Role-based administration overview

Ivanti® Endpoint Manager lets you manage console users with an extensive set of role-based administration features. You can:

  • Assign granular feature-based group permissions
  • Easily assign permissions to multiple users through local or LDAP user groups
  • Synchronize console user configurations across multiple core servers

You can create roles based on user responsibilities, the management tasks you want them to be able to perform, and the devices you want them to be able to see, access, and manage. Access to devices can be restricted to a geographic location like a country, region, state, city or even a single office or department. Access can also be restricted to a particular device platform, processor type, or some other device hardware or software attribute. With role-based administration, it's completely up to you how many different roles you want to create, which users can act in those roles, and how large or small their device access scope should be. For example, you can have one or more users whose role is software distribution manager, another user who is responsible for remote control operations, a user who runs reports, and so on.

If you don't have many console users or you don't want to limit the console users that you do have, you can bypass role-based administration entirely and just add users to the core server's local LANDESK Administrators group. Members of this group have full access to the console and can manage all devices. By default, the account used to install Endpoint Manager is placed into the LANDESK Administrators group.

Role-based administration is flexible enough to let you create as many custom roles as you need. You can assign the same few permissions to different users but restrict their access to a limited set of devices with a narrow scope. Even an administrator can be restricted by scope, essentially making them an administrator over a specific geographic region or type of managed device. How you take advantage of role-based administration depends on your network and staffing resources, as well as your particular needs.

NOTE: If you've upgraded from Endpoint Manager 8, setup creates a log file called ..\LANDesk\Management Suite\RBAUpgradeReport.txt. This file has information to help you map 8.x roles to 9.x.

The following is the basic process for using role-based administration:

  1. Create roles for console users.
  2. Use the Windows Local Users and Groups tool to add console users to the appropriate Windows LANDESK groups.
  3. Create authentications for each Active Directory you will be using to designate console users.
  4. Optionally use scopes to limit the list of devices that console users can manage.
  5. Optionally use teams to further categorize console users.
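
Because members of the local LANDESK Administrators group have full console access and can manage all devices, it is worth reviewing who sits in the Windows LANDESK groups after step 2. The PowerShell below is an added example, not Ivanti's own tooling, meant to be run on the core server. The approved-account list and the function name Get-LandeskGroupAudit are hypothetical, and the LANDESK* wildcard assumes the product's local groups share that prefix.

```powershell
# Added example: audit the core server's local LANDESK groups.
# Constructed sample values; replace with the accounts you have approved.
$ApprovedAdmins = @(
    'CORE01\epm-install',     # constructed: account used to install the product
    'EXAMPLE\EPM-Admins'      # constructed: directory group of approved admins
)

function Get-LandeskGroupAudit {
    param(
        [string[]]$Approved,
        [string]$AdminGroup = 'LANDESK Administrators'   # group named on this page
    )
    # Assumption: every relevant local group name starts with "LANDESK".
    foreach ($group in Get-LocalGroup -Name 'LANDESK*') {
        try {
            $members = Get-LocalGroupMember -Group $group.Name -ErrorAction Stop
        } catch {
            # Orphaned SIDs of deleted accounts can make the cmdlet fail;
            # report the group as unreadable instead of silently skipping it.
            Write-Warning "Could not enumerate '$($group.Name)': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $inAdminGroup = $group.Name -eq $AdminGroup
            [pscustomobject]@{
                Group       = $group.Name
                Member      = $m.Name
                Source      = $m.PrincipalSource   # Local or ActiveDirectory
                # A nested group widens access to everyone inside it.
                NestedGroup = $m.ObjectClass -eq 'Group'
                FullAccess  = $inAdminGroup
                Unapproved  = $inAdminGroup -and ($Approved -notcontains $m.Name)
            }
        }
    }
}

$audit = @(Get-LandeskGroupAudit -Approved $ApprovedAdmins)
$audit | Sort-Object Group, Member | Format-Table -AutoSize

$unexpected = @($audit | Where-Object { $_.Unapproved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unapproved member(s) hold full console access:"
    $unexpected | ForEach-Object { Write-Warning "  $($_.Member)" }
}
```

Rows with NestedGroup set to True need their directory membership reviewed separately, since the script lists the group itself and not the users inside it.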