If a restricted administrator or administrator-group has been configured to be able to access only some device group(s) and have the global permission to access profile related functions/tab, he/she can then view the status of the list of assigned profiles on the profile tab (pre v14) or configuration tab (v14+) associated with the device of interest. 

However, to be able to read/write the detailed settings in various payloads associated with such profile(s), the read/write permissions of each of the profiles has to be individually enabled for this admin/admin-group.

Hi Zenkyo, 

To add to Raymond's response, the minimum permissions needed for a user to view and assign profiles are below:

In v14, go to System Settings > Users and Console Security.

In Legacy View:

Security tab > Manage Users:

Check:

MobiControl Access
Web Console Access
View Profiles
Manage Profiles

- Note: you may also need to check "Configure Devices/Devices Groups" so the user can view the Devices as well
- Deny the rest or leave unchecked

Security tab > Device Group Permissions > Device Groups:

Check the groups you want the user to be able to see and manage

Security tab > Device Group Permissions > Manage Groups and Devices > Manage Groups:

Check:

View Groups
Target Groups
Manage Groups

- Leave the rest unchecked


When used in combination with the Profile Security Permissions that Raymond stated above, you can create a user with the just the minimal ability to view and assign Profiles to the devices.

Regards,
~G