Product Documentation

Configuring Roles with RBAC

May 20, 2015
The Role-Based Access Control (RBAC) feature in XenMobile lets you assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions.

XenMobile implements four default user roles to logically separate access to system functions:

  • Administrator. Grants full system access.
  • Support. Grants access to remote support.
  • User. Used by users who can enroll devices and access the Self Help Portal.

You can also create new user roles with permissions to access specific system functions beyond the functions defined by these default roles by using the default roles as templates that you customize.

Roles can be assigned to local users (at the user level) or to Active Directory groups (all users in that group have the same permissions). If a user belongs to several Active Directory groups, all the permissions are merged together to define the permissions for that user. For example, if ADGroupA users can locate manager devices, and ADGroupB users can wipe employee devices, then a user who belongs to both groups can locate and wipe devices of managers and employees.
Note: Local users may have only one role assigned to them.

You can use the RBAC feature in XenMobile to do the following:

  • Create a new role.
  • Add groups to a role.
  • Associate local users to roles.
  1. In the XenMobile console, click Configure > Settings > Role-Based Access Control.


    Select RBAC


    The Role page appears, which displays the four default user roles, plus any roles you have previously added.


    RBAC page


    Note: If you click the plus sign (+) next to a role, the role expands to show all the permissions for that role, as shown in the following figure.


    Expand user role


  2. Click Add to add a new user role, click the pen icon to the right of an existing role to edit the role, or click the trash can icon to the right of a role you previously defined to delete the role. You cannot delete the default user roles.
    • When you click Add or the pen icon, the Add Role or the Edit Role page appears.


      Add RBAC role


    • When you click the trash can icon, a confirmation dialog appears. Click Delete to remove the selected role.
  3. Enter the following information to create a new user role or to edit an existing user role:
    1. RBAC name: Enter a descriptive name for the new user role. You cannot change the name of an existing role.
    2. RBAC template: Click a template as the starting point for the new role or click a new template for an existing role.
      Note: RBAC templates are the default user roles, plus any roles that you have previously defined. They define the access users associated with that role have to system functions. After you select an RBAC template, you can see all of the permissions associated with that role in Authorized Access and Console Features fields. Using a template is optional; you can directly select the options you want to assign to a role in the Authorized Access and Console Features fields.


      Select RBAC template


      • Click Apply to populate the Authorized access and Console features check boxes with the pre-defined access and feature permissions for the selected template.
      • Select and clear the check boxes in Authorized access and Console features to customize the role.
        Note: If you click the triangle next to a Console feature, permissions specific to that feature appear that you can select and clear. Clicking the top-level check box allows read-only access to that console part; you must select individual options below the top level to enable write/update access for that option. For example, in the following figure, the user has read-only access to the Clear Restrictions option.


        RBAC console features


    3. Apply permissions: Select the groups to which you want to apply the selected permissions.


      Apply RBAC permissions


    If you click To specific user groups, a list of groups appears from which you can select one or more groups.
  4. Click Next. The Assignment page appears.



  5. Enter the following information to assign the role to user groups and then click Save.
    1. Select domain: In the list, click a domain.
    2. Include user groups: Click Search to see a list of all available groups, or type a full or partial group name to limit the list to only groups with that name.
    3. In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.


      RBAC group assignment


      To remove a user group from the Selected user groups list, do one of the following:
      • Click Search to see a list of all user groups in the selected domain.
      • Type a full or partial group name in the search box, and then click Search to limit the list of user groups.

      User groups in the list have check marks next to their name in the resulting list. Scroll through the list and clear the check box next to each group you want to remove.