In enterprise security management, practicing the Principle of Least Privilege (PoLP) is essential. By default, HEIMDAL Dashboard administrators can view and manage all endpoints across an organization. However, you may need to restrict specific Dashboard users—such as regional IT staff, department managers, or tier-1 support agents—so they can only monitor and interact with a specific subset of machines.
This article guides you through utilizing Custom Roles and Claims to restrict a user's scope to specific Group Policies (GPs). This configuration ensures that restricted users can only see, manage, and execute actions on endpoints linked to their assigned policies.
Core Concepts: Roles, Claims, and Scope
Custom Roles: Tailored permission sets created at the customer or tenant level, separating full global administration from restricted, localized management.
Claims: Granular, modular checkboxes within a role that define exactly what features (e.g., viewing logs, approving elevation requests, modifying firewall rules) a user can access.
Policy-Based Scoping: Restricting a custom role to specific Group Policies filters the Dashboard for every user holding that role, so only the endpoints running those policies are shown and only those endpoints can be acted on.
Step-by-Step Configuration
Step 1: Create a Custom Role
Log in to the HEIMDAL Dashboard using an account with "full" privileges.
Impersonate the customer/reseller for whom you are configuring the Custom Role and navigate to the Accounts area -> Custom Role Management tab.
Click the Create New Role button.
Provide a distinct, functional name for the role (e.g., Regional Support - Policy X Group).
(Optional) If your organization uses SAML 2.0 single sign-on, you can link this role to an Azure Active Directory (AAD, now Microsoft Entra ID) user group so that group membership provisions the role automatically.
Step 2: Define Capabilities Using Claims
Within the role creation modal, scroll through the Access Control matrices to check or uncheck specific functional claims.
Check View Custom Role Management only if this role should be able to manage the roles of other restricted users; managing roles is itself an administrative capability, so leave it unchecked for ordinary scoped operators.
Deselect global management claims to limit full tenant-wide access, keeping only the specific modules (like Privileged Access Management or Patch & Asset Management) required for their scope.
Step 3: Restrict Scope to Specific Group Policies
To anchor the user's operational capabilities strictly to specific group policies:
Locate the policy restriction or scoping options under the role's management settings.
Under the scope restrictions dropdown, map the specific Group Policies (GPs) this role is authorized to view and save the role.
Note: Dashboard claims in HEIMDAL are cumulative: a user's effective permissions are the union of every role they hold, whether assigned manually or inherited through an Azure AD group sync. A claim that is "Enabled" in any one role is enabled for the user, even if it is "Disabled" in another. A policy-scoped role therefore only restricts a user who holds no other, broader role; before relying on the scope, confirm that scoped users are not also members of tenant-wide administrative roles or of AAD groups linked to such roles.
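The cumulative rule is easy to get wrong when roles arrive through several paths, so here is an added audit model of it (example code, not HEIMDAL's own code or API). It models a role as a set of enabled claims plus an optional Group Policy scope, resolves a user's roles from direct assignments and from AAD group mappings, and flags any user whose scoped role is widened by an unscoped role. The role names, claim names, group names and user records are constructed for illustration; the claim labels do not correspond to HEIMDAL's real claim identifiers.

```python
"""Audit model of cumulative Dashboard claims (added example, not HEIMDAL code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    claims: FrozenSet[str]                     # claims ticked in the role; absent = disabled
    gp_scope: Optional[FrozenSet[str]] = None  # None = not scoped to any GP (tenant-wide)


@dataclass
class User:
    email: str
    direct_roles: Tuple[str, ...] = ()  # roles set on the account itself
    aad_groups: Tuple[str, ...] = ()    # groups that may map to roles via SSO sync


# Constructed sample data; claim and role names are hypothetical.
ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("Tenant Admin", frozenset({"view_custom_role_mgmt", "pam_approve",
                                     "patch_push", "firewall_edit", "isolate_endpoint"})),
    Role("Regional Support - Policy X Group",
         frozenset({"device_info_view", "patch_push"}), frozenset({"Policy X"})),
    Role("Firewall Viewer - Policy Y", frozenset({"firewall_view"}), frozenset({"Policy Y"})),
]}

# Hypothetical AAD group -> role links, as created in Step 1 of the article.
GROUP_ROLE_MAP: Dict[str, Tuple[str, ...]] = {
    "AAD-IT-Admins": ("Tenant Admin",),
    "AAD-Helpdesk": ("Regional Support - Policy X Group",),
}

USERS: List[User] = [
    User("alice@example.com", direct_roles=("Regional Support - Policy X Group",)),
    # bob holds the scoped role directly but inherits Tenant Admin through a group
    User("bob@example.com", direct_roles=("Regional Support - Policy X Group",),
         aad_groups=("AAD-IT-Admins",)),
    User("carol@example.com", aad_groups=("AAD-Helpdesk",)),
]


def roles_for(user: User, roles: Dict[str, Role] = ROLES,
              group_map: Dict[str, Tuple[str, ...]] = GROUP_ROLE_MAP) -> List[Role]:
    """Resolve every role a user holds: direct assignments plus group-derived ones."""
    names = list(user.direct_roles)
    for group in user.aad_groups:
        names.extend(group_map.get(group, ()))
    return [roles[n] for n in dict.fromkeys(names)]  # de-duplicate, keep order


def effective_access(roles: List[Role]):
    """Cumulative semantics: claims are the union of all roles; scope is tenant-wide
    (None) if any role is unscoped, otherwise the union of the GP scopes."""
    claims = frozenset().union(*(r.claims for r in roles))
    if any(r.gp_scope is None for r in roles):
        return claims, None
    return claims, frozenset().union(*(r.gp_scope for r in roles))


def can_act(user: User, claim: str, gp: str) -> bool:
    """Can this user exercise `claim` on an endpoint running Group Policy `gp`?"""
    claims, scope = effective_access(roles_for(user))
    return claim in claims and (scope is None or gp in scope)


def audit(users: List[User]) -> Dict[str, List[str]]:
    """Return users whose scoped role is defeated by an unscoped role they also hold."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        roles = roles_for(user)
        scoped = [r.name for r in roles if r.gp_scope is not None]
        unscoped = [r.name for r in roles if r.gp_scope is None]
        if scoped and unscoped:
            findings[user.email] = unscoped
    return findings


if __name__ == "__main__":
    for email, widening in audit(USERS).items():
        print(f"{email}: scope defeated by unscoped role(s) {widening}")
```

Run against a real export of your tenant's role and group assignments, the same check tells you which "restricted" accounts are in fact unrestricted. Note that the model unions claims and scopes independently; how HEIMDAL resolves a user who holds two differently scoped roles is not stated in this article, so verify that case in your own tenant rather than assuming it.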
Step 4: Assign the Role to an Account
From the main Accounts tab, click on the target dashboard user’s email address.
Go to the user's Access Control or Account tab.
Locate the Custom Roles selection field.
Select the newly created custom role from the list and click Update Account.
What the Restricted User Experiences
Once the policy-restricted custom role is applied, the user's Dashboard undergoes several immediate changes:
Filtered Views: In views such as Unified Management -> Device Info, the user sees only the endpoints running the exact Group Policy (or Policies) specified in the custom role, and can take only the actions their claims allow on those endpoints; endpoints under other policies are not listed.
Action Isolation: Administrative actions (pushing software patches, isolating an endpoint, and so on) can be initiated only against endpoints visible in that filtered view, so endpoints outside the assigned policies cannot be reached from the restricted account.