Administrative roles
At Administration > Security, you can manage access to the functionality in the Console. Because any set of changes to the IT environment of your organization can be delivered from the Console, it is important to prevent unauthorized access, so that such changes do not lead to unexpected and undesired results.
When you have configured one or more login accounts, you can configure administrative roles.
- Open the login account, select the Administrative Roles tab and click Add. The Select Administrative Roles window opens.
- Select one or more administrative roles and click OK.
- The access permissions of an administrative role define the level of access that a Console user has to the various parts of the Console.
- The permissions on Trusts of an administrative role define the level at which a Console user is allowed to manage Trusts.
Configuration
- Ivanti Automation contains a default administrative role: Full Access. This administrative role grants Modify access to all Console items and Modify permissions for Trusts on Team folders, Teams, Agents, Resource folders, Resources, Module folders and Modules. It is not possible to make changes to this default administrative role or to delete it. To avoid accidental lockout of the Console, the first login account that you create is automatically assigned to this Full Access administrative role.
- By assigning a particular administrative role to a login account, you can grant a user permissions to perform particular tasks with Ivanti Automation. You can assign multiple administrative roles to a login account: the overall permissions that a user has are determined by adding up the permissions of all assigned administrative roles.
Secure delegation
Administrative roles allow you to delegate control over the configuration and execution of Tasks, so that users with a specific administrative role can schedule a Job, but cannot change the configuration of the Task itself.
Example 1
You may have configured a Module that contains a Task Create Local User, which uses parameters for the logon name, full name and password of the user. If you then create an administrative role with Read access to the Topology nodes and the Library nodes, and Modify access to the Jobs nodes, any user with this administrative role will be able to schedule the Module in a Job and provide values for all parameters, but cannot edit the Module itself.
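Because the permissions of all assigned roles are added up, a second role on the same login account can lift Library access to Modify and undo this delegation. The audit sketch below is an added example, not Ivanti code: it assumes "adding up" means the highest level per node wins, and the role names, account names and the `NONE` level are constructed for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0    # assumed name for "no access"; the page names only Read and Modify
    READ = 1
    MODIFY = 2

# Constructed roles: "Job Scheduler" mirrors Example 1, "Library Editor" is hypothetical.
ROLES = {
    "Job Scheduler": {"Topology": Access.READ, "Library": Access.READ, "Jobs": Access.MODIFY},
    "Library Editor": {"Library": Access.MODIFY},
}

# Constructed login accounts and the roles assigned to them.
ACCOUNTS = {
    "helpdesk01": ["Job Scheduler"],
    "helpdesk02": ["Job Scheduler", "Library Editor"],
}

# Intended ceiling for delegated schedulers, taken from Example 1.
SCHEDULER_CEILING = {"Topology": Access.READ, "Library": Access.READ, "Jobs": Access.MODIFY}

def effective_access(role_names, roles=ROLES):
    """Add up roles: per node, keep the highest level granted by any assigned role."""
    result = {}
    for name in role_names:
        for node, level in roles[name].items():
            result[node] = max(result.get(node, Access.NONE), level)
    return result

def delegation_violations(accounts, ceiling, roles=ROLES):
    """Return {account: {node: level}} where effective access exceeds the ceiling."""
    findings = {}
    for account, assigned in accounts.items():
        over = {node: level
                for node, level in effective_access(assigned, roles).items()
                if level > ceiling.get(node, Access.NONE)}
        if over:
            findings[account] = over
    return findings

if __name__ == "__main__":
    for account, over in delegation_violations(ACCOUNTS, SCHEDULER_CEILING).items():
        for node, level in over.items():
            print(f"{account}: {node} is {level.name}, above the delegated ceiling")
```

Running the same check against an export of your own login accounts and role definitions shows which delegated users can also edit the Modules they schedule.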
Example 2
You may have configured a Module that contains a Task Change Service Parameters that restarts a print spooler. If you then create an administrative role with Read access to this Module, and Modify access to the Jobs nodes, any user with this administrative role will be able to schedule only this Module in a Job, and no other Modules.