# User and Role Management

## Table of contents

1. [What is User Administration?](#definition)
2. [Users and Roles](#users-and-roles)
3. [Secure Authentication](#secure-authentication)
4. [Notifications](#notifications)
5. [SDP Users](#sdp-users)

## What is User Administration?

User administration is the process of managing the accounts that can sign in to a system or application. In Endpoint Central it covers creating, modifying and deleting user accounts, defining user roles, assigning scopes (the endpoints a user may act on) and ensuring that each user has only the access level needed to perform their tasks.

The features grouped under User Administration are shown below:

![User Administration features](https://www.manageengine.com/products/desktop-central/help/images/user_role_management.jpg)

## Users and Roles

User accounts are individual accounts created within Endpoint Central under a scope, which limits them to particular endpoints, custom groups and remote offices. Roles define the set of permissions that determine what actions a user can perform within the console. Each user is assigned one role; the role determines what the user may do, and the scope determines on which machines.

**Role Management**

The most commonly used roles are provided as Pre-defined Roles. You can also define roles that suit your own requirements as User-defined Roles and grant them the appropriate permissions. Both categories are described below.

- **User-defined Role**

  You can create roles and customize them to your needs; these fall under the User-defined category. To create a new User-defined role:

  1. Select the **Admin** tab and navigate to **User Administration** → **Role**. This opens the User Administration page.
  2. Select the Role tab and click the Add Role button.
  3. Specify the Role Name and a short description.
  4. In the Select Control section, define the permission level for each module: Full Control, Write, Read or No Access.
  5. Click Add. The new role is created.

  **Note:** A role cannot be deleted while it is associated with even a single user. The permission levels of all User-defined roles can be modified at any time, so review existing roles before creating a new one with overlapping permissions.

- **Pre-defined Roles**

  The following roles are available in the Pre-defined category:

  - **Administrator Role**: The Super Admin, with full control over all modules. Operations listed under the Admin tab include:
    1. Full control over all modules.
    2. Defining or modifying the Scope of Management.
    3. Adding inactive users.
    4. Changing mail server settings.
    5. Scheduling vulnerability database updates, and more.
  - **Guest Role**: Read-only permission on all modules. A user with the Guest Role can scan and view information in every module but cannot make changes. The Guest Role also has read-only access to MDM inventory details, reports, profiles and apps of mobile devices.
    1. Read-only access to all modules.
    2. Privileges limited to viewing information, without the ability to make changes.
    3. Viewing configurations, reports, etc.
  - **Auditor Role**: Grants auditors permission to view software inventory details and check license compliance. Users with the Auditor Role can also have read permission for MDM Reports.
    1. Permissions tailored for auditing purposes.
    2. Viewing software inventory details and license compliance checks.
  - **Technician Role**: A well-defined set of permissions for day-to-day operations. Technicians cannot perform any of the operations listed under the Admin tab. They can:
    1. Define and deploy all types of configurations and collections.
    2. View all configurations, including those created by other users, reports, etc.
    3. Suspend, modify or re-deploy the configurations they defined themselves.
    4. Update the Vulnerability Database.
    5. Perform scan operations in all modules.
    6. Write to Inventory, Reports, Profiles and Apps in Mobile Device Management.
  - **Remote Desktop Viewer**: Can invoke a Remote Desktop connection and view details of the users who connected to a particular system.
  - **IT Asset Manager**: Complete access to the Asset Management module; all other features are inaccessible. The IT Asset Manager can also view the inventory details of all mobile devices.
  - **Patch Manager**: Complete access to Patch Management, plus the tools Wake On LAN, Remote Shutdown and System Manager, and the ability to schedule Patch Reports. All other modules and features are inaccessible.
  - **Mobile Device Manager**: Write permission for Inventory, Reports, Profiles and Apps in Mobile Device Management.
  - **OS Deployer**: Can capture Windows OS images and deploy them across network computers.

**How to associate users with roles?**

1. Open the Endpoint Central web console and navigate to the **Admin** tab → **User Administration**.
2. Click **User** → **Add User**.
3. Select the Authentication type: Active Directory Authentication or Local Authentication. For Active Directory Authentication, choose the domain under Domain name. Active Directory Authentication is available for on-premises environments only.
4. Specify a User Name.
5. Select the Role from the drop-down list, which contains both pre-defined and user-defined roles.
6. For Active Directory Authentication the user's Email Address is fetched from Active Directory if available; otherwise enter it manually. For Local Authentication the Email Address must always be entered manually.
7. Optionally, enter the user's phone number.
8. Define the Scope for the user, i.e. the computers the user may manage: all computers, selected remote offices, or specific unique custom groups. If you do not have a unique custom group, create one first; a custom group that is not unique is not listed here.
9. Select the mobile devices the user may manage: all devices or selected groups.
10. Click Add User.

The role decides what the user may do and the scope decides where, so assign the narrowest role and scope that still let the user complete their tasks.

## Secure Authentication

The Secure Authentication feature under User Administration adds security controls to the console so that only users with authorized privileges can perform operations in Endpoint Central. It has three sub-features:

- **Two-factor authentication**: The user can log in only after entering the username and password and then a one-time password (OTP) received via email.
- **User Account Policy**: The rules and requirements that govern user accounts. It defines the action taken on invalid login attempts (the number of invalid attempts allowed and the lockout duration), domain settings at login (hiding the domain list and setting a default domain for authentication), the action taken on account inactivity, and the session expiration time.
- **Password Policy**: Lets admins set rules for passwords: minimum length, minimum number of special characters, restrictions on reusing previous passwords, and enforcement of periodic password changes.

## Notifications

The Notification feature lets admins be notified when users perform various operations. The admin's email address must be configured for the notifications to be delivered. Notifications are triggered when:

- A user resets their password.
- A user account is locked or disabled because of invalid login attempts.
- A user account is disabled because of inactivity.
- A disabled account is reactivated by the admin.
- An account is manually disabled by the admin.
- A new user account is created or deleted.

## SDP Users

The SDP Users listed under this feature do not have access to the Endpoint Central console and therefore cannot carry out any endpoint management activities. To let an SDP user use Endpoint Central functionality, click the Add to Endpoint Central icon in the Actions column next to their name. This applies only when ServiceDesk Plus (SDP) is integrated with Endpoint Central.

To know more about other important features under Global Settings, visit the following links:

1. [What are custom groups and how do you create them?](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/creating_custom_groups.html)
2. [How to add a domain in Endpoint Central?](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/adding_domain_workgroup.html)
3. [How to create remote offices in Endpoint Central?](https://www.manageengine.com/products/desktop-central/demo/general/remote-office.html)
4. [How to add computers under the scope of management of Endpoint Central?](https://www.manageengine.com/products/desktop-central/scope-of-management-how-to.html)
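The following is an added example, not Endpoint Central code, that models the rules described under Secure Authentication (User Account Policy and Password Policy) and records the events the Notifications section lists. It shows the order in which the checks have to run (disabled, then locked, then inactive, then the credential) and how lockout, inactivity disabling, session expiry, password history and periodic change interact on a single account. The `Policy` and `Account` classes, the function names and every policy value are assumptions chosen for illustration; the console's actual settings are configured through the UI.

```python
"""Added example (not Endpoint Central code) modelling the Secure Authentication rules above:
invalid-attempt lockout, inactivity disabling, session expiry and the password policy.
Policy values and all names are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

EVENTS: List[Tuple[str, str]] = []   # (user, event) pairs the Notifications section says admins are mailed about

@dataclass
class Policy:                                   # assumed defaults; all configurable in the console
    max_invalid_attempts: int = 5               # User Account Policy
    lockout_duration: timedelta = timedelta(minutes=30)
    disable_after_inactivity: timedelta = timedelta(days=90)
    session_expiry: timedelta = timedelta(hours=8)
    min_length: int = 12                        # Password Policy
    min_special_chars: int = 1
    history_size: int = 5                       # former passwords that may not be reused
    max_age: timedelta = timedelta(days=90)     # periodic change

@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_changed_at: datetime
    last_login: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)   # (salt, hash) of former passwords

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(p: Policy, acct: Account, candidate: str) -> Optional[str]:
    """Return the violated password-policy rule, or None if the candidate is acceptable."""
    if len(candidate) < p.min_length:
        return "too_short"
    if sum(not c.isalnum() for c in candidate) < p.min_special_chars:
        return "too_few_special_chars"
    for salt, digest in [(acct.salt, acct.pw_hash)] + acct.history[-p.history_size:]:
        if hmac.compare_digest(_hash(candidate, salt), digest):   # current or recent password reused
            return "reused"
    return None

def change_password(p: Policy, acct: Account, candidate: str, now: datetime) -> Optional[str]:
    reason = check_password(p, acct, candidate)
    if reason is None:
        acct.history.append((acct.salt, acct.pw_hash))
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash, acct.pw_changed_at = _hash(candidate, acct.salt), now
        EVENTS.append((acct.name, "password_reset"))
    return reason

def login(p: Policy, acct: Account, password: str, now: datetime) -> Tuple[bool, str]:
    """Apply the account policy in order: disabled, locked, inactive, then the credential."""
    if acct.disabled:
        return False, "disabled"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return False, "locked"
        acct.locked_until, acct.failed_attempts = None, 0          # lockout has expired
    if now - acct.last_login > p.disable_after_inactivity:
        acct.disabled = True
        EVENTS.append((acct.name, "disabled_inactivity"))
        return False, "disabled_inactivity"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= p.max_invalid_attempts:
            acct.locked_until = now + p.lockout_duration
            EVENTS.append((acct.name, "locked_invalid_attempts"))
            return False, "locked"
        return False, "bad_password"
    acct.failed_attempts, acct.last_login = 0, now
    if now - acct.pw_changed_at > p.max_age:
        return True, "password_expired"     # authenticated, but must change the password first
    return True, "ok"

def session_valid(p: Policy, login_time: datetime, now: datetime) -> bool:
    return now - login_time <= p.session_expiry

def demo() -> dict:
    """Constructed scenario for user 'alice'; returns what each step observed."""
    p, t0, good = Policy(), datetime(2024, 1, 1, 9, 0), "Correct-Horse-9-Staple!"
    salt = secrets.token_bytes(16)
    acct = Account("alice", salt, _hash(good, salt), t0, t0)
    out = {"too_short": change_password(p, acct, "Short1!", t0),
           "reused": change_password(p, acct, good, t0)}
    for _ in range(p.max_invalid_attempts):                # brute-force run trips the lockout
        out["after_attempts"] = login(p, acct, "wrong-password", t0)
    out["during_lockout"] = login(p, acct, good, t0 + timedelta(minutes=5))
    out["after_lockout"] = login(p, acct, good, t0 + timedelta(minutes=31))
    out["session_valid_after_10h"] = session_valid(p, t0 + timedelta(minutes=31), t0 + timedelta(hours=10))
    out["inactive"] = login(p, acct, good, t0 + timedelta(days=100))
    return out
```

Two design points worth noting: while an account is locked, `login` answers `locked` before it looks at the password, so a caller cannot use the lockout window to learn whether a guess was correct; and the inactivity check runs before the credential check, so a stale account is disabled even when the password presented is right, which is the behaviour the Notifications list implies for "disabled due to inactivity".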