The basic idea of customized role is that we have features once available to admin/owner become selectable permission, and device access permission also become selectable instead of binding to some fixed roles. So the combination of organization permission and devices access permission defines what the user can do in the organization.

Settings

Within User tag. You will find a new button called role setting on the upper right corner. In there, you will see role settings for you to pick features you would like for customized role to have.

And the page where you manage user permission is the same, it is still within each user. Here you can manage user’s role in the organisaion, and assign device access to each device.

Things to know

• You cannot create roles with permissions you don’t already have yourself. For example, to grant someone the ability to manage access control or alarm management, you must have those permissions yourself.

• There’s a built-in Admin role that inherently has the highest privileges in the org (cannot be removed).

• In practice, each role assigned is limited to what the creator has access to — following the principle of least privilege.

Bottom line: You can’t escalate privileges beyond your own when assigning roles and granting access to devices. The system respects your current permission set as an upper bound.

For example:

John Doe has Role/Users/Profile/integration, he can only assign org role with users/profile/integration or fewer to another user.