The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.

Note: Assigning users a combination of predefined or custom roles can give users access to operations that are not possible within the individual predefined or custom roles.

The following table describes the predefined roles and indicates whether a role can be applied to access groups or federation access groups. Federation access groups are available only in Cloud Pod Architecture environments.

Table 1. Predefined Roles in Horizon Console
Role User Capabilities Applies to Access Group Applies to Federation Access Group
Administrators Perform all administrator operations, including creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.

Administrators that have the Administrators role on the root access group are super users because they have full access to all of the inventory objects in the system. Because the Administrators role contains all privileges, you should assign it to a limited set of users. Initially, members of the local Administrators group on your Connection Server host are given this role on the root access group.

When administrators have this role on an access group or federation access group, they can manage only the inventory objects in that access group or federation access group.

Important: An administrator must have the Administrators role on the root access group to perform the following tasks:
  • Use the vdmadmin , vdmimport, and lmvutil commands.
Yes Yes
Administrators (Read only)
  • View, but not modify, global settings and inventory objects.
  • Run all PowerShell commands and command line utilities, including vdmexport but excluding vdmadmin, vdmimport, and lmvutil.

In a Cloud Pod Architectureenvironment, administrators that have this role can view inventory objects and settings in the Global Data Layer.

When administrators have this role on an access group or federation access group, they can view only the inventory objects in that access group or federation access group.

Yes Yes
Agent Registration Administrators Register unmanaged machines such as physical systems, standalone virtual machines, and RDS hosts. No
Global Configuration and Policy Administrators View and modify global policies and configuration settings except for administrator roles and permissions. No
Global Configuration and Policy Administrators (Read only) View, but not modify, global policies and configuration settings except for administrator roles and permissions. No
Help Desk Administrators Perform desktop and application actions such as shutdown, reset, restart, and perform remote assistance actions such as end processes for a user's desktop or application. An administrator must have permissions on the root access group to access Horizon Help Desk Tool.
  • Read-only access to Horizon Help Desk Tool.
  • Manage global sessions.
  • Can log in to Horizon Console.
  • Perform all machine and session-related commands.
  • Manage remote processes and applications.
  • Remote assistance to the virtual desktop or published desktop.
No Yes
Help Desk Administrators (Read Only) View user and session information, and drill down on session details. An administrator must have permissions on the root access group to access Horizon Help Desk Tool.
  • Read-only access to Horizon Help Desk Tool.
  • Can log in to Horizon Console.
No Yes
Horizon Cloud Services Enables administrators to activate subscription licenses and monitor Horizon 8 components from Horizon Cloud Service. This predefined role can be edited to add more privileges as required by the cloud services. Yes No
Inventory Administrators

When administrators have this role on an access group, they can only perform these three operations on the inventory objects in that access group.

  • Perform all machine, session, and pool-related operations.
  • Perform maintenance operations on automated pools and farms.
  • Manage automated farms.
Administrators with this role cannot do the following:
  • Create a manual farm or an unmanaged manual pool.
  • Add or remove RDS hosts to the farm or unmanaged manual pool.
  • Add an application pool sourced from farms associated with app volumes manager.
  • Associate or unassociate farms with app volumes manager.
 Yes
Inventory Administrators (Read only) View, but not modify, inventory objects.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

Yes
Local Administrators Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.
Note: An administrator with the Local Administrators role cannot access Horizon Help Desk Tool.
Yes
Local Administrators (Read Only) Same as the Administrators (Read Only) role, except for viewing inventory objects and settings in the Global Data Layer. Administrators that have this role have read-only rights only on the local pod.
Note: An administrator with the Local Administrators (Read Only) role cannot access Horizon Help Desk Tool.
Yes