Administrative roles

The ability to view and manage objects within a Provisioning Server implementation is determined by the administrative role assigned to a group of users. Provisioning Services makes use of groups that already exist within the network (Windows or Active Directory Groups). All members within a group will share the same administrative privileges within a farm. An administrator may have multiple roles if they belong to more than one group.

The following administrative roles can be assigned to a group:

  • Farm Administrator
  • Site Administrator
  • Device Administrator
  • Device Operator

After a group is assigned an administrator role through the Console, if a member of that group attempts to connect to a different farm, a dialog displays requesting that a Provisioning Server within that farm be identified (the name and port number). You are also required to either use the Windows credentials you are currently logged in with (default setting), or enter your Active Directory credentials. Provisioning Services does not support using both domains and workgroups simultaneously.

When the information is sent to and received by the appropriate server farm, the role associated with the group that you are a member of determines your administrative privileges within this farm. Group role assignments can vary from farm to farm.

Managing farm administrators

Farm administrators can view and manage all objects within a farm. Farm administrators can also create new sites and manage role memberships throughout the entire farm. In the Console, farm-level tasks can only be performed by farm administrators. For example, only a farm administrator can create a new site within the farm.

Image of the farm architecture

When the farm is first configured using the Configuration Wizard, the administrator that creates the farm is automatically assigned the Farm Administrator role. While configuring the farm, that administrator selects the option to use either Windows or Active Directory credentials for user authorization within the farm. After the Configuration Wizard is run, additional groups can be assigned the Farm Administrator role in the Console.

To assign additional Farm Administrators

  1. In the Console, right-click on the farm to which the administrator role will be assigned, then select Properties. The Farm Properties dialog appears.
  2. On the Groups tab, highlight all the groups that will be assigned administrative roles in this farm, then click Add.
  3. On the Security tab, highlight all groups to which the Farm Administrator role will be assigned, then click Add.
  4. Click OK to close the dialog box.

Note:

The authorization method displays to indicate if Windows or Active Directory credentials are used for user authorization in this farm.

Managing site administrators

Site administrators have full management access to all the objects within a site. For example, the site administrator can manage Provisioning Servers, site properties, target devices, device collections, vDisk assignments and vDisk Pools.

Image of the site and collections

If a farm administrator assigns a site as the owner of a particular store, the site administrator can also manage that store. Managing a store includes tasks such as adding and removing vDisks from shared storage or assigning Provisioning Servers to the store. The site administrator can also manage device administrator and device operator memberships.

To assign the Site Administrator role to one or more groups and their members

  1. In the Console, right-click on the site for which the administrator role will be assigned, then select Properties. The Site Properties dialog appears.
  2. Click the Security tab, then click the Add button. The Add Security Group dialog appears.
  3. From the drop-down menu, select each group to associate with the site administrator role, then click OK.
  4. Optionally, repeat steps 2 and 3 to continue assigning additional site administrators.
  5. Click OK to close the dialog.

Managing device administrators

Device administrators manage device collections to which they have privileges. Management tasks include assigning and removing vDisks from a device, editing device properties and viewing vDisk Properties (read-only). Device collections consist of a logical grouping of devices. For example, a device collection could represent a physical location, a subnet range, or a logical grouping of target devices. A target device can only be a member of one device collection.

To assign the Device Administrator role to one or more groups and their members

  1. In the Console tree, expand the site where the device collection exists, then expand the Device Collections folder.
  2. Right-click on the device collection that you want to add device administrators to, then select Properties. The Device Collection Properties dialog appears.
  3. On the Security tab, under the Groups with ‘Device Administrator’ access list, click Add. The Add Security Group dialog appears.
  4. To assign a group with the device administrator role, select each system group that should have device administrator privileges, then click OK.
  5. Click OK to close the dialog box.

Managing device operators

A device operator has administrator privileges to perform the following tasks within a Device Collection for which they have privileges:

  • Boot and reboot a target device
  • Shut down a target device

To assign the Device Operator role to one or more groups

  1. In the Console tree, expand the site where the device collection exists, then expand the Device Collections folder.
  2. Right-click on the device collection that you want to add device operators to, then select Properties. The Device Collection Properties dialog appears.
  3. On the Security tab, under the Groups with ‘Device Operator’ access list, click Add. The Add Security Group dialog appears.
  4. To assign a group the Device Operator role, select each system group that should have device operator privileges, then click OK.
  5. Click OK to close the dialog box.
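
Because roles are granted to groups at farm, site, or device collection scope, and a user in several groups holds several roles, it helps to resolve which roles actually reach a given collection when reviewing assignments. The following is an added example, not Citrix code: it models the scoping described on this page, and every group, user, site, and collection name in it is constructed.

```python
# Added example: which PVS roles reach a given device collection, and via which group.
# Every group, user, site and collection name here is constructed sample data.
FARM, SITE, DEV_ADMIN, DEV_OP = (
    "Farm Administrator", "Site Administrator",
    "Device Administrator", "Device Operator")

COLLECTION_SITE = {"Lab-A": "Site1", "Kiosks": "Site1", "Branch": "Site2"}

# (group, role, scope): scope is None for the farm, a site name for
# Site Administrator, and a collection name for the two device roles.
GRANTS = [
    ("PVS-FarmAdmins", FARM, None),
    ("Site1-Admins", SITE, "Site1"),
    ("Lab-Techs", DEV_ADMIN, "Lab-A"),
    ("Helpdesk", DEV_OP, "Kiosks"),
    ("Helpdesk", DEV_OP, "Lab-A"),
]

USER_GROUPS = {
    "alice": {"PVS-FarmAdmins"},
    "bob": {"Site1-Admins", "Helpdesk"},
    "carol": {"Lab-Techs", "Helpdesk"},
    "dave": {"Helpdesk"},
}

def grant_applies(role, scope, collection):
    """True if a grant at this scope covers the given device collection."""
    if role == FARM:
        return True                                  # all objects within the farm
    if role == SITE:
        return scope == COLLECTION_SITE[collection]  # all objects within the site
    return scope == collection                       # device roles are per collection

def roles_on(user, collection):
    """Map each role the user holds on the collection to the groups granting it."""
    held = {}
    for group, role, scope in GRANTS:
        if group in USER_GROUPS.get(user, ()) and grant_applies(role, scope, collection):
            held.setdefault(role, set()).add(group)
    return held

def beyond_operator(collection):
    """Users holding any role on the collection other than Device Operator."""
    return sorted(u for u in USER_GROUPS
                  if set(roles_on(u, collection)) - {DEV_OP})

if __name__ == "__main__":
    for name in COLLECTION_SITE:
        print(name, beyond_operator(name))
```

The group-to-role mapping returned by roles_on shows which group membership to remove when a user holds more access to a collection than intended.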