# Roles

A user role defines the access rights of a user to the features of the Nexthink web interface. The following roles exist:

* **Main role**, which sets the View domain and the landing page, and can grant data privacy, feature and content permissions. Each user account must have a main role.
* **Additional role**, which can grant data privacy, feature and content permissions only. Additional roles are optional and each user account can have multiple additional roles.

## Accessing Roles <a href="#roles-accessingroles" id="roles-accessingroles"></a>

1. Select the **Administration** module from the main menu.
2. Select **Roles** under the **Account management** section.
3. Hover over an existing role to reveal the edit icon on the right side of the row. Select the edit icon to change an existing role.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-590d3507386027c85cc941fd41c14c947c3ba724%2Fselect_roles.png?alt=media" alt="Accessing Roles" width="760"><figcaption></figcaption></figure>

## Creating a new role <a href="#roles-creatinganewrole" id="roles-creatinganewrole"></a>

To configure a new role:

1. Select the **New role** button in the top-right corner of the role administration page.
2. Select the **Main role** or **Additional role** as the role type.
3. Select **Add role**.

{% hint style="info" %}
It is not possible to convert a Main role to an Additional role and vice versa.
{% endhint %}

### Role name and description <a href="#roles-rolenameanddescription" id="roles-rolenameanddescription"></a>

* **Name**: Enter the name of the role.
* **Description**: Enter a role description.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-74c92338cac028b296a42c4c75a95b2f58206a44%2FRoles-12345.png?alt=media" alt=""><figcaption></figcaption></figure>

### Role landing page <a href="#roles-landingpage" id="roles-landingpage"></a>

{% hint style="info" %}
Landing pages are available for main roles only.
{% endhint %}

Define a custom landing page for the role. Users with this role land on that page after logging in to the Nexthink web interface. Ensure that the users of the role have the necessary permissions to view the page; otherwise, an error message appears.

* Leave the textbox empty or enter `/` for the system to redirect the user to the first module in the main menu. The module may differ based on the user license and permissions.
* Enter a relative path to the page you want the users to land on after logging into the Nexthink web interface. For example, for the following URL:\
  `https://eu.nameofinstance.cloud/strategic-eo/overview`\
  The relative path is: `/strategic-eo/overview`\
  If the string is not a valid path, an error message appears to the user after the login.
* Test if the landing page is working properly after assigning the role to a specific user.
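The landing page value is a same-origin relative path, and the page only derives it by hand from a full instance URL. The following added example (not code from Nexthink or from this page) shows that derivation as a function, and pairs it with a conservative validator that rejects values that would not be a relative path on the instance, such as a full URL to another site or a protocol-relative `//host/...` value. The instance host `eu.nameofinstance.cloud` is taken from the page's own example; the exact validation Nexthink applies is not documented here, so the rule set below is an assumption.

```python
from urllib.parse import urlsplit

# Assumed instance host, taken from the page's own example URL; substitute your tenant.
INSTANCE_HOST = "eu.nameofinstance.cloud"


def is_valid_landing_path(path: str) -> bool:
    """Accept "" or "/" (default landing page) or a same-origin relative path.

    Assumption: the page says only that the value must be a relative path, so
    this applies a conservative rule: a single leading "/", no scheme, no host,
    no control characters and no backslashes (browsers may normalise "\\" to "/").
    """
    if path in ("", "/"):
        return True
    if not path.startswith("/") or path.startswith("//"):
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in path):
        return False
    parts = urlsplit(path)
    # A genuine relative path never carries a scheme or a network location.
    return not parts.scheme and not parts.netloc


def landing_path_from_url(url: str, instance_host: str = INSTANCE_HOST) -> str:
    """Derive the relative landing path from a full instance URL, as the page's
    example does: https://eu.nameofinstance.cloud/strategic-eo/overview
    becomes /strategic-eo/overview.

    Raises ValueError when the URL is not an https URL on the instance host, so a
    link copied from another site cannot silently become a role's landing page.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != instance_host.lower():
        raise ValueError(f"URL is not on instance host {instance_host}: {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if not is_valid_landing_path(path):
        raise ValueError(f"derived value is not a valid landing path: {path!r}")
    return path


if __name__ == "__main__":
    print(landing_path_from_url("https://eu.nameofinstance.cloud/strategic-eo/overview"))
```

Run the validator over the values you intend to paste into the **Landing page** box; anything it rejects is worth a second look before it is assigned to a role.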

### Data privacy <a href="#roles-dataprivacy" id="roles-dataprivacy"></a>

Define the **Data privacy** settings for the role to prevent users from seeing sensitive data:

* **Destinations and domains**: Set to **Hidden** to hide destinations and domains of connectivity events from the user.
* **Devices**: Set to **Hidden** to hide device names from the user.
* **Users**: Set to **Hidden** to hide user names from the user.

#### Fields hidden by each Data privacy setting

When you set a Data privacy setting to **Hidden** for a role, Nexthink hides the corresponding fields in the web interface and in exports for that role.

Each setting affects more than one collection. For example, the **Users** setting hides fields in the users collection and user identifiers referenced in other collections, and the **Devices** setting hides device identifiers such as IP addresses and MAC addresses wherever they are referenced. The full list follows.

<details>

<summary>List of hidden fields by Data privacy setting</summary>

### Destinations and domains

The following fields are hidden in the **connection.events**, **connection.udp\_events** and **connection.tcp\_events** collections:

* `destination.owner`
* `destination.country`
* `destination.datacenter_region`
* `destination.domain`
* `destination.ip_address`
* `destination.ip_subnet`
* `destination.port`

### Devices

The following fields are hidden in the **devices** collection:

* `sid`
* `name`
* `distinguished_name`
* `dns_name`
* `public_ip.ip_address`
* `collector.local_ip`
* `hardware.bios_serial_number`
* `hardware.machine_serial_number`
* `hardware.chassis_serial_number`
* `connectivity.last_local_ips`
* `connectivity.last_local_ip`

The following fields are hidden in the **mobile\_devices** collection:

* `name`
* `mobile_hardware.serial_number`
* `mobile_hardware.imei`
* `governance.name`

The following field is hidden in the **session.events** collection:

* `client_ip`

The following fields are hidden in the **connectivity.events** collection:

* `wifi.ssid`
* `wifi.bssid`
* `primary_physical_adapter.local_ips`
* `vpn.local_ips`

The following fields are hidden in the **collaboration.sessions** collection:

* `participant_device.mac_address`

### Users

The following fields are hidden in the **users** collection:

* `sid`
* `name`
* `upn`
* `upn_privacy_level`
* `ad.email_address`
* `ad.distinguished_name`
* `ad.full_name`
* `ad.username`

The following fields are hidden in the **devices** collection:

* `local_admins`
* `login.last_login_user_name`

The following field is hidden in the **mobile\_devices** collection:

* `primary_user_upn`

The following fields are hidden in the **platform.audit\_logs** collection:

* `account`
* `message`

</details>
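The hidden-field lists above are applied by Nexthink inside the product. When results leave the product, for instance through an integration that re-exposes NQL output to people with less access, the same redaction has to be reproduced downstream. The following added example (not code from Nexthink or from this page) transcribes the lists into a lookup table and applies them to a record of a given collection, showing how the three settings combine: a role with both **Devices** and **Users** hidden loses `name`, `hardware.bios_serial_number`, `local_admins` and `login.last_login_user_name` from a device record, while unrelated fields survive. The sample device record is constructed for the example; the `<hidden>` placeholder and the dict-based record layout are assumptions, not the product's export format.

```python
from copy import deepcopy

# Field lists transcribed from the page's "List of hidden fields by Data privacy setting".
# Outer key: privacy setting; inner key: collection; value: dotted field paths.
_CONNECTION_FIELDS = [
    "destination.owner", "destination.country", "destination.datacenter_region",
    "destination.domain", "destination.ip_address", "destination.ip_subnet", "destination.port",
]
HIDDEN_FIELDS = {
    "destinations_and_domains": {
        "connection.events": _CONNECTION_FIELDS,
        "connection.udp_events": _CONNECTION_FIELDS,
        "connection.tcp_events": _CONNECTION_FIELDS,
    },
    "devices": {
        "devices": [
            "sid", "name", "distinguished_name", "dns_name", "public_ip.ip_address",
            "collector.local_ip", "hardware.bios_serial_number", "hardware.machine_serial_number",
            "hardware.chassis_serial_number", "connectivity.last_local_ips", "connectivity.last_local_ip",
        ],
        "mobile_devices": ["name", "mobile_hardware.serial_number", "mobile_hardware.imei", "governance.name"],
        "session.events": ["client_ip"],
        "connectivity.events": ["wifi.ssid", "wifi.bssid", "primary_physical_adapter.local_ips", "vpn.local_ips"],
        "collaboration.sessions": ["participant_device.mac_address"],
    },
    "users": {
        "users": [
            "sid", "name", "upn", "upn_privacy_level", "ad.email_address",
            "ad.distinguished_name", "ad.full_name", "ad.username",
        ],
        "devices": ["local_admins", "login.last_login_user_name"],
        "mobile_devices": ["primary_user_upn"],
        "platform.audit_logs": ["account", "message"],
    },
}

REDACTED = "<hidden>"  # assumed placeholder; Nexthink's own rendering is not specified here


def hidden_fields_for(collection, privacy):
    """Union of dotted field paths hidden in `collection` for a role.

    `privacy` maps a setting name to True when that setting is Hidden.
    """
    fields = set()
    for setting, hidden in privacy.items():
        if hidden:
            fields.update(HIDDEN_FIELDS.get(setting, {}).get(collection, []))
    return fields


def _redact_path(obj, path):
    """Replace the value at a dotted path in a nested dict, if that path exists."""
    head, _, rest = path.partition(".")
    if not isinstance(obj, dict) or head not in obj:
        return
    if rest:
        _redact_path(obj[head], rest)
    else:
        obj[head] = REDACTED


def redact_record(collection, record, privacy):
    """Return a copy of `record` (a dict as exported from `collection`) with every
    field hidden by the role's Data privacy settings replaced by REDACTED."""
    out = deepcopy(record)
    for path in sorted(hidden_fields_for(collection, privacy)):
        _redact_path(out, path)
    return out


# Constructed sample device record for the example; not real data.
SAMPLE_DEVICE = {
    "name": "LAPTOP-0042",
    "dns_name": "laptop-0042.corp.example",
    "hardware": {"model": "Latitude 5540", "bios_serial_number": "ABC123"},
    "login": {"last_login_user_name": "jdoe"},
    "local_admins": ["jdoe", "Administrator"],
    "operating_system": {"name": "Windows 11"},
}

if __name__ == "__main__":
    role_privacy = {"devices": True, "users": True, "destinations_and_domains": False}
    print(redact_record("devices", SAMPLE_DEVICE, role_privacy))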

### Data Model Visibility

Choose the [NQL data model](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model) tables visible to this role. Data model visibility requires full View domain access:

* [**AI tools**](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model#ai_tool): enables using NQL to view configured AI tools and their usage and interaction telemetry.
* [**Agent conversations**](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model#agent_conversations): enables using NQL to view Spark conversation data.
* [**Audit Logs**](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model#platform_audit_log): enables using NQL to view all Infinity audit events.
* [**Nexthink Usage**](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model#usage): enables using NQL to view tracked usage of Nexthink tools.
* [**Platform logs**](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model#platform): enables using NQL to view all platform logs, such as custom trends computation and data export.

### View domain <a href="#roles-viewdomain" id="roles-viewdomain"></a>

{% hint style="warning" %}
View domains are available for main roles only.
{% endhint %}

Define the scope of devices, related events, and inventory objects a role can view.

* **Full access**: The role can access all Nexthink data.
* **Limited access**: Select the list of entities that the role can see. Only devices, events, and inventory objects associated with those entities are visible to the user with this role.

The entities are defined in the Organization tab of the [Product configuration](https://docs.nexthink.com/platform/user-guide/administration/system-configuration/product-configuration) page.

A user role with a limited view domain can list all users but cannot drill down to related devices and events if they are not part of its view domain.

Refer to the [View domain](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles/view-domain) documentation for more information.

## Permissions <a href="#roles-permissions" id="roles-permissions"></a>

The **Permissions** tab lets you configure the permissions granted to the users with the assigned role.

Grant permissions at the feature level, for example, **View all Campaign dashboards** or at the content level to view a specific Campaign dashboard, edit a specific investigation, or trigger a remote action.

{% hint style="warning" %}
Some permissions require specific licenses for visibility. Refer to each section below to check which permissions are hidden by default.
{% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-d12b29187be204d7cdb4d8737a9684c66eb8257c%2F03-add-campaigns.png?alt=media" alt="Manage permissions" width="760"><figcaption></figcaption></figure>

When you share a content item with a role, you can review and manage the permissions on the **Roles** page:

* **Set permissions on selected (content items)** enables users to change permissions for selected content items of the feature, for example, specific campaigns or remote actions.
* **Add (content items)** enables users to add specific content items to the feature, for example, specific investigations or live dashboards.
* Depending on your feature-level permissions, you can select or deselect permissions for each content item.

Specify permissions for each feature of the product:

{% hint style="info" %}
You may see permissions for features that you have not subscribed to or technical previews you are not participating in. Refer to the licenses your company has purchased from Nexthink.
{% endhint %}

### Administration <a href="#roles-administration" id="roles-administration"></a>

* **Administrator rights** enable users to (requires full View domain access):
  * Create and manage other user accounts.
  * Create and manage roles and permissions.
  * Configure the product.
  * Create and manage connectors.
  * Manage the product license.
* **Data management** enables users to (requires administrator rights):
  * Retrieve all the personal data linked to a user or device.
  * Delete a user or device.
  * Configure data retention. Refer to the [Data management](https://docs.nexthink.com/platform/user-guide/administration/content-management/data-management) documentation for more information.
* **Manage all custom fields** enables users to create, edit and delete custom fields, as well as to set values for manual custom fields. Requires full View domain access.
  * To delete custom fields, users also need the **Manage all ratings** permission, which is automatically granted to users with the **Manage all custom fields** permission.
  * Users without the **Manage all custom fields** permission but with the **View all checklists** permission (see the [Device view](#roles-diagnostics) permissions) can still see custom field values in checklists.
* **Edit manual custom fields** enables users to set values for manual custom fields from Investigations. It can be granted to roles with a limited View domain and is automatically granted to users with the **Manage all custom fields** permission.
* **Manage all custom trend data** enables users to create daily snapshots of existing data and observe their evolution over time, for up to 13 months. Requires full View domain access and Run investigations permission.
* **Manage all NQL API queries** enables users to:
  * Create new Nexthink Query Language (NQL) API queries
  * Update all existing NQL API queries
  * Read all NQL API queries
  * Delete all NQL API queries
* **Manage all ratings** enables users to create, edit and delete ratings. Requires the **Manage all custom fields** permission.
  * Users without this permission but with the **Run investigations** permission can still see rating values when writing NQL investigations.
* **Manage collectors** enables users to configure the Collector update groups. Requires full View domain access.

### Alerts and Diagnostics <a href="#roles-alerts" id="roles-alerts"></a>

* **Manage all alerts** enables users to (requires full View domain access):
  * Create new alerts.
  * Edit all existing alerts.
  * Delete all alerts.
  * Share all alerts.
* **View all alert dashboards** enables users to monitor all alerts in the overview dashboard.
  * Users without this permission but with the **Run investigations** permission can still access the Alerts data using NQL or Device View.
* **View Diagnostics dashboards** enables users to see the Diagnostics panel to identify possible causes of issues.

### Amplify <a href="#roles-amplify" id="roles-amplify"></a>

{% hint style="warning" %}
These permissions require an Amplify license for visibility.
{% endhint %}

* **Manage Amplify** enables users to configure the Amplify Information Technology Service Management (ITSM) integration browser extension. It requires the Data Privacy to be set to *None* or *Anonymous users*.
* **View Amplify** enables users to access the Amplify ITSM browser extension. It requires the Data Privacy to be set to *None* or *Anonymous users*.
* **View installed packages in Amplify** enables users to see the Packages tab in the Amplify extension, which lists all installed applications and updates for the target device.

### Applications <a href="#roles-applications" id="roles-applications"></a>

* **Manage all applications** enables users to (requires full View domain access):
  * Create new applications.
  * Edit all existing applications.
  * Delete all applications.
  * Share all applications.
  * Publish adoption guides.
* **View all application dashboards** enables users to monitor all applications on the Overview page and on all Applications dashboards.
  * Users without this permission but with the **Run investigations** permission can still access the Applications data using NQL or Device View.

{% hint style="danger" %}
Users with these permissions can create [adoption guides](https://docs.nexthink.com/platform/user-guide/adopt) that perform actions on behalf of the guide viewer. This carries a high level of risk in sensitive applications, such as finance and security.

As a security precaution, ensure that you grant these permissions only to trusted users.
{% endhint %}

### Campaigns <a href="#roles-campaigns" id="roles-campaigns"></a>

* **Manage all campaigns** enables users to (requires full View domain access):
  * Create new campaigns
  * Edit all existing campaigns
  * Delete all campaigns
  * Share all campaigns
  * Publish all campaigns
  * Configure campaign branding
* **Manage all manual campaigns** enables users to (only available for roles with limited View domain access):
  * Create campaigns with a manual trigger
  * Edit campaigns with a manual trigger
  * Publish and retire campaigns with a manual trigger
  * Duplicate non-manual campaigns into copied versions that can only be manually triggered
* **Trigger all manual campaigns** enables users to trigger all manual campaigns from the Investigation module.
* **View all campaign dashboards** enables users to see the results of all campaigns. Requires full View domain access.
  * Users without this permission but with the **Run investigations** permission can still access the Campaigns data using NQL or Device View.
* You can add **View**, **Edit** or **Trigger** permissions for specific campaigns to a role by selecting them from a list of available campaigns.

{% hint style="warning" %}
Even when granted the **Edit** permission at a campaign level, users with a limited View domain cannot edit non-manual campaigns. This is to prevent targeting users outside of their current View domain.
{% endhint %}
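The Administration and Campaigns sections above state several dependencies between settings: some permissions require full View domain access, **Manage all manual campaigns** exists only for roles with a limited View domain, **Data management** requires **Administrator rights**, **Manage all ratings** requires **Manage all custom fields**, **Manage all custom fields** implies **Manage all ratings** and **Edit manual custom fields**, and landing pages and View domains exist for main roles only. When roles are reviewed in bulk, for example during an access review, it helps to check those rules mechanically. The following added example (not code from Nexthink or from this page) encodes them as a small linter over a constructed role representation; the `Role` dataclass, the role-type and view-domain strings, and the permission names as plain strings are assumptions for the example, and the page does not describe how an additional role combines with the main role's View domain, so only main roles are checked for View domain rules.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Role:
    """Constructed representation of a role for this example only."""
    name: str
    role_type: str                       # "main" or "additional"
    view_domain: Optional[str] = None    # "full" or "limited"; main roles only
    landing_page: str = ""               # main roles only
    permissions: frozenset = frozenset()


# Dependencies as stated on this page.
REQUIRES_FULL_VIEW_DOMAIN = {
    "Administrator rights",
    "Manage all custom fields",
    "Manage all custom trend data",
    "Manage collectors",
    "Manage all campaigns",
    "View all campaign dashboards",
}
LIMITED_VIEW_DOMAIN_ONLY = {"Manage all manual campaigns"}
REQUIRES_PERMISSION = {
    "Data management": {"Administrator rights"},
    "Manage all ratings": {"Manage all custom fields"},
    "Manage all custom trend data": {"Run investigations"},
}
# Permissions the page says are granted automatically with another permission.
IMPLIED = {
    "Manage all custom fields": {"Manage all ratings", "Edit manual custom fields"},
}


def effective_permissions(role):
    """Permissions explicitly granted plus those implied by them (closed under IMPLIED)."""
    perms = set(role.permissions)
    changed = True
    while changed:
        changed = False
        for source, implied in IMPLIED.items():
            if source in perms and not implied <= perms:
                perms |= implied
                changed = True
    return perms


def lint_role(role):
    """Return the list of rule violations for a role; an empty list means it is consistent."""
    problems = []
    perms = effective_permissions(role)

    if role.role_type == "main":
        if role.view_domain not in ("full", "limited"):
            problems.append("main role must define a View domain ('full' or 'limited')")
        else:
            full = role.view_domain == "full"
            for p in sorted(perms & REQUIRES_FULL_VIEW_DOMAIN):
                if not full:
                    problems.append(f"{p} requires full View domain access")
            for p in sorted(perms & LIMITED_VIEW_DOMAIN_ONLY):
                if full:
                    problems.append(f"{p} is only available to roles with limited View domain access")
    elif role.role_type == "additional":
        if role.landing_page:
            problems.append("landing pages are available for main roles only")
        if role.view_domain is not None:
            problems.append("View domains are available for main roles only")
    else:
        problems.append(f"unknown role type {role.role_type!r}")

    for p, needed in REQUIRES_PERMISSION.items():
        missing = needed - perms
        if p in perms and missing:
            problems.append(f"{p} requires {', '.join(sorted(missing))}")
    return problems


# Constructed sample roles for the example.
ADMINISTRATORS = Role("Administrators", "main", "full", "/",
                      frozenset({"Administrator rights", "Data management", "Run investigations"}))
REGIONAL_HELPDESK = Role("EMEA helpdesk", "main", "limited", "/strategic-eo/overview",
                         frozenset({"Run investigations", "Manage all custom fields",
                                    "Manage all manual campaigns"}))

if __name__ == "__main__":
    for role in (ADMINISTRATORS, REGIONAL_HELPDESK):
        print(role.name, lint_role(role) or "OK")
```

The linter reports the `EMEA helpdesk` role because **Manage all custom fields** needs full View domain access, which a regional role does not have; the remedy on the page is to grant that role **Edit manual custom fields** instead.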

### Collaboration Tools <a href="#roles-collaborationtools" id="roles-collaborationtools"></a>

{% hint style="warning" %}
These permissions require a Collaboration Experience license for visibility.
{% endhint %}

* **View all collaboration tools dashboards** enables users to see the Collaboration Tools module and associated dashboards.
  * Users without this permission but with the **Run investigations** permission can still access the Collaboration data using NQL or Device View.

### Device view <a href="#roles-diagnostics" id="roles-diagnostics"></a>

* **Manage all checklists** enables users to:
  * Create new checklists.
  * Edit all existing checklists.
  * Delete all checklists.
  * Share all checklists.
* **View all checklists** enables users to view all checklists in the Device View. You can also map specific checklists to the role using the checklist content-sharing feature.
* **View device view** enables users to access the device timeline and checklists for detailed troubleshooting and analysis of the device.

### Desktop virtualization <a href="#roles-desktopvirtualization" id="roles-desktopvirtualization"></a>

{% hint style="warning" %}
These permissions require a VDI Experience license for visibility.
{% endhint %}

* **View Desktop Virtualization dashboards** enables users to view desktop virtualization dashboards.

### Digital Experience <a href="#roles-digitalexperience" id="roles-digitalexperience"></a>

The role requires full View domain access for Digital Experience permissions.

* **Manage Digital Experience Score** enables users to configure the list of applications and the score metrics monitored in the Digital Experience module.
  * Users without this permission enabled, but with the **Run investigations** permission, can still access the DEX data when using NQL or Device View.
* **View Digital Experience dashboard** enables users to monitor the digital employee experience (DEX). Requires Experience Central license.
  * Users without this permission enabled, but with the **Run investigations** permission, can still access the DEX data when using NQL or Device View.

### Investigations <a href="#roles-investigations" id="roles-investigations"></a>

* **Create private investigations; use global search** enables users to create, edit, and execute investigations using NQL. It provides access to global search.
* **Manage shared investigations** enables users to:
  * Edit all shared investigations.
  * Delete all shared investigations.
  * Share all shared investigations.
* **Share private investigations** enables users to share the investigations they have created with other users of Nexthink.
* **View shared investigations** enables users to view all shared investigations.

### Library and packs <a href="#roles-libraryandpacks" id="roles-libraryandpacks"></a>

* **Import custom packs** enables users to import third-party custom packs to their Nexthink environment.
* **Manage all custom packs** enables users to create custom content packs (such as Live dashboards, remote actions, and so on) and publish them to other Nexthink environments.

### Live dashboards <a href="#roles-livedashboards" id="roles-livedashboards"></a>

* **Manage all dashboards** enables users to (requires **Run investigations** permission):
  * Create new dashboards.
  * Edit all existing dashboards.
  * Delete all dashboards.
  * Share all dashboards.
* **View all dashboards** enables users to view all dashboards created in the system.

### Nexthink Library <a href="#roles-nexthinklibrary" id="roles-nexthinklibrary"></a>

**View all Nexthink Library content** enables users to access the in-product **Nexthink Library** where they can view all the pre-configured content offered by Nexthink.

Users with this permission also need the **Manage all ...** permissions of the specific features for which they want to install the library content. For example, **Manage all remote actions** to install the content for remote actions.

### Remote actions <a href="#roles-remoteactions" id="roles-remoteactions"></a>

* **Execute all remote actions** enables users to execute all remote actions.
* **Manage all remote actions** enables users to (requires full View domain access):
  * Create new remote actions.
  * Edit all existing remote actions.
  * Delete all remote actions.
  * Share remote actions from the Remote Actions Administration page. Refer to the [Manage remote actions](https://docs.nexthink.com/platform/user-guide/remote-actions/managing-remote-actions) documentation for more information.
* **View all remote action dashboards** enables users to see all executions of remote actions in the overview dashboard.
  * Users without this permission but with the **Run investigations** permission can still access all remote action results using NQL.

### Software metering <a href="#roles-softwaremetering" id="roles-softwaremetering"></a>

* **Manage all software metering** enables users to:
  * Create new software metering.
  * Edit all existing software metering.
  * Delete all software metering.
* **View Software metering dashboards** enables users to see the Software metering overview page, as well as individual software metering pages.
  * Users without this permission but with the **Run investigations** permission can still access the Software metering data using NQL or Device View.

### Spark

* **View agent overview dashboards** enables users to see overview dashboards to monitor the adoption and value of Spark.
* **View all agent conversations** enables users to see a list of Spark conversations and their details, including the conversation content and Spark's reasoning.
* **Chat with agent through Infinity** enables users to interact with Spark in the Nexthink web interface as themselves.
* **Chat on behalf of another user through Infinity** enables users to interact with Spark in the Nexthink web interface on behalf of an employee.
* **Manage all agent actions** enables users to manage the agent actions that are available to Spark.
* **Manage agent knowledge sources** enables users to upload knowledge base articles that Spark can access.
* **Manage agent settings** enables users to configure Spark settings for ticket escalation.

### Workflows <a href="#roles-workflows" id="roles-workflows"></a>

{% hint style="warning" %}
These permissions require a Nexthink Flow license for visibility.
{% endhint %}

* **Execute all workflows** enables users to run all workflows.
* **Manage all workflows** enables users to (requires full View domain access):
  * Create new workflows.
  * Edit all existing workflows.
  * Delete all workflows.
  * Share all workflows.
* **View all workflows dashboards** enables users to see all workflow executions on the Workflows administration page. Users who do not have this permission enabled but have the **Run investigations** permission still have access to all workflow execution results using NQL.

### Workspace

* **View Nexthink Assist** (technical preview) allows users to interact with the AI-based system to write NQL queries and for other Nexthink platform help-related topics.

***

RELATED TASKS

* [Single sign-on](https://docs.nexthink.com/platform/user-guide/administration/account-management/single-sign-on)
* [Profiles (classic)](https://docs.nexthink.com/platform/user-guide/administration/account-management/profiles-classic)
