Although the built-in user roles provide options for different levels of feature access, users with sufficient permission can create new custom user roles and modify roles. You might want to have a special user role whose level of access falls between two of the built-in options. Creating a special user role can not only prevent unauthorized access to critical features but also might make it easier for users with limited roles to learn those roles without having to see features they will not use.

For example, you might want to allow members of a help desk team to view all information available through the console but only to be able to change policy for a computer, put a computer into local approval, or access debugging features. You can create a user role with these characteristics. See User Role Parameters for detailed information used to define a user role.

Create a New User Role

You can follow this procedure to create a new console user role.


  1. In the console menu, click the Settings (gear) icon and choose Login Accounts.
  2. In the Login Accounts page, click the User Roles tab.
  3. On the Login Accounts: User Roles page, click the Add User Role button. The Add User Role page appears.
  4. Enter a name for the new role, and optionally, a description to specify the purpose of the role, intended members, or any other information about the role.
  5. Assuming you want this role to be available immediately for login accounts, leave the Status radio button set to Enabled.
  6. Check the box next to each permission you want to enable for this role, and un-check any permissions you do not want this role to have. See Permissions Settings for User Roles for a complete list of permissions.
    Note: If you are giving this role permission to perform most console activities, it might be more efficient to click the Enabled box in the table header, which checks all boxes, and then remove the few permissions you don’t want to provide.
    The Add User Role page
  7. If you have AD account mapping enabled and want to automatically map members of an AD security group to this console role, put the name of the AD security group in the AD Mapping Name box.
  8. If you want to limit this role so that it has access to computers in certain policies only, scroll to the bottom of the page, click the Selected Policies radio button, and check the box next to each policy you want this role to have access to.
    The Scope of Policy Permissions settings showing the Selected Policies
  9. When you have finished configuring this role, click Create & Exit at the bottom of the page. The new role appears in the Login Accounts: User Roles table. Notice that it includes a delete button since, unlike a built-in role, a user-created role can be deleted.
    The User Roles table showing the new role and a delete button
  10. If you have AD mapping enabled, a new role is first in the mapping rank. Rank is significant if you have rules with Stop evaluation checked since no rules ranked lower than a Stop evaluation rule will be processed. If you want the new role to rank lower, use the arrow keys in the AD Rank column to move it down in rank, or to move another role up.Accounts that match multiple mappings are assigned all roles they match in rank order (beginning with number 1), until and unless they reach a Stop evaluation rule.
  11. If you are not using AD mapping to assign console login accounts, manually assign this new role to user accounts you want to have its permissions.

User Role Parameters

Table 1. User Role Parameters
Field Description 



Name that will appear in the Login Accounts: User Roles list and will be used when assigning a role to a login account.

Enter any combination of letters, numbers, or English-keyboard characters fewer than 40 characters in length. Role names are not case sensitive.

Note: User names created in the console cannot contain the “\” or “@” characters. This helps avoid conflicts with AD-based user names using user@domain or domain\user format.


Optional descriptive information about this role, such as who should be in it and perhaps a high-level summary of its permissions.

AD Mapping Name

If AD-based login mapping is enabled, the AD security group that you would like mapped to this role.


Determines whether this role is Enabled or Disabled. Note that disabling a role disables it for accounts it is assigned to and prevents AD-mapping from matching it. If you disable the only role assigned to a user, that user loses console access.


A table of checkboxes that determine what users with this role are allowed to do in the console. See Permissions Settings for User Roles for a complete description.