You can combine specific privileges to create your own custom role to manage global entitlements and global sessions in federation access groups in Horizon Console.

The role must contain at least one object-specific privilege that is applicable to federation access groups. Roles that contain only global privileges or access group-specific privileges cannot be applied to federation access groups.

Note: If a role includes privileges that have Global and Federation group scope, even though the permission can be created on federation access groups for the role, internally the privileges that have Global scope are granted for assigned administrators on the root access group.


  • Create a federation access group. See Add a Federation Access Group.
  • Become familiar with privileges, privilege scope, and roles in Horizon. For complete information, see "Configuring Role-Based Delegated Administration" in the Horizon Administration document.


  1. Log in to the Horizon Console user interface for any Connection Server instance in the pod federation.
  2. Select Settings > Administrators.
  3. On the Role Privileges tab, click Add Role.
  4. Enter a name and description for the role, select one or more privileges, and click OK.
    The new role appears in the left pane.