Introduction
Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your ArborXR users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.
With ArborXR's release on May 31st, 2025, significant improvements have been made to the roles & permissions system. Notably, users can now be added to specific groups within ArborXR to limit their access to resources within specific group(s).
Key changes with the new permissions system:
Users can be granted access to the entire organization or to specific groups.
Users can be assigned distinct roles within each group.
Users can be prevented from accessing any groups and only have access to organization-level resources such as the Content Library or Analytics.
Organization-Level Roles and Group-Level Roles
ArborXR now offers both organization-level roles and group-level roles:
Organization-level roles: these roles are for users who should have access to all groups or to organization resources such as the Content Library.
Group-level roles: these roles are for users who should only have access to resources within specific groups.
Predefined Roles
You can assign predefined roles to users without further configuration. You can't delete or edit the name, description, or permissions of a built-in role.
Predefined organization-level roles:
Owner: the organization owner role with unrestricted permissions, encompassing all administrative capabilities.
Admin: an organization-level role with comprehensive permissions, except for the ability to delete the organization, create custom roles, and manage billing.
Viewer: an organization-level role with view-only permissions of the entire organization.
Analyst: an organization-level role with permissions to view devices, groups, and analytics, enabling insights into device usage without modification rights.
Content Developer: an organization-level role focused on uploading and managing content in the content library. This role can only access the Content Library and Files; it cannot install content on devices.
Device Setup App User: an organization-level role with permission to use the Device Setup App and enroll devices into the organization, including any group.
Predefined group-level roles:
Group Admin: a group-level role with permissions to manage devices, content, and settings within assigned groups.
Group Viewer: a group-level role with view-only permissions for assigned groups.
Group Facilitator: a group-level role with permissions to cast devices, launch content, and reboot devices within assigned groups.
Group Device Setup App User: a group-level role with the permission to use the Device Setup App and enroll devices into assigned groups.
See this Google Sheet to view the comprehensive list of permissions assigned to each of these predefined roles.
You can also:
Custom Roles
To meet your sophisticated requirements, ArborXR continues to support custom roles. With the latest release, custom group-level roles can now be created. For more information about custom roles, see Create Custom Roles.
Changes to Existing Roles
| Role Prior to Release | Migrated Role |
| --- | --- |
| Organization Owner | Unchanged |
| Device Setup App User | Unchanged |
| Admin | Unchanged unless you previously modified the Admin role and added or removed permissions. If you previously modified the Admin role, the modified Admin role is now a custom role. |
| Member | This is now a custom organization-level role. Users with this role have default access to all groups, unless you previously restricted group READ access. |
| Facilitator | This is now a custom organization-level role. Users with this role have default access to all groups, unless you previously restricted group READ access. |
| Any custom roles created prior to this release | These are custom organization-level roles. Users with a custom role have default access to all groups, unless you previously restricted group READ access. |
Migrate Existing Users to a Group Role
Step 1: Change the user's default role
The default role for existing users is the role assigned to them prior to this release. You may want to change certain users' default role from their current organization-level role to a group-level role to restrict their access to certain groups of devices.
Navigate to the Users page in organization Settings.
Click on the desired user's name in the users table to be taken to the user's details page.
In the Default Role section, select the desired default role.
Step 2: Grant the user access to groups
Now that you have changed the existing user's default role from an organization-level role to a group-level role, grant them access to groups.
Navigate to the Users page in organization Settings.
Click on the desired user's name in the users table to be taken to the user's details page.
In the Group Access Control section, select Grant Group Access.
Select the group(s) the user should be added to, then click Grant Access.
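To decide which users need the two steps above, the following added example (not ArborXR code) reviews a user list against the migration table: it flags migrated roles that still reach every group, and users who were moved to a group-level role but have no groups granted yet. The record fields (name, default_role, groups, group_read_restricted, pre_release_custom) and the sample users are hypothetical; only the role names come from this article, and custom group-level roles would have to be added to the set by hand.

```python
# Added example: role names are from the article; record fields are hypothetical.
GROUP_LEVEL_ROLES = {"Group Admin", "Group Viewer", "Group Facilitator",
                     "Group Device Setup App User"}  # predefined group-level roles
# Migration table: these pre-release roles became custom organization-level roles.
LEGACY_ROLES = {"Member", "Facilitator"}

NO_GROUPS = "group-level default role but no group access granted (Step 2 pending)"
ALL_GROUPS = "migrated role keeps default access to all groups (review for Step 1)"

def audit_user(user):
    """Return a finding for one user record, or None when nothing needs review."""
    role = user["default_role"]
    if role in GROUP_LEVEL_ROLES:
        # Step 1 is done; the user reaches nothing until groups are granted.
        return None if user.get("groups") else NO_GROUPS
    legacy = role in LEGACY_ROLES or user.get("pre_release_custom", False)
    # Migrated roles reach every group unless group READ was restricted earlier.
    if legacy and not user.get("group_read_restricted", False):
        return ALL_GROUPS
    return None

def audit(users):
    """Map user name -> finding for every user that needs review."""
    findings = {}
    for user in users:
        finding = audit_user(user)
        if finding:
            findings[user["name"]] = finding
    return findings

# Constructed sample records, not an ArborXR export format.
SAMPLE_USERS = [
    {"name": "alice", "default_role": "Owner"},
    {"name": "bob", "default_role": "Member"},
    {"name": "carol", "default_role": "Facilitator", "group_read_restricted": True},
    {"name": "dave", "default_role": "Group Facilitator", "groups": []},
    {"name": "erin", "default_role": "Group Admin", "groups": ["Warehouse"]},
    {"name": "frank", "default_role": "Field Tech", "pre_release_custom": True},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS).items():
        print(f"{name}: {finding}")
```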
Moving Forward: Inviting New Users to Your Organization & Managing Group Access
See this help article for more information about adding new users to your organization and managing their group access.