Use the Administration Console's role-based access control to determine which administrative privileges are granted to which of your Active Directory user accounts.

These roles and their associated rights determine which management actions a user can perform using the Administration Console. The visibility of the Administration Console's features and elements is controlled by the role assigned to the person's Active Directory account. For example, a person in an Active Directory group that is assigned the Help Desk Read Only Administrator role can navigate to the user cards for end users and view the information, but cannot perform operations on the desktops. A person in an Active Directory group that is assigned the Help Desk Administrator role can navigate to the user cards, view the information, and perform troubleshooting operations. You must assign a role to your organization's appropriate Active Directory groups before the users in those groups can log in to the Administration Console's second login screen and access management actions.

Prerequisites

Caution: Before assigning roles to your existing Active Directory groups, review the user account membership in the Active Directory groups to ensure that a user account receives only one of these roles. Create specific Active Directory groups if needed. Because these roles are assigned at the level of the Active Directory group, some unexpected results can occur if a user's Active Directory account belongs to two Active Directory groups and each group is assigned a different role. The Administration Console features are visible according to this precedence order:
  1. Super Administrator
  2. Help Desk Administrator
  3. Demo Administrator
  4. Help Desk Read Only Administrator

As a result of this precedence order, if a user's Active Directory account belongs to both Active Directory groups ADGroup1 and ADGroup2, and you assign the Super Administrator role to ADGroup1 and assign the Help Desk Read Only Administrator role to ADGroup2, the Administration Console displays all the features according to the Super Administrator role, instead of the subset of features for the other role, because the Super Administrator role takes precedence.

Caution: If you have only one Active Directory group with the Super Administrator role assigned, do not remove that group from the Active Directory server. Doing so can cause issues with future logins.

Procedure

  1. Select Settings > Roles & Permissions.
    The Roles & Permissions page displays.
    There are four default roles, shown in the following table.
    Role: Description

    Super Administrator: A mandatory role that you must assign to at least one group in your Active Directory domain and optionally to others. This role grants all the permissions to perform management actions in the Administration Console.
      Important:
      • Ensure that the domain-join account that you specified when registering the Active Directory domain with the first node is in one of the groups given the Super Administrator role. For the end-to-end success of operations involving images and domain join operations, that domain-join account must be granted this Super Administrator role.
      • The domain bind account is always assigned the Super Administrator role, which grants all the permissions to perform management actions in the Administration Console. You should ensure that the domain bind account is not accessible to users that you do not want to have Super Administrator permissions.

    Help Desk Administrator: A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the Administration Console so that your Active Directory groups with this role can work with the user card features to:
      • See the status of end user sessions.
      • Perform troubleshooting operations on the sessions.

    Help Desk Read Only Administrator: A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the Administration Console so that your Active Directory groups with this role can work with the user card features to see the status of end user sessions.

    Demo Administrator: A read-only role that you can optionally assign to one or more groups. Demo administrators can view the settings and select options to see additional choices in the console, but the selections do not change the configuration settings.

  2. Select a role from the Roles list and click Edit.
  3. In the edit dialog box, use the Active Directory search function to select a group for the role and click Save.
    Important: These roles can be assigned to groups only. The Administration Console does not provide a way to select individual Active Directory user accounts for each role.

    This point is critical for the domain-join account. If the domain-join account that you registered for your initial node is not already in one of your Active Directory groups, create an Active Directory group for that account so that you can ensure the Super Administrator role can be assigned to that domain-join account. That domain-join account must be given the Super Administrator role.

    Note: Do not add the same group to more than one role. Doing so can cause users in that group not to have full access to all expected functions.
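
The membership review called for in the Prerequisites caution, and the check behind the note about adding one group to more than one role, can be scripted before any role is assigned. The following is an added example, not part of the product or its documentation: the `audit` function and the sample data are constructed, and it assumes you have already exported a flattened member list for each Active Directory group.

```python
from collections import defaultdict

# Precedence order from this page: the highest-ranked role decides what the console shows.
PRECEDENCE = ["Super Administrator", "Help Desk Administrator",
              "Demo Administrator", "Help Desk Read Only Administrator"]
RANK = {role: i for i, role in enumerate(PRECEDENCE)}


def audit(role_groups, group_members):
    """role_groups: role -> AD groups; group_members: AD group -> account names."""
    roles_of_group = defaultdict(set)
    for role, groups in role_groups.items():
        if role not in RANK:
            raise ValueError(f"unknown role: {role}")
        for group in groups:
            roles_of_group[group].add(role)

    # Groups added to more than one role, which the page's final note warns against.
    shared_groups = {g: sorted(r, key=RANK.get)
                     for g, r in roles_of_group.items() if len(r) > 1}

    roles_of_user = defaultdict(set)
    for group, roles in roles_of_group.items():
        for user in group_members.get(group, []):
            roles_of_user[user.lower()] |= roles  # AD account names are case-insensitive

    predicted, conflicts = {}, {}
    for user, roles in roles_of_user.items():
        ordered = sorted(roles, key=RANK.get)
        predicted[user] = ordered[0]      # role the precedence order predicts
        if len(ordered) > 1:
            conflicts[user] = ordered     # account receives more than one role
    return predicted, conflicts, shared_groups


# Constructed sample: ADGroup1/ADGroup2 follow the page's example, other names are made up.
ROLE_GROUPS = {
    "Super Administrator": ["ADGroup1"],
    "Help Desk Read Only Administrator": ["ADGroup2"],
    "Help Desk Administrator": ["HelpDeskOps"],
    "Demo Administrator": ["HelpDeskOps"],
}
GROUP_MEMBERS = {
    "ADGroup1": ["svc-domainjoin", "alice"],
    "ADGroup2": ["Alice", "bob"],
    "HelpDeskOps": ["carol"],
}

if __name__ == "__main__":
    for name, result in zip(("predicted", "conflicts", "shared groups"),
                            audit(ROLE_GROUPS, GROUP_MEMBERS)):
        print(name, result)
```

Any account listed in `conflicts` is one the caution describes: it sees the console according to its highest-precedence role, so an intended read-only user can end up with Super Administrator visibility. For accounts in a group listed under `shared_groups`, treat the predicted role as unreliable, since the page states that such users may not get all expected functions.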