By default, global entitlements are created in the root federation access group, which appears as / or Root(/) in Horizon Console. You can create federation access groups under the root federation access group to delegate the administration of specific global entitlements to different administrators.
You configure administrator access to the global entitlements and global sessions in a federation access group by assigning a role to an administrator on that federation access group. Administrators can access the global entitlements and global sessions that reside only in federation access groups for which they have assigned roles. The role that an administrator has on a federation access group determines the level of access that the administrator has to the global entitlements and global sessions in that federation access group.
Because role privileges are inherited from the root federation access group, an administrator that has a role on the root federation access group has that role's privileges on all federation access groups. Administrators who have the Administrators role on the root federation access group are super administrators because they have full access to all the objects in the system.
To apply to a federation access group, a role must contain at least one object-specific privilege that is applicable to federation access groups. You cannot apply roles that contain only global privileges or access group-specific privileges to federation access groups. For complete information about privileges, privilege scope, and roles in Horizon, see "Configuring Role-Based Delegate Administration" in the Horizon Administration document.
You can use Horizon Console to configure and manage federation access groups. When you create a global entitlement, you can accept the default root federation access group or select a different federation access group.