Ivanti Automation powered by RES

Home 

Multiple administrative roles

At Administration > Security, you can manage access to the functionality in the Console. Because any set of changes to the IT environment of your organization can be delivered from the Console, it is important to prevent unauthorized access, in order to prevent that these changes lead to unexpected and undesired results.

You can assign a login account to multiple administrative roles. If so, the permissions of all assigned administrative roles are added up, in which Modify takes precedence over Read, and Read takes precedence over Deny.

Example 1

Suppose 3 administrative roles have been assigned to a login account:

Administrative role 1

Topology node

Read

Library node

Modify

Jobs node

Deny

Administrative role 2

Topology node

Deny

Library node

Read

Jobs node

Read

Administrative role 3

Topology node

Deny

Library node

Modify

Jobs node

Modify

Result

Topology node

Read

Library node

Modify

Jobs node

Modify

Example 2

You may have configured a Module that contains a Task Create Local User, which uses parameters for the logon name, full name and password of the user. If you then create an administrative role with Read access to the Topology nodes and the Library nodes, and Modify access to the Jobs nodes, any user with the administrative role will be able to schedule the Module in a Job and provide values for all parameters, but cannot edit the Module itself.

Example 3

You may have configured a Module that contains a Task Change Service Parameters that restarts a print spooler. If you then create an administrative role with Read access to this Module, and Modify access to the Jobs nodes, any user with the administrative role will only be able to schedule the Module in a Job, but no other Modules.


Was this article useful?    

The topic was:

Inaccurate

Incomplete

Not what I expected

Other