RBAC and tenant controls

RBAC, device scope, and tenant controls in Lunixar RMM

Lunixar combines role-based access control, role-to-device assignment, organizations, locations, and tenant isolation so each operator works only inside the scope they are allowed to manage.

The model applies to routes, actions, reports, remote tools, patching, scripts, installers, and sessions.

Access model

Roles, permissions, and operational scope in one control layer.

Roles package permissions, permissions gate access to pages and actions, and device scope keeps each user inside the endpoint population they should manage.

  • Administrator, technician, read-only, billing, or custom roles.
  • Managed devices can be assigned to roles to limit which population each user operates.
  • Each request is validated against the user's tenant before exposing data or actions.

Core controls

What RBAC controls in Lunixar

Permissions apply to views and actions. If a permission is missing, the route or operation is blocked.

Page-level and action-level permissions

Lunixar separates page access from in-page actions. A user can view a page without being able to run a sensitive operation when the role does not include that permission.

Role-to-device assignment

Roles can be linked to managed devices. This limits the endpoint population a technician can operate inside the tenant.

Organizations and locations

Endpoints retain organization and location context for client, business unit, branch, department, or site operations, depending on the workspace model.

Remote tools separation

Remote screen, CMD, PowerShell, Bash, scripts, schedules, patching, and security actions use specific permissions to reduce unnecessary privilege.

Billing and administration separation

Billing, users, roles, installers, alerts, reports, and support can be separated from the permissions used for daily technical operations.

Separate Platform Admin surface

Lunixar cross-tenant administration is separated from normal customer-tenant permissions and requires its own controls.

Authorization flow

How Lunixar decides whether an action can run

Access does not depend on one signal. Lunixar combines identity, tenant, role, permission, device scope, and tenant operating state.

01. Identity and tenant

The session identifies the user and tenant. Data is queried with that tenant as the primary boundary.

02. Role, permission, and device

The platform checks whether the role includes the required permission and whether the user has scope over the affected device population.

03. Policy and audit trail

Sensitive actions still pass restricted-tenant, remote-trust, platform-compatibility, and audit controls.

For MSPs and IT teams

Built to separate responsibilities without slowing operations.

A tenant can organize clients, departments, or locations while roles limit who can view, administer, or execute actions on each population.

  • Create least-privilege roles for technicians, read-only users, billing, and administration.
  • Limit terminal, remote screen, scripts, patching, and security actions to authorized users.
  • Use organizations and locations for reports, installers, network discovery, and operational context.
  • Keep remote execution trust separate from RBAC: it does not grant permissions or break isolation.

FAQ

Questions about RBAC and tenant controls

Does Lunixar support role-based access control?

Yes. Roles package permissions and are assigned to users. Permissions control page and action access such as viewing devices, starting remote screen, running terminal, managing patches, viewing reports, or managing billing.

Can I limit which devices a technician operates?

Yes. Lunixar maintains relationships between roles and managed devices to limit the endpoint population a user can operate inside their tenant.

Do organizations and locations replace RBAC?

No. Organizations, locations, and workspace labels provide operational context for clients, business units, or sites, but they do not replace permissions. The user still needs the required permission for each page or action.

Does remote execution trust bypass RBAC?

No. Remote trust can only bypass specific content-policy blocks while it is active. It does not bypass RBAC, tenant isolation, demo-device limits, platform compatibility, audit logging, or session scope.
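
The authorization flow and the remote-trust answer above, sketched as an added example that is not Lunixar's code. The check order follows this page; the class names, permission strings, reason codes, and the boolean model of a restricted tenant are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # hypothetical permission names, e.g. "scripts.run"
    device_ids: frozenset   # managed devices assigned to this role

@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str
    role: Role
    remote_trust_active: bool = False

@dataclass(frozen=True)
class Device:
    device_id: str
    tenant_id: str

AUDIT_LOG = []  # every decision is recorded, denials included

def authorize(session, device, permission, *, tenant_restricted=False, content_blocked=False):
    """Return (allowed, reason); the first failing check decides."""
    checks = [
        (session.tenant_id == device.tenant_id, "tenant_mismatch"),
        (permission in session.role.permissions, "missing_permission"),
        (device.device_id in session.role.device_ids, "device_out_of_scope"),
        (not tenant_restricted, "tenant_restricted"),  # assumed tenant-state flag
        # Remote trust lifts only a content-policy block, none of the checks above.
        (not content_blocked or session.remote_trust_active, "content_policy"),
    ]
    reason = next((why for ok, why in checks if not ok), "ok")
    AUDIT_LOG.append((session.user, permission, device.device_id, reason))
    return reason == "ok", reason

# Constructed sample data (not from Lunixar).
TECH = Role("technician", frozenset({"devices.view", "scripts.run"}), frozenset({"dev-1"}))
VIEWER = Role("read-only", frozenset({"devices.view"}), frozenset({"dev-1", "dev-2"}))
DEV1 = Device("dev-1", "tenant-a")
DEV2 = Device("dev-2", "tenant-a")
OTHER = Device("dev-9", "tenant-b")

if __name__ == "__main__":
    trusted = Session("alice", "tenant-a", TECH, remote_trust_active=True)
    for dev in (DEV1, DEV2, OTHER):
        print(dev.device_id, authorize(trusted, dev, "scripts.run", content_blocked=True))
    print(authorize(Session("bob", "tenant-a", VIEWER, True), DEV1, "scripts.run"))
```

With remote trust active, only the content-policy denial changes; the tenant, permission, and device-scope denials are returned exactly as they are without it.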

Security evaluation

Publish clear evidence for RBAC and tenant controls

This page summarizes current controls for buyers, marketplaces, and security reviews that need to validate how operational access is limited in Lunixar RMM.