2.0 Best Practices

The following sections provide a best practice approach to managing ZENworks administrator accounts and rights.

Practice 1: Create an account for each administrator

Each user who will perform administrative tasks for ZENworks should have his or her own ZENworks administrator account. This allows you to individually control the rights that each administrator has within the system. It also allows you to know which administrator has made changes to the system (see the ZENworks Audit Management Reference).

For information about creating ZENworks administrator accounts, see Section 3.0, Managing Administrator Accounts.

Practice 2: Use administrator groups to reduce rights assignments

Use administrator groups to reduce the number of rights assignments you need to manage. You can create ZENworks administrator groups that exist only in the ZENworks system. You can also import user groups from your user sources to use as administrator groups, in which case the administrator group membership is managed through the user source.

For information about using administrator groups, see Section 4.0, Managing Administrator Groups.

Practice 3: Use administrator roles to provide assignment flexibility

An administrator role is a collection of rights that enable a specific ZENworks administrative task or tasks to be performed. For example, a Help Desk role might include the rights to remotely manage users’ workstations.

Roles provide the following advantages when assigning rights:

  • Roles can be assigned to administrators and to administrator groups.

  • When you create roles, you do not assign a context to them. The context is set when you assign the role to an administrator or administrator group. This means that you can use the same role for administrators who require the role in different contexts.

  • When you assign rights directly to an administrator or administrator group, you must set the right’s privileges to either Allow or Deny. However, when adding rights to a role, you can configure any of the right’s privileges as Unset. An unset privilege is not applied unless it is set elsewhere, such as on the administrator account, on a group in which the administrator is a member, or on another role.

For information about using administrator roles, see Section 5.0, Managing Administrator Roles.