Use the Administration Console's role-based access control to determine which administrative privileges are granted to which of your Active Directory user accounts.
These roles and their associated rights determine which management actions a user can perform using the Administration Console. The visibility of the Administration Console's features and elements is controlled by the role assigned to the person's Active Directory account. For example, a person in an Active Directory group that is assigned the Help Desk Read Only Administrator role can navigate to the user cards for end users and view the information, but not perform operations on the desktops. A person in an Active Directory group that is assigned the Help Desk Administrator role can navigate to the user cards and perform troubleshooting operations as well as view the information. You must assign a role to your organization's appropriate Active Directory groups before the users in that group can log in to the Administration Console's second login screen and access management actions.
- Super Administrator
- Help Desk Administrator
- Demo Administrator
- Help Desk Read Only Administrator
As a result of this precedence order, if a user's Active Directory account belongs to both Active Directory groups ADGroup1 and ADGroup2, and you assign the Super Administrator role to ADGroup1 and assign the Help Desk Read Only Administrator role to ADGroup2, the Administration Console will display all of the features according to the Super Administrator role, instead of the subset of features for the other role, because the Super Administrator role takes precedence.
- Select Settings > Roles & Permissions.
The Roles & Permissions page displays.There are four default roles, shown below.
Role Description Super Administrator A mandatory role that you must assign to at least one group in your Active Directory domain and optionally to others. This role grants all the permissions to perform management actions in the Administration Console.Important: Ensure that the domain-join account that you specified when registering the Active Directory domain with the first node is in one of the groups given the Super Administrator role. For the end-to-end success of operations involving images and domain join operations, that domain-join account must be granted this Super Administrator role. Help Desk Administrator A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the Administration Console so that your Active Directory groups with this role can work with the user card features to:
- See the status of end user sessions.
- Perform troubleshooting operations on the sessions.
Help Desk Read Only Administrator A role that you can optionally assign to one of more groups. The purpose of this role is to provide access to the Administration Console so that your Active Directory groups with this role can work with the user card features to see the status of end user sessions. Demo Administrator A read-only role that you can optionally assign to one or more groups. Demo administrators can view the settings and select options to see additional choices in the console, but the selections do not change the configuration settings.
- Select a role from the Roles list and click Edit.
- In the edit dialog, use the Active Directory search function to select a group for the role and click Save.
Important: These roles can be assigned to groups only. The Administration Console does not provide a way to choose individual Active Directory user accounts for each role.
This point is critical for the domain-join account. If the domain-join account that you registered for your initial node is not already in one of your Active Directory groups, create an Active Directory group for that account so that you can ensure the Super Administrator role can be assigned to that domain-join account. That domain-join account must be given the Super Administrator role.Note: Do not add the same group to both the Super-Administrator role and the Demo-Administrator role. Doing so can cause users in that group not to have full access to all expected functions.