Defining User Access
The Management Console can only be accessed by authorized network administrators.
To control user access to the Management Console, you can define two types of Ivanti Device and Application Control administrators:
- An Ivanti Device and Application Control Enterprise Administrator has full access to all management functions.
  Initially, any member of the Windows Administrators group for an Application Server has the privileges of an Enterprise Administrator. After an Enterprise Administrator is designated, administrative privileges are automatically restricted for the members of the local Administrator group.
- An Ivanti Device and Application Control Administrator has restricted access to Management Console functions as defined by the Enterprise Administrator.
An Ivanti Device and Application Control Enterprise Administrator can delegate administrative rights to other administrators using Active Directory Organizational Units. These rights are described in the following table.
Administrative Rights | Administrator Type | Limitations | Ivanti Device and Application Control Application |
---|---|---|---|
View all device permissions and file authorizations | All Ivanti Device and Application Control Administrators | NA | Application Control; Device Control |
Modify file authorizations | Enterprise Administrators | NA | Application Control |
Modify global-level device permissions | Enterprise Administrators | NA | Device Control |
Modify global-level device permissions | Members of the Settings (Device Control) role | Only users the administrator is allowed to manage | Device Control |
Modify computer-level device permissions | Enterprise Administrators | NA | Device Control |
Modify computer-level device permissions | Members of the Settings (Device Control) role | Only for the computers that the administrator is allowed to manage | Device Control |
Modify computer-group device permissions | Enterprise Administrators | NA | Device Control |
Modify computer-group device permissions | Members of the Settings (Device Control) role | Only for an administrator allowed to manage all the computers in the computer group for all accounts | Device Control |
Manage built-in accounts (Everyone, LocalSystem, and so forth) | Enterprise Administrators | NA | Application Control; Device Control |
Initially, any administrator with password access to an Application Server and the Management Console can use the Management Console.
Before using Ivanti Device and Application Control, Ivanti recommends setting up Ivanti Device and Application Control administrators who have access to the Management Console. You can assign different roles to administrators, but you must define at least one Enterprise Administrator.
The following rules apply to administrative user roles:
- You must always designate one Enterprise Administrator before you modify the list of administrators.
- All Application Servers share the same database, so some administrative rights set for an Ivanti Device and Application Control administrator can be used for other Application Servers.
- Local computer users cannot manage the Management Console even if assigned as an Enterprise Administrator, because they cannot connect to an Application Server.
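Because every member of an Application Server's Windows Administrators group starts with Enterprise Administrator privileges, it is worth reviewing that group before designating the first Enterprise Administrator. The following PowerShell is an added example, not part of the Ivanti documentation or product; the function name `Get-InitialEnterpriseAdminCandidate` is hypothetical, and the script assumes it is run in an elevated session on the Application Server itself.

```powershell
# Added example: review who holds initial Enterprise Administrator privileges.
# Assumption: run locally, elevated, on the Application Server.
# Note: PrincipalSource is only populated on Windows 10 / Windows Server 2016
# and later; on older systems the Source column is empty.

function Get-InitialEnterpriseAdminCandidate {
    [CmdletBinding()]
    param()

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. Using the
    # SID instead of the name keeps the script working on localized systems.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $isLocal = $member.PrincipalSource -eq 'Local'

        [pscustomobject]@{
            Name        = $member.Name
            ObjectClass = $member.ObjectClass      # User or Group
            Source      = $member.PrincipalSource  # Local, ActiveDirectory, ...
            Sid         = $member.SID.Value
            Note        = if ($isLocal) {
                # Per the rules above, local users cannot manage the console.
                'Local account: cannot connect to an Application Server'
            } elseif ($member.ObjectClass -eq 'Group') {
                'Group: all of its members share the initial privileges'
            } else {
                'Domain account: initial Enterprise Administrator privileges'
            }
        }
    }
}

$candidates = @(Get-InitialEnterpriseAdminCandidate)
$candidates | Sort-Object Source, Name | Format-Table -AutoSize -Wrap

# Group members are not expanded here; nested membership has to be reviewed
# in Active Directory before deciding who should remain in this group.
$groups = @($candidates | Where-Object { $_.ObjectClass -eq 'Group' })
if ($groups.Count -gt 0) {
    Write-Warning ("{0} group(s) in local Administrators; review their members: {1}" -f
        $groups.Count, ($groups.Name -join ', '))
}
```

Running it again after an Enterprise Administrator has been designated gives a before-and-after record of the local group for change documentation.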
- Assigning Administrators
  You assign administrator access rights using the User Access tool.
- Defining Administrator Roles
  An Administrator has restricted access to the Management Console and can be assigned various administrative roles by an Enterprise Administrator.
- Assigning Administrator Roles
  After defining Administrator roles, you use the User Access tool to assign the defined roles to Administrators.
Related Information:
- Synchronizing Domains
- Database Clean Up
- Defining Default Options
- Managing Path Rules
- Defining Spread Check
- Sending File Authorization Updates to Computers
- Working with Standard File Definitions
- Exporting File Authorization Settings
- Working with Endpoint Maintenance
- CPA Compliance Mode Configuration Window