Understanding Roles & Permissions
Role-Based Access Control in Senturo
Overview
Senturo uses role-based access control (RBAC) to determine what each team member can see and do within the platform. Assigning the right role ensures your team can perform their responsibilities effectively while keeping sensitive actions and settings appropriately restricted.
This article covers the Owner account, all seven assignable roles, their permissions across each area of the platform, and guidance on choosing the right role for each team member.
Available Roles
Senturo has one account-level role and seven assignable roles:
| Role | Type | Best For |
|---|---|---|
| Owner | Account | The account created during setup. Has full platform access and can invite all other roles. |
| Group Admin | Assignable | IT managers who need Admin permissions plus user and role management |
| Admin | Assignable | Senior IT staff with broad device and platform management access |
| Helpdesk | Assignable | IT support staff who need hands-on device control without platform configuration access |
| Investigator | Assignable | Security analysts and compliance officers who need full visibility |
| Analyst | Assignable | Junior staff or monitors who need read-only access |
| Broadcaster | Assignable | Staff responsible for managing device messaging and broadcasts |
| Remote | Assignable | Third-party consultants or temporary staff with limited device control |
Permissions by Area
Device Management
| Permission | Owner | Group Admin | Admin | Helpdesk | Investigator | Analyst | Broadcaster | Remote |
|---|---|---|---|---|---|---|---|---|
| View Quick Filters / Custom Filters | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View Groups & Tags | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Edit Groups | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Edit Tags | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| View Notes | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit Notes | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| View Location History | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| View Network Info | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| View Screenshots | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| View Policies | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Mass Actions — Device Control
| Action | Owner | Group Admin | Admin | Helpdesk | Investigator | Analyst | Broadcaster | Remote |
|---|---|---|---|---|---|---|---|---|
| Change Security Status | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Remote Lock | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Remote Wipe | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| MDM Remote Lock / Wipe | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| MDM Lost Mode | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Move to Group | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
Mass Actions — Administrative
| Action | Owner | Group Admin | Admin | Helpdesk | Investigator | Analyst | Broadcaster | Remote |
|---|---|---|---|---|---|---|---|---|
| Automation Pulse | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Download Report | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Request Data | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Assign to User | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Add Groups | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Add Tags | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Add Notes | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Device Enrollment | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Delete Tracking Data | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Delete Devices | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Broadcasts
| Permission | Owner | Group Admin | Admin | Helpdesk | Investigator | Analyst | Broadcaster | Remote |
|---|---|---|---|---|---|---|---|---|
| View Table & Calendar | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Edit Table & Calendar | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Delete Table & Calendar | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| View Templates | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Edit Templates | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Delete Templates | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Create & Send Broadcasts | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
Security Policies
| Permission | Owner | Group Admin | Admin | Helpdesk | Investigator | Analyst | Broadcaster | Remote |
|---|---|---|---|---|---|---|---|---|
| View Policies | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Edit Policies | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Delete Policies | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Add Policies | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Platform & Account
| Permission | Owner | Group Admin | Admin | Helpdesk | Investigator | Analyst | Broadcaster | Remote |
|---|---|---|---|---|---|---|---|---|
| Audit Log | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Notification Center | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Integrations (connect/edit) | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Role Management | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Org Settings | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Choosing the Right Role
The Owner account can invite users and assign any of the seven roles below based on each team member's responsibilities.
Assign Group Admin to:
- IT managers who oversee other users and device groups
- Those who need Admin-level access plus the ability to manage roles
Assign Admin to:
- Senior IT staff managing devices, policies, and integrations
- Security team leads who don't need to manage users
Assign Helpdesk to:
- IT support staff handling day-to-day device issues
- Those who need to locate devices, change security status, lock or wipe devices, and enroll new devices — but should not be able to modify policies or platform settings
Assign Investigator to:
- Security analysts conducting device investigations
- Compliance officers who need full visibility but shouldn't make administrative changes
Assign Analyst to:
- Junior IT staff or monitoring personnel
- Those who need to view device data without making any changes
Assign Broadcaster to:
- Communication coordinators managing device messaging
- Staff responsible for emergency or scheduled broadcasts
Assign Remote to:
- Third-party support staff or temporary consultants
- Those who only need basic device control (lock, wipe, move to group)
Best Practices
Principle of Least Privilege Always assign the minimum role required for a team member's responsibilities. Promote to a higher role only when a specific need arises, and review role assignments regularly.
Role Assignment Tips
- Limit Group Admin, and Admin roles to essential personnel
- Use the Helpdesk role for support staff who need active device control without access to destructive actions or platform configuration
- Use the Analyst role for new team members during onboarding and training
- Remove access promptly when team members leave the organization
Security
- Review user roles regularly
- Monitor the Audit Log for unexpected or unauthorized actions
- Enable multi-factor authentication (MFA) for all users, especially those with Admin-level roles or above
How to Change a User's Role
- Navigate to Account Settings
- Click on the Role Management tab
- Find the user in the Current Users list
- Click the three-dot menu next to their name
- Click on Edit
- In the Edit User Info modal, select the new role from the Role dropdown
- Click Save
Changes take effect immediately.
Conclusion
Senturo's role-based access control gives you the flexibility to align platform permissions with each team member's responsibilities. Starting with the principle of least privilege and reviewing roles regularly ensures your platform remains both functional and secure.
FAQs
Q: Can a user have multiple roles? A: No, each user is assigned a single role at a time. Choose the role that best reflects their primary responsibilities.
Q: What is the difference between Group Admin and Admin? A: Group Admin includes all Admin permissions, plus the ability to manage users and assign roles. Admin cannot manage user accounts or change role assignments.
Q: What is the difference between Helpdesk and Analyst? A: Helpdesk is an active support role — users can change security status, lock and wipe devices, enroll devices, and send broadcasts. Analyst is read-only; users can view device data but cannot take actions or make changes.
Q: Can I create custom roles? A: Currently, Senturo offers seven assignable roles. Custom roles are not available.
Q: Who can assign or change user roles? A: The Owner account and users with the Group Admin role can invite users and modify role assignments.