Managing administrator roles

Administrator roles control the actions that administrators can perform in the web-based Administrator interface or management API after they have been authenticated. You can map different administrator roles to different sets of users, based on their group membership within your chosen authentication provider, giving you greater control over the actions that individual administrators can perform. For example, you can configure a role that allows an administrator to only view (and not modify) specific items of configuration data or status information via the Administrator interface.

For information on using administrator roles in conjunction with your authentication provider, see Managing administrator access via LDAP, Managing administrator access via OIDC, or Managing API access via OAuth2 as appropriate.

Roles are not relevant to the local admin account, which will always have full read-write access.

When an administrator has restricted permissions, all navigation menu options are still displayed, but the administrator is shown an Access denied message on selecting a menu option that they are not authorized to use. For read-only restrictions, the relevant Add <item> options are not displayed.

Two roles are present by default:

  • Read-only: allows read-only access to all configuration settings and status information when accessing the system via the web-based Administrator interface or the management API. An administrator with this role can also take diagnostic snapshots and backups, view logs, and make packet captures. Note that this role has full read access to sensitive information — you can create more restricted roles if necessary.
  • Read-write: allows full administrative access when accessing the system via the web-based Administrator interface or the management API.

To add, edit or delete administrator roles, go to Users & Devices > Administrator roles. When configuring roles, the options are:

Option: Description
Name: A descriptive name of the role, e.g. "auditor" or "management system".
Permissions:

Select from the list of Available permissions the set of permitted actions for the role and then use the right arrow to move the selected actions into the Chosen permissions list. For more information on each permission, see Descriptions of all available administrator permissions.

All roles must include the Is an administrator permission for access to the system. In addition, the May use web interface and May use API permissions must be included for access via the web-based Administrator interface and management API respectively. You must then also add all of the other permissions, such as May modify system configuration and so on, that you want to apply to the role — if a role has, for example, only the Is an administrator and May use web interface permissions, an administrator with that role will be able to log in via the web-based Administrator interface but will not be able to perform any actions.

When creating an OAuth2 client for management API access, the permissions Is an administrator and May use API are assumed and do not need to be set explicitly.

The permissions that are applied to the default Read-only role are shown below:

Descriptions of all available administrator permissions

The table below describes each of the permissions that can be applied to an administrator role:

Permission: Description
Is an administrator: Required for any of the other permissions listed below
May use API: Required to access the Pexip Infinity management API (via api/admin)
May use web interface: Required to access the Management Node Administrator interface
May add/remove themes: May add, change, delete and view themes
May view gateway configuration: May view Call Routing Rules
May modify gateway configuration: May change and view Call Routing Rules
May add/remove gateways: May add or delete Call Routing Rules (does not include view permission)
May modify VMR configuration

May change and view:

  • Aliases
  • Automatically Dialed Participants
  • Device aliases
  • LDAP sync templates
  • Media Playback Playlist
  • Media Playback Service
  • Media Playback Upload
  • Registrar
  • Scheduled Conferences
  • Test Call Services
  • Users
  • Virtual Auditoriums
  • Virtual Meeting Rooms
  • Virtual Receptions
May view VMR configuration

May view:

  • Aliases
  • Automatically Dialed Participants
  • Device aliases
  • LDAP sync templates
  • Media Playback Playlist
  • Media Playback Service
  • Media Playback Upload
  • Registrar
  • Scheduled Conferences
  • Test Call Services
  • Users
  • Virtual Auditoriums
  • Virtual Meeting Rooms
  • Virtual Receptions
May add/remove VMRs

May add or delete (does not include view permission):

  • Aliases
  • Automatically Dialed Participants
  • Device aliases
  • LDAP sync templates
  • Media Playback Playlist
  • Media Playback Service
  • Media Playback Upload
  • Test Call Services
  • Users
  • Virtual Auditoriums
  • Virtual Meeting Rooms
  • Virtual Receptions
May view system configuration

May view:

  • AD FS OAuth 2.0 Clients
  • Automatic backups
  • Backup / Restore
  • Break-In attempt allow list
  • Certificate signing requests
  • Conferencing Nodes
  • DNS servers
  • Diagnostic Graphs
  • Event sinks
  • Global settings
  • Google Meet access tokens
  • Google Meet gateway token
  • Google OAuth 2.0 Credentials
  • H.323 gatekeepers
  • Identity Providers
  • Identity Provider Groups
  • LDAP sync fields
  • LDAP sync sources
  • Licensing
  • Log levels
  • Lync / Skype for Business servers
  • Management Nodes
  • Microsoft Teams Connectors
  • NTP servers
  • OTJ Endpoint Groups
  • OTJ Endpoints
  • OTJ Exchange Integrations
  • OTJ O365 Graph Integrations
  • OTJ Google Workspace Integrations
  • OTJ Meeting Processing Rules
  • OTJ Profiles
  • Packet captures
  • Policy profiles
  • Regular expression testers
  • SIP credentials
  • SIP proxies
  • SMTP servers
  • SNMP Network Management Systems
  • Software bundles
  • SSH authorized keys
  • STUN servers
  • Static routes
  • Syslog servers
  • System locations
  • System location status
  • TLS certificates
  • TURN servers
  • Teams Tenants
  • Teams Scheduled scaling policies
  • Telehealth Profiles
  • Intermediate CA certificates
  • Trusted CA certificates
  • Upgrades
  • User groups
  • VM managers
  • VMR Scheduling for Exchange Integrations
  • Web App Branding
  • Web App Paths
  • Web App Downloads
  • Web Proxies
May modify system configuration

May add, change, delete and view:

  • AD FS OAuth 2.0 Clients
  • Automatic backups
  • Backup / Restore
  • Break-In attempt allow list
  • Certificate signing requests
  • Conferencing Nodes
  • DNS servers
  • Diagnostic Graphs
  • Event sinks
  • Global settings
  • Google Meet access tokens
  • Google Meet gateway token
  • Google OAuth 2.0 Credentials
  • H.323 gatekeepers
  • Identity Providers
  • Identity Provider Groups
  • LDAP sync fields
  • LDAP sync sources
  • Licensing
  • Log levels
  • Lync / Skype for Business servers
  • Management Nodes
  • Microsoft Teams Connectors
  • NTP servers
  • OTJ Endpoint Groups
  • OTJ Endpoints
  • OTJ Exchange Integrations
  • OTJ O365 Graph Integrations
  • OTJ Google Workspace Integrations
  • OTJ Meeting Processing Rules
  • OTJ Profiles
  • Packet captures
  • Policy profiles
  • Regular expression testers
  • SIP credentials
  • SIP proxies
  • SMTP servers
  • SNMP Network Management Systems
  • SSH authorized keys
  • Software bundles
  • STUN servers
  • Static routes
  • Syslog servers
  • System locations
  • System location status
  • TLS certificates
  • TURN servers
  • Teams Tenants
  • Teams Scheduled scaling policies
  • Telehealth Profiles
  • Intermediate CA certificates
  • Trusted CA certificates
  • Upgrades
  • User groups
  • VM managers
  • VMR Scheduling for Exchange Integrations
  • Web App Branding
  • Web App Paths
  • Web Proxies

May change:

  • Cloud Bursting
May restore system backup

May change (does not include view permission):

  • Backup / Restore
May create/delete system backup

May add or delete:

  • Backup / Restore

May change and view:

  • Automatic backup
May download system backup

May view:

  • Backup / Restore
  • Automatic backup
May modify conference status

May view and perform available actions on:

  • Backplane status
  • Conference status (dial out, mute, lock, disconnect)
  • LDAP sync status
  • OTJ Endpoints
  • OTJ Meetings
  • Participants status
May view conference status

May view:

  • Backplane status
  • Conferences status
  • Live View
  • LDAP sync status
  • OTJ Endpoints
  • OTJ Meetings
  • Participants status
May view logs

May view:

  • Conference history
  • Participant history
  • Conferencing Node history
  • Alarm history
  • Usage statistics
  • Administrator log
  • Support log
  • Log levels
May configure logs

May add, change, or delete:

  • Log levels
May download TLS private key: May download TLS private key
May create/delete packet capture

May add or delete (does not include view permission):

  • Packet captures
May download packet capture

May view:

  • Packet captures
May view authentication configuration

May view:

  • Administrator authentication
  • Administrator roles
  • Login history
  • LDAP role mappings
  • OAuth2 clients
  • OAuth2 tokens
May modify authentication configuration

May add, change, delete and view:

  • Administrator authentication
  • Administrator roles
  • Login history
  • LDAP role mappings
  • OAuth2 clients
  • OAuth2 tokens
May generate system snapshot

May view:

  • Diagnostic snapshot
May view system status

May view:

  • Alarms
  • Cloud overflow nodes
  • Conferencing Nodes
  • Microsoft Teams Connectors
  • Registered aliases
May upload software bundle

May upload (does not include view permission):

  • Software bundles
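
As an added example (not Pexip's own code), the following Python lint applies the rules described above to role definitions held as sets of permission names: the required Is an administrator and access permissions, the access-only case, and add/remove permissions that do not include view. The role names, the NEEDS_VIEW mapping and the REVIEW set are assumptions of this example, built from the table's descriptions.

```python
BASE = "Is an administrator"
ACCESS = {"May use web interface", "May use API"}
# Add/remove permissions the table marks "does not include view permission",
# mapped to the permissions whose descriptions grant view of the same items.
NEEDS_VIEW = {
    "May add/remove gateways": {"May view gateway configuration",
                                "May modify gateway configuration"},
    "May add/remove VMRs": {"May view VMR configuration",
                            "May modify VMR configuration"},
    "May create/delete packet capture": {"May download packet capture",
                                         "May view system configuration",
                                         "May modify system configuration"},
    "May upload software bundle": {"May view system configuration",
                                   "May modify system configuration"},
}
# Assumption: which permissions get a holder review is this example's choice.
REVIEW = {"May download TLS private key", "May modify authentication configuration"}


def lint_role(name, perms, oauth2_client=False):
    """Return findings for one role's chosen permissions."""
    perms = set(perms)
    if oauth2_client:  # these two are assumed for OAuth2 clients
        perms |= {BASE, "May use API"}
    findings = []
    if BASE not in perms:
        findings.append(f"{name}: missing '{BASE}' (required for all others)")
    if not perms & ACCESS:
        findings.append(f"{name}: no web interface or API access permission")
    elif perms <= {BASE} | ACCESS:
        findings.append(f"{name}: only access permissions, no actions permitted")
    for perm, viewers in NEEDS_VIEW.items():
        if perm in perms and not perms & viewers:
            findings.append(f"{name}: '{perm}' without a matching view permission")
    for perm in sorted(perms & REVIEW):
        findings.append(f"{name}: review who holds '{perm}'")
    return findings


# Constructed sample roles: hypothetical names, permission names from the table.
ROLES = {
    "auditor": {BASE, "May use web interface", "May view logs"},
    "vmr-provisioner": {BASE, "May use API", "May add/remove VMRs"},
    "login-only": {BASE, "May use web interface"},
    "cert-ops": {"May use web interface", "May download TLS private key"},
}

if __name__ == "__main__":
    for role, perms in ROLES.items():
        print(role, lint_role(role, perms))
```

Run it over an export of your role definitions before and after each change to Administrator roles, and treat any new finding as a change that needs a second reviewer.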