End User Scopes
An End User Scope is a collection of users. Scopes let EndpointOps assign granular permissions by segregating different user pools. It's best practice to match End User Scopes to the support organization setup of your company. For example:
- If a single helpdesk team supports all employees, consider creating a single End User Scope targeting an AAD Group with all users.
- If your company supports employees based on the employee's location or division, consider creating an End User Scope for each.
Required Permissions
End User Scopes are created and managed by EndpointOps Administrators.

Types of End User Scopes
EndpointOps supports different types of End User Scopes to support a wide range of setups.

Type: User group membership
A simple way to set up End User Scopes is to rely on an account's membership in an AAD Group, Administrative Unit (AU), or Global Azure Role. When multiple AAD Groups/AUs are selected, membership in any one of them assigns the user to the respective End User Scope.
- Type the name of an AAD Group, Administrative Unit, or Global Azure Role
- Select an entry from the list
- Selected objects will appear on the right side. Undo the selection with the Remove Button
Type: User/Admin matching attribute
This option is recommended for setting up country-, site-, or division-based End User Scopes.
Instead of manually creating an AAD Group, you can create a single End User Scope of the type "User/Admin matching attribute". Such an End User Scope with the configuration "Country" dynamically assigns the End User Scope to a user if the Helpdesk supporter's country property matches the end user's country property. Supported properties are Department, Country, State, City, and Postal code.
The Azure Active Directory Account properties are used for this assignment:
- On EndpointOps: Helpdesk > Search for a user > AAD Account Information
- On the Azure Portal
Type: Device Attribute
This option is recommended for assigning an End User Scope to user-less devices.
When selecting this type, a Query editor will appear.
- Select one of the device attributes you want to test against. All Intune-device attributes are available from the ManagedDevice object, and all Azure-device attributes from the AzureDevice attribute. Review the examples for additional guidance. Note the URL at the end of the list for all available attributes.
- Select the desired Comparison Operator to complete your query. Note that you can make your query case-insensitive by adding an * character after the operator (e.g. attribute ==* 'sOmE vAlUe').
- You can combine multiple verifications with a logical operator.
- Double-check or complete your query.
- Verify the validity of your query or review the errors that appear.
Once the query is valid, you can proceed with the Next button.
Type: User Attribute
Special use cases may require you to create a user attribute query. When selecting this type, a Query editor will appear.
- Select one of the user attributes you want to test against. Review the examples for additional guidance. Note the URL at the end of the list for all available attributes.
- Select the desired Comparison Operator to complete your query. Note that you can make your query case-insensitive by adding an * character after the operator (e.g. attribute ==* 'sOmE vAlUe').
- You can combine multiple verifications with a logical operator.
- Double-check or complete your query.
- Verify the validity of your query or review the errors that appear.
Once the query is valid, you can proceed with the Next button.
End User Scope Properties
The second step of any type of End User Scope allows you to set the properties.
- The name of the End User Scope is visible to Helpdesk operators when searching for a user or device. Choose a unique and self-explanatory name.
- Users and devices might be members of multiple End User Scopes. If the Priority of a user's or device's End User Scope is elevated, the user will only be part of the End User Scopes with the highest priority. Following this logic, you can achieve exclusions for special cases. Imagine an End User Scope named "Default" that matches all users and has a priority of 0, and a second End User Scope called "VIP users" for a subset of users with a priority of 1 or higher. If a user is associated with the End User Scope "VIP users", they will no longer be a member of the "Default" End User Scope due to the elevated priority of the "VIP users" End User Scope. Depending on your use case, this allows you to assign a different set of permissions to the admin scopes (this could be more permissions, fewer permissions, or specific access granted to another Admin scope).
- Enabled End User Scopes will be used in EndpointOps, whereas Disabled End User Scopes are omitted.
- Proceed with the Next button to Save your End User Scope.
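The Priority and Enabled rules above decide which helpdesk teams can reach a user, so it helps to model them and check the outcome for sensitive accounts before relying on an exclusion. This is an added example, not EndpointOps code: the Scope class, effective_scopes function, field names, and sample users are hypothetical, and it assumes that an empty property never matches.

```python
from dataclasses import dataclass

# Simplified model of the rules described above; not EndpointOps code.
# All names (Scope, effective_scopes, field names) are hypothetical.

@dataclass
class Scope:
    name: str
    priority: int = 0
    enabled: bool = True
    groups: frozenset = frozenset()   # "User group membership" type
    match_attribute: str = ""         # "User/Admin matching attribute" type

    def matches(self, user: dict, operator: dict) -> bool:
        if self.groups:
            # Membership in any one of the selected groups/AUs is enough.
            return bool(self.groups & set(user.get("groups", ())))
        if self.match_attribute:
            # Assumption: an empty property never matches.
            value = user.get(self.match_attribute)
            return bool(value) and value == operator.get(self.match_attribute)
        return False


def effective_scopes(scopes, user, operator):
    """Return names of the scopes the user belongs to after priority filtering."""
    # Disabled scopes are omitted before anything else is evaluated.
    hits = [s for s in scopes if s.enabled and s.matches(user, operator)]
    if not hits:
        return []
    top = max(s.priority for s in hits)
    # Only the scopes with the highest priority remain.
    return sorted(s.name for s in hits if s.priority == top)


# Constructed sample data.
SCOPES = [
    Scope("Default", priority=0, groups=frozenset({"all-users"})),
    Scope("VIP users", priority=1, groups=frozenset({"vip"})),
    Scope("Country", priority=0, match_attribute="country"),
    Scope("Retired", priority=5, enabled=False, groups=frozenset({"all-users"})),
]
OPERATOR = {"country": "CH"}
ALICE = {"groups": ["all-users"], "country": "CH"}
BOB = {"groups": ["all-users", "vip"], "country": "CH"}

if __name__ == "__main__":
    print(effective_scopes(SCOPES, ALICE, OPERATOR))  # ['Country', 'Default']
    print(effective_scopes(SCOPES, BOB, OPERATOR))    # ['VIP users']
```

In this model the disabled "Retired" scope never wins despite its priority of 5, and Bob drops out of both priority-0 scopes as soon as "VIP users" matches.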
Edit or delete End User Scopes
End User Scopes can be updated or deleted at any point. Simply use the Edit or Delete button on the respective End User Scope.
