Go Up
You are here: AdministrationRole-based access and delegationAssign roles

Assign Roles

Understand Scopes and Assign Roles Correctly

NOTE: Only Global administrator can delegate control, grant and revoke permissions.

Netwrix Auditor allows assigning roles not only on the product as a whole but also on a specific scope that can be limited to a single monitoring plan or to the contents of a folder. This is helpful when you want to achieve more granular separation of duties with the product. For example, to ensure that database administrators (DBAs) have no access to Active Directory management data, domain administrators have no permissions to view database schema changes or update data collection settings.

Global administrator, Global reviewer, and Contributor roles are assigned on the global scope only. On folder and plan levels, you may leverage role separation capabilities too: designate Configurators and Reviewers. The roles are inherited from a higher level and cannot be revoked locally, i.e., Global reviewer has access to all collected data while local Reviewer can generate reports and run search on data limited to his or her scope.

Scope Roles

Global (All monitoring plans)

Global administrator

Global reviewer


Folder level



Plan level



To delegate control to some scope, review, or revoke assigned roles

  1. On the main Netwrix Auditor page, navigate to the Monitoring Plans section.
  2. Browse your monitoring plans tree and select the scope you want to delegate to a user (e.g., All monitoring plans root folder, a folder, or a monitoring plan).
  3. Click Delegate.
  4. Review roles that are already defined for this scope.
  5. Do one of the following:

    To Do

    Assign a role

    1. Select Add User.
    2. In the dialog that opens, specify a user (or a group) and a role.

    Revoke a role assignment

    • Click next to the user.
  6. Click Save or Save&Close.

Along with adding a new Global administrator, Global reviewer, or Reviewer, Netwrix Auditor will automatically assign this user the Browser role on the Report Server. The Browser role is required to generate reports and is granted on all reports or within a delegated scope. If for some reason, Netwrix Auditor is unable to grant the Browser role, configure it manually. See Netwrix Auditor Installation and Configuration Guide for more information.

Review Default Role Assignments

By default, some accounts and local groups are assigned the following roles:

Account or group name Role

Local Administrators

Global administrator

Local service accounts

Global administrator

NOTE: Netwrix Auditor uses system accounts for data processing and interaction between product components.

Netwrix Auditor Administrators

Global administrator

Netwrix Auditor Client Users

Global reviewer

During the Netwrix Auditor Server installation, Netwrix Auditor Administrators and Netwrix Auditor Client Users groups are created automatically. To delegate control through group membership, add users to these groups on the computer where Netwrix Auditor Server resides. Keep in mind that users will be granted roles with extended permissions while it may be reasonable to limit their scope to a specific monitoring plan.

To add an account to a group

  1. On the computer where Netwrix Auditor Server is installed, start the Local Users and Computers snap-in.
  2. Navigate to the Groups node and locate the Netwrix Auditor Administrators or Netwrix Auditor Client Users group.
  3. In the group properties, click Add.
  4. Specify users you want to be included in this group.

Go Up