Streamlining N‑central Agent Installation: Minimum Permissions Required

When it comes to scripting the install of the N‑able N‑central agent, one of the most common questions I’m asked is: what are minimum permissions needed to carry out this task? 

Well it took some testing, but I’ve managed to get a definitive answer and despite all the permissions available to a user in N‑central you might be surprised to learn that in total you only need three. So in this blog I’m going to outline exactly what you need if you wish to configure a restricted role in N‑central for this purpose.

Creating a Restricted User Role

First up, we are going to create a new User Role so that we can assign the relevant permissions. From the SO level navigate to Administration>User Management and click on Roles in the left-hand navigation menu. Here you will see the current user roles available on your N‑central server. Click on Create Role, then provide a name for this role as well as a description so that other N‑central users can understand the purpose of this user role. I’d suggest something along the lines of “Locked down user role used with minimum access to trigger the agent install”.  It’s always good practice to be as descriptive as possible when it comes to naming and descriptions of anything in N‑central.

Configuring the Necessary Permissions

With the name and description set the next step is to set the permissions you need. I’m going to include a few screenshots here to so you can see what exactly is required. For starters no permissions are required in the Administration, Reporting, and Tickets & Notifications sections, so everything in those sections can be set to None. 

Scroll down to the Configuration section. In here the very first option you will see is Discovery Jobs under Asset Discovery, this is the first of the three permissions you need. From the Discovery Jobs dropdown menu, ensure that the value selected is Manage, by default everything in the new role should be set to None, so you will need to change this.

Once you have configured the Discovery Jobs permission under configuration, the other two permissions you need to set are in the Devices section.  The second permission you need to set is the All Devices permission under Devices View. Here you will only have the option to set this to Read Only, so ensure that is selected from the dropdown.

The third and final permission you need to set is the Add/Import Devices permission under Network Devices. Just like the first permission you select Manage from the dropdown menu here as well.

Applying the Role and Enhancing Security

Once these three permissions are configured, save the role. This new role can now be assigned to a user instead of a broader, more privileged role. You can also create an API-only user account with this restricted role and use it within your deployment scripts to install the N‑central agent securely.

By leveraging least privilege access, you’re enhancing security for both yourself and your customers. Limiting user permissions ensures that only the necessary actions can be performed, reducing potential risks.

Need Help?

If you have any questions about this process, or anything else related to N‑central, feel free to reach out to me directly. My contact details are below. Also, don’t forget to join me each month for N‑central Office Hours, where I’ll be joined by a special guest Product Manager to discuss the latest updates and best practices. See you there!

 Paul Kelly is the Head Nerd at N‑able. You can follow him on Twitter at @HeadNerdPaul, LinkedIn and Reddit at u/Paul _Kelly. Alternatively you can email me direct.