Assign Roles

Understanding scopes

Netwrix Auditor allows assigning roles on the product as a whole, or within a specific scope. A scope can be limited to a single monitoring plan or to the contents of a folder. This helps to ensure that only authorized personnel has access to the relevant data. For example, database administrators (DBAs) should not access Active Directory management data, and domain administrators do not need permissions to view database schema changes or update data collection settings, and so on.

Scopes for different Netwrix Auditor roles are as follows:

Scope Roles

Global (All monitoring plans)

Global administrator

Global reviewer


Folder level



Plan level



To delegate control to some scope, review, or revoke assigned roles

  1. On the main Netwrix Auditor page, navigate to the Monitoring Plans section.
  2. Browse your monitoring plans tree and select the scope you want to delegate to a user (e.g., All monitoring plans root folder, a folder, or a monitoring plan).
  3. Click Delegate.
  4. Review roles that are already defined for this scope.
  5. Do one of the following:

    To Do

    Assign a role

    1. Select Add User.
    2. In the dialog that opens, specify a user and a role.

    Revoke a role assignment

    • Click next to the user.
  6. Click Save or Save&Close.

Browser role on Report Server

Along with adding a new Global administrator, Global reviewer or Reviewer role, Netwrix Auditor will automatically assign this user the Browser role on the Report Server (SSRS).

The Browser role is required to generate reports. It is granted on all reports — or within a delegated scope.

If for some reason Netwrix Auditor is unable to grant the Browser role, configure it manually. See Configure SSRS Account for more information.

Default role assignments

By default, several accounts and local groups are assigned the following roles:

Account or group name Role Details

Local Administrators

Global administrator


Local service accounts

Global administrator

Global administrator

NOTE: Netwrix Auditor uses system accounts for data processing and interaction between product components.

Netwrix Auditor Administrators

Global administrator


Netwrix Auditor Client Users

Global reviewer


Delegating control via Windows group membership

During the Netwrix Auditor Server installation, Netwrix Auditor Administrators and Netwrix Auditor Client Users groups are created automatically. To delegate control via group membership, you need to add users to these groups on the computer where Netwrix Auditor Server resides.

NOTE: Users will be granted roles with extended permissions. You may need to limit their scope to a specific monitoring plan.

To add an account to a group

  1. On the computer where Netwrix Auditor Server is installed, start the Local Users and Computers snap-in.
  2. Navigate to the Groups node and locate the Netwrix Auditor Administrators or Netwrix Auditor Client Users group.
  3. In the group properties, click Add.
  4. Specify users you want to be included in this group.