Roles and permissions

The emnify Portal is a powerful application to control the connectivity of devices of a production system.

Users across your Workspace may use the Portal, from operations and finance to development and product. That's why emnify offers four levels of access (referred to as Roles) to use and manage Portal features:

• SuperAdmin (provided for organizations with multiple Workspaces)
• Administrator (has access to all services and user management)
• User (has access to all services)
• Observer (has access to limited services)

To view and edit these roles, go to Workspace settings > Users.

The following tables describe the permissions for different roles.

Device management

Action	SuperAdmin	Administrator	User	Observer
Retrieve a device by ID	yes	yes	yes	yes
Update or delete a device by ID	yes	yes	yes	no
Retrieve the blocked networks for a device	yes	yes	yes	yes
Add or remove networks from the device blocklist by ID	yes	yes	yes	no
List all devices	yes	yes	yes	yes
Create a new device	yes	yes	yes	no
Retrieve connectivity information for a device	yes	yes	yes	yes
Reset device connectivity	yes	yes	yes	no
Create devices in factory test mode (FTM) from the SIM inventory	yes	yes	yes	no

SIM management

Action	SuperAdmin	Administrator	User	Observer
List available SIMs	yes	yes	yes	yes
List available SIM statuses	yes	yes	yes	yes
Retrieve SIMs by ID	yes	yes	yes	yes
Update or delete SIMs by ID	yes	yes	yes	no
Order SIMs from the SIM Shop	yes	yes	yes	no

Service policy

Action	SuperAdmin	Administrator	User	Observer
Retrieve a list of available countries	yes	yes	yes	yes
Retrieve a list of available currencies	yes	yes	yes	yes
Retrieve single currency details by ID	yes	yes	yes	yes
Retrieve a list of available services	yes	yes	yes	yes
List available traffic limits for a service by ID	yes	yes	yes	yes
Retrieve service policies	yes	yes	yes	yes
Create service policies	yes	yes	yes	no
Retrieve service policies by ID	yes	yes	yes	yes
Update or delete service policies by ID	yes	yes	yes	no
Add or delete services from service policies	yes	yes	yes	no
Add or delete traffic limit from a service	yes	yes	yes	no
Retrieve the SMS interface types	yes	yes	yes	no
Set or change a custom DNS	yes	yes	yes	no
Set or change data and SMS quotas	yes	yes	yes	no

Coverage policy

Action	SuperAdmin	Administrator	User	Observer
List of available coverage area statuses	yes	yes	yes	yes
List of available data plan statuses	yes	yes	yes	yes
Retrieve data plan details by ID	yes	yes	yes	yes
Retrieve data plans	yes	yes	yes	yes
Retrieve list of data plan statuses	yes	yes	yes	yes
Create coverage policies	yes	yes	yes	no
List coverage policies	yes	yes	yes	yes
Retrieve coverage area of a coverage policy	yes	yes	yes	yes
Retrieve country details by ID	yes	yes	yes	yes
List networks	yes	yes	yes	yes
Retrieve my currently active data plan	yes	yes	yes	yes
Block networks	yes	yes	yes	no
Block radio access technologies (RATs)	yes	yes	yes	no

IP address space management

Action	SuperAdmin	Administrator	User	Observer
View allocated IP address spaces	yes	yes	yes	yes
Add IP address spaces	yes	yes	no	no
Remove IP address spaces	yes	yes	no	no

User management

Action	All Workspaces	Per Workspace
	SuperAdmin	Administrator	User	Observer
Create or list Workspace users	yes	yes	no	no
Update or delete Workspace users	yes	yes	no	no
Reassign or delete a SuperAdmin	no	no	no	no
Retrieve your user role	yes	yes	yes	yes
Modify your user role	no	no	no	no
Add or delete per Workspace roles from a user	yes	yes	no	no
Update your password	yes	yes	yes	yes
Delete or list trusted devices for a user	yes	yes	no	no
Create or retrieve an application token	yes	yes	no	no
Edit an application token	yes	yes	no	no
Create a support token to assume user permissions by ID	no	no	no	no
View reports	yes	yes	yes	yes

info

A user can have different roles in different Workspaces, even if they're linked. SuperAdmin is the only role that is consistent across linked Workspaces by default. However, a user can be a SuperAdmin in one main organization but hold another role (for example, Observer) in an unrelated Workspace with a different main organization.

For more information, see Multiple Workspaces.

Workspace management

Action	SuperAdmin	Administrator	User	Observer
Automatically access Workspaces linked to your main organization by emnify	yes	no	no	no
Send a request to create a new Workspace	yes	yes	no	no
Send a request to link existing Workspaces	yes	yes	no	no
Switch between Workspaces you have access to	yes	yes	yes	yes
Transfer SIMs between Workspaces	yes	yes	no	no
View centralized reports with data from multiple Workspaces	yes	yes	yes	yes

Alerts

Action	SuperAdmin	Administrator	User	Observer
Retrieve organization or device alerts	yes	yes	yes	yes
Retrieve user events by ID	yes	yes	no	no
Retrieve IMSI and SIM events	yes	yes	yes	yes

Data streams

Action	SuperAdmin	Administrator	User	Observer
Add new data streams	yes	yes	yes	no
Delete existing data streams	yes	yes	yes	no
Update an existing data stream	yes	yes	yes	no
Retry an expired data stream	yes	yes	yes	no
Turn a data stream on or off	yes	yes	yes	no

Secure connection

info

The following actions are available in the Portal for AWS Transit Gateway and IPsec. OpenVPN isn't shown in the Secure Connection list. For more information, see OpenVPN.

Action	SuperAdmin	Administrator	User	Observer
Create secure connections	yes	yes	yes	no
Delete existing secure connections	yes	yes	no	no
Retry an expired secure connection	yes	yes	yes	no

MFA keys

Action	SuperAdmin	Administrator	User	Observer
Generate user shared secret key for MFA	yes	yes	yes	yes
Activate user shared secret key for MFA	yes	yes	yes	yes
List available MFA key statuses	yes	yes	yes	yes
Delete shared secret key for MFA of a user by ID	yes	yes	no	no
List your trusted devices	yes	yes	yes	yes
Delete a trusted device from your list by ID	yes	yes	yes	yes
List available MFA key types	yes	yes	yes	yes
Delete my shared secret for MFA	yes	yes	yes	yes