# Roles and Permissions (RBAC)

StifleR RBAC is built from two separate concepts:

* **Rules** — define *who* matches. A rule contains a claim matcher: either a Windows AD group or an OIDC claim. Rules are managed under **System > Rules** and can be reused across multiple roles.
* **Roles** — define *what* matched users can do. A role is a named grouping with a set of permissions. Rules are assigned to roles to determine membership.

When a user authenticates, StifleR checks which rules match their identity, finds all roles those rules belong to, unions the permissions across those roles, and applies the result for the session. Changes take effect on the user's next login.

## Create a rule

Rules define the claim that identifies a user or group. Create rules first, then assign them to roles.

Go to **System > Rules** and click **New rule**.

### Windows AD group

1. Enter a **Name** for the rule (e.g. `AD – Network Admins`).
2. Set **Claim type** to `Windows`.
3. Set **Claim name** to the fully qualified AD group name: `DOMAIN\GroupName`.
4. Click **Save**.

### OIDC (Entra ID / Ping Identity)

1. Enter a **Name** for the rule (e.g. `Entra – Network Admins`).
2. Set **Claim type** to `External`.
3. Set **Claim name** to the claim type your identity provider sends — typically `groups`.
4. Set **Claim id** to the claim value for the group — for Entra ID this is the group's **object ID** (a GUID, not the display name).
5. Click **Save**.

> **Entra ID tip:** To find a group's object ID, go to **Entra ID > Groups**, open the group, and copy the **Object ID** field. To confirm the claim is present in the token, sign in as a test user and inspect the token at [jwt.ms](https://jwt.ms/). If the `groups` claim is missing, group claims must be enabled in the app registration under **Token configuration**.

## Create a role

1. Go to **System > Roles** and click **New role**.
2. Enter a descriptive name, for example `Network Admins` or `DeployR – Read Only`.
3. Click **Save**.

## Assign rules to the role

1. In the **Role list**, expand the role by clicking the arrow next to it.
2. Click **Add rule**.
3. Select the rule you created and confirm.

A role can have multiple rules. A user is included in the role if they match **any** of the assigned rules.

## Assign permissions

1. Open the role editor for the role.
2. In the permissions matrix (feature sets with subjects as rows and Read / Write / Delete as columns), check the verbs you want to grant for each subject. The verbs and the subjects of each feature set are described under "Assigning permissions" and "Permission reference by feature set" later on this page.
3. Click **Save**.

## Editing a role

To change who belongs to a role, expand it in the Role list and add or remove rules.

To change what the role can do, open the role editor and update the permissions matrix.

## Deleting a role

Go to **System > Roles**, select the role, and click **Delete**. Affected users lose the permissions that role granted on their next login.

## Assigning permissions

In the role editor you will see a matrix of feature sets, each with its subjects as rows and Read / Write / Delete as columns.

Check the verbs you want to grant for each subject:

* **Read** — view data, navigate to pages
* **Write** — create and modify records
* **Delete** — remove records

Subjects within a feature set are independent — you can grant `BootImage: Read+Write` without granting `TaskSequence` access at all. A user with no permissions for a feature set cannot navigate to any of its pages.

> **Feature set visibility:** If a feature set is unlicensed or disabled (via the Features page), all permissions under it are denied regardless of role configuration. Subjects for unlicensed features will appear greyed out in the matrix.
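As an added illustration (not StifleR's own code), the following Python models the evaluation described above: a rule matches on a Windows AD group or on an OIDC claim name/value, the permissions of every role with a matching rule are unioned, and anything under an unlicensed or disabled feature set is denied regardless of role configuration. The rule names, group names, object ID and the `windows_group` claim key are constructed placeholders.

```python
# Added example (not StifleR's own code): a model of the RBAC evaluation this
# page describes. All rule names, group names and GUIDs below are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    claim_type: str       # "Windows" (AD group) or "External" (OIDC claim)
    claim_name: str       # DOMAIN\GroupName, or the OIDC claim type, e.g. "groups"
    claim_id: str = ""    # OIDC claim value (Entra ID group object ID); unused for Windows

    def matches(self, claims: dict) -> bool:
        # claims maps claim type -> set of values; AD groups are modelled under
        # the constructed key "windows_group"
        if self.claim_type == "Windows":
            return self.claim_name in claims.get("windows_group", set())
        return self.claim_id in claims.get(self.claim_name, set())

@dataclass
class Role:
    name: str
    rules: list
    perms: set = field(default_factory=set)   # (feature set, subject, verb) triples

def effective_permissions(claims, roles, enabled_features):
    """Union the permissions of every role with at least one matching rule, then
    deny everything under a feature set that is unlicensed or disabled."""
    granted = set()
    for role in roles:
        if any(rule.matches(claims) for rule in role.rules):
            granted |= role.perms
    return {p for p in granted if p[0] in enabled_features}

def can(perms, feature_set, subject, verb):
    return (feature_set, subject, verb) in perms

# Constructed configuration mirroring the page's examples
AD_ADMINS = Rule("AD – Network Admins", "Windows", r"CORP\NetAdmins")
ENTRA_ADMINS = Rule("Entra – Network Admins", "External", "groups",
                    "00000000-0000-0000-0000-000000000001")  # placeholder object ID
NETWORK_ADMINS = Role("Network Admins", [AD_ADMINS, ENTRA_ADMINS],
                      {("Networks", "Network", v) for v in ("Read", "Write", "Delete")})
DEPLOYR_RO = Role("DeployR – Read Only", [ENTRA_ADMINS],
                  {("DeployR", "BootImage", "Read"), ("DeployR", "TaskSequence", "Read")})
ROLES = [NETWORK_ADMINS, DEPLOYR_RO]

def permissions_for(claims, deployr_licensed):
    """Effective permissions for one session; DeployR is gated on its licence."""
    enabled = {"Administration", "Devices", "Networks"}
    if deployr_licensed:
        enabled.add("DeployR")
    return effective_permissions(claims, ROLES, enabled)
```

Call `permissions_for({"groups": {"00000000-0000-0000-0000-000000000001"}}, False)` to see that the Entra user receives the Networks permissions from both roles' union but nothing under DeployR while that feature set is unlicensed.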

## Permission reference by feature set

### Administration

Controls access to system configuration.

| Subject               | Read                         | Write                   | Delete           |
| --------------------- | ---------------------------- | ----------------------- | ---------------- |
| License               | View license details         | —                       | —                |
| Feature               | View feature state           | Enable/disable features | —                |
| User                  | View users and sessions      | —                       | —                |
| Rule                  | View claim rules             | Create/edit rules       | Delete rules     |
| Role                  | View roles                   | Create/edit roles       | Delete roles     |
| Policy                | View policies                | Create/edit policies    | Delete policies  |
| InfrastructureService | View infrastructure services | —                       | —                |
| ServerHealth          | View server health           | —                       | —                |
| NetworkGroupTemplate  | View templates               | Create/edit templates   | Delete templates |

### Devices

| Subject   | Read                                         | Write           | Delete         |
| --------- | -------------------------------------------- | --------------- | -------------- |
| Device    | View clients, search, hardware info, history | Set power level | Delete clients |
| Elevation | View local admins, sessions, elevation stats | —               | —              |

### Networks

| Subject      | Read                | Write                                                      | Delete                |
| ------------ | ------------------- | ---------------------------------------------------------- | --------------------- |
| Area         | View areas          | Create/edit areas                                          | Delete areas          |
| Location     | View locations      | Create/edit locations                                      | Delete locations      |
| NetworkGroup | View network groups | Create/edit groups, Resume/Suspend/Cancel, WoL             | Delete network groups |
| Network      | View networks       | Create/edit networks, Resume/Suspend/Cancel, WoL, Reassign | Delete networks       |

### BandwidthManagement

| Subject                      | Read              | Write                | Delete          |
| ---------------------------- | ----------------- | -------------------- | --------------- |
| ThrottlingPolicy             | View policies     | Create/edit policies | Delete policies |
| BranchCacheSettings          | View settings     | Modify settings      | —               |
| DeliveryOptimizationSettings | View settings     | Modify settings      | —               |
| Traffic                      | View traffic data | —                    | —               |

### DeployR

| Subject            | Read                     | Write                        | Delete                  |
| ------------------ | ------------------------ | ---------------------------- | ----------------------- |
| BootImage          | View boot images         | Create/edit boot images      | Delete boot images      |
| TaskSequence       | View task sequences      | Create/edit task sequences   | Delete task sequences   |
| StepDefinition     | View step definitions    | Create/edit step definitions | Delete step definitions |
| ApplicationContent | View application content | —                            | —                       |
| OsContent          | View OS content          | —                            | —                       |
| DriverPackContent  | View driver pack content | —                            | —                       |
| OtherContent       | View other content       | —                            | —                       |

### CacheManagement

| Subject | Read                       | Write | Delete |
| ------- | -------------------------- | ----- | ------ |
| Usage   | View cache usage reporting | —     | —      |

### OsdDeployments

| Subject   | Read                       | Write                             | Delete                       |
| --------- | -------------------------- | --------------------------------- | ---------------------------- |
| Osd       | View OSD deployments       | Create/edit OSD deployments       | Delete OSD deployments       |
| Autopilot | View Autopilot deployments | Create/edit Autopilot deployments | Delete Autopilot deployments |
| Generic   | View generic deployments   | Create/edit generic deployments   | Delete generic deployments   |

### CacheR

| Subject            | Read                     | Write | Delete |
| ------------------ | ------------------------ | ----- | ------ |
| Packages           | View packages            | —     | —      |
| DistributionPoints | View distribution points | —     | —      |
| TrackedContent     | View tracked content     | —     | —      |

### RemoteR

> **Note:** RemoteR permissions control access to individual remote tools. Users without the relevant permission will see each tool disabled with a "No permission" message. Accessing the client page itself requires Devices.Device read permission.

## Testing a role

To test without logging out of your admin session, open a separate browser profile or private window and sign in as the test user. For Windows Integrated Auth, you can also launch Edge under a different identity from a command prompt:

```
runas /user:DOMAIN\testuser msedge.exe
```
