The JumpCloud agent lets you set user access controls to elevate the standard permissions on a user to Admin/Sudo or Passwordless Sudo. Specific, privileged permissions on devices ensure that your company's devices are secure and protected.
There are two ways to manage access levels of users:
- User Groups
  - Setting Permissions on a User Group per Device Group Bind
  - Setting Permissions on a User Group for All Associated Device Groups
- Users
  - Setting Permissions on a User per Device Bind
  - Setting Permissions on a User for All Associated Devices
User Groups
Setting Permissions on a User Group per Device Group Bind
Setting permissions at the User Group level centralizes management of elevated device permissions in a single place. Permissions set at the User Group level will be applied to associated Device Groups. Group members will inherit permissions to devices that are associated with those Device Groups.
Considerations
- Permissions that are granted directly on a user supersede permissions granted at a User Group level.
- Permissions set at the User Group level supersede any permissions previously set on the User Group’s bind to a Device Group.
- It’s possible to have permissions added on both the direct user association to the device and the indirect group association to the device. This is visible on the association of a user and a device. However, if there is an indirect group association to the device, you won’t be able to apply elevated permissions directly between a user and device. To be able to apply elevated permissions directly between the user and device, the user or device needs to be removed from the User Group.
- You can remove duplicate permission assignments on a user-to-device association either by selecting “No Elevated Permissions” on the associated device or by removing the user from the group.
- If group permissions are inherited globally on a user group, the permissions can show up as inherited group permissions.
There are two ways to provide Admin/Sudo access through User Groups:
- Via the Device Groups tab, so that all users in a User Group have access to one or more specific Device Groups associated with that User Group.
- Via the Details tab, so that all users in a User Group have access to all Device Groups that are bound to that User Group.
To give users within a User Group Admin/Sudo access to devices via the Device Groups tab:
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > User Groups.
- Select the applicable group by clicking on the User Group name under the Group column.
- Click the Device Groups tab and then select the applicable Device Group under the Group column.
- Click the dropdown arrow under the Permissions column, select the desired permission, and click save. The sudo permission is now set for users in that User Group for every device associated with the Device Group.
- When unchecked, permissions can be managed from the Device Groups tab or on an individual user/device basis.
- Passwordless Sudo is applicable to Linux and Mac devices and only recommended for service accounts.
Setting Permissions on a User Group for All Associated Device Groups
To give users within a User Group Global Admin/Sudo access via the Details tab:
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > User Groups.
- Select a User Group from the list. The administrator will see the Details tab for that User Group by default.
- Click the Enable users as Global Administrator/Sudo on all devices associated through device groups checkbox and click save. All users in that User Group will be given global admin permissions on all devices bound to any Device Group associated with the User Group.
- Passwordless Sudo is applicable to Linux and Mac devices and only recommended for service accounts.
- You can also go to the Device Groups tab to control this setting on a group-to-group basis.
- A Permission Settings Update email notification is sent.
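The notes above recommend Passwordless Sudo only for service accounts. As an added example (not JumpCloud code), this Python check reads sudoers text collected from a Linux or Mac device and reports NOPASSWD rules held by anything outside an allowlist; the sample content, the `SERVICE_ACCOUNTS` allowlist and the function names are assumptions made for illustration.

```python
import re

# Constructed sudoers content for illustration; not copied from a real device.
SAMPLE_SUDOERS = """\
Defaults env_reset
root        ALL=(ALL:ALL) ALL
alice       ALL=(ALL) ALL
svc-backup  ALL=(ALL) NOPASSWD: ALL
bob         ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%wheel      ALL=(ALL) NOPASSWD: ALL
carol       ALL=(ALL) \\
            NOPASSWD: ALL
# dave ALL=(ALL) NOPASSWD: ALL
"""

# Hypothetical allowlist: the only accounts expected to hold passwordless sudo.
SERVICE_ACCOUNTS = {"svc-backup"}


def logical_lines(text):
    """Yield sudoers rules with continuation lines joined and comments dropped.
    Include directives are not followed; pass each included file separately."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        # '#' starts a comment unless it introduces a numeric uid such as #1001.
        is_comment = line.startswith("#") and not re.match(r"#\d", line)
        if line and not is_comment:
            yield line


def passwordless_findings(text, allowed=SERVICE_ACCOUNTS):
    """Return (kind, name) for every NOPASSWD rule held outside the allowlist."""
    findings = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        who, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if who.startswith("Defaults") or who.endswith("_Alias"):
            continue  # settings and alias definitions are not grants
        is_group = who.startswith("%")
        # A group rule is always reported: its members may be ordinary users.
        if re.search(r"\bNOPASSWD\s*:", rest) and (is_group or who not in allowed):
            findings.append(("group" if is_group else "user", who.lstrip("%")))
    return findings


if __name__ == "__main__":
    for kind, name in passwordless_findings(SAMPLE_SUDOERS):
        print(f"passwordless sudo outside allowlist: {kind} {name}")
```
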
Users
Setting Permissions on a User per Device Bind
Users that aren't admins on all of their devices can be given elevated permissions on a per-device basis.
Considerations
- Elevated rights are only granted on the devices you explicitly choose. By default, users don’t have administrator permissions.
  - The only exception to this is ADE-enrolled users, who do have admin permissions.
- If the user is bound to the device via group membership, an indirect device binding is created. To remove access to the device, remove the user from the group.
  - If you still wish to assign elevated permissions on a per-device basis, make sure the device is not part of an existing user group. See Best Practices for Migration of Device Permissions from a User to a Group for more information.
- Suspended or revoked users won’t have access to the device. See Suspend and Reactivate User Accounts to learn more.
- You can also manage device-level permissions from DEVICE MANAGEMENT > Devices > Users.
To set a user as an Admin/Sudo on a connected device:
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select a user and click the Devices tab to view the devices connected to this user.
- Click No Elevated Permissions to change the user’s permission level for this device.
- Tip: You can also change or remove Admin/Sudo permissions here.
- Click save user.
Setting Permissions on a User for All Associated Devices
Admins can assign global Admin/Sudo permissions on a user to apply to all devices associated with that user.
Considerations
- The enabled user is given global Admin/Sudo privileges on all devices to which they are bound.
- When the Enable as Global Administrator/Sudo on all device associations option is cleared, you can manage global Admin/Sudo privileges on a per-device basis from the Devices tab.
- Passwordless Sudo can also be assigned to Device Admins for Mac and Linux. You need to configure Windows device UAC settings to require an admin password.
- Global settings can’t be modified on a per-device basis.
- You can also manage a user’s permission level from DEVICE MANAGEMENT > Devices > Users.
To set a user as a global Admin/Sudo on all associated devices:
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select a user and click the Details tab.
- Expand the User Security Settings and Permissions section.
- Click the Enable as Global Administrator/Sudo on all device associations checkbox to select it and click save. You’ll receive an email from JumpCloud confirming that the user now has global Admin/Sudo permissions on all associated devices.
- To remove global Admin/Sudo permissions for all of a user’s devices, uncheck the Enable as Global Administrator/Sudo on all device associations checkbox and click save.
Setting Permissions via Self-Service Account Provisioning
If you’ve enabled Self-Service Account Provisioning, you can set Admin/Sudo permissions for newly joined accounts from the Device Settings menu. See Provision New Users on Device Login.
A user’s permission level can be adjusted after provisioning by Setting Permissions on a User per Device Bind.