | | | |
| View organization settings | Yes | Yes | No |
| Edit organization settings | Yes | Yes | No |
| Manage team members | Yes | Yes | No |
| Configure integrations (AMAPI) | Yes | Yes | No |
| View billing | Yes | No | No |
| Manage billing | Yes | No | No |
| Audit & Compliance | | | |
| View audit logs | Yes | Yes | No |
| View auth events | Yes | Yes | No |
Role Mapping Details
When you assign an organization role, it maps to internal platform roles:
| Organization Role | Platform Role | Description |
|---|---|---|
| Owner | admin | Full platform access |
| Admin | admin | Full platform access |
| Member | device_manager | Device operations + read access |
Members are intentionally restricted from organization settings. This separation ensures that device operators can perform their daily tasks (managing devices, enrollment, commands) without accidentally modifying organization-wide configuration or integrations.
If a member needs settings access, an admin should upgrade their role to Admin.
Changing Roles
Admins and Owners can change member roles:
1. Go to Settings > Team Members
2. Find the member in the list
3. Click the role dropdown next to their name
4. Select the new role
When the change takes effect:
- Upgrading to Admin: Member immediately gains access to settings and integrations
- Downgrading to Member: User loses access to settings on their next page load
Inviting Team Members
To invite a new team member:
1. Go to Settings > Team Members
2. Click the Invite Member button
3. Enter their email address
4. Select their role (Admin or Member)
5. Click Send Invitation
The invited user will receive an email with instructions to join your organization.
Best Practices
Principle of Least Privilege
Assign the minimum role needed for each user's job function:
- IT Help Desk Staff - Member role (device troubleshooting)
- MDM Administrators - Admin role (full management)
- Security Auditors - Consider creating a separate admin account with read-only usage patterns
Regular Access Reviews
Periodically review team member access:
- Remove members who no longer need access
- Downgrade roles if elevated access is no longer required
- Audit admin accounts to ensure they're still necessary
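One way to run such a review against the Permission Matrix above, as an added example that is not DeviceNexus code. The roster structure, the `used` activity field and the e-mail addresses are constructed, and treating an empty activity list as "no longer needs access" is an assumption of this sketch.

```python
RANK = {"Member": 0, "Admin": 1, "Owner": 2}

# Lowest organization role that the Permission Matrix grants each feature to.
MATRIX = {
    "Member": ["View devices", "Execute commands", "Manage enrollment tokens",
               "View policies", "Create/edit groups", "Acknowledge alerts"],
    "Admin": ["Create/edit policies", "Delete policies", "Assign policies",
              "Delete groups", "Edit organization settings", "Manage team members",
              "Configure integrations (AMAPI)", "View audit logs"],
    "Owner": ["View billing", "Manage billing"],
}
MIN_ROLE = {feat: role for role, feats in MATRIX.items() for feat in feats}

def required_role(features_used):
    """Lowest role covering every feature used; None if nothing was used."""
    unknown = [f for f in features_used if f not in MIN_ROLE]
    if unknown:
        # Fail loudly rather than recommend a downgrade on incomplete data.
        raise ValueError(f"not in permission matrix: {unknown}")
    return max((MIN_ROLE[f] for f in features_used), key=RANK.get, default=None)

def review(roster):
    """Return (email, assigned role, recommendation) for each finding."""
    findings = []
    for user in roster:
        if user["role"] == "Owner":
            continue  # ownership is transferred, not downgraded or removed
        needed = required_role(user["used"])
        if needed is None:
            findings.append((user["email"], user["role"], "remove"))
        elif RANK[needed] < RANK[user["role"]]:
            findings.append((user["email"], user["role"], f"downgrade to {needed}"))
    return findings

# Constructed sample: features each account exercised during the review window.
ROSTER = [
    {"email": "helpdesk@example.com", "role": "Admin",
     "used": ["View devices", "Execute commands"]},
    {"email": "mdm@example.com", "role": "Admin",
     "used": ["Create/edit policies", "View devices"]},
    {"email": "former@example.com", "role": "Member", "used": []},
    {"email": "owner@example.com", "role": "Owner", "used": ["Manage billing"]},
]

if __name__ == "__main__":
    for finding in review(ROSTER):
        print(*finding, sep="\t")
```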
Separate Accounts for Different Functions
If you need both operational and administrative access:
- Use your Member account for daily device operations
- Use your Admin account only when configuration changes are needed
Troubleshooting
"Access Restricted" Error on Settings Page
If you see this error, your account has the Member role, which does not have settings access.
Solution: Contact your organization's Admin or Owner to either:
- Upgrade your role to Admin, or
- Have them make the settings changes on your behalf
Can't Invite Team Members
Only Admin and Owner roles can invite new members.
Solution: Ask an existing Admin or the Owner to send the invitation.
Can't See Audit Logs
Audit logs are restricted to Admin and Owner roles for security reasons.
Solution: If you need audit access for compliance purposes, request an Admin role upgrade.
Related Topics
- Settings Overview - General settings configuration
- Quick Start Guide - Getting started with DeviceNexus
- Best Practices - Security and operational guidelines