About Team Member Roles
Invite team members from Access: click your name at the bottom of the left navigation, then select Access. The account owner has full access like an administrator, but other administrators cannot remove that person or strip the role. The first account owner is created when the tenant is set up; ownership can later transfer to another admin. To change or remove users, see Modify or Remove Team Members.
Access Levels
Account Owner
Full access to all functionality. Other team members cannot delete the Account Owner.
When creating your Iru account, the first team member has 24 hours to activate their account via email.
Administrator
Full access to all functionality. Accounts with this role can be deleted by other administrators.
Additional administrators have 24 hours to activate their Iru account via email. If 24 hours pass before the account is created, an existing admin must resend the invitation from Access.
Standard
Same permissions as Administrator accounts without access to Settings.
Help Desk
No access to Settings and read-only access to Blueprints and Library Items. Help Desk users can run all device actions, including deleting a device.
Auditor
Limited read-only access to the Iru Web App.
Secrets Auditor
Limited read-only access to the Iru Web App plus the ability to read:
- macOS FileVault recovery keys
- Activation lock bypass codes
- Recovery lock password
- Device unlock PIN
Permissions Overview
| Category | Permission | Owner | Admin | Standard | Help Desk | Secrets Auditor | Auditor |
|---|---|---|---|---|---|---|---|
| Configuration | Manage Blueprints | ✅ | ✅ | ✅ | Read Only | Read Only | Read Only |
| | Manage Parameters | ✅ | ✅ | ✅ | Read Only | Read Only | Read Only |
| | Manage Library Items | ✅ | ✅ | ✅ | Read Only | Read Only | Read Only |
| | Manage Enrollment Portal | ✅ | ✅ | ✅ | Read Only | Read Only | Read Only |
| Device Management | Enroll Devices | ✅ | ✅ | ✅ | ✅ | Read Only | Read Only |
| | Manage Devices | ✅ | ✅ | ✅ | ✅ | Read Only | Read Only |
| | Manage User Assignments | ✅ | ✅ | ✅ | ✅ | Read Only | Read Only |
| | Device Tags | ✅ | ✅ | ✅ | ✅ | Read Only | Read Only |
| | Device Notes | ✅ | ✅ | ✅ | ✅ | Read Only | Read Only |
| Basic Device Actions | Send Blank Push | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Set Device Name | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Renew MDM Profile | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Reinstall Agent | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Unlock User Account | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Sensitive Device Actions | Lock Device | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Erase Device | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Restart Device | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Shutdown Device | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Set Auto Admin Password | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Delete User Account | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| | Delete device record | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Device Secrets | Access Device Secrets | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Settings & Integrations | Company Settings | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | User Management | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | Integrations | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | Apple Integrations | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | Self Service Settings | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| | API Token | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Ownership | Account Permanence | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| | Transfer Account Ownership | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
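
A least-privilege review built on the table above, as an added example that is not part of the Iru documentation or product: it picks the smallest role that covers what a team member needs and reports what that role grants beyond the request. The category keys, the roster format and the example.com accounts are assumptions constructed for illustration; only full (non-read-only) access is modelled.

```python
# Category-level encoding of the Permissions Overview table on this page.
# Only full (non-read-only) access is recorded; the category keys are labels
# chosen for this example, not identifiers from the Iru product or API.
HELP_DESK = {"device_management", "basic_actions", "sensitive_actions", "device_secrets"}
ROLE_GRANTS = {
    "Auditor": set(),
    "Secrets Auditor": {"device_secrets"},
    "Help Desk": HELP_DESK,
    "Standard": HELP_DESK | {"configuration"},
    "Administrator": HELP_DESK | {"configuration", "settings"},
    "Account Owner": HELP_DESK | {"configuration", "settings", "ownership"},
}


def least_privileged_role(needs):
    """Return (role, excess): the role with the fewest grants that covers
    `needs`, and the grants it carries beyond what was asked for."""
    unknown = set(needs) - ROLE_GRANTS["Account Owner"]
    if unknown:
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    candidates = [r for r, g in ROLE_GRANTS.items() if set(needs) <= g]
    role = min(candidates, key=lambda r: len(ROLE_GRANTS[r]))
    return role, ROLE_GRANTS[role] - set(needs)


def review(roster):
    """Flag team members whose current role grants more than the smallest
    role that still covers their stated needs."""
    findings = []
    for member in roster:
        if member["role"] not in ROLE_GRANTS:
            raise ValueError(f"unknown role: {member['role']}")
        best, _ = least_privileged_role(member["needs"])
        surplus = ROLE_GRANTS[member["role"]] - ROLE_GRANTS[best]
        if surplus:
            findings.append((member["email"], member["role"], best, sorted(surplus)))
    return findings


# Constructed roster for illustration; not real accounts or an Iru export format.
ROSTER = [
    {"email": "it-lead@example.com", "role": "Administrator", "needs": {"configuration"}},
    {"email": "sec-review@example.com", "role": "Help Desk", "needs": {"device_secrets"}},
    {"email": "helpdesk@example.com", "role": "Help Desk", "needs": {"basic_actions"}},
    {"email": "grc@example.com", "role": "Auditor", "needs": set()},
]

if __name__ == "__main__":
    for finding in review(ROSTER):
        print(finding)
```

The `excess` value matters because the roles in the table are nested: the smallest role that can run any device action is Help Desk, which also carries sensitive device actions and access to device secrets.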
Web App Authorization & Session Duration
For security, team members must re-authenticate their Iru Web App session on a schedule, regardless of role.
- Sign in at least once every 24 hours.
- After 60 minutes of inactivity, the session ends automatically.
Related Articles
- Compliance Permissions: roles and permissions in Iru Compliance, including Compliance-only roles that align with the access patterns above.