App Volumes has built-in roles with assigned privileges for managing App Volumes Manager. In addition to the built-in roles, you can create custom roles and assign necessary privileges to this role.

You can assign built-in roles or custom roles to an active directory group. All users within the group inherit the privileges defined for the role. To change the active directory group, you can edit the assignment. You can also remove the role from the assigned active directory group. However, you can only edit or remove a custom role.

Built-in Roles

Roles Responsibilities
Administrators Perform all operations including adding and setting permissions for other administrators.
AppStacks Administrators
  • Perform all operations related to AppStacks such as create, import, rescan, update, and so on.
  • View-only access to other resources such as Directory or Infrastructure.
  • No access to Configuration or Writable Volumes.
Inventory Administrators
  • Perform operations related to applications such as create, import, rescan, update, and so on.
  • Perform operations related to Writable Volumes and Writable Volumes (2.x) such as create, import, update, rescan, and so on.
  • View-only access to other resources such as Directory or Infrastructure.
  • No access to Configuration resources.
Administrators (Read only) View resources but cannot make any modifications or perform other tasks.

For more information, see the Administrators (Read only) section in this document.

Security Administrators
  • Manage custom roles (perform tasks such as create, update, and delete custom roles).
  • Manage and change role assignments.
Writables Administrators
  • Perform all operations related to Writable Volumes and Writable Volumes (2.x) such as create, import, update, back up, and so on.
  • View-only access to other resources such as AppStacks, Directory, Infrastructure, Storage Groups, and so on.
  • No access to Configuration resource.

Administrators (Read only)

This administrator role can only view the resources and configuration information but cannot perform any other tasks. Specifically, a read-only administrator cannot perform the following functions:

  1. Make configuration changes to the App Volumes Manager.
  2. Create or import Application Packages.
  3. Create or import AppStacks.
  4. Make storage configuration changes.
  5. Add or remove Active Directory domains.
  6. Add or remove Machine Managers.
  7. Create, import, or update writable volumes.

Only an existing administrator, who has complete access to App Volumes Manager functionality, can add the Administrator (Read only) role.

As an administrator, you can add a read-only account to a group of users that belong to a particular domain. For example, if you have created a domain xyz.com, then you can create a read-only account belonging to the domain xyz.com.

Note: You cannot create a read-only account for a single user.

Custom Roles

You can create custom roles with specific privileges and assign them to groups. Whenever privileges are changed for the custom roles, they are dynamically updated and the members of the group receive the updated privileges immediately.

You can assign multiple roles to a group. In such a case, the group receives the union of the privileges of the different roles assigned to it.

Note:
  • When a new role is assigned to a group, the users of the group must log out and log in again to the system before they can get the privileges offered by the role.
  • When creating custom administrator roles, granting view privilege to either AppStacks or applications effectively grants view privileges to both functions.