In a Cloud Pod Architecture environment, when a pod is part of a pod federation, permissions might be added or deleted automatically when a role is updated. Permissions are not created or deleted automatically when the Connection Server instance is not part of a pod federation.
The following table describes the actions that cause permissions to be added or deleted automatically.
For complete information about privileges, including privilege scopes, see "Predefined Roles and Privileges" in the Horizon Administration document.
| Role Privilege Scope Before Update | Action | Role Privilege Scope After Update | Affect on Permissions |
|---|---|---|---|
| Federation group, All, and any other scope. | Deselect privileges that have Federation group and All scope. | Another scope, such as Access Group or Global. | Administrator permissions for the updated role on all federation access groups are removed automatically. Only permissions on access groups remain for the updated role. |
| Federation group and any other scope. | Deselect privileges that have Federation group scope. | Another scope, such as Access Group or Global. | Administrator permissions for the updated role on all federation groups are removed automatically. Only permissions on access groups remain for the updated role. |
| All and any other scope. | Deselect privileges that have All scope. | Another scope, such as Access Group or Global. | Administrator permissions for the updated role on all federation access groups are removed automatically. Only permissions on access groups remain for the updated role. |
| Federation group and any other scope. | Deselect privileges that have Access group, All, or Global scope. | Federation group only. | Administrator permissions for the updated role on all access groups are removed automatically. Permissions remain only on federation access groups for the updated role. |
| Access group and Global. | Select privileges that have All scope. | Privilege scope set now includes All. | For the administrator users or groups that have permissions on the updated role, permissions are created on the root federation access group automatically. Permissions on the access groups are not affected for the updated role. |
| Access group and Global. | Select privileges that have Federation group scope. | Privilege scope set now includes even Federation group. | For the administrator users or groups that have permissions on the updated role, permissions are created on the root federation access group automatically. Permissions on the access groups are not affected for the updated role. |
| Access group and Global. | Select privileges that have All and Federation group scope. | Privilege scope set now includes All and Federation Group. | For the administrator users and groups that have permissions on the updated role, permissions are created on the root access group automatically. Permissions on the federation access groups are not affected for the updated role. |
| Federation group | Select privileges that have Global scope. | Privilege scope set now includes Global. | Permissions are not created on the access groups, but are internally granted to administrators that have permissions on the role. Permissions on the federation access groups are not affected for the updated role. |
| Federation group | Select privileges that have Access group scope. | Privilege scope set now includes Access group. | For the administrator users and groups that have permissions on the updated role, permissions are created on the root access group automatically. Permissions on the federation access group are not affected for the updated role. |
| Federation group | Select privileges that have All scope. | Privilege scope set now includes All. | For the administrator users and groups that have permissions on the updated role, permissions are created on the root access group automatically. Permissions on the federation access group are not affected for the updated role. |
