Defining User Access

The Management Console can only be accessed by authorized network administrators.

To control user access to the Management Console, you can define two types of administrators:

  • An Enterprise Administrator has full access to all management functions.

    Initially, any member of the Windows Administrators group for an Application Server has the privileges of an Enterprise Administrator. After an Enterprise Administrator is designated, administrative privileges are automatically restricted for the members of the local Administrators group.

  • An Administrator has restricted access to Management Console functions as defined by the Enterprise Administrator.

An Enterprise Administrator can delegate administrative rights to other administrators using Active Directory Organizational Units. These rights are described in the following table.

| Administrative Rights | Administrator Type | Limitations | Ivanti Device and Application Control Application |
|---|---|---|---|
| View all device permissions and file authorizations | All Ivanti Device and Application Control administrators | NA | Application Control; Device Control |
| Modify file authorizations | Enterprise Administrators | NA | Application Control |
| Modify global-level device permissions | Enterprise Administrators | NA | Device Control |
| Modify global-level device permissions | Members of the Settings (Device Control) role | Only users the administrator is allowed to manage | Device Control |
| Modify computer-level device permissions | Enterprise Administrators | NA | Device Control |
| Modify computer-level device permissions | Members of the Settings (Device Control) role | Only for the computers that the administrator is allowed to manage | Device Control |
| Modify computer-group device permissions | Enterprise Administrators | NA | Device Control |
| Modify computer-group device permissions | Members of the Settings (Device Control) role | Only if the administrator is allowed to manage all the computers in the computer group for all accounts | Device Control |
| Manage built-in accounts (Everyone, LocalSystem, and so forth) | Enterprise Administrators | NA | Application Control; Device Control |

Initially, any administrator with password access to an Application Server and the Management Console can use the Management Console.

Before using Ivanti Device and Application Control, Ivanti recommends setting up administrators who have access to the Management Console. You can assign different roles to administrators, but you must define at least one Enterprise Administrator.

The following rules apply to administrative user roles:

  • You must always designate one Enterprise Administrator before you modify the list of administrators.

  • All Application Servers share the same database, so some administrative rights set for an administrator can be used for other Application Servers.

  • Local computer users cannot manage the Management Console, even if assigned as an Enterprise Administrator, because they cannot connect to an Application Server.

  • Assigning Administrators
    You assign administrator access rights using the User Access tool.
  • Defining Administrator Roles
    An Administrator has restricted access to the Management Console and can be assigned various administrative roles by an Enterprise Administrator.
  • Assigning Administrator Roles
    After defining Administrator roles, you use the User Access tool to assign the defined roles to Administrators.
