A role is a container that defines the actions that are permissible by members of the role.
Most often, roles are established to represent a common job function that is performed by one or more users (members). A role defines the functions that a member of the role will be able to perform. For example, as shown in the following table, there may be a Super User/Group who is responsible for defining profiles and maintaining the system for all sites (Domain Administrator), one or more users may be in charge of client configurations within their own site (Site Administrator), another group of users may be responsible for basic configurations and troubleshooting in their own site (Help desk), and so on.
There is several default roles included in the default setup of Desktop Authority.
Table 64: System default roles
|
Sample Role |
Tasks |
Required rights |
|---|---|---|
|
Branch Admin |
Oversee and configure profiles and clients, |
Super User, All permissions |
|
Profile Admin |
Oversee and configure clients that belong to their own site. |
Add, Change, Delete permissions to all objects within site's profiles. Does not include child profiles. |
|
Security Admin
|
Responsible for keeping systems up to date and free of malware, secure desktops and run applications. |
Add, Change, Delete permissions to Firewall, Security Policy, Group Policy Templates, Registry, Application Launcher, and other objects. |
|
Read-Only Admin |
Responsible for general help desk troubleshooting issues. |
View only permission to all objects with a profile. Child profiles are not included. |
Roles configure actions for all profile objects including the profile itself. The configurable actions of a role consist of View, Change, Add/Delete, and Deny permissions for each of the objects. The first step in configuring Role Based Administration is to create the roles that will be used to permit or deny access.
The above Roles are examples administrative roles that could be used. Role Based Administration allows the creation of as many custom roles as is needed.
A global role is a defined role that is available to all profiles.
A local role is defined at the profile level and is available only to the profile to which it is defined in.
By default, a new installation of Desktop Authority will create a Global Role named Profile Admin. The Profile Admin role by default has full access to Add, Change and Delete elements in all Profile objects as well as the ability to add, change and delete profiles. The permissions assigned to the profile admin may be modified within the Global Roles dialog.
Global Roles are created from the Manager's Console Access Settings menu. Select the Global Profile Roles menu item.
To create a new Role, click Add role. Enter the name for the new role. Once the new role is created, permissions must be assigned to it. Manipulate the View, Change, Add/Delete and Deny permissions for each profile object, or click on the Grant all/Deny all buttons. The profile objects are selectable by choosing Computer Management Object or User Management Objects from the drop down menu.
Be sure to click Save to save the role and its settings. Click the Remove role button to delete the selected Role. Click the Edit button to modify a roles assigned permissions and/or the role name.
Global roles may also be created from within a profile. On the Profile Permissions tab, click Add global role. Only Super Users/Groups can create global roles.
Local Roles are created from within a profile. Once the Profile is selected in the Navigation Pane, select the Permissions tab. In order to Add, Edit or Delete any roles on this dialog, you must press the Edit button at the top of the page.
Once in Edit mode, the Profile Roles tables will be able to be modified. To create a new Local Role, click Add local role. Modify a role by selecting a role from the table and clicking the Edit button. Click Remove role to delete the selected role from the list. A global role may be created from here by clicking the Add global role button. If the profile selected is a Computer Management profile, the table will display only the Computer Management objects. The same is true for User Management; if the profile selected is a User Management profile, the table will display only the User Management objects.
Once it Add or Edit mode, name or rename the role as well as select the appropriate profile object permissions by checking the View, Change, Add/Delete and Deny checkboxes. You may also click the Grant All/Deny All buttons to select or unselect all of the permissions. Be sure to click the Confirm or Cancel button to save any changes made to the permissions.
Read permissions allow the object to be viewed only. No changes can be made to existing elements, nor can any elements be added or removed.
Modify permissions allow existing elements within the object to be updated only. Elements cannot be added or removed.
Elements can be added to or removed from profile objects. Child profiles can be added or removed.
No access is permitted to the object selected in the permissions list. The object will not be visible in the navigation pane for any member that is a part of the role.
Deny access overrules all other permissions on an object.
© 2025 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center
