The ability to perform tasks in Horizon Console is governed by an access control system that consists of administrator roles and privileges. This system is similar to the vCenter Server access control system.
An administrator role is a collection of privileges. Privileges grant the ability to perform specific actions, such as entitling a user to a desktop pool. Privileges also control what an administrator can see in Horizon Console. For example, if an administrator does not have privileges to view or modify global policies, the Global Policies setting is not visible in the navigation panel when the administrator logs in to Horizon Console. If an administrator does not have privileges to modify global policies, the buttons on the Global Policies page are disabled and global policies cannot be modified when the administrator logs in to Horizon Console.
Administrator privileges are either global or object-specific. Global privileges control system-wide operations, such as viewing and changing global settings. Object-specific privileges control operations on specific types of objects.
Administrator roles typically combine all of the individual privileges required to perform a higher-level administration task. Horizon Console includes predefined roles that contain the privileges required to perform common administration tasks. You can assign these predefined roles to your administrator users and groups, or you can create your own custom roles by combining selected privileges. You cannot modify the predefined roles.
To create administrators, you select users and groups from your Active Directory users and groups and assign administrator roles. If the role contains object-specific privileges, you might need to apply the role to an access group, a federation access group (Cloud Pod Architecture environments only), or to both. Administrators obtain privileges through their role assignments. You cannot assign privileges directly to administrators. An administrator who has multiple role assignments acquires the sum of all the privileges contained in those roles.
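The following Python model is an added example for reviewing delegated administration, not VMware code or a Horizon API. It computes the privileges an administrator accumulates from direct and group role assignments, and the resulting state of the Global Policies page. All privilege, role, user, group and access group names are constructed, and it assumes global privileges apply system-wide while object-specific privileges apply only within the access group named in the assignment.

```python
from collections import defaultdict

# Constructed privilege names for illustration; not Horizon's real identifiers.
GLOBAL_PRIVS = {"VIEW_GLOBAL_POLICIES", "MODIFY_GLOBAL_POLICIES"}
ROLES = {  # a role is a collection of privileges
    "PolicyViewer": {"VIEW_GLOBAL_POLICIES"},
    "PolicyEditor": {"VIEW_GLOBAL_POLICIES", "MODIFY_GLOBAL_POLICIES"},
    "PoolEntitler": {"ENTITLE_POOL"},
    "PoolOperator": {"ENTITLE_POOL", "MANAGE_POOL"},
}
# Constructed directory data: user -> Active Directory groups.
AD_GROUPS = {"alice": {"helpdesk"}, "bob": {"helpdesk", "vdi-ops"}, "carol": set()}
# Role assignments as (user or group, role, access group); None = no access group.
ASSIGNMENTS = [
    ("helpdesk", "PoolEntitler", "Sales"),
    ("vdi-ops", "PoolOperator", "Engineering"),
    ("bob", "PolicyViewer", None),
    ("carol", "PolicyEditor", None),
]

def effective_privileges(user):
    """Return (global privileges, {access group: object privileges}) for a user."""
    principals = {user} | AD_GROUPS.get(user, set())
    global_privs, scoped = set(), defaultdict(set)
    for principal, role, access_group in ASSIGNMENTS:
        if principal not in principals:
            continue
        for priv in ROLES[role]:  # privileges arrive only through roles
            if priv in GLOBAL_PRIVS:
                global_privs.add(priv)
            elif access_group is not None:
                scoped[access_group].add(priv)  # sum across all assignments
    return global_privs, dict(scoped)

def can(user, priv, access_group=None):
    """Check one privilege, scoped to an access group when object-specific."""
    global_privs, scoped = effective_privileges(user)
    if priv in GLOBAL_PRIVS:
        return priv in global_privs
    return priv in scoped.get(access_group, set())

def global_policies_ui(user):
    """Model the console behaviour described for the Global Policies setting."""
    global_privs, _ = effective_privileges(user)
    if "MODIFY_GLOBAL_POLICIES" in global_privs:
        return "editable"
    return "read-only" if "VIEW_GLOBAL_POLICIES" in global_privs else "hidden"

if __name__ == "__main__":
    for name in sorted(AD_GROUPS):
        print(name, effective_privileges(name), global_policies_ui(name))
```

Running the same computation over an export of real role assignments shows which administrators hold more privileges in combination than any single assignment suggests.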
For information about configuring federation access groups to delegate the administration of global entitlements, see the Cloud Pod Architecture in Horizon document.