If you use Active Directory and the Carbon Black App Control Server has been joined to an Active Directory domain, you can use AD accounts to log in to the console.
When a user logs in to the console with an AD-based account name, that account is added as a Carbon Black App Control Console account. Users who attempt to log in to the console with a legitimate AD account but who are not members of a group that is mapped to any role will be added to the console accounts table, but without any privileges. As such, they will not be able to log in to the console.
You can map an AD account to multiple Carbon Black App Control Console roles, either intentionally or because the account happens to match more than one mapping rule. If you choose, you can stop evaluation when an account matches the highest-ranking mapping rule in the list. See “Managing Console User Roles” for more details.
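The following added example is not product code. It is a simplified model of the evaluation described above, useful for reviewing which accounts end up with several roles or with none. The rule format, the group names and the role names are assumptions constructed for the illustration.

```python
# Added illustration: simplified model of ranked AD-group-to-role mapping.
# Rule format, group names and role names are constructed, not taken from the product.
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingRule:
    rank: int       # 1 = highest-ranking rule in the list
    ad_group: str   # AD group the rule matches on
    role: str       # console role granted when the rule matches

def resolve_roles(user_groups, rules, stop_at_first_match=False):
    """Return the console roles an AD account receives, in rule-rank order."""
    groups = {g.lower() for g in user_groups}  # compare group names case-insensitively
    roles = []
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.ad_group.lower() in groups:
            if rule.role not in roles:
                roles.append(rule.role)
            if stop_at_first_match:
                break  # only the highest-ranking matching rule applies
    return roles

def audit(accounts, rules, stop_at_first_match=False):
    """Classify each account by the outcome of role mapping."""
    findings = {}
    for name, groups in accounts.items():
        roles = resolve_roles(groups, rules, stop_at_first_match)
        if not roles:
            status = "no-privileges"   # account row is created, console login fails
        elif len(roles) > 1:
            status = "multiple-roles"  # review against least privilege
        else:
            status = "single-role"
        findings[name] = (status, roles)
    return findings

# Constructed sample data.
RULES = [
    MappingRule(1, "CB-Admins", "Administrator"),
    MappingRule(2, "CB-Viewers", "ReadOnly"),
]
ACCOUNTS = {
    "alice": ["CB-Admins", "CB-Viewers"],  # matches two rules
    "bob": ["cb-viewers"],                 # matches one rule
    "carol": ["Domain Users"],             # valid AD account, no mapped group
}

if __name__ == "__main__":
    for stop in (False, True):
        print("stop_at_first_match =", stop, audit(ACCOUNTS, RULES, stop))
```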