User & Role Management

⌘K

The User & Role Management section helps you onboard team members, assign the right level of access and control which parts of the platform each user can interact with. This is essential for ensuring security, accountability and role-based workflows within your organization.

Overview

Zecurit supports a role-based access control (RBAC) model, allowing organizations to define who can do what and where. This ensures only authorized users can perform critical operations like configuring settings, enrolling devices or viewing sensitive reports.

The section is divided into two main tabs:

  • Users: Manage user invitations, access, and scope
  • Roles: Define what each role can do across the platform

Users Tab

Inviting a New User

To add a new user:

  1. Go to Settings → Organization → Users
  2. Click on Add User
  3. Fill out the invitation form:
    • User Name – Name of user.
    • Email Address – User’s work email
    • Photo (Optional) – User’s Photo
    • Under Scope:
      • Assign Role – Select a default or custom role
      • Assign Device Groups – Select which device groups this user can manage

Only Super Admins can invite users and assign roles/groups.

An invitation email will be sent to the user with steps to complete their account setup.

Managing Existing Users

After users accept the invite and join your organization, Super Admins can manage their details by:

  • Editing username or profile photo
  • Reassigning roles
  • Changing device group scope
  • Deactivating/reactivating accounts
  • Resetting passwords

All changes are audited and logged in the Activity Log for compliance and security tracking.

Roles Tab

Zecurit offers three default roles, and Super Admins can also define custom roles:

Default Roles

RolePermissions Summary
Super AdminFull platform access, including user, role, security, and org-wide settings
AdminCan enroll devices, manage inventory, run reports, but cannot modify roles or critical settings
TechnicianLimited access, can view and manage assigned device groups only, no access to sensitive settings

Default Role Permissions

Here’s a breakdown of the default access permissions for each role:

FeatureSuper AdminAdminTechnician
Enrollment
DeploymentFullFullWrite
ConnectorFullFullNo Access
DomainFullFullNo Access
Enrollment ReportsFullFullWrite
Inventory
Scan DeviceFullWriteWrite
Schedule ScanFullFullRead
Software LicenseFullWriteRead
Software CategoryFullFullWrite
Geo LocationFullWriteRead
Audit
AlertsFullFullWrite
Activity LogFullWriteWrite
Reports & Analytics
Reports ScheduleFullWriteRead
Security ReportsFullFullWrite
Hardware ReportsFullFullWrite
Software ReportsFullFullWrite
License ReportsFullFullWrite
Certificate ReportsFullFullWrite
User Logon ReportsFullFullWrite
Settings
User ManagementFullWriteNo Access
RebrandingFullNo AccessNo Access
RolesFullWriteRead
GroupsFullWriteRead
2FA SettingsFullWriteNo Access
IP RestrictionFullWriteNo Access
Session SettingsFullWriteNo Access
Agent ProtectionFullWriteNo Access
Data Cleanup SettingsFullWriteNo Access

Custom Role Creation

To create a custom role:

  1. Navigate to Settings → Organization → Roles
  2. Click Create Role
  3. Provide a Role Name and optionally a description
  4. Select feature-level rights/permissions (on/off) for:

For details on module and functionality permissions in Roles, Please check this Custom Role Permissions documentation.

Assigning Device Groups

When assigning a user role, you must also define their device group scope. This limits the user’s visibility and control to only those devices, improving security and simplifying their workflow. A user can be assigned one or more unique groups.

Best Practices

  • Always use role-based access instead of sharing accounts
  • Periodically review active users and their roles
  • Assign minimum necessary permissions based on job function
  • Use device group scoping for better segmentation and accountability

Related Topics

How can we help?