When you create additional administrator accounts you can provide full access to your zone or you can create accounts with limited rights. For example, you could create an administrator account that enables the administrator to assign bundles to devices but doesn’t allow the administrator to create bundles. Or you could create an administrator account that allows access to all management tasks except those pertaining to Management Zone configuration (user sources, registration, configuration settings, and so forth). For information about creating additional administrators, see Creating Administrators.
For Administrator roles only, a third column of rights options is added to each rights assignment dialog box: , which allows rights set elsewhere in ZENworks to be used for the role.
The most restrictive right set in ZENworks prevails. Therefore, if you select the option, the right is denied for any administrator assigned to that role, even if the administrator is granted that right elsewhere in ZENworks.
If you select the option and the right has not been denied elsewhere in ZENworks, the administrator has that right for the role.
If you select the option, the administrator is not granted the right for the role unless it is granted elsewhere in ZENworks.
You can also add, modify, or remove the assigned rights for an existing administrator. For more information, see Section 2.2.2, Assigning Additional Rights, Section 2.2.3, Modifying Assigned Rights, or Section 2.2.4, Removing Assigned Rights.
The following sections contain additional information about the various rights that you can assign:
The Administrator Rights dialog box lets you allow the selected administrator to grant rights to other administrators and to create or delete administrator accounts for your Management Zone.
The following rights are available:
Grant Rights: Allow or deny the administrator the rights necessary to grant rights to other administrators.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete administrator accounts.
To grant any object rights to other administrators, an administrator must have the Grant Rights and the rights for that object. For example, to grant bundle rights to other administrators, an administrator must have both the Grant Rights and the Bundle Rights.
The Bundle Rights dialog box lets you select folders containing bundles, then modify the rights associated with those folders.
To select the folder that contains the bundles for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The section lets you grant the selected administrator rights to create or modify bundles, groups, and folders listed in the Contexts section.
The following rights are available:
Modify: Allow or deny the administrator the rights necessary to modify bundles.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete bundles.
Modify Groups: Allow or deny the administrator the rights necessary to modify the name or the description of the bundle groups.
Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete groups.
Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of bundles contained in bundle groups.
Modify Folder: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
Modify Settings: Allow or deny the administrator the rights necessary to modify settings.
Assign Bundles: Allow or deny the administrator the rights necessary to assign bundles to the devices or users.
The Contract Management Rights dialog box lets you select folders containing contracts, then modify the rights associated with contracts and folders.
To select the folder that contains the contracts for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The section lets you grant the selected administrator rights to contracts and folders listed in the Contexts section.
Modify: Allow or deny the administrator the rights necessary to modify the contracts.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete contracts.
Modify Folder: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
The Credential Rights dialog box lets you select folders containing credentials, then modify the rights associated with those folders.
Click to select the folder that contains the credentials for which you want to assign rights.
The Privileges section lets you grant the selected administrator rights to create or modify credentials, groups, and folders listed in the Contexts section.
The following rights are available:
Modify: Allow or deny the administrator the rights necessary to modify credentials.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete credentials.
Modify Folders: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
For more information about the tasks you can perform on credentials, see Section 5.0, Credential Vault.
The Deployment Rights dialog box lets you allow or deny the administrator the rights necessary to perform deployment operations.
Deployment lets you discover network devices and deploy the ZENworks Adaptive Agent to them so that they become managed devices in your Management Zone. For more information, see ZENworks Adaptive Agent Deployment
in the ZENworks 10 Configuration Management Discovery, Deployment, and Retirement ReferenceZENworks 10 Configuration Management Discovery, Deployment, and Retirement Reference.
The Device Rights dialog box lets you select folders containing devices, then modify the rights associated with those folders.
To select the folder that contains the devices for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The section lets you grant the selected administrator rights to work with devices, including device groups and folders listed in the Contexts section.
The following rights are available:
Modify: Allow or deny the administrator the rights necessary to modify the device objects.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete device objects.
Modify Groups: Allow or deny the administrator the rights necessary to modify groups.
Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete groups.
Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of devices contained in device groups.
Modify Folder: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
Modify Settings: Allow or deny the administrator the rights necessary to modify device settings.
Assign Policies: Allow or deny the administrator the rights necessary to assign policies to devices.
Assign Bundles: Allow or deny the administrator the rights necessary to assign bundles to devices.
The Discovery Rights dialog box lets you allow or deny the administrator the rights necessary to perform discovery operations.
The following rights are available:
Discovery: Allow or deny the administrator the right necessary to perform discovery.
Edit Discovered Device: Allow or deny the administrator the rights necessary to edit a discovered device.
The Document Rights dialog box lets you select folders containing documents, then modify the rights associated with documents and folders.
To select the folder that contains the documents for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The section lets you grant the selected administrator rights to create or modify documents and their folders listed in the Contexts section.
Modify: Allow or deny the administrator the rights necessary to reassign documents.
Create/Delete: Allow or deny the administrator the rights necessary to import or delete documents.
Modify Folder: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
The Inventoried Device Rights dialog box lets you select folders containing devices, then modify the rights associated with those folders.
To select the folder that contains the inventoried devices for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The section lets you grant the selected administrator rights to work with inventoried devices, including device groups and folders listed in the Contexts section.
The following rights are available:
Modify: Allow or deny the administrator the rights necessary to modify inventoried device objects.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete inventoried device objects.
Modify Groups: Allow or deny the administrator the rights necessary to modify device groups.
Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete device groups.
Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of devices contained in device groups.
Modify Folder: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
Modify Settings: Allow or deny the administrator the rights necessary to modify inventoried device settings.
The LDAP Import Rights dialog box lets you allow or deny importing of LDAP information.
The License Management Rights dialog box lets you select folders containing licenses, then modify the rights associated with licenses and folders.
To select the folder that contains the licenses for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The Privileges section lets you grant the administrator rights to work with the software license components associated with the contexts (folders) you selected in the Contexts section
Modify: Allow or deny the administrator the rights necessary to modify the licenses.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete licenses.
Modify Folder: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
The Patch Management Rights dialog box lets you determine which patch management functions an administrator can have.
The following rights are available:
Patch Deploy: Allow or deny the administrator the rights necessary to deploy patches.
Patch Enable: Allow or deny the administrator the rights necessary to enable a disabled patch.
Patch Disable: Allow or deny the administrator the rights necessary to disable a patch.
Patch Update Cache: Allow or deny the administrator the rights necessary to cache patches.
Assign to Baseline: Allow or deny the administrator the rights necessary to assign a patch to the baseline.
Remove from Baseline: Allow or deny the administrator the rights necessary to remove a patch that was assigned to the baseline.
View Patch Details: Allow or deny the administrator the rights necessary to view patch details.
Export Patch: Allow or deny the administrator the rights necessary to export patches.
Scan Now: Allow or deny the administrator the rights necessary to start a scan.
Remove Patch: Allow or deny the administrator the rights necessary to remove a patch.
Recalculate Baseline: Allow or deny the administrator the rights necessary to recalculate the baseline.
Configure: Allow or deny the administrator the rights necessary to configure the patch.
The Policy Rights dialog box lets you select folders containing policies, then modify the rights associated with those folders.
To select the folder that contains the policies for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The Privileges section lets you grant the selected administrator rights to work with policies, including policy groups and folders listed in the Contexts section
The following rights are available:
Modify: Allow or deny the administrator the rights necessary to modify the policies.
Create/Delete: Allow or deny the administrator the rights necessary to create or delete policies.
Modify Groups: Allow or deny the administrator the rights necessary to modify groups.
Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete policy groups.
Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of policies contained in policy groups.
Modify Folders: Allow or deny the administrator the rights necessary to modify folders.
Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.
Assign Policies: Allow or deny the administrator the rights necessary to assign policies to the devices or users.
The Quick Tasks Rights dialog box lets you select folders containing devices, then modify the Quick Task rights associated with those folders.
Quick Tasks are tasks that appear in ZENworks Control Center task lists (for example, Server Tasks, Workstation Tasks, Bundles Tasks, and so forth). When you click a task, either a wizard launches to step you through the task or a dialog box appears in which you enter information to complete the task.
You can use the Quick Tasks Rights dialog box to allow or deny the selected administrator the rights to perform certain tasks by using Quick Tasks.
To select the folder that contains the device for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The section lets you grant the administrator rights to modify the Quick Task rights associated with the contexts (folders) you selected in the Contexts section.
The following rights are available:
Shutdown/Reboot/Wake Up Devices: Specify whether the administrator can shut down, reboot, or wake up the devices in the folders you selected in the list.
Execute Processes: Allow or deny the administrator the rights necessary to execute processes on the devices.
Refresh ZENworks Adaptive Agent: Allow or deny the administrator the rights necessary to refresh the ZENworks Adaptive Agent on devices.
Install/Launch Bundles: Allow or deny the administrator the rights necessary to install or launch bundles. The administrator must also have Assign Bundles rights for devices to install or launch bundles using Quick Task options.
Inventory: Allow or deny the administrator the rights necessary to inventory devices.
Apply Image: Allow or deny the administrator the rights necessary to apply an image to devices.
Take Image: Allow or deny the administrator the rights necessary to take an image of a device.
The Remote Management Rights dialog box lets you select folders containing devices and users, then modify the Remote Management rights associated with those folders. Granting Remote Execute rights allows the administrator to execute processes in the system space.
To select the folder that contains the devices and users for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The Privileges section lets you grant the administrator rights to modify the Remote Management rights associated with the contexts (folders) you selected in the Contexts section.
The following rights are available:
Remote Control: Allow or deny the administrator the rights necessary to remotely control devices.
Remote View: Allow or deny the administrator the rights necessary to remotely view devices.
Transfer files: Allow or deny the administrator the rights necessary to transfer files to or from devices.
Remote Execute: Allow or deny the administrator the rights necessary to remotely execute processes on devices.
Remote Diagnostics: Allow or deny the administrator the rights necessary to perform remote diagnostic procedures on devices.
Unblock Remote Management Service: Allow or deny the administrator the rights necessary to unblock the Remote Management Service.
The Reporting Rights dialog box lets you allow or deny the administrator the rights to create, delete, execute, or publish reports.
The User Rights dialog box lets you select folders containing users, then modify the rights associated with those folders.
To select the folder that contains the users for which you want to assign rights, click to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.
The Privileges section lets you grant the selected administrator rights to work with users and folders listed in the Contexts section.
The following rights are available:
Modify ZENworks Group Membership: Allow or deny the rights necessary to modify ZENworks group membership. If you select this option, you must also grant rights to under .
Assign Policies: Allow or deny the administrator the rights necessary to assign policies to users.
Assign Bundles: Allow or deny the administrator the rights necessary to assign bundles to users.
The ZENworks User Group Rights dialog box lets you allow or deny the administrator the rights to create, delete, or modify groups and to modify group membership.
The following rights are available:
Modify Groups: Allow or deny the administrator the rights necessary to modify existing user groups.
Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete user groups.
Modify ZENworks Group Membership: Allow or deny the administrator the rights necessary to modify the ZENworks group membership. If you select this option, you must also grant rights to under .
Assign Policies: Allow or deny the administrator the rights necessary to modify the list of policies contained in policy groups.
Assign Bundles: Allow or deny the administrator the rights necessary to modify the list of bundles contained in policy groups.
The Zone Rights dialog box lets you modify the administrator’s rights to administer settings in your ZENworks Management Zone.
The following rights are available:
Modify User Sources: Allow or deny the administrator the rights necessary to modify user sources.
A user source is an LDAP directory that contains users that you want to reference in your ZENworks Management Zone. When you define a user source, you also define the source containers from which you want to read users and user groups.
Modifying user sources includes adding, removing, or renaming user sources and assigning policies or bundles to user sources.
Create/Delete User Sources: Allow or deny the administrator the rights necessary to create or delete user sources.
Modify Settings: Allow or deny the administrator the rights necessary to modify your Management Zone settings.
The Management Zone settings let you manage the global configuration settings for your Management Zone. These global configuration settings are inherited by other objects (devices, users, and folders) within your Management Zone and remain in effect unless they are overridden on those objects.
Modify Zone Infrastructure: Allow or deny the administrator the rights necessary to modify Zone infrastructure. This right includes the rights to perform the following actions in the Server Hierarchy section of the tab:
Specify content for a device
Move the device in the hierarchy
Configure a Satellite
Add a Satellite
Remove a Satellite
Other actions can be taken in the Server Hierarchy section. However, rights for those actions must be specified individually. They are not automatically included in the Modify Zone Infrastructure right. These are:
Configure Registration: Allow or deny the administrator the rights necessary to configure device registration.
Registration lets you manage the various configuration settings for registering devices as managed devices in the Management Zone. It also lets you create registration keys or registration rules to help you register devices. A registration key lets you apply group and folder assignments to devices as they register. A registration rule lets you apply group and folder assignments to folders if the device meets the rule criteria.
Delete News Alerts: Allow or deny the administrator the rights necessary to delete the news alerts.
Update News Alerts: Allow or deny the administrator the rights necessary to update the news alerts.