User Administration User & Role Management


Overview

As an administrator, many a time you would have felt mundane routines spill over crucial attention-seeking jobs of your network. Desktop Central answers this concern through its User & Role Management module; delegating routine activities to chosen users with well-defined permission levels. You can easily administer the users, and define their scope to manage a specific set of computers.

1. Role Management

Some of the most commonly used Roles are specified under Pre-defined Roles. However, you also have the flexibility to define roles that best suit your requirements under the User-defined Roles and grant appropriate permissions.  Here's a brief on the Pre-defined and User-defined roles respectively:

User-defined Role

You can tailor-make any number of roles, using Desktop Central and give them permissions of your choice based on your personalized needs. These customized roles fall under the User-defined category. For a better understanding let us quickly see how to create a User-defined Role in the following section.

Follow the steps mentioned below to create a new User-defined role:

1. Select the Admin tab and click  User Administration. This opens the User Administration page.
2. Select the Role tab and click the Add Role button.
3. Specify the Role Name and a small description about it.
4. You can define module-wise permission level for the Role in the Select Control Section.
    The permission levels are broadly classified into:
    Full Control - To perform all operations like an administrator, for the specific module
    
Write - To perform all the operations, except few restrictions as explained below in the table
    
Read - To only view the details in that module
    
No Access - To hide the module from the User  (For more details, refer to the table below)
5. Click  Add button.

       You have successfully created a new role.

Note: The role you have just created will now be available in the Roles list of the user creation module. Role deletion cannot be performed if that role is associated even with a single User. However you can modify the permission levels for all User-defined roles.

Pre-defined Roles

You will find the following roles in the Pre-defined category:

    1. Administrator
    2. Guest
    3. Technician
    4. Auditor
    5. Remote Desktop Viewer
    6. IT Asset Manager
    7. Patch Manager
    8. Mobile Device Manager

Administrator Role: The Administrator role signifies the Super Admin who exercises full control, on all modules. The operations that are listed under the Admin tab include:

    1.    Defining or modifying Scope of Management
    2.    Adding Inactive Users
    3.    Changing mail server settings
    4.    Changing proxy settings
    5.    Personalizing options like changing themes, setting session expiry, etc.
    6.    Scheduling vulnerability database update
    7.    Scheduling scan settings for Patch Management
    8.    Editing MSI or Script repository
    9.    Viewing Actions Logs of Desktop Central
    10.   Has write permission for the following,  Inventory, Reports, Profiles and Apps in Mobile Device Management.     

Guest Role: The Guest Role retains the Read Only permission to all modules. A user who is associated to the Guest Role, will have the privileges to scan and view various information about different modules, although making changes is strictly prohibited. Guest Role also has Read Only permission for viewing, MDM inventory details, reports, profiles and Apps of the mobile devices.

Technician Role: The Technician Role has a well defined set of permissions to do specific operations. Users under the Technician role are restricted from performing all the operations listed under the Admin tab. The operations that can be performed by users associated with the Technician Role include:

    1.    Can define and deploy all types of configurations and collections.
    2.    Can view all the configurations including those created by other users, reports, etc.
    3.    Can suspend, modify, or re-deploy the configurations defined by them.
    4.    Can update the Vulnerability Database.
    5.    Can perform Scan operations on all modules.
    6.    Has write permission for the following,  Inventory, Reports, Profiles and Apps in Mobile Device Management.  

Auditor: The Auditor role is specially crafted for Auditing Purposes. This role will help you grant permissions to auditors view the details of software inventory, check for license compliance, etc. Users with "Auditor Role" can also have read permission for MDM Reports.

Remote Desktop Viewer: The Remote Desktop Viewer Role will allow the users associated with it to Invoke a Remote desktop connection and view details of users who had connected to a particular system.

IT Asset Manager: The IT Asset Manager has complete access to the Asset Management module and all the other features are inaccessible. IT Asset Manager can also view the Inventory details of all the Mobile Devices.

Patch Manager: The Patch Manager role has complete access to the Patch Management module and all the other modules/features are inaccessible.

Mobile Device Manager: Mobile Device Manager role has write permission for the following,  Inventory, Reports, Profiles and Apps in Mobile Device Management.

User Roles and Permission Level

Action

Administrator

Full Control

Write Read
Configuration
Create Configurations

Create Configurations from templates 

Create Configurations  from Collections (computer)

Create Configurations  from Collections (User)

Install software (User) 

Install software (Computer)

Install Patches

View Configurations 

Edit Configurations Created by Others

Delete Configurations  Created by Others

'Save as New' from Configurations created by others excluding the target

Power Management Configuration

Power Management Report 

Patch Mgmt.
Install Patches

Automate Patch Deployment (APD)

APD Task List View 

Edit or Delete APD

View Configurations

View Deployment Templates & Add Templates

Edit or Delete Deployment Templates

Approve/Decline/Un Approve - Applicable Patches

Download / Re-download /Delete  Patches

Deploy Missing Patches to All Managed Systems

Scan/Scan All 

Patch Report 

Patch Settings (Except Proxy ) 

Update Vulnerability Database

Software Deployment
Create Software Package 

Install/uninstall Software (Computer)

Install/uninstall Software (User)

Create Package from Templates

View Configurations

Deployment Templates

Software Repository Settings

Sync Application Details

Inventory
Computers View (Bulk Update/ Import CSV)

Computers View - Import CSV

Add / Modify Computer Details

Hardware's View  

Software View 

Move Software To 

Alerts settings 

Inventory Reports

Scan/Scan all Systems

Software Metering (Add/Delete/Enable/Disable Rule)

Manage License

Group software

Configure Prohibited Software

Add Global Exclusions

Manage Software Category

Configure Alerts

Schedule Inventory Scan

Feed Custom Data for Computers

Tools
Remote Control Computer view 

Remote Control History view 

Settings

User Confirmation & Exclude Computers

Screen Recording 

Performance

Wake On LAN - Wake up & schedule wake up 

Remote Shutdown - Shutdown now & schedule shutdown

System Tools - Action & Functionality

Reports
Schedule Reports

Custom Reports

Active Directory Reports

Reports from Other Modules

SoM
Add/Remove  computers

Edit credential

Install/uninstall agent 

Remote Offices

IP Scope

SOM Policy 

Agent settings

Global Settings
User Administration

Help Desk Settings

ServiceDesk Plus Settings

Server Settings

Mail Server Settings

Custom Groups

Personalize

Re-branding

MySQL Remote DB Access

DC Server Migration

Configuration Settings

Report  Settings
AD Report Settings

 User Logon Settings

Admin Tools
Action Log Viewer

Alerts

Database Backup

2.Defining a Scope

Desktop Central provides you the privilege of defining a scope for the users, which means you can define the target computers, which can be mapped to every user. By limiting the user's permission to specific set of computers, you can feel assured that the user has enough permission to perform their roles and not excess permission to take unduly advantage.

The target that you define as the scope, can be one of the following:

All Computers

When the target is defined as 'All Computers', user will have permission to execute all the privileges defined in the role, to all the computers. Though the scope is all computers, the permission level is determined only by the role, to which the user is mapped.

Static Unique Groups

You can create specific custom groups for the management purposes and associate it to the users. The custom groups that you create should be Unique, so that no computers can belong to more than one custom group. These are computer based custom groups, which are created for the user management purpose, is defined as "scope" for the user. Refer to this to know more about Creating Custom Groups

Remote Office

You can create specific remote offices or use the existing remote offices to be defined as the scope for the users. More than one user can have manage the same remote offices. Similarly more than one remote office can be mapped to the same user, however you cannot have a combination of remote offices and unique groups as a part of the scope.

Sharing a Scope

More than one user can share the same scope. In such cases, configurations/tasks applied to the scope can be managed by more than one user.  To know more, refer to this: Points to be noted

Modifying a Scope

When a scope of the user is modified,  user will not be able to manage the configurations/tasks, which were created by him. He will have permission to clone the configurations without the target, so that he can re-use them for his current scope. Modifying the computers within the scope will not be considered as modifying the scope.

3.User Management

Creating a User and Associating a Role

You can associate a User with a Role while creating a New User. To create a user follow the steps mentioned below:

  1. Login to Desktop Central client as an Administrator
  2. Click User Management link available under the Global Settings category
  3. Specify the Authentication Type as Active Directory Authentication or Local Authentication
  4. Specify a User Name, Password and  Confirm the password
  5. Specify the Role,  from the drop down. You can see find all the pre-defined roles, and the  roles that you have created will be listed here
  6. Specify the Email address and the Phone number of the user, this is optional
  7. Define the Scope for the user, you can specify the computers, which needs to be managed by the user. You can choose to provide the user access to manage all computers, remote offices or specific unique custom groups. If you do not have a unique custom group, you can create one. If the custom group is not unique, it will not be listed here. Refer to this, to know more about : Unique Custom groups

You have successfully create a user and associated a role to the user with the scope of the computers that need to be managed.

Note

Note: When you opt to authenticate a user via Active Directory, the user should have privileges to login to the domain from the computer where Desktop Central Server is installed.

Modifying User details

Desktop Central offers the flexibility to modify the role of users, to best suit your changing requirements. You can do operations like Changing the User Role and Reset User Password at any point of time you feel you should.

Deleting a User

At times when you find a user's contribution obsolete, you can go ahead and delete the user from the User List. The user so removed will no more exercise Module Permissions.

Points to be Noted

  1. A Unique Custom group can be managed by more than one user.
  2. A same computer cannot be a part of more than one Unique Custom Group
  3. Only Administrators will have permission to modify the scope for users
  4. Scope defined for a user cannot be a combination of custom groups and remote offices, it can only be  all computers or specific unique group or remote office
  5. When the scope of the user is modified, the user will not be notified about the changes made to his scope
  6. Adding or removing computers from the unique custom groups would not affect the scope of the user
  7. Refer to the following scenarios and behaviors:
    User A's scope : Static Unique Group 1
    User B's scope : Static Unique Group 2
    User C's scope : Static Unique 2 and Static Unique Group 3
    User D's scope : Static Unique Group 1, Static Unique Group 2, Static Unique Group 3 and Static Unique Group 4
    1. User A creates and applies the configuration/task to Static Unique Group 1. This configuration will be visible to User A, and User D, since they share the same scope (Static Unique Group 1). This configuration can be modified by User A and User D. When user D modifies this configuration, the target of this configuration will list only the scope that is being shared by User A and User D.
    2. User D creates a configuration and applies it to Static Unique Group 2, then this configuration can be viewed by user User B, User C and User D. All the three users will be able to manage the configuration.
    3. User D creates a configuration and applies it to Static Unique Group 3, and Static Unique Group 4. In this case, User C and User D will be able to view this configuration. User C cannot make any changes to  this configuration.
    4. User A creates a configuration and applies it to Static Unique Group 1 and later, user A's scope is modified, then this configuration can only be viewed by him, or cloned as a new configuration without the target.

Copyright © 2005-2014, ZOHO Corp. All Rights Reserved.
ManageEngine