An administrator can use dynamic role-based access control (RBAC) to define which users can perform which operations in the system. You can grant a role to one or more Active Directory (AD) groups. The Mirage server identifies users by AD group membership and automatically assigns them roles in the Mirage system.

A user can have only one active role at a time. If the user’s group is assigned to more than one role, the user inherits the superset privileges of all assigned roles.

Each role is mapped to a set of actions the user can perform in the system, such as managing CVDs, base layers, users, groups, and events, as well as viewing the dashboard and other system information.

You can define additional custom roles to suit various company processes.

Role Definitions

You can define role-based access to specific users for several actions in the system.

Table 1. System Actions for which Role-Based Access can be Defined for a User



View dashboard

View the dashboard.

View server status

View the server status node. If not applicable, the server status appears as an empty list.

View tasks

View the tasks list in the Task Monitoring node.

Manage tasks

Delete running tasks.

View CVDs

View the CVD inventory.

Manage CVDs

Delete a CVD, assign a base layer to a CVD, enforce a base layer, assign a policy to a CVD, and revert to snapshot.

Support CVDs

Enforce base layer, set driver libraries, revert CVDs. confirm restore, and edit CVD comments.

Manage collections

Create and remove collections.

Manage collections CVDs

Add and remove CVDs from a collection.

View CVD policies

View CVD policies.

Manage CVD policies

Edit, create, and delete CVD policies. This role requires the view CVD policies role.

View devices

View the devices in the device inventory and the pending list.

Manage devices

Assign a device to a CVD, reject a device, restore a device, remove a device, suspend a device, and synchronize the device with the CVD.

Support devices

Suspend and resume devices, collect sysreports, restart a device, and run the Sync Now procedure on a device.

View layers

View the layers that are assigned to different devices.

Manage layers

Create layers, delete layers, cancel layer assignment , and update layer data (name, details).

View ref CVDs

View the reference CVD inventory.

Manage ref CVDs

Assign a reference device to a reference CVD, assign a base layer to a reference CVD, assign a policy to a reference CVD, and delete a reference CVD.

View base layer rules

View the image rules.

Manage base layer rules

Add new rules, remove rules, test base layer draft rules, and set new default base layer rules.

View driver library

See the driver profiles and driver folders and their details in the driver library

Manage driver library

Add drivers to the driver folders and create new driver profiles, and modify existing driver folders and libraries.

View reports

View the generated reports.

Manage reports

Create reports and delete reports.

View events

View the events under the Event log and Manager Journal.

Manage events

Delete, acknowledge, and reinstate events.

View transactions

View transactions.

View users and roles

View the Mirage users and their roles.

Manage security roles

Modify user access roles.

Manage security groups

Modify the security groups' settings.

View configuration

View system configuration settings, cluster configurations, server and volumes configurations.

Manage configuration

Modify system configuration settings.

Manage minimal restore set

Modify the minimal restore set.

Access CVDs via admin file portal

View CVDs in the file portal.

Predefined User Roles

Mirage includes predefined Administrator, Desktop Engineer, and Helpdesk user roles.

Table 2. Predefined User Roles

User Role

Access Permission

Desktop Engineer role

Perform all system operations except base layer management, user management, and role management. You can customize the default privilege set for the Desktop Engineer role.

Help Desk

Provides information about the Mirage client user device in order to respond to service queries. Access with the Help Desk role displays the Select User and Device page by default..

Image Manager

Captures and assigns base layers and app layers to CVDs. The Image Manager role provisions new devices with a specified image.

Protection Manager

Provides detailed information of the Mirage system. Users with the Protection Manager role can update the Mirage system to protect Mirage end-user devices.


A super-set of all Mirage operations.