Super User Management
What is a Super User?
A Super User is an attribute of a user or group that provides specialized system access. The Super User attribute is designed for privileged users who will have unrestricted access to the system. Regardless of the roles the users belong to, they will be able to view and update all objects in the system.
Default Super Users are added during the installation of Desktop Authority. Others may be added to the Super User list by an existing Super User.
To access the Super User Management dialog, select Control Access Settings from the menu bar and then Super User Management from the submenu.
Besides having full access to all profiles and objects, Super Users have other special system permissions.
Super Users can:
- create and manage Global Roles
- modify the Super Users list and attributes
- access all Global Options objects
- create, generate and schedule reports for delivery to other users/groups
Managing Super Users
To add a new user or group to the Super User list, click Edit to put the list in Edit mode. Then click Add user or select an existing user and click Remove user.
Configuring Roles
What is a role?
A role is a container that defines the actions that are permissible by members of the role.
Most often, roles are established to represent a common job function that is performed by one or more users (members). A role defines the functions that a member of the role will be able to perform. For example, as shown in the following table, there may be a Super User/Group who is responsible for defining profiles and maintaining the system for all sites (Domain Administrator), one or more users may be in charge of client configurations within their own site (Site Administrator), another group of users may be responsible for basic configurations and troubleshooting in their own site (Help desk), and so on.
There is several default roles included in the default setup of Desktop Authority.
Table 1: System default roles
|
Sample Role |
Tasks |
Required rights |
|---|---|---|
|
Branch Admin |
Oversee and configure profiles and clients, |
Super User, All permissions |
|
Profile Admin |
Oversee and configure clients that belong to their own site. |
Add, Change, Delete permissions to all objects within site's profiles. Does not include child profiles. |
|
Security Admin
|
Responsible for keeping systems up to date and free of malware, secure desktops and run applications. |
Add, Change, Delete permissions to Firewall, Security Policy, Group Policy Templates, Registry, Application Launcher, and other objects. |
|
Read-Only Admin |
Responsible for general help desk troubleshooting issues. |
View only permission to all objects with a profile. Child profiles are not included. |
Roles configure actions for all profile objects including the profile itself. The configurable actions of a role consist of View, Change, Add/Delete, and Deny permissions for each of the objects. The first step in configuring Role Based Administration is to create the roles that will be used to permit or deny access.
The above Roles are examples administrative roles that could be used. Role Based Administration allows the creation of as many custom roles as is needed.
Global role
A global role is a defined role that is available to all profiles.
Local role
A local role is defined at the profile level and is available only to the profile to which it is defined in.
By default, a new installation of Desktop Authority will create a Global Role named Profile Admin. The Profile Admin role by default has full access to Add, Change and Delete elements in all Profile objects as well as the ability to add, change and delete profiles. The permissions assigned to the profile admin may be modified within the Global Roles dialog.
Configuring global roles
Global Roles are created from the Manager's Console Access Settings menu. Select the Global Profile Roles menu item.
To create a new Role, click Add role. Enter the name for the new role. Once the new role is created, permissions must be assigned to it. Manipulate the View, Change, Add/Delete and Deny permissions for each profile object, or click on the Grant all/Deny all buttons. The profile objects are selectable by choosing Computer Management Object or User Management Objects from the drop down menu.
Be sure to click Save to save the role and its settings. Click the Remove role button to delete the selected Role. Click the Edit button to modify a roles assigned permissions and/or the role name.
Global roles may also be created from within a profile. On the Profile Permissions tab, click Add global role. Only Super Users/Groups can create global roles.
Configuring local roles
Local Roles are created from within a profile. Once the Profile is selected in the Navigation Pane, select the Permissions tab. In order to Add, Edit or Delete any roles on this dialog, you must press the Edit button at the top of the page.
Once in Edit mode, the Profile Roles tables will be able to be modified. To create a new Local Role, click Add local role. Modify a role by selecting a role from the table and clicking the Edit button. Click Remove role to delete the selected role from the list. A global role may be created from here by clicking the Add global role button. If the profile selected is a Computer Management profile, the table will display only the Computer Management objects. The same is true for User Management; if the profile selected is a User Management profile, the table will display only the User Management objects.
Once it Add or Edit mode, name or rename the role as well as select the appropriate profile object permissions by checking the View, Change, Add/Delete and Deny checkboxes. You may also click the Grant All/Deny All buttons to select or unselect all of the permissions. Be sure to click the Confirm or Cancel button to save any changes made to the permissions.
Object permissions
Read
Read permissions allow the object to be viewed only. No changes can be made to existing elements, nor can any elements be added or removed.
Modify
Modify permissions allow existing elements within the object to be updated only. Elements cannot be added or removed.
Add/Delete
Elements can be added to or removed from profile objects. Child profiles can be added or removed.
Deny
No access is permitted to the object selected in the permissions list. The object will not be visible in the navigation pane for any member that is a part of the role.
Deny access overrules all other permissions on an object.
Configuring Permissions
Configuring profile permissions
The profile's Permissions tab is used to assign a user (member) to a role. Permissions are applied on a per profile basis. All child profiles inherit their parent's permissions. See the inheritance topic below for more information on how permissions are inherited.
To assign a user permissions to a profile, first select the Profile. Next, select the Permissions tab on the View pane.
Add local role
A local role is defined at the profile level and is available only to the profile in which it is defined. Click Add/Edit Local Roles to create or edit a role. The Local Roles dialog will open. For more information on Local Role configuration see the Configuring Roles topic.
Add global role
A global role is a defined role that is available to all profiles. To create a global Role, click Add/Edit Global Roles. The Global Roles dialog will open. For more information on Global Role configuration see the Configuring Roles topic.
Add/Delete members to/from roles
To add a member to a role, select the role from the Roles list. Click Add Member.... Select a user or group from the resource browser and click OK. To remove a member from a role, select the Role and Member and then click Delete Member.
Permission inheritance
Profile permissions for all roles are inherited downward to all children profiles. Permissions do not inherit up the profile tree.
Figure 19: Permission inheritance
In the above illustration, Grandchild A and Grandchild B automatically inherit the permissions assigned to Child A. However, Grandchild C does not inherit any permissions from Child A. Grandchild C has the ability to inherit permissions from Child B which can inherit from the ACME Parent profile.
Figure 20: Explicitly deny permission inheritance
Permissions automatically are inherited by children profiles except in the case where the child profile explicitly denies the inheritance. In the above illustration, the role granted permission in profile Child B was explicitly given Deny permission in profile Grandchild C.
When creating a local role, the member cannot assign permissions to any object other than what they have access to. The permission level cannot be greater than the permissions that they have. For example, if a member of a role has View and Change permission to the printers object, they cannot assign another user Add/Delete permissions to the printer object.
Global Options
The Global Options object provides the ability to define several settings which affect how Desktop Authority initiates for each client. These settings apply to all users, computers and profiles and include several objects. Global Options are broken up into three sub-components: Common Management Options, Computer Management Options, and User Management Options.
Global Options objects are available only to Super Users/Groups with the exception of Assign Script.
Common Management Options consists of Exception and Network Location Awareness options.
- Exceptions
Exceptions are used to disable the ability to run Desktop Authority or allow an alternate logon script to run on any of the specified computers. - Network Location Awareness (NLA)
Network Location Awareness is used to configure NLA within the Desktop Authority Console. NLA. Desktop Authority uses Network Location Awareness to detect when a new network connection becomes available. Once the new connection is detected, Desktop Authority will be notified and can then determine whether it will execute for the user.
Computer Management Options consists of Definitions and Troubleshooting options.
- Definitions
The Definitions object is used to define custom dynamic variables. These variables may be used within any profile as well as in any custom script. - Troubleshooting
The Troubleshooting object is used to define several settings that can help to troubleshoot problem clients. The most common setting on this object is the setting to create a detailed trace file for one or more specified users and/or computers.
User Management Options consists of Definitions, Visual, Desktop Agent and Troubleshooting options.
- Definitions
The Definitions object is used to define custom dynamic variables. These variables may be used within any profile as well as in any custom script. - Troubleshooting
The Troubleshooting object is used to define several settings that can help to troubleshoot problem clients. The most common setting on this object is the setting to create a detailed trace file for one or more specified users and/or computers.
- Visual
The Visual object is used to set the default graphical startup mode of Desktop Authority as it executes on the client during the logon process. - Desktop Agent
The Desktop Agent will launch specified programs as the client logs off or shuts down the computer. This object provides several default options for the Agent.