Permission reference

Canonical list of every permission flag in NetLock RMM, grouped by feature area, with a note on what each flag gates.

This appendix is the canonical catalogue of every permission flag NetLock RMM exposes to role configuration. Use it as a lookup when the User Settings matrix is too dense to navigate, when you are auditing an existing user's rights, or when you are designing a new role and need to see everything the product can gate.

For how to create a user and assign these flags, see Chapter 14 — Users & Roles.

X.2.1 The access model in one page

NetLock RMM has a flat, per-user permission model. Three things are worth internalising before you start assigning flags.

  • No role templates. The Role column on the Users list is a free-text label — cosmetic metadata that appears in the list and in audit entries but grants no permissions by itself. Two users with the same Role label can hold completely different flag sets. There is no Administrator template that implies a permission set. Set flags one user at a time, or duplicate an existing user's flags by hand.
  • Permissions are boolean flags. Each flag is either granted or not granted. Access control is exercised through the matrix on User Settings, where section-level switches enable a block and child checkboxes gate finer-grained actions within the block. Turning a parent switch off disables every child regardless of the child's stored value.
  • Tenant scoping is layered on top. Independent of flags, every user record holds a list of tenants they may act on. A user with every flag enabled but only tenant Acme selected sees and acts on devices, tickets, and events scoped to Acme alone. Global pages (Settings, Events, Audit, Users, Reports library) are not tenant-scoped; feature pages that operate on devices are.

Four specific facts shape how the flags below behave:

  • tickets_view_all_departments is a scope flag, not a feature flag. Users without it still see the Tickets page, create tickets, reply, and close tickets — but only on the department(s) they are assigned to. The flag widens their view across every department; it does not gate the ticket surface itself.
  • settings_system_mysql_console is a sub-permission. The System settings group is unlocked by settings_system_enabled, but the MySQL console that lives inside it takes a separate, narrower flag. Keep it off unless the user truly needs raw query access.
  • ai_enabled is the global AI master. It gates whether any AI affordance in the product activates for the user. The individual surfaces (Script Analysis, Remote Shell AI, Event Analysis, Sensor & Job Creation, Event Log Analysis) are not per-user flags — they are deployment-wide toggles under Settings → AI / LLM. See A.11.
  • reports_godmode is not a user permission. Raw-SQL access in the Report Builder is a deployment-wide setting, managed under Settings → Reports. The same applies to God Mode for Dashboards and Custom Fields, each of which is configured on its own settings page and applies to every eligible user on the deployment. See A.12.
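
The parent-switch and tenant rules above can be modelled in a few lines when you audit what a stored flag set actually permits. This is an added example, not NetLock RMM code: the `PARENT` map covers only relationships this page states, and the user record shape, the function names, and the rule that only devices_* actions are tenant-checked are assumptions.

```python
# Added illustration of the access rules described above; not NetLock RMM code.
# Child flag -> the switch that must also be on. Assumed reading of this page,
# limited to relationships the text states outright.
PARENT = {
    "collections_scripts_enabled": "collections_enabled",
    "collections_scripts_add": "collections_scripts_enabled",
    "settings_system_enabled": "settings_enabled",
    "settings_system_mysql_console": "settings_system_enabled",
    "ai_chat_page_enabled": "ai_enabled",
}


def blocked_by(user, flag, tenant=None):
    """Return what stops `flag` from being effective for `user`, or None."""
    current = flag
    while current is not None:
        # A stored True on a child means nothing while any ancestor is off.
        if not user["flags"].get(current, False):
            return current
        current = PARENT.get(current)
    # Assumption: only devices_* actions are checked against the tenant list.
    if flag.startswith("devices_") and tenant not in user["tenants"]:
        return "tenant:" + str(tenant)
    return None


def is_allowed(user, flag, tenant=None):
    return blocked_by(user, flag, tenant) is None


# Constructed sample user: parent switch off, child values still stored as True.
SAMPLE_USER = {
    "tenants": ["Acme"],
    "flags": {
        "collections_enabled": False,
        "collections_scripts_enabled": True,
        "collections_scripts_add": True,
        "settings_enabled": True,
        "settings_system_enabled": True,
        "settings_system_mysql_console": False,
        "devices_remote_shell": True,
    },
}

if __name__ == "__main__":
    checks = [("collections_scripts_add", None), ("devices_remote_shell", "Globex")]
    for flag, tenant in checks:
        print(flag, tenant, "->", blocked_by(SAMPLE_USER, flag, tenant) or "allowed")
```
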

The remaining sections enumerate every flag.

X.2.2 Dashboard

| Flag | Gates |
| --- | --- |
| dashboard_enabled | Access to the Dashboard page and the Panel Builder. |

See Chapter 2 — Dashboard.

X.2.3 Devices

| Flag | Gates |
| --- | --- |
| devices_authorized_enabled | The main Devices list and device detail view. |
| devices_general | The General tab on the device detail. |
| devices_software | The Software tab on the device detail. |
| devices_task_manager | The Task Manager tab. |
| devices_antivirus | The Antivirus tab (Windows Defender). |
| devices_events | The Events tab on the device detail. |
| devices_updates | The Updates tab on the device detail. |
| devices_remote_shell | The Remote Shell action. |
| devices_remote_file_browser | The File Browser action. |
| devices_remote_control | Remote Control — H.264 over Relay, JPEG over SignalR fallback. |
| devices_remote_eventlog_viewer | The Remote Event Log viewer (Windows only). |
| devices_remote_registry_editor | The Registry Editor (Windows only). |
| devices_snmp_tools | The SNMP Tools dialog. |
| devices_shutdown | The Shutdown command. |
| devices_reboot | The Reboot command. |
| devices_wake_on_lan | Wake on LAN. |
| devices_force_sync | The Force Sync action. |
| devices_deauthorize | The Deauthorize action — removes the device and returns its Agent to the Unauthorized queue. |
| devices_move | Move a device between tenants, locations, or groups. |
| devices_unauthorized_enabled | The Unauthorized Devices list at /unauthorized_devices. |
| devices_unauthorized_authorize | The action that authorises a pending device. |
| devices_world_map_enabled | The Device World Map. |

See Chapter 3 — Devices.

X.2.4 Tenants, Locations & Groups

| Flag | Gates |
| --- | --- |
| tenants_enabled | The Tenants list. |
| tenants_add | Create a tenant. |
| tenants_manage | Open tenant detail. |
| tenants_edit | Save tenant edits. |
| tenants_delete | Delete a tenant. |
| tenants_locations_add | Create a location. |
| tenants_locations_manage | Open location detail. |
| tenants_locations_edit | Save location edits. |
| tenants_locations_delete | Delete a location. |
| tenants_groups_add | Create a group. |
| tenants_groups_edit | Edit a group. |
| tenants_groups_delete | Delete a group. |

See Chapter 4 — Tenants, Locations & Groups.

X.2.5 Automations

| Flag | Gates |
| --- | --- |
| automation_enabled | The Automations page. |
| automation_add | Create an automation. |
| automation_edit | Edit an automation. |
| automation_delete | Delete an automation. |

See Chapter 5 — Automations.

X.2.6 Policies

| Flag | Gates |
| --- | --- |
| policies_enabled | The Policies list. |
| policies_add | Create a policy. |
| policies_manage | Open Policy Settings for editing. |
| policies_edit | Save changes in Policy Settings. |
| policies_delete | Delete a policy. |

See Chapter 6 — Policies.

X.2.7 Patch Management

| Flag | Gates |
| --- | --- |
| patch_management_enabled | The Patch Management page — all four tabs (Update Approval, Vulnerabilities, Update History, Settings). |

The page enables or disables as a whole; there is no per-tab flag. See Chapter 7 — Patch Management.

X.2.8 Collections

Master switch

| Flag | Gates |
| --- | --- |
| collections_enabled | The top-level Collections navigation group. Every sub-feature below requires this flag and its own flag. |

Antivirus Controlled Folder Access

The UI for this feature is excluded from the current release. The flags still exist in the model and will apply if the UI ships in a future release.

| Flag | Gates |
| --- | --- |
| collections_antivirus_controlled_folder_access_enabled | Access to the ACFA rulesets page. |
| collections_antivirus_controlled_folder_access_add | Create an ACFA ruleset. |
| collections_antivirus_controlled_folder_access_manage | Open an ACFA ruleset for viewing. |
| collections_antivirus_controlled_folder_access_edit | Save edits to an ACFA ruleset. |
| collections_antivirus_controlled_folder_access_delete | Delete an ACFA ruleset. |
| collections_antivirus_controlled_folder_access_processes_add | Add a process to an ACFA ruleset. |
| collections_antivirus_controlled_folder_access_processes_edit | Edit a process in an ACFA ruleset. |
| collections_antivirus_controlled_folder_access_processes_delete | Remove a process from an ACFA ruleset. |

Application Control

| Flag | Gates |
| --- | --- |
| collections_application_control_enabled | The rulesets page at /application_control_manage_rulesets. |
| collections_application_control_add | Create a ruleset. |
| collections_application_control_manage | Open a ruleset for viewing. |
| collections_application_control_edit | Save edits to a ruleset. |
| collections_application_control_delete | Delete a ruleset. |
| collections_application_control_rules_add | Add a rule to a ruleset. |
| collections_application_control_rules_edit | Edit an existing rule. |
| collections_application_control_rules_delete | Delete a rule. |

See Chapter 8.6.

Device Control

| Flag | Gates |
| --- | --- |
| collections_device_control_enabled | The whitelist and blocked-devices pages under /device-control. |
| collections_device_control_manage | View the whitelist and the blocked-devices tab. |
| collections_device_control_delete | Delete a whitelist entry. |

There is no _add flag — the only creation path is the approval flow on Blocked Devices, which is gated by the _manage flag plus the ability to act on the specific scope. See Chapter 8.7.

Sensors

| Flag | Gates |
| --- | --- |
| collections_sensors_enabled | The Sensors page. |
| collections_sensors_add | Create a sensor. |
| collections_sensors_edit | Edit a sensor. |
| collections_sensors_delete | Delete a sensor. |

See Chapter 8.3.

Scripts

| Flag | Gates |
| --- | --- |
| collections_scripts_enabled | The Scripts page. |
| collections_scripts_add | Create a script. |
| collections_scripts_edit | Edit a script. |
| collections_scripts_delete | Delete a script. |

See Chapter 8.1.

Jobs

| Flag | Gates |
| --- | --- |
| collections_jobs_enabled | The Jobs page. |
| collections_jobs_add | Create a job. |
| collections_jobs_edit | Edit a job. |
| collections_jobs_delete | Delete a job. |

See Chapter 8.2.

Custom Fields

| Flag | Gates |
| --- | --- |
| collections_custom_fields_enabled | The Custom Fields page. |
| collections_custom_fields_add | Create a custom field definition. |
| collections_custom_fields_edit | Edit a definition. |
| collections_custom_fields_delete | Delete a definition. |

See Chapter 8.4.

App Hub

| Flag | Gates |
| --- | --- |
| collections_app_hub_enabled | The App Hub page. |
| collections_app_hub_add | Add a manual app entry. |
| collections_app_hub_manage | Edit, delete, or refresh catalogues. |
| collections_app_hub_browse_winget | Browse the Winget catalogue. |
| collections_app_hub_browse_flathub | Browse the Flathub catalogue. |
| collections_app_hub_browse_chocolatey | Browse the Chocolatey catalogue. |

See Chapter 8.5.

Software Deployment

| Flag | Gates |
| --- | --- |
| collections_software_deployment_enabled | The Manage Deployments page. |
| collections_software_deployment_view | Open a deployment detail view. |
| collections_software_deployment_add | Create a deployment. |
| collections_software_deployment_manage | Cancel, retry, rename, clone, or delete a deployment. |

See Chapter 8.8.

X.2.9 File Server

| Flag | Gates |
| --- | --- |
| file_server_enabled | The File Server page. |
| file_server_add | Upload a file or create a folder. |
| file_server_edit | Edit file metadata. |
| file_server_delete | Delete a file or a directory. |
| file_server_netlock | Access to the internal /netlock folder. Keep off for everyone except deployment operators. |

See Chapter 9.1.

X.2.10 Relay Server

| Flag | Gates |
| --- | --- |
| relay_server_enabled | The Relay Server page. |
| relay_server_manage | The Manage API Keys action. |
| relay_server_add | Create a relay session. |
| relay_server_edit | Enable or disable a persistent session. |
| relay_server_delete | Close or delete a session. |

See Chapter 9.2.

X.2.11 Website Uptime Monitoring

| Flag | Gates |
| --- | --- |
| website_uptime_monitoring_enabled | Access to the page. |

The page has one access flag; add, edit, and delete affordances on the page are controlled by the single _enabled flag. See Chapter 9.3.

X.2.12 Port Scanner

| Flag | Gates |
| --- | --- |
| port_scanner_enabled | Access to the page and every action on it. |

See Chapter 9.4.

X.2.13 Events & Audit

| Flag | Gates |
| --- | --- |
| events_enabled | The Events page. |
| audit_enabled | The Audit page. |

The two are deliberately independent. Most operators need events_enabled; audit_enabled is usually reserved for security and compliance roles. See Chapter 12 — Events & Audit.

X.2.14 Users

| Flag | Gates |
| --- | --- |
| users_enabled | The Users list. |
| users_add | The Add User dialog. |
| users_manage | Open User Settings for a user. |
| users_edit | Save changes in User Settings, including the permission matrix. |
| users_delete | Delete a user. |

A user who holds users_edit can edit every other user's permission flags, including their own. Treat this flag the way you would treat a root bit on Unix. See Chapter 14 — Users & Roles.

X.2.15 Reports

| Flag | Gates |
| --- | --- |
| reports_enabled | The Reports page. |
| reports_create | Create a report template. |
| reports_edit | Edit a template. |
| reports_delete | Delete a template. |
| reports_generate | Run a one-off report generation. |
| reports_schedules | Create or manage recurring report schedules. |
| reports_brand_templates | Manage brand templates on the Brands tab. |

reports_godmode is not listed here — it is a deployment-wide toggle under Settings → Reports, not a user permission. See Chapter 11 — Reports and A.12.

X.2.16 Tickets

| Flag | Gates |
| --- | --- |
| tickets_enabled | The Tickets module — the list, the detail view, Time Tracking. |
| tickets_create | Create a ticket from the UI. |
| tickets_edit | Edit ticket metadata in the Details tab. |
| tickets_delete | Delete a ticket (hard delete — no recycle bin). |
| tickets_assign | Change the assignee on a ticket. |
| tickets_manage_departments | Manage departments. |
| tickets_manage_templates | Manage response templates. |
| tickets_manage_labels_types | Manage labels and issue types. |
| tickets_manage_customers | Manage customer and contact records. |
| tickets_manage_sla | Manage SLAs. |
| tickets_view_time_tracking | The Time Tracking view. |
| tickets_manage_webhooks | Manage per-department ticket webhooks. |
| tickets_view_statistics | The Statistics view. |
| tickets_view_all_departments | Scope flag. Widens the operator's view to every department. Without it, the operator sees only tickets on the department(s) they are assigned to. |

See Chapter 10 — Tickets.

X.2.17 Settings

Every flag below gates a specific Settings sub-page. The top-level Settings nav group requires settings_enabled; each sub-page requires its own flag in addition.

Access to the Settings group

| Flag | Gates |
| --- | --- |
| settings_enabled | The Settings navigation entry. |

Overview & Licensing (self-hosted-only pages)

| Flag | Gates |
| --- | --- |
| settings_overview_enabled | The Overview page. |
| settings_licensing_enabled | The Licensing page. |

See A.1.

System & Maintenance

| Flag | Gates |
| --- | --- |
| settings_system_enabled | The System settings sub-page. |
| settings_system_mysql_console | The MySQL console embedded in System settings. Narrower than settings_system_enabled — grant only to operators who truly need raw query access. |
| settings_maintenance_enabled | The Maintenance page. |
| settings_maintenance_manage | Create or edit maintenance tasks. |
| settings_protocols_enabled | The Logging page. The flag name is protocols for historical reasons; the Console labels the page Logging. See A.9. |

Updates & Database

| Flag | Gates |
| --- | --- |
| settings_updates_enabled | The Updates page. |
| settings_database_enabled | The Database management page. |

See A.2 and A.3.

Security & Integration

| Flag | Gates |
| --- | --- |
| settings_remote_screen_enabled | The Remote Screen defaults page. |
| settings_ip_whitelist_enabled | The IP Whitelist page. |
| settings_sso_enabled | The SSO configuration page. |

See A.4 and A.7.

Customisation

| Flag | Gates |
| --- | --- |
| settings_whitelabeling_enabled | The Whitelabeling page. |
| settings_globalization_enabled | The Globalization page. |
| settings_custom_fields_enabled | The Custom Fields settings page (allowed tables and God Mode for Custom Fields). |

See A.5, A.6, and A.12.

Dashboards & Reports defaults

| Flag | Gates |
| --- | --- |
| settings_dashboards_enabled | The Dashboards settings page (allowed tables and God Mode for Dashboards). |
| settings_reports_enabled | The Reports settings page (allowed tables and God Mode for Reports). |

See A.12.

AI / LLM

| Flag | Gates |
| --- | --- |
| settings_ai_llm_enabled | The AI / LLM configuration page. |

See A.11.

X.2.18 Notifications

The Notifications page has one master flag and five per-channel flag groups. Every channel follows the same pattern, with Email adding one extra flag for SMTP.

Master

| Flag | Gates |
| --- | --- |
| settings_notifications_enabled | Access to the Notifications page. |

Per-channel pattern

For each channel <channel> in mail, microsoft_teams, telegram, ntfysh, webhook:

| Flag | Gates |
| --- | --- |
| settings_notifications_<channel>_enabled | The channel's tab on the Notifications page. |
| settings_notifications_<channel>_add | Create a recipient on this channel. |
| settings_notifications_<channel>_test | Send a test to a recipient on this channel. |
| settings_notifications_<channel>_edit | Edit a recipient on this channel. |
| settings_notifications_<channel>_delete | Delete a recipient on this channel. |

Email extras

| Flag | Gates |
| --- | --- |
| settings_notifications_mail_smtp | The deployment-wide SMTP configuration dialog. Separate from mail_edit — a user can manage recipients without being granted the ability to change the global SMTP server. |

See A.8.

X.2.19 AI

| Flag | Gates |
| --- | --- |
| ai_enabled | The global AI master. When off, every AI surface in the product is hidden for this user regardless of deployment settings. |
| ai_chat_page_enabled | The AI Chat page at /ai-chat. |

The individual in-line AI surfaces (script analysis button, event-analysis button, sensor and job assistants, remote-shell AI, event-log AI) are enabled at the deployment level under Settings → AI / LLM — not per user. See Chapter 13 and A.11.

X.2.20 Designing a role

Because there are no templates, the pattern most deployments settle on is a handful of composed presets. As a practical starting point:

  • Read-only observer — dashboard_enabled, devices_authorized_enabled, devices_general, events_enabled, reports_enabled, reports_generate.
  • Level-1 technician — observer plus devices_remote_shell, devices_remote_file_browser, devices_remote_control, devices_reboot, devices_force_sync, collections_enabled, collections_scripts_enabled, tickets_enabled, tickets_create, tickets_edit.
  • Level-2 engineer — L1 plus the policies_* flags, automation_*, most of the collections_*_add / _edit flags, patch_management_enabled, and audit_enabled for incident review.
  • Deployment operator — L2 plus settings_*_enabled for the settings sub-pages they own, users_enabled / _add / _manage / _edit if they onboard staff, and deliberately not settings_system_mysql_console or users_delete unless strictly required.

Treat these as a sketch, not a policy. The shipped product has no saved role templates, so every deployment ends up writing its own catalogue.
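
Because the Role label grants nothing, a written catalogue is only useful if you can compare real users against it. The added example below (not part of the product or its documentation) encodes the first two presets from the list above as flag sets and reports drift and sensitive flags per user; the export shape, the label-to-preset mapping, and the user names are constructed assumptions.

```python
# Added example: presets from the list above as flag sets, plus a drift audit.
# The export shape and the label-to-preset mapping are assumptions.
OBSERVER = frozenset({
    "dashboard_enabled", "devices_authorized_enabled", "devices_general",
    "events_enabled", "reports_enabled", "reports_generate",
})
L1_TECH = OBSERVER | {
    "devices_remote_shell", "devices_remote_file_browser", "devices_remote_control",
    "devices_reboot", "devices_force_sync", "collections_enabled",
    "collections_scripts_enabled", "tickets_enabled", "tickets_create", "tickets_edit",
}
PRESETS = {"Observer": OBSERVER, "L1": L1_TECH}

# Flags this page singles out for restraint, with the page's stated reason.
SENSITIVE = {
    "users_edit": "can edit every user's flags, including their own",
    "users_delete": "withheld from operators unless strictly required",
    "settings_system_mysql_console": "raw query access",
    "file_server_netlock": "internal /netlock folder",
}


def audit_user(role_label, granted):
    """Compare one user's granted flags with the preset their Role label maps to."""
    granted = set(granted)
    sensitive = sorted(granted & set(SENSITIVE))
    preset = PRESETS.get(role_label)
    if preset is None:
        # The Role label is free text, so an unmapped label is expected input.
        return {"preset": None, "extra": sorted(granted), "missing": [],
                "sensitive": sensitive}
    return {"preset": role_label, "extra": sorted(granted - preset),
            "missing": sorted(preset - granted), "sensitive": sensitive}


# Constructed export: two users share the "L1" label but not the same flag set.
USERS = {
    "alice": ("L1", L1_TECH),
    "bob": ("L1", (L1_TECH - {"tickets_edit"})
            | {"users_edit", "settings_system_mysql_console"}),
    "carol": ("Helpdesk lead", {"tickets_enabled", "file_server_netlock"}),
}

if __name__ == "__main__":
    for name, (label, flags) in USERS.items():
        print(name, audit_user(label, flags))
```
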