> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/rdm/user-group-based-access-control/legacy-information/small-to-medium-enterprise.md).

# Small to medium enterprise

This article presents an example structure that should be relevant to small to medium businesses. In this scenario, all the options in the ***Privileges*** section of the user properties are left disabled.

While this example might fit many enterprises, keep in mind that any privilege should be granted only if needed, as per the Principle of Least Privilege (PoLP). Be extremely careful when granting permissions to a user or a user group.

{% hint style="info" %}
This feature is only available when using an [Advanced workspace](https://docs.devolutions.net/rdm/workspaces/workspace-types/native-workspaces/).
{% endhint %}

Our fictional company Windjammer has a HelpDesk department (in blue), a ServiceDesk department, an administrator and a MontrealConsultant. We can also see two customers: Downhill Pro and Telemark (in red).

Here is a view of the workspace tree view structure:

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6043.png)

### User configuration

Here is an example of user configuration:

The administrator:

* When creating the user, select ***Administrator*** in the drop-down menu to give the user access to everything.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6077.png)

The ServiceDesk:

* ***Add***
* ***Edit***

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6137.png)

The HelpDesk:

* ***Add***

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6136.png)

The MontrealConsultant has read-only access: no ***Add*** or ***Edit*** right, and they cannot see any password or entry detail.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6080.png)

### User groups configuration

Now that the users are created, we will add the user groups to which we will later grant the permissions. The user groups only need to exist so that users can be assigned to them; there is no need to grant them any privileges.

* ServiceDesk
* HelpDesk
* MontrealConsultant

### Entries configuration

Now everything is ready to grant or deny access to the user groups.

* The ServiceDesk will have the permission to view and open all entries, but will be able to edit only the entries in the customer groups/folders.
* The HelpDesk will have the permission to view and open entries in the customer groups/folders only, and will not be able to edit them.
* The MontrealConsultant will have the permission to view and open entries in the Montreal group/folder only, and will not be able to edit it or its child items.

We will begin with the root-level groups/folders: Downhill Pro, Telemark and Windjammer.

For Downhill Pro, we will grant permissions to the ServiceDesk and the HelpDesk.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6072.png)

* ***View***: HelpDesk, ServiceDesk
* ***Add***: ServiceDesk
* ***Edit***: ServiceDesk
* ***Delete***: Since no user has the ***Delete*** right, this permission can be left to ***Inherited***.

This already shows the flexibility of Remote Desktop Manager's security: a ServiceDesk user can view and open all the entries in the Downhill Pro folder, even the credential entry, but will never be able to see any password.

Next, for the Telemark folder, we will grant permissions to the ServiceDesk, the HelpDesk and the MontrealConsultant. This is where things get more complex. The MontrealConsultant should see only the Montreal folder, which is a child item of Telemark, but a child item can only be reached through its parent, so we must first grant the consultant the ***View*** permission on Telemark itself, which by inheritance exposes all of its content. We then set the ***View*** permission explicitly on each of the other child items, naming only the user groups that should have access to them. Because an explicit setting replaces the inherited one, this last step removes the consultant's view permission on those child items.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6075.png)

* ***View***: HelpDesk, MontrealConsultant, ServiceDesk
* ***Add***: ServiceDesk
* ***Edit***: ServiceDesk
* ***Delete***: Inherited

Since we want the users to be able to use the credential entries, we will grant the ServiceDesk and the HelpDesk the ***View*** permission on the Credentials folder. This way they will be able to use the entries without being able to view the passwords.

The ***Add*** and ***Edit*** permissions can be left to ***Inherited***, since the ServiceDesk is the only user group that has been granted these permissions in the parent folder.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6049.png)

* ***View***: HelpDesk, ServiceDesk
* ***Add***: Inherited
* ***Edit***: Inherited
* ***Delete***: Inherited

We want the ServiceDesk to be able to use the Domain admin credential entry as well, but not the HelpDesk. For this we grant the ***View*** permission to the ServiceDesk only. The ***Add*** and ***Edit*** permissions can be left to ***Inherited***, which resolves to the ServiceDesk from the Telemark folder: the ServiceDesk will still be able to edit the credential entry but will never see the password. If you prefer that the ServiceDesk cannot edit it either, set the ***Edit*** permission to an Administrator user or user group, or to ***Never*** if nobody should edit it at all.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6050.png)

* ***View***: ServiceDesk
* ***Add***: Inherited (ServiceDesk)
* ***Edit***: Inherited or Administrator user/user group
* ***Delete***: Inherited

The last step for the Telemark child items is to set the ***View*** permission to the ServiceDesk and the HelpDesk on the Boston folder and leave every other permission to ***Inherited***.

Now the MontrealConsultant will be able to view and open entries only in the Montreal folder. Note that any new child item added under Telemark inherits Telemark's ***View*** permission, which includes the consultant: every time a new folder is added, its ***View*** permission must be set explicitly to the ServiceDesk and the HelpDesk to hide the new folder and its content from the consultant.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6073.png)

* ***View***: HelpDesk, ServiceDesk
* ***Add***: Inherited (ServiceDesk)
* ***Edit***: Inherited (ServiceDesk)
* ***Delete***: Inherited

No need to set any permissions on the Montreal folder: they are inherited from the Telemark folder, whose ***View*** permission includes the consultant.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6074.png)

Finally, the permission to view the Windjammer folder will be set for the ServiceDesk only, since we want them to be able to use its child entries. We do not want them to add or edit anything, so we will set the ***Add*** and ***Edit*** permissions to the Administrator user/user group.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6053.png)

### In conclusion

The permissions are now correctly set. Note that every entry added at the root of the tree, outside the root-level groups/folders, has no security by default: it is available to everyone, even the consultant. This can be confirmed in the screenshot below, in which the entry Daily routine is available to everyone. Here is what each user should see in the tree view:

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6054.png)
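To make the inheritance rules concrete, here is a small Python model of the tree configured above, computing what each user group should see. It is an added example, not Remote Desktop Manager's own code: the rules it encodes (an ***Inherited*** permission resolves to the nearest explicit setting up the tree, an entry with nothing set anywhere above it is open to everyone, a hidden folder hides its whole subtree, and ***Add***/***Edit***/***Delete*** additionally require the matching right in the user's properties) are this page's description written down as assumptions, and the Quebec folder is a hypothetical addition used to show the new-folder caveat.

```python
"""Model of the permission inheritance this page walks through (added illustration,
not Remote Desktop Manager's own code). Assumed rules, taken from the page's text:
  * each entry has View/Add/Edit/Delete, set to Inherited, Never, or a set of groups;
  * Inherited resolves to the nearest ancestor with an explicit setting, and an entry
    with nothing set anywhere above it has no security (open to everyone);
  * an entry is visible only if every ancestor is visible too;
  * Add/Edit/Delete also need the matching right in the user's properties;
  * the Administrator role is allowed everything."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Union

INHERITED, NEVER, ADMIN = "Inherited", "Never", "Administrator"
PERMS = ("View", "Add", "Edit", "Delete")
Setting = Union[str, FrozenSet[str]]
# Rights ticked in each user's properties (from the "User configuration" section).
USER_RIGHTS: Dict[str, FrozenSet[str]] = {"ServiceDesk": frozenset({"Add", "Edit"}),
                                          "HelpDesk": frozenset({"Add"}),
                                          "MontrealConsultant": frozenset()}

@dataclass(eq=False, repr=False)
class Entry:
    name: str
    parent: Optional["Entry"] = None
    perms: Dict[str, Setting] = field(default_factory=dict)
    children: List["Entry"] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.perms = {p: (v if isinstance(v, str) else frozenset(v)) for p, v in self.perms.items()}
        for p in PERMS:
            self.perms.setdefault(p, INHERITED)  # anything not set explicitly is Inherited
        if self.parent is not None:
            self.parent.children.append(self)

def effective(entry: Entry, perm: str) -> Optional[Setting]:
    """Nearest explicit setting walking up; None means nothing set anywhere (no security)."""
    while entry is not None and entry.perms[perm] == INHERITED:
        entry = entry.parent
    return None if entry is None else entry.perms[perm]

def permitted(entry: Entry, perm: str, group: str) -> bool:
    """Entry-level decision only; the user-level right is checked in can()."""
    if group == ADMIN:
        return True
    setting = effective(entry, perm)
    if setting is None:
        return True  # no security by default: open to everyone, even the consultant
    return setting != NEVER and group in setting

def visible(entry: Entry, group: str) -> bool:
    """View only counts if every ancestor is viewable too (a hidden folder hides its subtree)."""
    while entry is not None:
        if not permitted(entry, "View", group):
            return False
        entry = entry.parent
    return True

def can(entry: Entry, perm: str, group: str, rights: Dict[str, FrozenSet[str]] = USER_RIGHTS) -> bool:
    """Full decision: visibility, then user right plus entry permission for Add/Edit/Delete."""
    if not visible(entry, group):
        return False
    if perm == "View":
        return True
    has_right = group == ADMIN or perm in rights.get(group, frozenset())
    return has_right and permitted(entry, perm, group)

def visible_paths(root: Entry, group: str) -> List[str]:
    """Every non-root entry the group sees, in tree order, as 'Folder/Child' paths."""
    found: List[str] = []
    def walk(e: Entry, prefix: str) -> None:
        for c in e.children:
            if visible(c, group):
                found.append(prefix + c.name)
                walk(c, prefix + c.name + "/")
    walk(root, "")
    return found

def find(root: Entry, *names: str) -> Entry:
    for n in names:
        root = next(c for c in root.children if c.name == n)
    return root

def build_windjammer() -> Entry:
    """The tree as configured on this page; folder and entry names are the page's."""
    SD, HD, MC = "ServiceDesk", "HelpDesk", "MontrealConsultant"
    root = Entry("Vault")
    Entry("Downhill Pro", root, {"View": {HD, SD}, "Add": {SD}, "Edit": {SD}})
    telemark = Entry("Telemark", root, {"View": {HD, MC, SD}, "Add": {SD}, "Edit": {SD}})
    Entry("Credentials", telemark, {"View": {HD, SD}})
    Entry("Domain admin", telemark, {"View": {SD}})
    Entry("Boston", telemark, {"View": {HD, SD}})
    Entry("Montreal", telemark)  # everything Inherited from Telemark
    Entry("Windjammer", root, {"View": {SD}, "Add": {ADMIN}, "Edit": {ADMIN}})
    Entry("Daily routine", root)  # root-level entry with no security set
    return root

if __name__ == "__main__":
    root = build_windjammer()
    print(visible_paths(root, "MontrealConsultant"))  # ['Telemark', 'Telemark/Montreal', 'Daily routine']
    # "Quebec" is a hypothetical new folder under Telemark left Inherited: the consultant sees it...
    quebec = Entry("Quebec", find(root, "Telemark"))
    print(visible_paths(root, "MontrealConsultant"))  # ...'Telemark/Quebec' now appears...
    quebec.perms["View"] = frozenset({"HelpDesk", "ServiceDesk"})  # ...until View is set explicitly
    print(visible_paths(root, "MontrealConsultant"))  # back to the three entries above
```

Two things the model makes visible that the screenshots do not. First, `visible_paths` for the consultant lists the root-level Daily routine entry alongside Telemark and Montreal, which is exactly the "no security by default" behaviour described above. Second, because ***Delete*** was left to ***Inherited*** on every folder, `effective(entry, "Delete")` is `None` everywhere: the only thing stopping a group from deleting an entry it can see is the missing ***Delete*** right in its user properties. Ticking that right for any group later would make every entry the group can view deletable, so a ***Never*** or an explicit group on ***Delete*** at the root-level folders is the safer default if that right is ever likely to be granted.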

You can go further with granting permissions by using the ***Security*** and ***Attachments*** tabs of the permissions section. As always, great care must be taken when granting permissions, and users should have very strict privileges.
