Managing roles
Use the Administration > User management > Roles tree to define and maintain administrative roles and their associated console rights. Console rights are based on Endpoint Manager features. For example, you can create a help desk role and give it the remote control right.
You can add as many additional roles as you need. New roles aren't automatically assigned to any users or groups. Once you create a role, you associate it with a user or group in the Group Permissions tree.
Since you can assign multiple roles to users or groups, decide how you want to assign rights. You can either assign rights based on a job description, such as "help desk," or you can assign rights based on console feature, like "remote control." Depending on the number and variety of console users your organization may have, one way may work better than the other.
You can assign multiple roles to a user or Active Directory group. If there are conflicting rights among the selected roles, the group permission consists of the sum of the combined roles and scopes. For example, if one included role allows remote control and another included role denies it, the resulting group permission will allow remote control. You can see the effective rights for a user or group by opening the properties for it and viewing the Effective rights page.
Generally, you should avoid assigning a role to the default local groups: LANDesk Management Suite and LANDesk Administrators. Assigning a role to a group affects everyone in the group. Since all console users must be a member of one of these three groups, you could unintentionally restrict everyone's access to console features. The LANDesk Administrators group already has a default role of Administrator, which you can't restrict further.
Changes to a logged-in user's rights won't take effect until the next time they log in.
For more information on what the individual RBA rights do and don't allow, see this article on the Ivanti Community.
There are a number of default roles under the Roles tree. You can edit or delete any of these default roles, except for Ivanti Administrator.
- Agent Settings
- Auditing Configuration
- Auditor
- Data Analytics Administrators
- Diagnostics
- Discovery
- Environment Manager
- Inspector Viewer
- IT Help Desk
- LANDesk Administrator
- Mobile Device Management
- Patch Management
- Power Management
- Provisioning
- Security
- Software Distribution
- Software Licensing
IMPORTANT: LANDesk Administrators have full rights
LANDesk Administrators have full rights to all scopes and rights. They also have full access to the Users tool and can make any changes they want. Additionally, only users with the Administrator right can configure Ivanti services running on the core.
There are four types of rights a user can have:
- View: Allows users to access a console tool.
- Edit: Allows users to make changes in the associated console tool. Includes the view right.
- Deploy: Allows users to create, modify, or delete any scheduled tasks associated with that console tool.
- Edit public: Allows users to create, modify, or delete items in a console tool's Public folder.
Not all rights support all types. For example, the "Public query management" right can only have the "Edit public" type. It wouldn't make sense to also have the "View," "Edit," or "Deploy" types.
There are three states a right can have:
- A checkmark:
- An X:
- A not applicable symbol:
Clicking on a checkmark or an X will toggle its state.
If users have no rights for a tool, they won't see the tool when they log into the console. The tool won't appear in the Toolbox or in the Tools menu.
The Scheduled tasks tool is only visible to users who have a "Deploy" right, and in that case, they can only work with tasks associated with the tool they have deploy rights for. All other tasks are read-only.
A tool's Public group is visible to all users. Items in the public group are read-only, unless you have the "Edit public" right. Users that have "Edit public" rights on a feature can only edit public items for that feature. Other public items will be read-only. Read-only items are still useful, since users can copy those items to the "My ..." tree group and edit them there.
The Scheduled tasks tool's Public group works slightly differently. All tasks in the Public group are visible to users with a "deploy" right, including tasks for features users may not have access to. However, only tasks that users have a "Deploy" right for are editable. The rest are read-only.
If you have "Edit Public" and "Deploy" right types, you can create new tasks in the Public group as well as add/remove tasks from it.
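The following Python sketch is an added example, not Ivanti code or an Ivanti API. It models the rule stated earlier that combined roles are summed, so an X in one role does not remove a right another role grants, along with the tool-visibility rules above. The role names, tool names, and data layout are constructed for illustration.

```python
# Added illustration: a model of the union semantics described on this page.
# Role names, tool names and the data layout are constructed, not Ivanti's.

# tool -> right type -> True (checkmark) / False (X).
# A right type that is absent stands for "not applicable".
ROLES = {
    "Help desk": {"Remote control": {"View": True, "Edit": True},
                  "Software distribution": {"View": True, "Deploy": False}},
    "Restricted": {"Remote control": {"View": False, "Edit": False}},
    "Patch operator": {"Patch management": {"View": True, "Deploy": True}},
}

def effective_rights(role_names, roles=ROLES):
    """Sum of all roles: a right granted by any role is granted."""
    granted = {}
    for name in role_names:
        for tool, types in roles[name].items():
            for rtype, allowed in types.items():
                if allowed:
                    granted.setdefault(tool, set()).add(rtype)
    for types in granted.values():
        if "Edit" in types:  # Edit includes the View right
            types.add("View")
    return granted

def overridden_denials(role_names, roles=ROLES):
    """Rights that one role marks with an X but another role grants anyway."""
    eff = effective_rights(role_names, roles)
    found = []
    for name in role_names:
        for tool, types in roles[name].items():
            for rtype, allowed in types.items():
                if not allowed and rtype in eff.get(tool, set()):
                    found.append((name, tool, rtype))
    return sorted(found)

def visible_tools(role_names, roles=ROLES):
    """Tools with at least one right; Scheduled tasks needs a Deploy right."""
    eff = effective_rights(role_names, roles)
    tools = set(eff)
    if any("Deploy" in types for types in eff.values()):
        tools.add("Scheduled tasks")
    return sorted(tools)
```

Running `overridden_denials` over each user's or group's role list before assigning a role shows where an intended restriction will have no effect, which is the same result the Effective rights page reports afterwards.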
Use roles to define and maintain administrative roles and their associated console rights.
To create and assign a role
- In the User management tool, right-click Roles and click New role.
- In the Role properties dialog box, enter a role Name.
- Enable or disable the rights you want by clicking on the symbol in the appropriate column. Each click toggles the right's state.
- In the tree click Users and groups and select the users and groups that will have the new role.
To assign an existing role to users and groups
- In the User management tool, right-click Roles and click Properties. You can also double-click a role to edit its properties.
- On the Users and groups page, select the groups you want to have that role.
- Click OK.