The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.

Note: Assigning users a combination of predefined or custom roles can give users access to operations that are not possible within the individual predefined or custom roles.

The following table describes the predefined roles and indicates whether a role can be applied to an access group.

Table 1. Predefined Roles in Horizon Console
Role User Capabilities Applies to an Access Group
Administrators Perform all administrator operations, including creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.

Administrators that have the Administrators role on the root access group are super users because they have full access to all of the inventory objects in the system. Because the Administrators role contains all privileges, you should assign it to a limited set of users. Initially, members of the local Administrators group on your Connection Server host are given this role on the root access group.

Important: An administrator must have the Administrators role on the root access group to perform the following tasks:
  • Add and delete access groups.
  • Manage ThinApp applications and configuration settings in Horizon Console.
  • Use the vdmadmin , vdmimport, and lmvutil commands.
Yes
Administrators (Read only)
  • View, but not modify, global settings and inventory objects.
  • View, but not modify, ThinApp applications and settings.
  • Run all PowerShell commands and command line utilities, including vdmexport but excluding vdmadmin, vdmimport, and lmvutil.

In a Cloud Pod Architecture environment, administrators that have this role can view inventory objects and settings in the Global Data Layer.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

Yes
Agent Registration Administrators Register unmanaged machines such as physical systems, standalone virtual machines, and RDS hosts. No
Global Configuration and Policy Administrators View and modify global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings. No
Global Configuration and Policy Administrators (Read only) View, but not modify, global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings. No
Help Desk Administrators Perform desktop and application actions such as shutdown, reset, restart, and perform remote assistance actions such as end processes for a user's desktop or application. An administrator must have permissions on the root access group to access Horizon Help Desk Tool.
  • Read-only access to Horizon Help Desk Tool.
  • Manage global sessions.
  • Can log in to Horizon Console.
  • Perform all machine and session-related commands.
  • Manage remote processes and applications.
  • Remote assistance to the virtual desktop or published desktop.
No
Help Desk Administrators (Read Only) View user and session information, and drill down on session details. An administrator must have permissions on the root access group to access Horizon Help Desk Tool.
  • Read-only access to Horizon Help Desk Tool.
  • Can log in to Horizon Console.
No
Inventory Administrators
  • Perform all machine, session, and pool-related operations.
  • Manage persistent disks.
  • Resync, Refresh, and Rebalance linked-clone pools and change the default pool image.
  • Manage automated farms.

When administrators have this role on an access group, they can only perform these operations on the inventory objects in that access group.

Administrators with this role cannot create a manual farm or an unmanaged manual pool or add or remove RDS hosts to the farm or unmanaged manual pool.

Yes
Inventory Administrators (Read only) View, but not modify, inventory objects.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

Yes
Local Administrators Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.
Note: An administrator with the Local Administrators role cannot access Horizon Help Desk Tool. Administrators in a non-CPA environment do not have the Manage Global Sessions privilege, which is required to perform tasks in Horizon Help Desk Tool.
Yes
Local Administrators (Read Only) Same as the Administrators (Read Only) role, except for viewing inventory objects and settings in the Global Data Layer. Administrators that have this role have read-only rights only on the local pod.
Note: An administrator with the Local Administrators (Read Only) role cannot access Horizon Help Desk Tool. Administrators in a non-CPA environment do not have the Manage Global Sessions privilege, which is required to perform tasks in Horizon Help Desk Tool.
Yes