Defining User Access
The Management Console can only be accessed by authorized network administrators.
To control user access to the Management Console, you can define two types of administrators:
- An Enterprise Administrator has full access to all management functions.
Initially, any member of the Windows Administrators group for an Application Server has the privileges of an Enterprise Administrator. After an Enterprise Administrator is designated, administrative privileges are automatically restricted for the members of the local Administrators group.
- An Administrator has restricted access to Management Console functions as defined by the Enterprise Administrator.
An Enterprise Administrator can delegate administrative rights to other administrators using Active Directory Organizational Units. These rights are described in the following table.

Administrative Rights | Administrator Type | Limitations | Ivanti Device and Application Control Application |
---|---|---|---|
View all device permissions and file authorizations | All Ivanti Device and Application Control administrators | NA | Application Control; Device Control |
Modify file authorizations | Enterprise Administrators | NA | Application Control |
Modify global-level device permissions | Enterprise Administrators | NA | Device Control |
Modify global-level device permissions | Members of the Settings (Device Control) role | Only users the administrator is allowed to manage | Device Control |
Modify computer-level device permissions | Enterprise Administrators | NA | Device Control |
Modify computer-level device permissions | Members of the Settings (Device Control) role | Only for the computers that the administrator is allowed to manage | Device Control |
Modify computer-group device permissions | Enterprise Administrators | NA | Device Control |
Modify computer-group device permissions | Members of the Settings (Device Control) role | Only if the administrator is allowed to manage all the computers in the computer group for all accounts | Device Control |
Manage built-in accounts (Everyone, LocalSystem, and so forth) | Enterprise Administrators | NA | Application Control; Device Control |

Initially, any administrator with password access to an Application Server and the Management Console can use the Management Console.
Before using Ivanti Device and Application Control, Ivanti recommends setting up administrators who have access to the Management Console. You can assign different roles to administrators, but you must define at least one Enterprise Administrator.
The following rules apply to administrative user roles:
- You must always designate one Enterprise Administrator before you modify the list of administrators.
- All Application Servers share the same database, so some administrative rights set for an administrator can be used for other Application Servers.
- Local computer users cannot manage the Management Console, even if assigned as an Enterprise Administrator, because they cannot connect to an Application Server.

- Assigning Administrators
  You assign administrator access rights using the User Access tool.
- Defining Administrator Roles
  An Administrator has restricted access to the Management Console and can be assigned various administrative roles by an Enterprise Administrator.
- Assigning Administrator Roles
  After defining Administrator roles, you use the User Access tool to assign the defined roles to Administrators.