# User and Role Administration | Device Control Plus

**Last Updated On**: 14 May 2026

User administration is the process of managing user accounts within a system or application. In the context of Device Control Plus, user administration involves tasks such as creating, modifying, and deleting user accounts. This includes defining user roles, assigning scopes (permissions), and ensuring that users have the appropriate access levels to perform their tasks.

## Users and Roles

User accounts are individual accounts created under a scope that gives them access to endpoints, custom groups, and remote offices. Roles, on the other hand, define a set of permissions that determine what actions a user can perform within the system. Each user is assigned a role, which determines their level of access and authority.

**Role Management**

Some of the most commonly used roles are specified under Pre-defined Roles. However, you also have the flexibility to define roles that best suit your requirements under User-defined Roles and grant appropriate permissions. Here's a brief on the Pre-defined and User-defined roles:

**User-defined Role**

You can create roles and customize them based on your needs. These customized roles fall under the User-defined category. Follow the steps below to create a new User-defined role:

1. Select the **Admin** tab and navigate to **User Administration**.
2. Select the **Role** tab and click the **Add Role** button.

   ![User and role administration](https://cdn.manageengine.com/sites/meweb/images/device-control/help/deployment/1774959555226.webp)
3. Specify the Role Name and a short description of it.
4. Define the module-wise permission level for the Role in the Select Control Section. This includes options like Full Control, Write, Read, and No Access.
5. Click **Add**. This completes the process of creating a new role.

![User and role administration](https://cdn.manageengine.com/sites/meweb/images/device-control/help/deployment/1774959625865.webp)

**Note:** A role cannot be deleted if it is associated with even a single user. However, you can modify the permission levels for all User-defined roles.

**Pre-defined roles:**

You will find the following roles in the Pre-defined category:

**How to associate users with roles?**

1. Open the **Web Console → Navigate to Admin tab → User Administration**.
2. Click **User → Add User**.

   ![User and role administration](https://cdn.manageengine.com/sites/meweb/images/device-control/help/deployment/1774959844846.webp)
3. Select the Authentication type as **Active Directory Authentication** or **Local Authentication**. For Active Directory Authentication, select a Domain in Domain name.

   **Note:** Active Directory Authentication is available for on-premises environments only.
4. Specify a **User Name**.
5. Specify the **Role** from the drop-down list. This list contains both pre-defined and user-defined roles.
6. For Active Directory Authentication, the Email Address of the user is fetched from Active Directory, if available. If not, specify the email address of the user manually. For local authentication, the Email Address must be entered manually.
7. If required, enter the **phone number** of the user.
8. Define the Scope for the user. You can specify the computers that need to be managed by the user. You can choose to give the user access to manage all computers, remote offices, or specific unique custom groups. If you do not have a unique custom group, you can create one. If the custom group is not unique, it will not be listed here.
9. You can also select the devices that need to be managed. You have the option to manage all devices or only selected groups.
10. Click **Add User**.

![User and role administration](https://cdn.manageengine.com/sites/meweb/images/device-control/help/deployment/1774959735260.webp)

## Secure Authentication

The Secure Authentication feature under User Administration adds security to the application by implementing various security measures. This ensures that users who have authorised privileges can perform operations in Device Control Plus. There are three sub-features under Secure Authentication:

- **Two-factor authentication**: The user can log in only after entering the username and password, followed by an OTP that they receive via email.
- **User Account Policy**: The user account policy is the set of rules and requirements that govern user accounts within the system. This policy covers the action taken against invalid login attempts, such as the number of invalid login attempts allowed and the lockout duration for invalid attempts. It also covers the domain settings during login, such as rules for hiding the domain list and the default domain for authentication. With this policy, you can also set actions against account inactivity and the session expiration time for users.
- **Password Policy**: The Password Policy allows admins to create a number of rules for users to follow when they set up passwords. It allows setting a minimum password length, a minimum number of special characters, the number of last passwords that the user can reuse, and when users should be forced to change their password.

## Notifications

The Notification feature allows admins to get notified when users perform various operations.
For the admin to receive notifications, their email addresses should be specified so that they get notified when the following changes are made:

- When a user resets the password
- When the user account gets locked or disabled due to invalid login attempts
- When the user account gets disabled due to inactivity
- When the disabled account is reactivated by the admin
- When the account is manually disabled by the admin
- When a new user account is created or deleted

## SDP Users

The SDP Users listed under this feature will not have access to the Device Control Plus console and therefore cannot carry out any endpoint management related activities. To give SDP Users access to the functionalities of Device Control Plus, click the Add to Device Control Plus icon under the Actions column corresponding to their names. This is only applicable when the Self Desk Portal is integrated with ServiceDesk Plus.
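
The role and scope model from the Users and Roles section can be reviewed for least privilege with a short script; the following is an added example, not ManageEngine code or a Device Control Plus API. It assumes the four permission levels rank in the order shown, uses `*` as a stand-in for the "all computers" scope, and runs on a constructed inventory with hypothetical module, role, user and group names.

```python
from dataclasses import dataclass

# Level names are from the page; ranking them in this order is an assumption.
LEVELS = {"No Access": 0, "Read": 1, "Write": 2, "Full Control": 3}
ALL = "*"  # assumed marker for the "all computers" scope

@dataclass
class User:
    name: str
    role: str
    scope: frozenset  # custom group / remote office names, or {ALL}

def can(user, roles, module, needed, target):
    """Allow only if the role grants >= `needed` on `module` and `target` is in scope."""
    level = roles[user.role].get(module, "No Access")
    in_scope = ALL in user.scope or target in user.scope
    return in_scope and LEVELS[level] >= LEVELS[needed]

def audit(users, roles):
    """Flag accounts that combine Full Control with the all-computers scope."""
    findings = []
    for u in users:
        if u.role not in roles:
            findings.append((u.name, "unknown role"))
        elif ALL in u.scope and "Full Control" in roles[u.role].values():
            findings.append((u.name, "Full Control on all computers"))
    return findings

def deletable_roles(users, roles):
    """Roles with no associated user; the page says only these can be deleted."""
    in_use = {u.role for u in users}
    return sorted(name for name in roles if name not in in_use)

# Constructed sample inventory: role name -> {module: permission level}.
ROLES = {
    "full-admin": {"devices": "Full Control", "reports": "Full Control"},
    "site-operator": {"devices": "Write", "reports": "Read"},
    "auditor": {"reports": "Read"},
}
USERS = [
    User("alice", "full-admin", frozenset({ALL})),
    User("bob", "site-operator", frozenset({"branch-office-1"})),
    User("carol", "full-admin", frozenset({"lab-group"})),
]

if __name__ == "__main__":
    print(audit(USERS, ROLES), deletable_roles(USERS, ROLES))
```

An access decision needs both halves: `carol` holds the same role as `alice` but is not flagged, because her scope is limited to one custom group.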