One key management task in an Horizon 7 environment is to determine who can use Horizon Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
Understanding Roles and Privileges The ability to perform tasks in Horizon Administrator is governed by an access control system that consists of administrator roles and privileges. This system is similar to the vCenter Server access control system.
Using Access Groups to Delegate Administration of Pools and Farms By default, automated desktop pools, manual desktop pools, and farms are created in the root access group, which appears as / or Root(/) in Horizon Administrator. Published desktop pools and application pools inherit their farm's access group. You can create access groups under the root access group to delegate the administration of specific pools or farms to different administrators.
Understanding Permissions Horizon Administrator presents the combination of a role, an administrator user or group, and an access group as a permission. The role defines the actions that can be performed, the user or group indicates who can perform the action, and the access group contains the objects that are the target of the action.
Manage Administrators Users who have the Administrators role can use Horizon Administrator to add and remove administrator users and groups.
Manage and Review Permissions You can use Horizon Administrator to add, delete, and review permissions for specific administrator users and groups, for specific roles, and for specific access groups.
Manage and Review Access Groups You can use Horizon Administrator to add and delete access groups and to review the desktop pools and machines in a particular access group.
Manage Custom Roles You can use Horizon Administrator to add, modify, and delete custom roles.
Predefined Roles and Privileges Horizon Administrator includes predefined roles that you can assign to your administrator users and groups. You can also create your own administrator roles by combining selected privileges.
Required Privileges for Common Tasks Many common administration tasks require a coordinated set of privileges. Some operations require permission at the root access group in addition to access to the object that is being manipulated.
Best Practices for Administrator Users and Groups To increase the security and manageability of your Horizon 7 environment, you should follow best practices when managing administrator users and groups.