Defining Administrator Roles

An Administrator has restricted access to the Management Console and can be assigned various administrative roles by an Enterprise Administrator.

Administrator access roles are described in the following table.

Functions Administrator Rights Ivanti Device and Application Control Application
Settings (Device Control) Change permissions and options for the user, user groups, computers, and devices that the Administrator has write privileges in the Active Directory. Can view the Media Authorizer module.

Without this role assignment, Administrator can only view the users access permissions.

Device Control
Time based settings (Device Control) Set temporary and scheduled device permissions. This function is a sub group of Settings (Device Control). Device Control
Devices (Device Control) Add new devices to the database using Manage Devices and organize devices into groups. Device Control
Media (Device Control) Encrypt and authorize media using the Media Authorizer module and generate the Media by User and Users by Medium reports.

This an optional function for subgroups of Settings (Device Control).

Device Control
Audit (Device Control) View and search Audit Logs and view Administrator actions, with the appropriate rights, using the Log Explorer module. Device Control
Logs (Device Control) View central logging and access shadow files using the Log Explorer module and generating Shadowing by Device and Shadowing by User reports. Device Control
Logs without File Access (Device Control) View central logging without access to shadow file content.

This option is a sub group of Logs (Device Control).

Device Control
Key Recovery (Device Control) Generate a passphrase for access to an encrypted device when the user has does not have a decentralized encryption password.

Can be accomplished with a lower security risk when the user is connected to the network.

Device Control
Temporary Permissions Offline (Device Control) Set only temporary permissions for users that are not connected to the Application Server and extend access permissions for a limited time. Device Control
Settings (App. Control) View and modify user, user group, and computer Default Options for which the administrator has write permissions in the Active Directory, and authorize applications using the Authorization Wizard. Application Control
Audit (App. Control) View and search audit logs of system activity using the Log Explorer. Application Control
Execution Logs (App. Control) View and search execution logs using the Log Explorer for users, user groups, and computers that the administrator has write permission in the Active Directory. Application Control
Machine Scans (App. Control) Use the Scan Explorer to scan target computers, build lists of authorized executable, script, and macro files, view scan results for computers that the administrator has write permission in the Active Directory, and create new scan templates. Application Control
Endpoint Maintenance

Create tickets to update, delete, and install clients.

Application Control; Device Control
Scheduled Reports Generate custom reports at pre-scheduled intervals between start and end dates. Application Control; Device Control
Synchronize Computer An Administrator can only synchronize computers, not domains.

Only an Enterprise Administrator can synchronize domains and computers.

Application Control; Device Control

Related Tasks: