Delegated administration and Director
Delegated administration uses three concepts: administrators, roles, and scopes. Permissions are based on an administrator’s role and the scope of this role. For example, an administrator might be assigned a Help Desk administrator role where the scope involves responsibility for end-users at one site only.
For information about creating delegated administrators, see the main delegated administration article.
Administrative permissions determine the Director interface presented to administrators and the tasks they can perform. Permissions determine:
- The views the administrator can access, collectively referred to as a view.
- The desktops, machines, and sessions that the administrator can view and interact with.
- The commands the administrator can perform, such as shadowing a user’s session or enabling maintenance mode.
The built-in roles and permissions also determine how administrators use Director:
Administrator Role | Permissions in Director |
---|---|
Full Administrator | Full access to all views and can perform all commands, including shadowing a user’s session, enabling maintenance mode, and exporting trends data. |
Delivery group Administrator | Full access to all views and can perform all commands, including shadowing a user’s session, enabling maintenance mode, and exporting trends data. |
Read Only Administrator | Can access all views and see all objects in specified scopes and global information. Can download reports from HDX channels and can export Trends data using the Export option in the Trends view. Cannot perform any other commands or change anything in the views. |
Help Desk Administrator | Can access only the Help Desk and User Details views and can view only objects that the administrator is delegated to manage. Can shadow a user’s session and perform commands for that user. Can perform maintenance mode operations. Can use power control options for Single-session OS Machines. Cannot access the Dashboard, Trends, Alerts, or Filters views. Cannot use power control options for Multi-session OS machines. |
Machine catalog administrator | Can access only the Machine Details page (Machine-based search). |
Host Administrator | No access. This administrator is not supported for Director and cannot view data. |
Configure custom roles for Director administrators
In Studio, you can also configure Director-specific, custom roles to more closely match the requirements of your organization and delegate permissions more flexibly. For example, you can restrict the built-in Help Desk administrator role so that this administrator cannot log off sessions.
If you create a custom role with Director permissions, you must also give that role other generic permissions:
- Delivery Controller permission to log on to Director - at least read only access in Administrator node
- Permissions to delivery groups to view the data related to those delivery groups in Director - at least read only access
Alternatively, you can create a custom role by copying an existing role and include extra permissions for different views. For example, you can copy the Help Desk role and include permissions to view the Dashboard or Filters pages.
Select the Director permissions for the custom role, which include:
- Perform Kill Application running on a machine
- Perform Kill Process running on a machine
- Perform Remote Assistance on a machine
- Reset user profiles
- View Client Details page
- View Dashboard page
- View Filters page
- View Machine Details page
- View Trends page
- View User Details page
In this example, Shadowing (Perform Remote Assistance on a machine) is turned off.
A permission can have dependencies on other permissions to become applicable on the UI. For example, selecting the Perform Kill Application running on a machine permission enables the End Application functionality only in those panels to which the role has permission. You can select the following panel permissions:
- View Filters page
- View User Details page
- View Machine Details page
- View Client Details page
In addition, from the list of permissions for other components, consider these permissions from delivery groups:
- Enable/disable maintenance mode of a machine using delivery group membership.
- Perform power operations on Windows Desktop machines using delivery group membership.
- Perform session management on machines using delivery group membership.