Permissions Reference
Least privilege is practical when the workflow boundaries stay explicit.
Veridominus is read-first. Most workflows need read access only. Higher-impact actions such as script save-back or MDM command submission need additional privileges only when you decide to use them.
- Read-first product model
- Explicit partial coverage
- Optional write privileges
Recommended API role approach
Review-only role
Use this for dependency review, Ghost Hunter, scope analysis, Smart Groups, Device Lookup, and dashboard work. It keeps the product useful without granting change rights.
Extended read role
Add Patch Management, Push Certificates, Computer History, Packages, or LAPS only if you use those workflows. This expands visibility without introducing write paths.
Operations role
Add write privileges only for the operators who submit MDM commands or save scripts back to Jamf. These permissions are not required for routine read-only review.
Jamf API permission matrix
| Permission | Used by | Role guidance |
|---|---|---|
| Read Computers | Overview Dashboard, Device Lookup, Ghost Hunter, Scope Inspector, Apple Updates fleet exposure, Hardware Lifecycle, Enrollment Monitor, Device Activity Timeline | Read baseline |
| Read Mobile Devices | Mobile-device inventory and enrollment views where supported, plus mobile-device extension attribute workflows when enabled | Optional read |
| Read Computer Extension Attributes | EA Dependency Scanner, dashboard counts, and supported dependency review workflows | Read baseline |
| Read Mobile Device Extension Attributes | Mobile-device EA scans when the mobile-device toggle is enabled | Optional read |
| Read Computer Groups | Smart Groups, Scope Inspector, Ghost Hunter, Blast Radius Analyzer, and dependency review | Read baseline |
| Read Advanced Computer Searches | EA Dependency Scanner advanced search criteria and display-column review | Optional read |
| Read Policies | Ghost Hunter, EA Dependency Scanner, Blast Radius Analyzer, Scope Inspector, Script Library usage context, and Device Activity Timeline policy history | Read baseline |
| Read Scripts | Script Library, Ghost Hunter, and strict script-literal dependency review | Read baseline |
| Read macOS Configuration Profiles | Profile Conflict Detection, Ghost Hunter, Scope Inspector, and Blast Radius Analyzer | Read baseline |
| Read Patch Management Software Titles, Configurations, and Reports | Patch Compliance and related reporting | Optional read |
| Read Packages | Package-focused investigation surfaces and package-linked operational review | Optional read |
| Read Push Certificates | Dashboard push certificate status and local expiry notifications | Optional read |
| Read Computer History | Device Activity Timeline and related policy-history inspection | Optional read |
| View Local Admin Password (LAPS) | Device Lookup LAPS retrieval where Jamf exposes it and your role allows it | Optional read |
| Send Computer Remote Commands | Device Lookup and Fleet Commander command submission | Write only when needed |
| Update Scripts | Saving script edits back to Jamf from Script Library | Write only when needed |
How missing permissions show up
Veridominus is designed to expose missing privileges as unavailable, partial, or blocked workflows. It should not silently turn a missing permission into a zero count, an empty result, or a “no references found” claim.
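As an added example, not part of this reference or of the product's own code: a short Python audit that encodes the matrix above and reports, for a candidate API role, which workflows would be available, partial or unavailable, and which write privileges a review role carries that it should not. The workflow-to-privilege mapping and the privilege strings are assumptions taken from the table on this page; the privilege names Jamf Pro itself uses may differ.

```python
"""Audit a Jamf API role's privilege list against the permission matrix above.
Added example; the mapping below is constructed from the page's table and the
privilege strings are assumed, not Jamf Pro's authoritative names."""

# Workflow -> privileges the matrix lists as used by it (constructed from the table).
WORKFLOW_PRIVILEGES = {
    "Ghost Hunter": {"Read Computers", "Read Computer Groups", "Read Policies",
                     "Read Scripts", "Read macOS Configuration Profiles"},
    "Scope Inspector": {"Read Computers", "Read Computer Groups", "Read Policies",
                        "Read macOS Configuration Profiles"},
    "EA Dependency Scanner": {"Read Computer Extension Attributes", "Read Policies",
                              "Read Advanced Computer Searches"},
    "Device Activity Timeline": {"Read Computers", "Read Policies",
                                 "Read Computer History"},
    "Patch Compliance": {"Read Patch Management Software Titles, Configurations, and Reports"},
    "Fleet Commander": {"Send Computer Remote Commands"},
    "Script Library save-back": {"Read Scripts", "Update Scripts"},
}

# The only two rows of the matrix that grant change rights.
WRITE_PRIVILEGES = {"Send Computer Remote Commands", "Update Scripts"}

# Read-baseline rows of the matrix: what a review-only role should contain.
REVIEW_ONLY_ROLE = {
    "Read Computers", "Read Computer Extension Attributes", "Read Computer Groups",
    "Read Policies", "Read Scripts", "Read macOS Configuration Profiles",
}


def workflow_status(granted, needed):
    """Classify a workflow the way the page says a missing privilege should surface:
    available, partial (some privileges missing) or unavailable, never a silent zero."""
    missing = needed - granted
    if not missing:
        return "available"
    if missing == needed:
        return "unavailable"
    return "partial: missing " + ", ".join(sorted(missing))


def audit_role(granted, write_expected=False):
    """Return (status per workflow, write privileges the role should not carry)."""
    granted = set(granted)
    statuses = {wf: workflow_status(granted, needed)
                for wf, needed in WORKFLOW_PRIVILEGES.items()}
    unexpected_writes = [] if write_expected else sorted(granted & WRITE_PRIVILEGES)
    return statuses, unexpected_writes
```

Run `audit_role` on the privilege list exported from each role before rollout; a non-empty second element on a review role is the signal to split the role, as the operational guidance below recommends.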
Local macOS permissions
| Local permission | Used for | Required |
|---|---|---|
| Notifications | Optional local alerts for push certificate expiry and Ghost Hunter issue notifications. | Optional |
| User-selected file access | Saving exports or other operator-chosen files through standard macOS save panels. | Only when you export or save to a chosen location |
| Network client access | Direct connections from the app to Jamf Pro and to optional Apple release feeds used by Apple Updates. | Required for connected workflows |
Operational guidance
- Use separate Jamf API roles for review work and write-capable operational workflows.
- Test the role against a staging tenant before broad rollout if you rely on narrow least-privilege scopes.
- When a workflow is partial or unavailable, review the in-app error detail before expanding the role.
- Read Connecting to Jamf Pro for the connection path and Security and Privacy for the trust boundary.