RBAC Window


RBAC, or Role-Based Access Control, provides a way to limit individual users' ability to make changes in PDQ Inventory and PDQ Deploy.

All roles and user assignments are defined in PDQ Inventory and available to PDQ Deploy via integration. For more information, see the RBAC section of the integration help page.

The RBAC window includes a session lock to ensure users cannot make conflicting edits. An instance of the PDQ Inventory console will obtain a lock as soon as a user begins making changes within the Assign, Define, or Control tabs. The lock will not be released until the RBAC window is closed. If a lock is active, the RBAC window's title bar will state: Locked by [user] on [machine]. While a lock is active, no other console sessions can make persistent changes within the RBAC window.

The PDQ Inventory RBAC window has five tabs for managing RBAC:

Assign

Define

Compare

View

Control

 

Important: Role-Based Access Control (RBAC) within this product is not intended to replace Windows or other system-level access control mechanisms, and it should not be relied upon to enforce security restrictions on user activity. Due to the local nature of the software and its limited authority over the surrounding environment (unlike a hosted web application), RBAC is best understood as a mechanism for feature availability and user interface presentation rather than an ultimate security boundary.
 
Appropriate external access controls should continue to be used to govern access to systems managed through Deploy and Inventory, as well as any credentials stored within those systems.

Assign Tab

The RBAC window automatically detects all console users defined in PDQ Inventory or PDQ Deploy and uses the results to populate the Assign tab.

The PDQ Inventory background service user will be assigned the Super User role and cannot be assigned a different role. All other users will be automatically assigned the Default role but can be assigned a different role.

Only individually defined console users will be detected by the Assign tab. Console user groups and their members will not automatically appear in the Assign tab. However, members of a console user group can still launch a console session. These users will be assigned the Default role when they first connect to the background service and will appear in the Assign tab the next time it is refreshed. Once available in the Assign tab, the user can be assigned a different role.

A user cannot be deleted from the Assign tab if they are explicitly defined as a console user in PDQ Inventory or PDQ Deploy. Users may be deleted if they are a member of a console user group or if the corresponding console user record has been removed. If a user is deleted from the Assign tab but is subsequently detected as a console user or connects to the background service as a member of a valid console user group, they will be assigned the Default role and will reappear in the Assign tab the next time it is refreshed.

When a change to a user role assignment is saved, all active console sessions will be notified and the change will be applied immediately.

In order to make changes within the Assign tab, RBAC must be enabled, the current console user must be assigned a role that grants permission to Manage RBAC, and the RBAC window must not be locked by a different console session.

NOTE: If the PDQ Inventory background service is modified to run as a different user, the previous background service user will retain its Super User assignment but the assignment will no longer be locked. The new PDQ Inventory background service user will be assigned the Super User role and this assignment will be locked.

Define Tab

The Define tab allows users to view existing roles, create new roles, and delete or edit custom roles.

Reserved Roles

Reserved roles are defined by PDQ Inventory and cannot be modified or deleted.

Super User

The Super User role grants all available permissions. The PDQ Inventory background service user is always assigned the Super User role and cannot be assigned a different role.

Default

The Default role denies all available permissions. All new console users are assigned the Default role when first detected.

Custom Roles

Custom roles can be defined by any user with permission to Manage RBAC.

All custom roles can be deleted. If a user attempts to delete a custom role that has active user assignments, a warning pop-up will appear, prompting the user to confirm their choice. If confirmed, the role will be deleted. Any users previously assigned the deleted role will be automatically assigned the Default role.

When changes to role definitions are saved, all active console sessions will be notified and any changes to user permissions will be applied immediately.

In order to make changes within the Define tab, RBAC must be enabled, the current console user must be assigned a role that grants permission to Manage RBAC, and the RBAC window must not be locked by a different console session.

Any combination of the permissions described below can be granted by a custom role.

| Name | Description | Applies to |
|---|---|---|
| Manage RBAC | Assign roles, define roles, and disable RBAC | PDQ Inventory* |
| Modify Collections | Create, edit, and delete Collections | PDQ Inventory |
| Modify Scan Profiles | Create, edit, and delete Scan Profiles | PDQ Inventory |
| Modify Reports | Create, edit, and delete Reports in PDQ Inventory | PDQ Inventory |
| View Audit Logs | View and export Audit Log records for all users in PDQ Inventory | PDQ Inventory |
| Modify Audit Log Settings | Make changes to the way PDQ Inventory Audit Log records are stored and retained | PDQ Inventory |
| Modify Database Settings | Make changes to Database settings in PDQ Inventory | PDQ Inventory |
| Manage Deployments | Create, edit, and delete Deployment Schedules. Deploy schedules and packages manually. | PDQ Deploy |
| Modify Packages | Create, edit, and delete Packages | PDQ Deploy |
| Modify Target Lists | Create, edit, and delete Target Lists | PDQ Deploy |
| Modify Reports | Create, edit, and delete Reports in PDQ Deploy | PDQ Deploy |
| View Audit Logs | View or export Audit Log records for all users in PDQ Deploy | PDQ Deploy |
| Modify Audit Log Settings | Make changes to the way PDQ Deploy Audit Log records are stored and retained | PDQ Deploy |
| Modify Database Settings | Make changes to Database settings in PDQ Deploy | PDQ Deploy |

*NOTE: "Manage RBAC" applies to the ability to modify role definitions and assignments in PDQ Inventory but is also used to determine a user's ability to disable RBAC in both PDQ Inventory and PDQ Deploy.

Compare Tab

The Compare tab displays a table that can be used to compare all available roles and the permissions they grant. The columns can be used to sort, filter, and group the results.

Roles and role assignments are not modified by interacting with the Compare tab. Therefore, a user can continue to interact with the Compare tab even if the RBAC window is locked by another console session or the current user's role does not grant permission to Manage RBAC.

The Compare tab will be disabled if RBAC is disabled.

View Tab

The View tab displays details about the current user and their assigned role. All available permissions are listed along with indicators to show whether or not each permission is granted by the assigned role.

If the user is assigned a different role or their assigned role is modified while the RBAC window is open, the View tab will update automatically. A notification will appear within the tab to indicate the date and time of the update.

The View tab is read-only. It will not be disabled if the RBAC window is locked by another console session and is not dependent on the user's permission to Manage RBAC.

If RBAC is disabled, the View tab will display the Super User role for all users and the contents of the tab will be grayed out.

Control Tab

The Control tab allows RBAC to be enabled or disabled.

If RBAC is enabled in PDQ Inventory, access to features in both PDQ Inventory and PDQ Deploy will be determined by the console user's assigned role. Portions of both applications may be disabled or read-only if the user's role does not grant permission to make use of the corresponding feature.

If RBAC is disabled in PDQ Inventory, all PDQ Inventory and PDQ Deploy users will be treated as having access to the Super User role. However, preexisting roles and role assignments will not be deleted. If RBAC is enabled in the future, any preexisting role assignments will be remembered. Any users without a preexisting assignment will be given the Default role.

In order to make changes within the Control tab, the RBAC window must not be locked by a different console session and one of the following must be true:

RBAC is currently enabled and the current console user is assigned a role that gives them permission to Manage RBAC.

OR

RBAC is currently disabled and the current console user is the PDQ Inventory background service user.

NOTE: RBAC is not available when running PDQ Inventory in local mode.
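
The rules on this page for effective roles, the session lock and the Control tab, modelled as an added example for reviewing a role design. This is not PDQ code or a PDQ API; the RbacState class, its method names and the sample users and roles are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

SUPER_USER, DEFAULT, MANAGE_RBAC = "Super User", "Default", "Manage RBAC"

@dataclass
class RbacState:                       # hypothetical model, not a PDQ API
    enabled: bool
    service_user: str                  # PDQ Inventory background service user
    roles: dict                        # custom role name -> set of permission names
    assignments: dict                  # console user -> assigned role name
    lock_holder: Optional[str] = None  # console session holding the window lock

    def effective_role(self, user):
        # Disabled RBAC treats everyone as Super User; the service user always is.
        if not self.enabled or user == self.service_user:
            return SUPER_USER
        role = self.assignments.get(user, DEFAULT)  # new users get Default
        # Users of a deleted custom role fall back to Default.
        return role if role == SUPER_USER or role in self.roles else DEFAULT

    def grants(self, user, permission):
        role = self.effective_role(user)
        return role == SUPER_USER or (role != DEFAULT and permission in self.roles[role])

    def lock_free_for(self, session):
        return self.lock_holder in (None, session)

    def can_edit_assign_define(self, user, session):
        # Assign and Define tabs: RBAC enabled, Manage RBAC granted, no foreign lock.
        return self.enabled and self.grants(user, MANAGE_RBAC) and self.lock_free_for(session)

    def can_edit_control(self, user, session):
        if not self.lock_free_for(session):
            return False
        if self.enabled:
            return self.grants(user, MANAGE_RBAC)
        return user == self.service_user  # only the service user can re-enable RBAC

    def manage_rbac_holders(self):
        # Stored assignments that carry Manage RBAC, whether or not RBAC is enabled now.
        return sorted(u for u, r in self.assignments.items()
                      if r == SUPER_USER or MANAGE_RBAC in self.roles.get(r, ()))

# Constructed sample data; user and role names are made up for illustration.
state = RbacState(
    enabled=True, service_user="CORP\\svc-pdq",
    roles={"Packager": {"Modify Packages"}, "Helpdesk Lead": {MANAGE_RBAC, "Modify Collections"}},
    assignments={"CORP\\alice": "Packager", "CORP\\bob": "Helpdesk Lead", "CORP\\carol": "Retired Role"},
)
```

manage_rbac_holders() is the list to review most closely, since the permission table describes Manage RBAC as covering role assignment, role definition and disabling RBAC.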

See Also

RBAC Integration with PDQ Deploy

 

 

 

 

© 2026 PDQ.com Corporation. All rights reserved.

PDQ.com is a trademark of PDQ.com Corporation. All other product and company names are the property of their respective owners.

Help Version: 20.0.5.0