Overview
Every person you invite to AssetGullak gets one role and a scope — the part of your company they’re allowed to see and act on. There are five roles. Owner is always company-wide — there’s exactly one per company, set automatically for whoever signs up, and it isn’t something you invite someone into. Every other role — Admin, IT Admin, IT Operator, Auditor — has its scope chosen independently of which role it is: when you invite someone, you pick their role and separately choose whether they’re company-wide or tied to a specific location or department. Two Admins at the same company can have entirely different scopes. If you only remember one thing from this page: the role decides what someone can do, and the scope — chosen at invite time, for every role except Owner — decides where they can do it. Assuming a role name implies a fixed scope is the most common source of “why can’t I see this device” confusion.The five roles at a glance
| Role | Who it’s for | Scope |
|---|---|---|
| Owner | The account holder — set automatically at signup | Always company-wide |
| Admin | A trusted deputy who runs day-to-day operations | Company-wide or scoped |
| IT Admin | Manages IT for one office, site, or department (or the whole company) | Company-wide or scoped |
| IT Operator | Handles routine device/asset work day-to-day | Company-wide or scoped |
| Auditor | Reviews activity and compliance — read-only | Company-wide or scoped |
What “scoped” actually means
This is the part worth reading carefully, because it’s easy to assume a role name tells you the whole story. It doesn’t — scope is a separate choice made at invite time, not a fixed property of the role. Owner is the one exception: always company-wide, automatically, with no assignment needed — every location, every department, everything. Every other role — Admin, IT Admin, IT Operator, Auditor — is either company-wide or scoped, decided when they’re invited (and changeable later). Company-wide means the same as it does for Owner: no restrictions. Scoped means the person is tied to one or more specific locations and/or departments. Once scoped:- They can only see devices, assets, and employees inside their assigned location(s)/department(s) — everything outside that scope simply doesn’t appear in their dashboard, lists, or search results.
- They can only act (update a device, run a command, change an asset’s status) within that same scope.
- If they try to reach something outside their scope directly — say, by guessing a URL — the request is denied the same way it would be for someone outside your company entirely.
A scoped user can be assigned to more than one location or department at once — for example, an IT Admin covering both your Gurgaon and Pune offices. Their scope is the union of everything they’re assigned to.
Permission matrix
The full breakdown, grouped by area. Read generally means “can view,” Create/Update/Delete are self-explanatory. Owner always applies company-wide. For every other role, whether a permission applies company-wide or only within an assigned scope depends on how that person was invited — see What “scoped” actually means above.Company & Organization
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View company profile | ✅ | ✅ | — | — | — |
| Update company profile | ✅ | — | — | — | — |
| View locations | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create/update/delete locations | ✅ | ✅ | — | — | — |
| View departments | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create/update/delete departments | ✅ | ✅ | — | — | — |
Users
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View users | ✅ | ✅ | ✅ | — | — |
| Create/update/delete users | ✅ | ✅ | — | — | — |
Enrollment Keys
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| Create/view/delete enrollment keys | ✅ | ✅ | ✅ | — | — |
Devices
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View devices | ✅ | ✅ | ✅ | ✅ | ✅ |
| Update device (rename, reassign, etc.) | ✅ | ✅ | ✅ | ✅ | — |
| Delete device | ✅ | ✅ | — | — | — |
Assets
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View assets | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create assets | ✅ | ✅ | ✅ | — | — |
| Update assets (incl. status changes) | ✅ | ✅ | ✅ | ✅ | — |
| Delete assets | ✅ | ✅ | — | — | — |
Asset status updates — marking something Faulty, In Maintenance, Retired, and so on — fall under “update,” so both IT Admin and IT Operator can make these transitions. See Asset Lifecycle for what each status means.
Employees
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View employees | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create/update employees | ✅ | ✅ | ✅ | — | — |
| Delete employees | ✅ | ✅ | — | — | — |
Policies
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View policies | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create/update/delete policies | ✅ | ✅ | ✅ | — | — |
Commands
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View command history | ✅ | ✅ | ✅ | ✅ | ✅ |
| Issue commands | ✅ | ✅ | ✅ | ✅ | — |
Events, Logs & Audit
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View device/asset event history | ✅ | ✅ | ✅ | ✅ | ✅ |
| View audit log | ✅ | ✅ | — | — | ✅ |
Subscription & Billing
| Permission | Owner | Admin | IT Admin | IT Operator | Auditor |
|---|---|---|---|---|---|
| View subscription & billing | ✅ | ✅ | — | — | — |
| Change plan, renew, update billing | ✅ | — | — | — | — |
A note on Remote Commands
Look closely at the Commands section above and you’ll notice IT Operator can issue commands — restart a device, collect logs, refresh inventory. That’s intentional: these are routine, low-risk actions that make up most day-to-day IT work. Running a custom script is different, and more restricted. Only Owner, Admin, and IT Admin can run scripts on a device. IT Operator is deliberately excluded, even though they can issue every other command type. See Remote Commands for what each command type actually does.Assigning roles when you invite someone
Enter their email and pick a role
The role dropdown shows a one-line description of what that role can do as you select it.
Choose their access scope
Pick Company-wide, Location, or Department — this choice appears for every role. Selecting Location or Department lets you pick which one(s) they’re tied to.
Changing someone’s role later
Only Owner and Admin can change an existing user’s role or their scope — go to Users in the sidebar, find the person, and use the ⋯ menu on their row. Changing someone’s role takes effect immediately — there’s no need for them to log out and back in.Every role change is recorded in the audit log, including who made the change and what the role was before and after.
FAQ
Can one person have more than one role?
Can one person have more than one role?
Not at the same time. Each user has exactly one role. If someone needs broader access, the fix is usually their scope, not a second role — give them a company-wide scope, or add another location/department to their existing scope, from Users in the sidebar.
Can an Admin (or IT Admin, IT Operator, Auditor) be scoped to just one location?
Can an Admin (or IT Admin, IT Operator, Auditor) be scoped to just one location?
Yes — scope is chosen independently of role for everyone except Owner. An Admin can be company-wide or scoped to a single location, exactly like an IT Admin can. Check the person’s row on the Users page — it shows both their role and their scope, e.g. “IT Admin · Company-wide” or “IT Operator · Finance.”
Why can't my IT Admin see devices in another office?
Why can't my IT Admin see devices in another office?
Check their scope on the Users page — this isn’t about their role, it’s about what location(s)/department(s) they were assigned when invited (or edited later). If they need visibility into another office, an Owner or Admin can add that location to their scope, or switch them to company-wide.
Why can't my IT Operator run a script?
Why can't my IT Operator run a script?
This is intentional, not a missing permission — see the note above. Scripts can do anything a person at the keyboard could do, so we restrict them to Owner, Admin, and IT Admin.
What happens to a scoped user's access if I remove their location?
What happens to a scoped user's access if I remove their location?
If a scoped user’s last remaining location or department is removed, they effectively lose access to everything until a new scope is assigned — they aren’t automatically promoted to company-wide. An Owner or Admin will need to assign them a new scope.
Can an Auditor make any changes at all?
Can an Auditor make any changes at all?
No — Auditor is strictly read-only, including for audit logs themselves. They can view everything within their scope (company-wide or assigned location/department) but cannot create, update, or delete anything, and cannot issue commands.