Managing roles

Use the Administration > User management > Roles tree to define and maintain administrative roles and their associated console rights. Console rights are based on Endpoint Manager features. For example, you can create a help desk role and give it the remote control right.

You can add as many additional roles as you need. New roles aren't automatically assigned to any users or groups. Once you create a role, you associate it with a user or group in the Group Permissions tree.

Since you can assign multiple roles to users or groups, decide how you want to assign rights. You can either assign rights based on a job description, such as "help desk," or you can assign rights based on console feature, like "remote control." Depending on the number and variety of console users your organization may have, one way may work better than the other.

You can assign multiple roles to a user or Active Directory group. If there are conflicting rights among the selected roles, the group permission consists of the sum of the combined roles and scopes. For example, if one included role allows remote control and another included role denies it, the resulting group permission will allow remote control. You can see the effective rights for a user or group by opening the properties for it and viewing the Effective rights page.
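The additive merge described above can be checked before roles are combined. The following is an added example, not Ivanti code: it models the rule on constructed data and lists every denied right that another assigned role silently re-enables. The role names, right names, account names and the allow/deny encoding are assumptions for illustration, scopes are left out, and no Endpoint Manager API is called.

```python
# Added example on constructed data; names and the ALLOW/DENY encoding are
# assumptions for illustration, not Endpoint Manager identifiers.
ALLOW, DENY = "allow", "deny"

# Constructed sample roles: right -> setting within that role.
ROLES = {
    "Help desk": {"remote control": ALLOW, "software distribution": DENY},
    "Auditor": {"remote control": DENY, "reports": ALLOW},
    "Patch operator": {"software distribution": ALLOW},
}

# Constructed sample assignments: user or group -> roles assigned to it.
ASSIGNMENTS = {
    "CORP\\HelpDeskTier1": ["Help desk", "Auditor"],
    "CORP\\jsmith": ["Auditor"],
    "CORP\\PatchTeam": ["Help desk", "Patch operator"],
}


def effective_rights(role_names, roles=ROLES):
    """Merge roles additively: a right is allowed if ANY role allows it."""
    merged = {}
    for name in role_names:
        for right, setting in roles[name].items():
            if setting == ALLOW or right not in merged:
                merged[right] = setting
    return merged


def overridden_denies(role_names, roles=ROLES):
    """Return (right, denying_role, allowing_roles) where a deny is outvoted."""
    findings = []
    for name in role_names:
        for right, setting in roles[name].items():
            if setting != DENY:
                continue
            allowing = sorted(r for r in role_names
                              if roles[r].get(right) == ALLOW)
            if allowing:
                findings.append((right, name, allowing))
    return sorted(findings)


if __name__ == "__main__":
    for principal, assigned in ASSIGNMENTS.items():
        print(principal, effective_rights(assigned))
        for finding in overridden_denies(assigned):
            print("  review, deny overridden:", finding)
```

Any finding it reports is a combination where a role intended to restrict a right has no effect, which is worth confirming on the Effective rights page for that user or group.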

Generally, you should avoid assigning a role to the default local groups: LANDesk Management Suite and LANDesk Administrators. Assigning a role to a group affects everyone in the group. Since all console users must be a member of one of these three groups, you could unintentionally restrict everyone's access to console features. The LANDesk Administrators group already has a default role of Administrator, which you can't restrict further.

Changes to a logged-in user's rights won't take effect until the next time they log in.

For more information on what the individual RBA rights do and don't allow, see this article on the Ivanti Community.