Console Access Settings implement Desktop Authority's Role Based Administration (RBA) functionality, which restricts access to profiles and the configuration elements contained within them. Access to profiles is limited to users and groups that have been granted specific permissions to them. Console Access Settings can also limit Global System functionality to specific users.
Console Access Settings consists of maintaining System Roles, Super Users and Profile Roles.
A System Role is a container that defines permissions to specific parts of the Desktop Authority console.
A Profile Role is a container that defines the Permissions that are granted to any Member of that Role. A Role may be Global or Local. Global Roles are defined by the Super User and can be applied on any Profile in the system. Local Roles are defined per Profile and can be used to grant Permissions on a specific Profile and, optionally, its child Profiles. A Member is any user or group assigned to a Role. Members are assigned to Roles, Global and Local, at the Profile level. Even when a user or group is assigned to a Global Role, the membership applies at that Profile only. Resources are Profiles and Configuration Elements to which Permissions can be granted via Membership in a Role.
Figure 14: Example System roles
Permissions define the actions a member can perform on a specific resource. They are set up as part of the role creation process. Parent profiles define the base permissions and all child profiles inherit these permissions. For greater granularity, a child's inherited permissions may be altered at the child profile level.
The ACME.Domain.Admins group is configured as a member of the Branch Admin role. This group is given permission to the ACME parent profile. The ACME.Domain.Admins group is also defined as a Super User/Group. This means the group will have unlimited access to all profiles and configuration elements, as well as global options, within the system. It is important to note that since this group is assigned permissions to the Branch Admin role at the parent profile level, these permissions are inherited on all child profiles within ACME Corporation. ACME.Domain.Admins also have unrestricted system access due to their Super User/Group status.
The Profile Admin role is configured to have View, Change, Add/Delete permissions to all objects within a single branch of the profile tree. Child profiles are not included in the Profile Admin's permissions. The CHI.Site.Admins group is a member of the Profile Admin role within the Chicago child profile only. The NYC.Site.Admins group is a member of the Profile Admin role within the NYC child profile only. Note that user Ajones is assigned to the Profile Admin role within the CANADA profile.
The Security Admin role is assigned View, Change, Add/Delete permissions to several configuration objects within a profile. For instance, let's say the Security Admin is responsible for pushing out newly released service packs. The Security Admin role will be given permissions to the Registry, Application Launcher and Service Pack Deployment objects. They will be given Deny access to all other configuration objects. Note in the illustrations above that the USA.Security.Admin group is assigned membership at the USA profile level. These permissions are inherited down to both the Chicago and NYC child profiles. The CAN.Security.Admin group is assigned membership to the Canada profile.
The Read-Only Admin role is assigned View permissions only to all configuration objects within a profile. The Read-Only Admin role can be used for Users or Groups that will not have any ability to change elements within objects of a profile. In the illustration above, the NYC and CHI Helpdesk technicians are given the read-only permissions of the Read-Only Admin role. This way they can troubleshoot user issues and have an approved Administrator make the necessary changes to their profile. Note that the Canada profile does not have any User or Group assigned under the Read-Only Admin role. In this case, either the Branch Admin or Profile Admin has the necessary permissions to accomplish the same goal.
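The role examples above can be checked as a small least-privilege audit. The following is an added sketch, not Desktop Authority code: it models the memberships described on this page and answers "who can change this object in this profile?". Assumptions not taken from the page: the profile tree (ACME > USA > Chicago/NYC, ACME > Canada), Branch Admin holding full permissions, Read-Only Admin not applying to child profiles, grants from several roles being unioned, and the group name `NYC.Helpdesk`.

```python
# Simplified model of the role examples on this page (added example).
FULL = frozenset({"View", "Change", "Add/Delete"})
ALL = "*"  # wildcard: every configuration object

# Assumed tree: the page implies ACME > USA > {Chicago, NYC} and ACME > Canada.
PARENT = {"ACME": None, "USA": "ACME", "Canada": "ACME",
          "Chicago": "USA", "NYC": "USA"}

# role -> (grants per object, does the role apply to child profiles?)
# Objects a role does not list are treated as Deny.
ROLES = {
    "Branch Admin": ({ALL: FULL}, True),    # assumption: page lists no permissions
    "Profile Admin": ({ALL: FULL}, False),  # children excluded, per the page
    "Security Admin": ({"Registry": FULL, "Application Launcher": FULL,
                        "Service Pack Deployment": FULL}, True),
    "Read-Only Admin": ({ALL: frozenset({"View"})}, False),  # assumption
}

# (principal, role, profile where the membership is assigned)
MEMBERS = [
    ("ACME.Domain.Admins", "Branch Admin", "ACME"),
    ("CHI.Site.Admins", "Profile Admin", "Chicago"),
    ("NYC.Site.Admins", "Profile Admin", "NYC"),
    ("Ajones", "Profile Admin", "Canada"),
    ("USA.Security.Admin", "Security Admin", "USA"),
    ("CAN.Security.Admin", "Security Admin", "Canada"),
    ("NYC.Helpdesk", "Read-Only Admin", "NYC"),  # constructed group name
]
SUPER_USERS = {"ACME.Domain.Admins"}


def effective(principal, profile, obj):
    """Return the permissions `principal` holds on `obj` in `profile`."""
    if principal in SUPER_USERS:
        return set(FULL)             # Super Users bypass role checks
    perms, node, depth = set(), profile, 0
    while node is not None:          # walk from the profile up to the root
        for who, role, where in MEMBERS:
            grants, inherits = ROLES[role]
            if who == principal and where == node and (depth == 0 or inherits):
                perms |= grants.get(obj, grants.get(ALL, frozenset()))
        node, depth = PARENT[node], depth + 1
    return perms


def who_can_change(profile, obj):
    """Audit helper: principals able to modify `obj` in `profile`."""
    names = {m[0] for m in MEMBERS} | SUPER_USERS
    return sorted(n for n in names if "Change" in effective(n, profile, obj))
```

Running `who_can_change` for each profile and object makes inherited access visible, such as the USA-level Security Admin membership reaching the Chicago and NYC profiles.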