Defining User Access

The Management Console can only be accessed by authorized network administrators.

To control user access to the Management Console, you can define two types of Ivanti Device and Application Control administrators:

  • An Ivanti Device and Application Control Enterprise Administrator has full access to all management functions.

Initially, any member of the Windows Administrators group for an Application Server has the privileges of an Enterprise Administrator. After an Enterprise Administrator is designated, administrative privileges are automatically restricted for the members of the local Administrator group.

  • An Ivanti Device and Application Control Administrator has restricted access to Management Console functions as defined by the Enterprise Administrator.

An Ivanti Device and Application Control Enterprise Administrator can delegate administrative rights to other administrators using Active Directory Organizational Units. These rights are described in the following table.

| Administrative Rights | Administrator Type | Limitations | Ivanti Device and Application Control Application |
|---|---|---|---|
| View all device permissions and file authorizations | All Ivanti Device and Application Control Administrators | NA | Application Control; Device Control |
| Modify file authorizations | Enterprise Administrators | NA | Application Control |
| Modify global-level device permissions | Enterprise Administrators | NA | Device Control |
| Modify global-level device permissions | Members of the Settings (Device Control) role | Only users the administrator is allowed to manage | Device Control |
| Modify computer-level device permissions | Enterprise Administrators | NA | Device Control |
| Modify computer-level device permissions | Members of the Settings (Device Control) role | Only for the computers that the administrator is allowed to manage | Device Control |
| Modify computer-group device permissions | Enterprise Administrators | NA | Device Control |
| Modify computer-group device permissions | Members of the Settings (Device Control) role | Only for an administrator allowed to manage all the computers in the computer group for all accounts | Device Control |
| Manage built-in accounts (Everyone, LocalSystem, and so forth) | Enterprise Administrators | NA | Application Control; Device Control |

Initially, any administrator with password access to an Application Server and the Management Console can use the Management Console.

Before using Ivanti Device and Application Control, Ivanti recommends setting up Ivanti Device and Application Control administrators who have access to the Management Console. You can assign different roles to administrators, but you must define at least one Enterprise Administrator.
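Because every member of the Windows Administrators group on an Application Server starts out with Enterprise Administrator privileges, it helps to review that membership before designating administrators. The following script is an added example, not part of the Ivanti documentation; the server names are placeholders, and it assumes PowerShell remoting is enabled on the Application Servers.

```powershell
# Added example: report local Administrators membership on each Application Server.
# Assumption: replace these placeholder names with your own Application Servers.
$ApplicationServers = @('APPSRV01', 'APPSRV02')

$report = foreach ($server in $ApplicationServers) {
    try {
        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group, so the lookup works regardless of the OS display language.
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                Select-Object Name, ObjectClass,
                    @{ n = 'Source'; e = { [string]$_.PrincipalSource } }
        } | ForEach-Object {
            [pscustomobject]@{
                Server = $server
                Member = $_.Name
                Type   = $_.ObjectClass   # User or Group
                Source = $_.Source        # Local, ActiveDirectory, ...
                # A nested group hides the real account list; expand it in AD.
                Note   = if ($_.ObjectClass -eq 'Group') { 'Expand group membership' } else { '' }
            }
        }
    }
    catch {
        # Unreachable server, or a membership list that could not be enumerated
        # (for example an orphaned SID): record it instead of silently skipping.
        [pscustomobject]@{
            Server = $server
            Member = '(not enumerated)'
            Type   = ''
            Source = ''
            Note   = $_.Exception.Message
        }
    }
}

$report | Sort-Object Server, Source, Member | Format-Table -AutoSize
```

Any row marked "(not enumerated)" needs a manual check of that server's Administrators group before you rely on the report.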

The following rules apply to administrative user roles:

  • You must always designate one Enterprise Administrator before you modify the list of administrators.

  • All Application Servers share the same database, so some administrative rights set for an Ivanti Device and Application Control administrator can be used for other Application Servers.

  • Local computer users cannot manage the Management Console even if assigned as an Enterprise Administrator, because they cannot connect to an Application Server.

  • Assigning Administrators
    You assign administrator access rights using the User Access tool.
  • Defining Administrator Roles
    An Administrator has restricted access to the Management Console and can be assigned various administrative roles by an Enterprise Administrator.
  • Assigning Administrator Roles
    After defining Administrator roles, you use the User Access tool to assign the defined roles to Administrators.
