Role-Based Access Control (RBAC)

On this page

Updated 02/09/26

alt text

If you are beta testing this feature, please report any bugs or issues you find

Review API breaking changes

Overview

ImmyBot’s RBAC system provides granular permission management, allowing you to control exactly what users can access and modify within your environment. This system has been designed with a phased approach to ensure seamless migration from legacy permissions while introducing powerful new capabilities.

  1. Roles
  2. Groups
  3. Role Assignments
  4. Users
  5. Profile
  6. Object Authorization

Roles

A role grants one or more capabilities. There are 100+ capabilities to choose from. Some examples are ‘Manage Software’ and ‘Manage Billing’.

Built-In Roles

In an effort to provide a seamless transition for existing customers, four built-in legacy roles have been added that mirror existing permission structures:

RoleDescriptionLegacy User Type
System Administrator (Legacy)Grants every permission availableMSP Admin
System User (Legacy)Same as system admin but with a few restrictionsMSP Non-Admin
Administrator (Legacy)Broad access with no system permissionsTenant Admin
User (Legacy)Limited accessTenant Non-Admin

Additional built-in roles have been added to maintain compatibility with existing user settings and application preferences.

RoleDescriptionLegacy preference
Script ManagerPermission to manage scriptsUsed in favor of the ‘Allow Non-Admins and Non-MSP Users to Use Terminal and Edit Scripts’ application preference
Computer Terminal UserGrants access to run scripts against a computer in the terminal tabUsed in favor of the ‘Allow Non-Admins and Non-MSP Users to Use Terminal and Edit Scripts’ application preference
Deployment ManagerPermission to manage deploymentsUsed in favor of the ‘Allow Non-Admin Users to Manage Deployments’ application preference
Cross-Tenant Deployment ManagerPermission to manage cross-tenant deploymentsUsed in favor of the user checkox ‘Can Manage Cross Tenant Deployments’.
Cross-Tenant Deployment Change RequesterPermission to manage cross-tenant deployments through change requestsUsed in favor of the the ‘Require Change Requests for Non-Admin Cross-Tenant Deployments’ application preference.

Built-in roles are inherently available to all tenants. However, in order to assign a role that contains system permissions, a user must be granted the Assign Cross-Tenant Roles permission. Built-in roles are read-only and the permissions they grant cannot be modified.

alt text

Custom Roles

alt text

You are encouraged to create your own custom roles to suite your needs.

If you have the Manage Public Roles permission, then you can create a role that any user in the system can see.

Otherwise, a role is owned by a specific tenant. A user can only see public roles or roles that are managed by a tenant they have permission to manage roles for.

Role Capabilities

alt text

There are 100+ different permissions that can be granted for a given role.

System permissions

Many permissions can be scoped to a particular set of tenants or resources through role assignments. Other permissions, such as ‘Manage Billing’ are denoted as system permissions and cannot be limited to certain tenants. System permissions are traditionally reserved for MSP users and should be carefully considered when granted to non-MSP users.

Groups

A group is a collection of users that share the same permission requirements. Since, managing permissions for individual users can be very tedious, we encourage the adoption of groups.

A group can be granted one or more role assignments.

alt text

Members of a group inherit all role assignments assigned to the group.

alt text

If a group is owned by a specific tenant, then only users that belong to that tenant can be added to the group.

Role Assignments

Permissions are granted or denied to users through Role Assignments. Role assignments can be assigned to Groups or directly to users.

alt text

An assignment contains a selected role, a selected scope, and an “Allow” or “Deny” value. Users can have multiple role assignments where they are allowed the cumulative allowed permissions from allow role assignments. Denied role assignments take precedence when determining if a user has access to a particular permission or resource.

Role Assignment Scopes

ScopeDescription
OwnerScopes the role at the highest level where you have full access to all tenants in the system.
MSPScopes the role to the MSP tenant and all tenants that belong to the MSP.
Specific TenantScopes the role to the selected tenant.
Tenant TagScopes the role to all tenants with the selected tag.
User’s TenantScopes the role only to the tenant of the selected user. Useful for giving your customers access to their own tenant.
ResourceGrants the role at the selected resource scope. The only resource type supported for now is Computers.
alt text

Users

A user is a person who has been granted access to ImmyBot.

Creating a user

alt text

  1. Access Requests – Users can request access and will show up on the main Users & Roles page.
  2. From Existing People – Existing people can be promoted to a user. If you can’t find a specific person, you may need to link their azure customer to a tenant in ImmyBot.
  3. Manually – You can always manually create a user if you know their Azure Object ID.

View all direct role assignments

On the main Users & Roles page, we have a tab to view all direct role assignments. For existing customers, you will see that all of your users have been migrated over to direct role assignments. Consider replacing these direct role assignments with groups to better organize your users.

alt text

My User’s Group and Role Assignments

You can now view your own user’s group and role assignments on the profile page. The profile page can be accessed at /profile or by clicking the profile link in your account dropdown located in the top-right of the page.

Profile

A profile page has been added at /profile where you can easily view your own permissions.

alt text

Object Authorization

Scripts, Software, Tasks, Tags, and Media have authorization sections.

alt text

A user’s permissions under RBAC will be taken into account when determining whether a user is allowed to view or manage one of these objects.

Api Breaking Changes

Latest API Documentation

The central theme of this release is the full migration from the old tenant-relationship authorization model to the new RBAC system with granular user-role-assignments.

1. Removed Endpoints (UsersController)

Removed RouteOld ActionReplacement
POST /api/v1/users/create-from-personCreateFromPersonPOST /api/v1/users/bulk-create
POST /api/v1/users/grant-accessGrantAccessRbacNew UserRoleAssignmentsController
POST /api/v1/users/add-rolesBulkAssignRolesToPeopleNew UserRoleAssignmentsController
POST /api/v1/users/remove-rolesBulkRemoveRolesFromPeopleNew UserRoleAssignmentsController

POST /api/v1/users/bulk-create (replaces create-from-person)

Old request body (CreateUserFromPersonRequest):
{
  "personId": int,
  "hasManagementAccess": bool
}

New request body (CreateUserFromPersonRequest):
{
  "personIds": [int],        // min 1 required
  "expirationTime": string
}
  • Single PersonId โ†’ List<int> PersonIds
  • HasManagementAccess removed, ExpirationTime added
  • Return type changed from GetUserResponse to CreateUsersFromPersonIdsResponse

PUT /api/v1/users/{userId} (UpdateUserPayload changed)

Old: { id, isAdmin, tenantId, canManageCrossTenantDeployments, hasManagementAccess }
New: { id, isAdmin, tenantId, canManageCrossTenantDeployments }

HasManagementAccess removed.

GrantAccessRequest simplified

Old: { isAdmin, hasManagementAccess, expirationTime }
New: { expirationTime }

2. GetUserResponse Changes

Removed properties

  • bool HasManagementAccess
  • List<string> Roles

Added properties

  • int GroupCount
  • List<string> Groups
  • int DirectRoleCount

3. GetAuthDetailsResponse Changes

Removed from DTO

  • bool HasManagementAccess

No longer populated by controller (properties still exist on DTO but always default)

  • IsAdmin
  • IsSupportTechnician
  • CanManageCrossTenantDeployments
  • IsImmense

Behavior changes

  • BackendRegAppId โ€” was only set for MSP admins, now unconditionally set
  • OpenAccessRequestCount โ€” was gated on isMspAdmin, now gated on IUsersManageAccessRequestsPermission

New auth endpoints

  • GET /api/v1/auth/me/permissions/{permissionType}/tenants
  • GET /api/v1/me/permissions

4. Tenant Relationships โ†’ Authorized Viewers

Applies to all resource models: Software, Scripts, Maintenance Tasks, Media, and Tags.

Removed from all resource models

  • ICollection<TenantXxx> TenantRelationships
  • bool Owned

Added to all resource models

  • ICollection<XxxViewer> AuthorizedViewers
  • bool VisibleToAllTenants
  • int TenantId (owner tenant)
  • Tenant? OwnerTenant

New /authorization sub-endpoints

These replace per-entity tenant relationship management.

ControllerGETPOST
Scripts/api/v1/scripts/local/{id}/authorization/api/v1/scripts/local/{id}/authorization
Software/api/v1/software/local/{id}/authorization/api/v1/software/local/{id}/authorization
MaintenanceTasks/api/v1/maintenance-tasks/{id}/authorization/api/v1/maintenance-tasks/{id}/authorization
Media/api/v1/media/local/{id}/authorization/api/v1/media/local/{id}/authorization
Tags/api/v1/tags/{id}/authorization/api/v1/tags/{id}/authorization

5. ScriptType โ†’ DatabaseType

On IScriptDetailsBase and all implementing DTOs, the property ScriptType was renamed to DatabaseType.

6. Permission Type Renames

Roles permissions

OldNew
IRbacSubjectIRolesSubject
IRbacSubjectPermissionIRolesSubjectPermission
IRbacViewPermissionIRolesViewPermission
IRbacManagePermissionIRolesManagePermission

New permission added: IRolesManageApplicationLevelPermissionsPermission

ChangeRequests permissions (split from one into three)

OldNew
IChangeRequestManagePermissionIDeploymentsManageChangeRequestsPermission
IDeploymentsViewChangeRequestsPermission
IDeploymentsApproveChangeRequestsPermission

ChangeRequestsController endpoint permission mapping

EndpointsOld PermissionNew Permission
DELETE /api/v1/change-requests/{id}IChangeRequestManagePermissionIDeploymentsManageChangeRequestsPermission
POST .../approve, .../deny, .../require-changesIChangeRequestManagePermissionIDeploymentsApproveChangeRequestsPermission
POST .../comment, GET .../dx, GET .../open-countIChangeRequestManagePermissionIDeploymentsViewChangeRequestsPermission

RolesController GetPermissions authorization change

GetPermissions changed from IRbacViewPermission to INoAuthorizationPermission (accessible to all authenticated users).

IPermissionMetadata simplified

Removed properties:

  • string Claim
  • string DenyClaim
  • string SubjectClaimType
  • string TenantClaimType
  • string ResourceClaimType

Added: string SubjectPermissionClaimType

Retained: string AllowClaim (backwards compatibility with frontend)

IRoleClaimMetadataService

Deleted entirely, along with RoleClaimParseException.

7. New Controllers

GroupsController โ€” /api/v1/groups

MethodRouteAction
GET/api/v1/groupsGetAll
GET/api/v1/groups/{groupId}Get
POST/api/v1/groupsCreate
PUT/api/v1/groups/{groupId}Update
DELETE/api/v1/groups/{groupId}Delete
GET/api/v1/groups/{groupId}/role-assignmentsGetRoleAssignments
POST/api/v1/groups/{groupId}/membersAddUserToGroup
POST/api/v1/groups/{groupId}/members/bulkAddUsersToGroup
DELETE/api/v1/groups/{groupId}/members/{userId}RemoveUserFromGroup
GET/api/v1/groups/{groupId}/membersGetGroupMembers

UserRoleAssignmentsController โ€” /api/v1/user-role-assignments

MethodRouteAction
GET/api/v1/user-role-assignmentsDxGetAll
GET/api/v1/user-role-assignments/users/{userId}DxGetByUserId
GET/api/v1/user-role-assignments/users/{userId}/countGetUserRoleAssignmentsCount
POST/api/v1/user-role-assignments/owner/createCreateOwnerAssignments
POST/api/v1/user-role-assignments/msp/createCreateMspAssignments
POST/api/v1/user-role-assignments/tenant-tag/createCreateTenantTagAssignments
POST/api/v1/user-role-assignments/specific-tenant/createCreateSpecificTenantAssignments
POST/api/v1/user-role-assignments/user-tenant/createCreateUserTenantAssignments
POST/api/v1/user-role-assignments/tag-resource/createCreateTagResourceAssignments
POST/api/v1/user-role-assignments/specific-resource/createCreateSpecificResourceAssignments
POST/api/v1/user-role-assignments/category-resource/createCreateCategoryResourceAssignments
DELETE/api/v1/user-role-assignments/deleteDeleteUserRoleAssignments

EffectivePermissionsController โ€” /api/v1/effective-permissions

MethodRouteAction
POST/api/v1/effective-permissions/users/{userId}/evaluate/all-assignmentsEvaluateAllAssignments
POST/api/v1/effective-permissions/users/{userId}/evaluate/tenantEvaluateForTenant
POST/api/v1/effective-permissions/users/{userId}/evaluate/resourceEvaluateForResource
POST/api/v1/effective-permissions/groups/{groupId}/evaluate/all-assignmentsEvaluateAllAssignmentsForGroup
POST/api/v1/effective-permissions/groups/{groupId}/evaluate/tenantEvaluateForTenantForGroup
POST/api/v1/effective-permissions/groups/{groupId}/evaluate/resourceEvaluateForResourceForGroup

New endpoint on UsersController

MethodRouteAction
GET/api/v1/users/{userId}/groupsGetUserGroups

New endpoint on MaintenanceTasksController

MethodRouteAction
GET/api/v1/maintenance-tasks/tenant-managementGetTenantManagement

New endpoint on RolesController

MethodRouteAction
GET/api/v1/roles/{roleId}/assignmentsGetRoleAssignments

8. Roles & ChangeRequests Model Changes

CreateOrUpdateRoleRequest

Added required property:

int OwnerTenantId  // required

GetRoleResponse

Added properties:

int? OwnerTenantId
string OwnerTenantName

IChangeRequestStore

Both CreateChangeRequestForNewEntity and CreateChangeRequestForExistingEntity now require an additional int ownerTenantId parameter.

Was this article helpful?

Previous Article

Reporting

Next Article

Tenant Management