7.16 Policy Rights

The Policy Rights dialog box lets you control the operations that the selected administrator can perform on policies.

7.16.1 Contexts

Specify the Policy folders (contexts) that you want the administrator’s Policy rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

7.16.2 Privileges

The Privileges section lets you grant the selected administrator rights to work with policies, including policy groups and folders listed in the Contexts section.

The following rights are available:

RIGHT / OPERATIONS CONTROLLED BY THE RIGHT / NOTES

View Leaf

  • View the contents in the specified context (folder and subfolders)

Setting the View Leaf right to Deny forces all other Policy rights to Deny. The View Leaf right must be set to Allow to perform any other policy operations.

Also, to give an administrator rights only to view policies, enable the View Leaf right and, in addition, either the Manage Configuration Policies right or the Manage Security Policies right, depending on the policy type.

Modify Groups

  • Rename a policy group

  • Change a policy group’s description

 

Create/Delete Groups

  • Create a policy group

  • Delete a policy group

  • Move a policy group

Setting the Create/Delete Groups right to Allow forces the Modify Groups right to Allow. This means that an administrator who creates a group also receives rights to modify it.

Modify Group Membership

  • Add policies to a group

  • Remove policies from a group

  • Reorder policies within a group

In addition to this right, an administrator must also have the Manage Configuration Policies right or the Manage Security Policies right.

For example, to add a Configuration policy to a group, an administrator must have the following two rights:

  • Modify Group Membership (this right)

  • Manage Configuration Policies

Modify Folders

  • Rename a policy folder

  • Change a policy folder’s description

 

Create/Delete Folders

  • Create a policy folder

  • Delete a policy folder

  • Move a policy folder

Setting the Create/Delete Folders right to Allow forces the Modify Folders right to Allow. This means that an administrator who creates a folder also receives rights to modify it.

Author

  • Create a policy (Sandbox version)

  • For Sandbox policies:

    • Edit settings on a policy’s Summary tab

    • Edit settings on a policy’s Requirements tab

    • Edit settings on a policy’s Details tab

    • Rename a policy

    • Move a policy

    • Copy system requirements from one policy to another

    • Delete a policy

    • Enable and disable a policy

    • Publish (copy) a policy as a new policy (Sandbox version)

In addition to this right, an administrator must also have the Manage Configuration Policies right or the Manage Security Policies right.

For example, to create a Configuration policy, an administrator must have the following two rights:

  • Author (this right)

  • Manage Configuration Policies

Publish

  • Publish a policy as a new version

  • Edit settings on a policy’s Summary tab

  • Edit settings on a policy’s Requirements tab

  • Edit settings on a policy’s Details tab

  • Rename a policy

  • Move a policy

  • Copy system requirements from one policy to another

  • Delete a policy

  • Enable and disable a policy

  • Publish (copy) a policy as a new policy (Sandbox version)

Setting the Publish right to Allow forces the Author right to Allow. This means that an administrator who has rights to publish policies also has rights to author policies.

In addition to this right, an administrator must also have the Manage Configuration Policies right or the Manage Security Policies right.

For example, to publish a Security policy, an administrator must have the following two rights:

  • Publish (this right)

  • Manage Security Policies

Assign Policies

  • Assign policies to devices, device groups, and device folders

  • Assign policy groups to devices, device groups, and device folders

  • Assign policies to users, user groups, and user folders

  • Assign policy groups to users, user groups, and user folders

  • Remove policy assignments from the objects listed above

  • Remove policy group assignments from the objects listed above

In addition to this right, an administrator must also have the Manage Configuration Policies right or the Manage Security Policies right, and the Device Rights - Assign Policies right or the User Rights - Assign Policies right.

For example, to assign a Security policy to a device, an administrator must have the following rights:

  • Assign Policies (this right)

  • Manage Security Policies

  • Device Rights - Assign Policies (for the target device)

Modify Settings

  • Modify policy settings

 

Manage Configuration Policies

  • Access to Windows, Mobile and Linux Configuration policies

This right enables the Author, Publish, Modify Group Membership, and Assign Policies rights to apply to Windows and Linux Configuration policies.

Configuration policies are provided by ZENworks Configuration Management and include the Windows Configuration policies (Browser Bookmarks policy, Dynamic Local User policy, Local File Rights policy, Printer policy, Remote Management policy, Roaming Profile policy, SNMP policy, Windows Group policy, and ZENworks Explorer Configuration policy), Linux Configuration policies (External Services policy and Puppet policy) and all Mobile policies (Mobile Compliance Policy, Mobile Device Control policy, Mobile Enrollment policy and so on).

Manage Security Policies

  • Access to Windows Security policies (including the Full Disk Encryption policy)

This right enables the Author, Publish, Modify Group Membership, and Assign Policies rights to apply to Windows Security policies.

View Audit Log

  • View a policy’s Audit tab and the events logged to that tab

  • View a policy group’s Audit tab and the events logged to that tab

  • View a policy folder’s Audit tab and the events logged to that tab

This right does not allow the administrator to view event details. To view event details, the administrator must have the View Audit Events right.

View Audit Events

  • View a policy’s Audit tab, the events logged to that tab, and the details for the events

  • View a policy group’s Audit tab, the events logged to that tab, and the details for the events

  • View a policy folder’s Audit tab, the events logged to that tab, and the details for the events

Setting the View Audit Events right to Allow forces the View Audit Log right to Allow.
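
The dependencies in the table above interact, so an administrator's effective rights can differ from what was ticked in the dialog box. The following added example (a model for reviewing a planned assignment, not ZENworks code) encodes the forcing rules and combined-right requirements from this section; the function names, the dictionary layout, the `target_assign_allowed` flag and the treatment of an unset right as not allowed are assumptions.

```python
# Model of the Policy Rights rules in this section (illustrative, not a ZENworks API).
ALLOW, DENY = "Allow", "Deny"

POLICY_RIGHTS = [
    "View Leaf", "Modify Groups", "Create/Delete Groups",
    "Modify Group Membership", "Modify Folders", "Create/Delete Folders",
    "Author", "Publish", "Assign Policies", "Modify Settings",
    "Manage Configuration Policies", "Manage Security Policies",
    "View Audit Log", "View Audit Events",
]

# "Setting X to Allow forces Y to Allow"
FORCED_ALLOW = {
    "Create/Delete Groups": "Modify Groups",
    "Create/Delete Folders": "Modify Folders",
    "Publish": "Author",
    "View Audit Events": "View Audit Log",
}

# Rights that apply to a policy type only when its Manage right is allowed
TYPE_GATE = {
    "Configuration": "Manage Configuration Policies",
    "Security": "Manage Security Policies",
}
TYPE_GATED = {"Author", "Publish", "Modify Group Membership", "Assign Policies"}


def effective_rights(assigned):
    """Apply the forcing rules to a {right: Allow|Deny} assignment."""
    # Assumption: a right missing from the assignment is treated as not allowed.
    eff = {r: assigned.get(r, DENY) for r in POLICY_RIGHTS}
    if eff["View Leaf"] == DENY:  # Deny on View Leaf forces every other right to Deny
        return {r: DENY for r in POLICY_RIGHTS}
    for source, forced in FORCED_ALLOW.items():
        if eff[source] == ALLOW:
            eff[forced] = ALLOW
    return eff


def can(assigned, right, policy_type=None, target_assign_allowed=False):
    """True if `right` is usable on a policy of `policy_type`.

    target_assign_allowed stands for Device Rights - Assign Policies or
    User Rights - Assign Policies on the assignment target (set elsewhere).
    """
    eff = effective_rights(assigned)
    if eff[right] != ALLOW:
        return False
    if right in TYPE_GATED and eff.get(TYPE_GATE.get(policy_type)) != ALLOW:
        return False
    if right == "Assign Policies" and not target_assign_allowed:
        return False
    return True
```

Running a planned assignment through `effective_rights` before applying it shows rights the administrator gains implicitly, such as Author when only Publish was intended.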