3.6 Managing Administrator Roles

3.6.1 Understanding Administrator Roles

The roles feature allows Super Administrator to specify rights that can be assigned as roles for ZENworks administrators. You can create a specialized role, then assign administrators to that role to allow or deny them the ZENworks Control Center rights that you specify for that role. For example, you could create a Help Desk role with the ZENworks Control Center rights that you want help desk operators to have. You must be logged-in as a Super Administrator to create and manage the roles.

The following sections explain the different locations in ZENworks Control Center where you can manage roles:

Roles Panel

The Roles panel displays the following information:

Figure 3-1 Roles Panel

Roles Panel
  • Name: You specified this when you created the role. You can rename the role here. You can also click a role name to edit its rights configuration.

  • Types: Lists each ZENworks Control Center rights type that is configured for the role.

  • Allow: For each type listed, abbreviations are displayed to indicate the rights that are allowed for that role.

  • Deny: For each type listed, abbreviations are displayed to indicate the rights that are denied for that role.

If a right is configured as Unset, its abbreviation is not listed in either the Allow or Deny column.

In the Roles panel, you can add, assign, edit, rename, and delete a role.

Role Settings Page

If you click a role in the Name column on the Roles panel, the Role Settings page is displayed with the following information:

Figure 3-2 Role Settings Page

Role Settings Page
  • General panel: Displays the ZENworks Control Center object type (Role), its GUID, and a description that you can edit here.

  • Rights panel: Displays the ZENworks Control Center rights configured for the role. You can add, edit, and delete the rights in this panel.

  • Assigned Administrators panel: Lists the administrators and administrator groups assigned to this role. You can add, edit, or delete the administrators in this panel.

Administrator or Administrator Groups Settings Page

If you click an administrator in the Administrator column on the Roles Settings page and then click the Rights tab, the Administrator Settings page is displayed with the following information:

Figure 3-3 Administrator Settings Page

Administrator Settings Page

If you click an administrator group in the Administrator column on the Roles Settings page and then click the Rights tab, the Administrator Settings page is displayed with the following information:

Figure 3-4 Administrator Groups Settings Page

Administrator Settings Page
  • General panel: This panel is not displayed for an administrator group. Displays the administrator’s full name and provides the option to specify the administrator as a Super Administrator, which grants all ZENworks Control Center rights to that administrator, regardless of what is configured for the role.

  • Assigned Rights panel: Lists the rights that are assigned to the administrator, independent of rights granted or denied by any roles assigned to the administrator. The rights listed in this panel override any rights assigned by a role. You can add, edit, and delete rights in this panel.

  • Assigned Roles panel: Lists the roles assigned to this administrator. You can add, edit, and delete roles in this panel.

3.6.2 Creating a Role

A role can include one or more rights types. You can configure as many roles as you need. To configure the role’s function:

  1. In ZENworks Control Center, click Configuration in the left pane.

  2. In the Roles panel, click New to open the Add New Role dialog box:

    Add New Role Dialog Box
  3. Specify a name and description for the role.

  4. To configure the rights for the role, click Add and select a rights type from the drop-down list:

    Add Menu Option Drop-Down List
  5. In the following dialog box, select whether each privilege should be allowed, denied, or left unset.

    Zone Rights Dialog Box

    The most restrictive right set in ZENworks prevails. If you select the Deny option, the right is denied for any administrator assigned to that role, even if the administrator is granted that right elsewhere in ZENworks.

    If you select the Allow option and the right has not been denied elsewhere in ZENworks, the administrator has that right for the role.

    If you select the Unset option, the administrator is not granted the right for the role unless it is granted elsewhere in ZENworks.

  6. Click OK to continue.

  7. To add another rights type to the role, repeat Step 4 through Step 6.

  8. Click OK to exit the Add New Role dialog box.

    The role is now displayed in the Roles panel. To assign it to administrators, see Section 3.6.3, Assigning Roles.

3.6.3 Assigning Roles

You can assign roles to administrators, or administrators to roles:

Assigning Roles to Administrators

Rights can be set in multiple locations in ZENworks Control Center, including for administrators. Administrators can be assigned to multiple roles.

If an administrator has rights conflicts because different conditions are set for a particular right in ZENworks Control Center, the Deny option is used if it is set anywhere for the administrator. In other words, Deny always supersedes Allow when there are rights conflicts.

To assign roles to an administrator:

  1. In ZENworks Control Center, click Configuration in the left pane, click the Configuration tab, then in the Administrators panel, click an administrator name or an administrator group name in the Name column and then click the Rights tab to open the administrator’s settings page:

    Administrator Settings Page
  2. In the Assigned Roles panel, click Add to display the Select Role dialog box.

    Select Role Dialog Box
  3. Browse for and select the roles for the administrator, then click OK to display the Add Role Assignment dialog box:

    Add Role Assignment Dialog Box

    The Add Role Assignment dialog box is displayed so that you can define the contexts for the role types included in the role. A context allows you to limit where granted rights can be used. For example, you can specify that the administrator’s Quick Task Rights role is limited to the Devices folder in ZENworks Control Center.

    Contexts are not required. However, if you do not specify a context, the right is not granted because it has no information about where it can be applied.

    Rights that are global automatically display Zone as the context.

  4. If necessary, assign contexts to role types where they are missing:

    1. In the Types column, click a role type.

      Role types that are designated with the Zone context are not clickable because they are generally available.

    2. In the subsequent Select Context dialog box, click Add and browse for a ZENworks Control Center context.

      While browsing, you can select multiple contexts in the Browse dialog box.

    3. When you are finished selecting the contexts for a particular role, click OK to close the Select Contexts dialog box.

    4. Repeat Step 4.a through Step 4.c as necessary to assign contexts to the roles.

    5. When you are finished, click OK to close the Add Role Assignment dialog box.

  5. To add another administrator, repeat Step 2 and Step 4.

  6. Click Apply to save the changes.

Assigning Administrators to Roles

Rights can be set in multiple locations in ZENworks Control Center. Administrators can be assigned to multiple roles.

If an administrator has rights conflicts because different conditions are set for a particular right in ZENworks Control Center, the Deny option is used if it is set anywhere for the administrator. In other words, Deny always supersedes Allow when there are rights conflicts.

  1. In ZENworks Control Center, click Configuration in the left pane, click the Configuration tab, then in the Roles panel, click a role name in the Name column to open the role’s settings page:

    Role Settings Page
  2. In the Assigned Administrators panel, click Add to display the Select Administrator dialog box:

    Select Administrator Dialog Box
  3. Browse for and select the administrators or administrator groups for the role, then click OK to display the Add Role Assignment dialog box:

    Add Role Assignment Dialog Box

    The Add Role Assignment dialog box is displayed so that you can define the contexts for the role types included in the role. A context allows you to limit where granted rights can be used. For example, you can specify that the administrator’s Quick Task Rights role is limited to the Devices folder in ZENworks Control Center.

    Contexts are not required. However, if you do not specify a context, the right is not granted because it has no information about where it can be applied.

    Rights that are global automatically display Zone as the context.

  4. If necessary, assign contexts to role types where they are missing:

    1. In the Types column, click a role type.

      Role types that are designated with the Zone context are not clickable because they are generally available.

    2. In the subsequent Select Context dialog box, click Add and browse for a ZENworks Control Center context.

      While browsing, you can select multiple contexts in the Browse dialog box.

    3. When you are finished selecting the contexts for a particular role, click OK to close the Select Contexts dialog box.

    4. Repeat Step 4.a through Step 4.c as necessary to assign contexts to the roles.

    5. When you are finished, click OK to close the Add Role Assignment dialog box.

  5. To add another role, repeat Step 2 and Step 4.

  6. Click Apply to save the changes.

3.6.4 Editing a Role

You can edit a role’s configuration at any time. After you apply the edited role, its changes are then effective for any assigned administrator.

  1. In ZENworks Control Center, click Configuration in the left pane.

  2. In the Roles panel, select the check box for the role to be edited and click Edit to open the Edit Role dialog box:

    Edit Role Dialog Box
  3. To edit the description, make the changes directly in the Description field.

  4. To edit existing rights, do the following:

    1. In the Rights panel, select the check box for a rights type, then click Edit to open the Rights dialog box.

      For example, select Zone Rights to display the following dialog box:

      Zone Rights Dialog Box
    2. For each privilege, select whether it should be allowed, denied, or left unset.

      The most restrictive right set in ZENworks prevails. If you select the Deny option, the right is denied for any administrator assigned to that role, even if the administrator is granted that right elsewhere in ZENworks.

      If you select the Allow option and the right has not been denied elsewhere in ZENworks, the administrator has that right for the role.

      If you select the Unset option, the administrator is not granted the right for the role unless it is granted elsewhere in ZENworks.

    3. Click OK to continue.

    4. To edit another existing role, repeat Step 4.a through Step 4.c.

  5. (Optional) To add new rights:

    1. In the Rights panel, click Add, then select one of the rights types from the drop-down list:

      Add Menu Option with Drop-Down List
    2. In the Rights dialog box, select whether each privilege should be allowed, denied, or left unset.

      Zone Rights Dialog Box

      The most restrictive right set in ZENworks prevails. If you select the Deny option, the right is denied for any administrator assigned to that role, even if the administrator is granted that right elsewhere in ZENworks.

      If you select the Allow option and the right has not been denied elsewhere in ZENworks, the administrator has that right for the role.

      If you select the Unset option, the administrator is not granted the right for the role unless it is granted elsewhere in ZENworks.

    3. Click OK to continue.

    4. To add another rights type to the role, repeat Step 5.a through Step 5.c.

  6. To exit the dialog box and save your changes to the role, click OK.

3.6.5 Renaming a Role

Role names can be changed at any time. The changed role name is automatically replicated wherever it is displayed in ZENworks Control Center.

  1. In ZENworks Control Center, click Configuration in the left pane.

    Roles Panel
  2. In the Roles panel, select the check box for the role to be renamed.

  3. Click Edit > Rename to open the Rename Role dialog box:

  4. Specify the new role name, then click OK.

3.6.6 Deleting a Role

When you delete a role, its rights configurations are no longer applicable to any administrator that was assigned to the role.

Deleted roles cannot be recovered. You must re-create them.

  1. In ZENworks Control Center, click Configuration in the left pane.

  2. In the Roles panel, select the check box for the role to be deleted.

    Roles Panel
  3. Click Delete, then confirm that you want to delete the role.