User Permissions: FAQ

Topic

This article answers questions that are frequently asked about user permissions and account creation.

Environment

NinjaOne Platform

Questions

Select a question to review the answers:

• What permission level is required in order to add or edit end users?
• Do end user invitations expire? Or, how do I reset a user's password?
• What permission needs to be set for a technician or end user to view tickets across multiple organizations?
• What permissions does a new technician have by default?
• What is the difference between full permissions and system administrator roles?
• What is the difference between a basic template and a full permissions template?
• Can a technician be added to multiple roles?
• How does NinjaOne determine access level when multiple roles are assigned that conflict?
• What happens when a user who previously had explicit permissions is added to a role?
• How do I control the permissions technicians are granted for new organizations or policies?
• I cannot find Node Approval access in User Permissions. Where is this permission located?
• What permissions are required for a technician to run Wake-on-LAN on a device?
• Can an end user reset their own password or MFA, or update information such as their email or phone number?

Answers

What permission level is required in order to add or edit end users?

All system administrators can configure and edit end users.

A system administrator can grant an account permission to add or edit end users by performing the following steps:

1. Open the technician account in NinjaOne and select Permissions → System.
2. Enable the permissions and select View, Update, Create from the End User Sharing drop-down menu.
3. Open the Organizations section. Enable the permissions and select at least View, Update from the Default Access or individual organization permission drop-down menu.

Do end user invitations expire? Or, how do I reset a user's password?

Yes. Invitations expire after 24 hours. If the end user does not accept the invitation and register for their account within the 24-hour window, you must send a new invitation. To do so, navigate to Administration → Accounts → All users and select the checkbox next to the user's name. From the Actions menu, select Reset password.

What permission is required for a technician or end user to view tickets across multiple organizations?

To view tickets across multiple organizations, Permission must be granted for both the Ticket section and each organization. 

• End users: On the Account Configuration page, under General, set the Organizations permissions to "All Organizations." 
• Technicians: In the Organizations tab on the account configuration page, set the Default Access permission to at least "View."

What permissions does a new technician have by default?

By default, new technicians have no permissions. They must either have permissions explicitly configured or be assigned a role to access anything on the NinjaOne platform.

What is the difference between full permissions and system administrator roles?

Branding (Website and Systray Icon), the Threats Dashboard, User Administration, and System Events can currently only be managed by system administrators.

What is the difference between a basic template and a full permissions template?

Basic templates have default permissions that limit user access, while full-permission templates are set to Full Access by default.

Can a technician be added to multiple roles?

Yes, technicians can be added to multiple roles.

How does NinjaOne determine access level when multiple roles are assigned that conflict?

The most permissive role wins if multiple roles are assigned to a technician. For example, if one role grants "view" permissions and another grants "update" permissions, that technician will gain "update" permissions.

What happens when a user who previously had explicit permissions is added to a role?

In this case, the role permissions override the user's explicit permissions.

How do I control the permissions technicians are granted for new organizations or policies?

The Default Access permissions determine this. For example, if the default access permissions for organizations are set to "No Access," the technician will not be granted access to any newly created organizations.

I cannot find Node Approval access in User Permissions. Where is this permission located?

Node Approval is built into the organization's permissions.

What permissions are required for a technician to run Wake-on-LAN on a device?

For technicians to access Wake-on-LAN, the default access for Script Library must be set to "Run" or higher, and the technician must have "View and Update" access or higher to the device.

Can an end user reset their own password or MFA, or update information such as their email or phone number?

Yes. Once logged in, end users can click the silhouette icon in the top-right corner of the page to make changes to their profile. From here, they can change their name, email, phone number, or language. They can also reset their password and MFA method, or configure additional MFA methods.