Creating scopes
A scope defines the devices that can be viewed and managed by an Endpoint Manager and Security user.
A scope can be as large or small as you want, encompassing all of the managed devices scanned into a core database, or possibly just a single device. This flexibility, combined with modularized tool access, is what makes role-based administration such a versatile management feature.
Endpoint Manager and Security role-based administration includes one default scope: "All machines." This scope includes all managed devices in the database. You can't edit or remove the default scope.
To create a scope:
- Click Tools > Administration > User Management.
- Right-click Scopes and click New Scope.
- In the Scope Properties dialog box, enter a name for the new scope.
- Specify the type of scope you want to create (LDMS query, LDAP or custom directory, or device group) by clicking a scope type from the drop-down list, and then clicking New.
- If you're creating an LDMS query-based scope, define the query in the New scope query dialog box, and then click OK.
- If you're creating a directory-based scope, select locations (LDAP directory and/or custom directory) from the Select visible devices list (you can browse the directory by clicking Browse directories), and then click OK.
Click on the plus (+) and minus (-) signs to expand and collapse nodes in the directory tree. All nodes under a selected parent node will be included in the scope.
LDAP directory locations are determined by a device's directory service location. Custom directory locations are determined by a device's computer location attribute in the inventory database. This attribute is defined during device agent configuration.
- If you're creating a device group-based scope, select a group from the available device group list, and then click OK.
- Click OK again to save the scope and close the dialog box.
To create a scope based on an existing query:
- Right-click Scopes and click New scope from query.
- Select the query you want and click OK.
- A copy of the query is made, and a new scope appears in the tree with a name based on the source query name.
NOTE: You can quickly create a scope from an existing query by dragging a query from the Network view and dropping it onto the scopes tree.
NOTE: Scopes use a copy of the query they are based on. Changes to the source query in the Network view won't affect existing scopes.
There are three types of custom scopes you can create and assign to users:
- LDMS query: Controls access to only those devices that match a custom query search. You can select an existing query or create new queries from the Scope properties dialog box to define a scope. Note that you can also copy queries from the Queries groups in the network view directly into the Scopes group. For more information on creating queries, see Database queries.
- LDAP: Controls access to only those devices gathered by the inventory scanner that are located in an LDAP-compliant directory structure. Select directory locations from the Select visible devices dialog box to define a scope. This directory-based scope type also supports custom directory locations (if you've entered custom directory paths as part of an agent configuration). Available custom directory paths appear in the Select visible devices dialog box. Use custom directories to define a scope if you don't have an LDAP-compliant structure, or if you want to be able to restrict access to devices by a specific organizational detail such as geographic location or department.
- Device group: Controls access to only those devices that belong to a specific device group in the network view.
An Endpoint Manager user can be assigned one or more scopes at a time. Additionally, a scope can be associated with multiple users.
When multiple scopes are assigned to a user, the user has rights to all computers in all assigned scopes. The cumulative list of computers in all assigned scopes is the user's effective scope.
A user’s effective scope can be customized by adding and removing scopes at any time. Multiple scopes and scope types can be used together.
A user’s rights and scopes can be modified at any time. If you modify a user’s rights or scopes, those changes take effect the next time that user logs in to the console or when a console administrator clicks the Refresh scope toolbar button at the top of the console window.
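The following is an added example for access reviews, not code from the product or its documentation. It models the three scope types and the cumulative effective scope described above, so you can check which users end up able to manage a given device. The `/`-separated directory paths and all device, scope, and user names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    directory: str                     # assumed "/"-separated directory location
    groups: frozenset = frozenset()    # device groups the device belongs to
    os: str = ""

def query_scope(predicate):
    """LDMS query scope: devices that match the query."""
    return predicate

def directory_scope(*parents):
    """Directory scope: a selected parent node includes every node under it."""
    return lambda d: any(d.directory == p or d.directory.startswith(p + "/")
                         for p in parents)

def group_scope(group):
    """Device group scope: devices that belong to the group."""
    return lambda d: group in d.groups

def effective_scope(user, assignments, scopes, devices):
    """Cumulative set of devices across all scopes assigned to the user."""
    assigned = [scopes[name] for name in assignments.get(user, ())]
    return {d.name for d in devices if any(match(d) for match in assigned)}

def who_can_manage(device_name, assignments, scopes, devices):
    """Access-review helper: users whose effective scope contains the device."""
    return sorted(u for u in assignments
                  if device_name in effective_scope(u, assignments, scopes, devices))

# Constructed sample inventory, scopes and assignments (not real data).
DEVICES = [
    Device("fin-db01", "corp/emea/finance", frozenset({"Servers"}), "Windows Server"),
    Device("fin-lt07", "corp/emea/finance", frozenset(), "Windows 11"),
    Device("hr-lt02", "corp/emea/hr", frozenset(), "Windows 11"),
    Device("us-web01", "corp/us/it", frozenset({"Servers"}), "Linux"),
]
SCOPES = {
    "All machines": lambda d: True,    # the default scope
    "EMEA directory": directory_scope("corp/emea"),
    "Servers group": group_scope("Servers"),
    "Windows 11 query": query_scope(lambda d: d.os == "Windows 11"),
}
ASSIGNMENTS = {"helpdesk": ["Windows 11 query"],
               "emea-admin": ["EMEA directory", "Servers group"],
               "root-admin": ["All machines"]}
```

In this sample, the `emea-admin` user can manage `us-web01` because the group-based scope widens the directory-based one: the effective scope is a union, never an intersection.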