Role-based administration overview
Ivanti® Endpoint Manager lets you manage console users with an extensive set of role-based administration features. You can:
- Assign granular feature-based group permissions
- Easily assign permissions to multiple users through local or LDAP user groups
- Synchronize console user configurations across multiple core servers
You can create roles based on user responsibilities, the management tasks you want them to be able to perform, and the devices you want them to be able to see, access, and manage. Access to devices can be restricted to a geographic location like a country, region, state, city or even a single office or department. Or, access can be restricted to a particular device platform, processor type, or some other device hardware or software attribute. With role-based administration, it's completely up to you how many different roles you want to create, which users can act in those roles, and how large or small their device access scope should be. For example, you can have one or more users whose role is software distribution manager, another user who is responsible for remote control operations, a user who runs reports, and so on.
If you don't have many console users or you don't want to limit the console users that you do have, you can bypass role-based administration entirely and just add users to the core server's local LANDESK Administrators group. Members of this group have full access to the console and can manage all devices. By default, the account used to install Endpoint Manager is placed into the LANDESK Administrators group.
Role-based administration is flexible enough to let you create as many custom roles as you need. You can assign the same few permissions to different users but restrict their access to a limited set of devices with a narrow scope. Even an administrator can be restricted by scope, essentially making them an administrator over a specific geographic region or type of managed device. How you take advantage of role-based administration depends on your network and staffing resources, as well as your particular needs.
NOTE: If you've upgraded from Endpoint Manager 8, setup creates a log file called ..\LANDesk\Management Suite\RBAUpgradeReport.txt. This file has information to help you map 8.x roles to 9.x.
The following is the basic process for using role-based administration:
- Create roles for console users.
- Use the Windows Local Users and Groups tool to add console users to the appropriate Windows LANDESK groups.
- Create authentications for each Active Directory you will be using to designate console users.
- Optionally use scopes to limit the list of devices that console users can manage.
- Optionally use teams to further categorize console users.
Endpoint Manager users can log in to the console and perform specific tasks for specific devices on the network. The user that is logged in to the server during Endpoint Manager installation is automatically placed into the Windows LANDesk Administrators user group, which gives them full administrator permissions. This individual is responsible for adding additional groups of users to the console and assigning permissions and scopes. Once other administrators have been created, they can perform the same administrative tasks.
Endpoint Manager setup creates several local Windows groups on the core server. These groups control file system permissions to the Endpoint Manager and Security program folders on the core server. You must manually add console users to one of these local Windows groups:
- LANDesk Management Suite: This group allows basic core access. The Endpoint Manager folders are read-only. Users in this group can't write to the scripts directory, so they won't be able to manage scripts. Patching vulnerabilities and OS provisioning won't work correctly for users in this group because both those features use scripts.
- LANDesk Administrators: This is the failsafe group for console access. Anyone in this group has full rights in the console, including script writing. By default, the user account that installed Endpoint Manager is added to this group. If you don't have many console users or you don't want to limit the console users that you do have, you can bypass role-based administration entirely and just add users to this group.
When adding full administrators to the console, you can either add them to the core server's local LANDesk Administrators group or you can add them to a different group that has the LANDesk "Administrator" right. The only difference is that users in the Windows LANDesk Administrators group can't be deleted from the console until they are removed from the LANDesk Administrators group.
The Users tool's Users and groups tree shows the list of authorized console users. You can see the last time a console user logged in, their group, role, scope, remote control time restriction status, and team. You can also use this tree to see if users are in the LANDesk local Windows groups. Users won't be able to log in until you've added them to one of the LANDesk groups described in this section.
Users are stored in the database by unique security IDs (SIDs). If a user's active directory account name changes, for example if they got married, their SID should remain the same and their Endpoint Manager permissions will still apply.
IMPORTANT: Additional consoles and the core server must be members of the same domain or workgroup. Console users won't be able to authenticate with a core server that is in a different domain or workgroup.
To add users to a LANDesk group from the Windows Computer Management dialog box
- Navigate to the server's Administrative Tools > Computer Management > Local Users and Groups > Groups utility.
- Right-click the LANDesk group you want, and then click Add to group.
- In the group's Properties dialog box, click Add.
- In the Select the users and groups dialog box, select the desired users (and groups) from the list and click Add.
- Click OK.
To add a Endpoint Manager console user or group
- Click Tools > Administration > User management.
- In the Users and groups tree, right-click the authentication source containing the user or group you want, and click New user or group.
- In the authentication source directory, select the user or group you want to add and click Add. If you want to select individual users within a group, right-click the group and click Select users to add. You can then select the users you want and click Add selected users.
- In the dialog box reminding you to manually add the user or group you selected to the appropriate local LANDesk Windows group, click OK.
- Click Close.
- If you haven't already, use the Windows Local Users and Groups tool to add the new user or group to the appropriate local LANDesk Windows group as described earlier in this section.
- Assign roles and scopes to the new user or group.
You can also use the Users management tree to delete console users or groups. When you delete a user or group, you'll be prompted to decide how you want to handle console items they are the owners of, such as queries, scheduled tasks, and so on. You can either have the console automatically delete any items they own or you can have the console reassign items they own to another user or group that you select. Note that deleting a user or group only deletes that user or group from the Endpoint Manager user database. You'll need to also manually remove the user or group from local LANDesk Windows groups they are members of. If you don't do this, the deleted user will still be able to log into the console.
To delete a console user
- Click Tools > Administration > User management.
- In the Users management tree, click Users and groups.
- Select the user or group you want to delete and press the Delete key.
- If you want to delete objects associated with the user, click OK.
- If you want to reassign objects associated with the console user, select Assign objects to the following user/group or team and click the user, group, or team you want to receive the objects and click OK.
- Remove the user from the local LANDesk Windows group or Active Directory group that gives them console access.
In the Administration > Users management tree, you can right-click a user or group in the right pane and click Properties. This properties dialog box shows all the properties and effective rights for that user. The properties dialog box has the following pages:
- Summary: Summarizes that user's/group's roles, scopes, teams, group membership, and effective rights.
- Effective rights: Shows a more detailed view of the user's/group's effective rights.
- Roles: Shows explicit and inherited roles. You can select which explicit roles apply to that user or group.
- Scopes: Shows explicit and inherited scopes. You can select which explicit scopes apply to that user or group.
- Teams: Shows explicit and inherited teams. You can select which explicit teams apply to that user or group.
- RC time restrictions: Allows you to apply and modify RC time restrictions. For more information, see Using remote control time restrictions.
- Group membership: Shows which groups that user is a member of.
- Group members: Shows the members of a group if a group is selected. Shows the group a user is a member of if a user is selected.
If you make changes to the editable pages, you need to click OK to apply them. You can then re-open the properties dialog box if necessary.