Administrative roles

The ability to view and manage objects within a Citrix Provisioning server implementation is determined by the administrative role assigned to a group of users. Citrix Provisioning uses groups that exist within the network, either Windows or Active Directory groups. All members within a group share the same administrative privileges within a farm. An administrator has multiple roles if they belong to more than one group.

The following administrative roles can be assigned to a group:

  • Farm administrator
  • Site administrator
  • Device administrator
  • Device operator

After a group is assigned an administrator role through the Citrix Provisioning console, if a member of that group attempts to connect to a different farm, a dialog displays requesting that a provisioning server within that farm be identified (the name and port number). You are also required to either use the Windows credentials you are currently logged in with (default setting), or enter your Active Directory credentials. Citrix Provisioning does not support using both domain and workgroups simultaneously.

When the information is sent to and received by the appropriate server farm, the role associated with the group that you are a member of determines your administrative privileges within this farm. Group role assignments can vary from farm to farm.

Managing farm administrators

Farm administrators can view and manage all objects within a farm. Farm administrators can also create sites and manage role memberships throughout the entire farm. In the Citrix Provisioning console, farm-level tasks are performed by farm administrators. For example, only a farm administrator can create a site within the farm.

Image of the farm architecture

When the farm is first configured using the Configuration Wizard, the administrator that creates the farm is automatically assigned the farm administrator role. While configuring the farm, that administrator selects the option to use either Windows or Active Directory credentials for user authorization within the farm. After an administrator runs the Configuration Wizard, more groups can be assigned the farm administrator role in the console.

To assign more farm administrators

  1. In the console, right-click on the farm to which the administrator role is assigned, then select Properties. The Farm Properties dialog appears.
  2. On the Groups tab, highlight all the groups assigned administrative roles in this farm, then click Add.
  3. On the Security tab, highlight all groups to which the farm administrator role is assigned, then click Add.
  4. Click OK to close the dialog box.

Note:

The authorization method displays to indicate if Windows or Active Directory credentials are used for user authorization in this farm.

Managing site administrators

Site administrators have full management access to all the objects within a site. For example, the site administrator can manage provisioning servers, site properties, target devices, device collections, vDisk assignments, and vDisk Pools.

Image of the site and collections

If a farm administrator assigns a site as the owner of a particular store, the site administrator can also manage that store. Managing a store includes tasks such as adding and removing vDisks from shared storage or assigning provisioning servers to the store. The site administrator can also manage device administrator and device operator memberships.

To assign the site administrator role to one or more groups and their members

  1. In the console, right-click on the site for which the administrator role is assigned, then select Properties. The Site Properties dialog appears.
  2. Click the Security tab, then click the Add button. The Add Security Group dialog appears.
  3. From the drop-down menu, select each group to associate with the site administrator role, then click OK.
  4. Optionally, repeat steps 2 and 3 to continue assigning more site administrators.
  5. Click OK to close the dialog.

Managing device administrators

Device administrators manage device collections to which they have privileges. Management tasks include assigning and removing vDisks from a device, editing device properties and viewing read-only vDisk Properties. Device collections consist of a logical grouping of devices. For example, a device collection could represent a physical location, a subnet range, or a logical grouping of target devices. A target device can only be a member of one device collection.

To assign the device administrator role to one or more groups and their members

  1. In the console, expand the site where the device collection exists, then expand the Device Collections folder.
  2. Right-click on the device collection that you want to add device administrators to, then select Properties. The Device Collection Properties dialog appears.
  3. On the Security tab, under the Groups with Device Administrator access list, click Add. The Add Security Group dialog appears.
  4. To assign a group with the device administrator role, select each system group that should have device administrator privileges, then click OK.
  5. Click OK to close the dialog box.

Managing device operators

A device operator has administrator privileges to perform the following tasks within a device collection for which they have privileges:

  • Boot and reboot a target device
  • Shut down a target device

To assign the device operator role to one or more groups

  1. In the console, expand the site where the device collection exists, then expand the Device Collections folder.
  2. Right-click on the device collection that you want to add device operators to, then select Properties. The Device Collection Properties dialog appears.
  3. On the Security tab, under the Groups with Device Operator access list, click Add. The Add Security Group dialog appears.
  4. To assign a group the device operator role, select each system group that should have device operator privileges, then click OK.
  5. Click OK to close the dialog box.
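
Because a user holds every role granted to any group they belong to, and farm and site roles reach down to the collections beneath them, reviewing who can act on a given device collection means combining group membership with role scope. The following is an added example, not Citrix code: it resolves the roles that apply to each user on a collection from constructed data. All group, user, site, and collection names are made up, and the data layout is an assumption for illustration, not a Citrix Provisioning export format.

```python
# Constructed sample data: users, groups, sites and collections are made up.
MEMBERSHIPS = {
    "alice": {"PVS-FarmAdmins"},
    "bob": {"PVS-SiteA-Admins", "PVS-Lab1-Operators"},
    "carol": {"PVS-Lab1-DeviceAdmins", "PVS-Lab2-Operators"},
}

# (group, role, scope). Scope is ("farm",), ("site", site) or
# ("collection", site, collection), mirroring where each role is assigned.
ASSIGNMENTS = [
    ("PVS-FarmAdmins", "farm administrator", ("farm",)),
    ("PVS-SiteA-Admins", "site administrator", ("site", "SiteA")),
    ("PVS-Lab1-DeviceAdmins", "device administrator", ("collection", "SiteA", "Lab1")),
    ("PVS-Lab1-Operators", "device operator", ("collection", "SiteA", "Lab1")),
    ("PVS-Lab2-Operators", "device operator", ("collection", "SiteB", "Lab2")),
]


def scope_covers(scope, site, collection):
    """Farm scope covers every collection; site scope covers that site's collections."""
    if scope[0] == "farm":
        return True
    if scope[0] == "site":
        return scope[1] == site
    return scope[1:] == (site, collection)


def effective_roles(user, site, collection):
    """Roles that apply to `user` on one device collection, via any of their groups."""
    groups = MEMBERSHIPS.get(user, set())
    return {role for group, role, scope in ASSIGNMENTS
            if group in groups and scope_covers(scope, site, collection)}


def audit(collections):
    """Map each (site, collection) to {user: sorted roles}; users with no role are omitted."""
    report = {}
    for site, coll in collections:
        report[(site, coll)] = {
            user: sorted(roles) for user in sorted(MEMBERSHIPS)
            if (roles := effective_roles(user, site, coll))
        }
    return report


if __name__ == "__main__":
    for target, users in audit([("SiteA", "Lab1"), ("SiteB", "Lab2")]).items():
        print(target, users)
```

A user who appears with more than one role on the same collection, such as "bob" above, is a candidate for group cleanup during an access review.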