The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.

1 describes the predefined roles and indicates whether a role can be applied to an access group.

Table 1. Predefined Roles in Horizon Administrator

Role

User Capabilities

Applies to an Access Group

Administrators

Perform all administrator operations, including creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.

Administrators that have the Administrators role on the root access group are super users because they have full access to all of the inventory objects in the system. Because the Administrators role contains all privileges, you should assign it to a limited set of users. Initially, members of the local Administrators group on your Connection Server host are given this role on the root access group.

Important:

An administrator must have the Administrators role on the root access group to perform the following tasks:

  • Add and delete access groups.

  • Manage ThinApp applications and configuration settings in Horizon Administrator.

  • Use the vdmadmin , vdmimport, and lmvutil commands.

Yes

Administrators (Read only)

  • View, but not modify, global settings and inventory objects.

  • View, but not modify, ThinApp applications and settings.

  • Run all PowerShell commands and command line utilities, including vdmexport but excluding vdmadmin, vdmimport and lmvutil.

In a Cloud Pod Architecture environment, administrators that have this role can view inventory objects and settings in the Global Data Layer.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

Yes

Agent Registration Administrators

Register unmanaged machines such as physical systems, standalone virtual machines, and RDS hosts.

No

Global Configuration and Policy Administrators

View and modify global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings.

No

Global Configuration and Policy Administrators (Read only)

View, but not modify, global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings.

No

Help Desk Administrators

Perform desktop and application actions such as shutdown, reset, restart, and perform remote assistance actions such as end processes for a user's desktop or application.

  • Read-only access to Horizon Help Desk Tool.

  • Manage global sessions.

  • Can log in to Horizon Administrator.

  • Perform all machine and session-related commands.

  • Manage remote processes and applications.

  • Remote assistance to the virtual desktop or published desktop.

No

Help Desk Administrators (Read Only)

View user and session information, and drill down on session details.

  • Read-only access to Horizon Help Desk Tool.

  • Cannot log in to Horizon Administrator.

No

Inventory Administrators

  • Perform all machine, session, and pool-related operations.

  • Manage persistent disks.

  • Resync, Refresh, and Rebalance linked-clone pools and change the default pool image.

When administrators have this role on an access group, they can only perform these operations on the inventory objects in that access group.

Yes

Inventory Administrators (Read only)

View, but not modify, inventory objects.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

Yes

Local Administrators

Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.

Note:

An administrator with the Local Administrators role cannot access Horizon Help Desk Tool. Administrators in a non-CPA environment do not have the Manage Global Sessions privilege, which is required to perform tasks in Horizon Help Desk Tool.

Yes

Local Administrators (Read Only)

Same as the Administrators (Read Only) role, except for viewing inventory objects and settings in the Global Data Layer. Administrators that have this role have read-only rights only on the local pod.

Note:

An administrator with the Local Administrators (Read Only) role cannot access Horizon Help Desk Tool. Administrators in a non-CPA environment do not have the Manage Global Sessions privilege, which is required to perform tasks in Horizon Help Desk Tool.

Yes