Skip to content

What roles and permissions are available?

Requires Basic

Every user carries one of four base rolesViewer, Technician, Manager, or Administrator — each bringing a fixed bundle of permissions. A user’s actual permissions are the union of the permissions from their base role and all custom roles assigned to them. A super admin implicitly holds all permissions.

Role management is included in all plans.

Notory has four base roles that build on one another. Each higher role includes the permissions of the one below it:

Permission (area)ViewerTechnicianManagerAdministrator
Read — assets, network, software, certificates, compliance, discovery, maintenance, operations, provisioning, reports
Write technical — edit assets/network/maintenance, start discovery
Write functional — edit software/certificates/compliance/operations/provisioning, delete assets
Administration — admin area, manage users, manage roles, instance settings, manage API tokens, read audit log
Manage tenants (create/delete)super admin only

The corresponding internal permission codes (also shown under those names in the role editor) include: assets.read, assets.write, assets.delete, network.read/write, software.read/write, certificates.read/write, compliance.read/write, discovery.read, discovery.run, maintenance.read/write, operations.read/write, provisioning.read/write, reports.read, as well as the admin permissions access_admin, users.manage, roles.manage, tenants.manage, instance.manage, apitokens.manage, and audit.read.

The 'Roles' section shows base and custom roles along with their permissions.
  1. Open a user. Administration → User Management → click a user. Change the base role directly in the Role field.

  2. Assign custom roles. Using “Assign roles”, you can additionally select one or more custom roles that give the user further permissions. These add to the base role — they never take anything away.

  • Effective permissions = base role ∪ custom roles. For every check, Notory forms the union of the base role’s standard permissions and the permissions of all assigned custom roles. This lets you add permissions, but a custom role can never take any away — for that, choose a lower base role.
  • A super admin trumps everything. A super admin implicitly holds every permission and completely bypasses the role check (they also see all data across tenants).
  • Access to the admin area. The admin area only appears for users with the access_admin permission — the Administrator base role includes it, or you can grant it specifically via a custom role.
  • Global vs. tenant-bound. Roles are either global (for all tenants, manageable only by a super admin) or bound to your tenant. A role from a different tenant can never be assigned.
  • System roles are protected. Built-in roles (is_system) can be edited but not deleted.