3.5 Rights Descriptions

When you create additional administrator accounts you can provide full access to your zone or you can create accounts with limited rights. For example, you could create an administrator account that enables the administrator to assign bundles to devices but doesn’t allow the administrator to create bundles, or you could create an administrator account that allows access to all management tasks except those pertaining to Management Zone configuration (user sources, registration, configuration settings, and so forth). For information about creating additional administrators, see Creating Administrators.

For Administrator roles only, a third column of rights options is added to each rights assignment dialog box: Unset, which allows rights set elsewhere in ZENworks to be used for the role.

The most restrictive right set in ZENworks prevails. Therefore, if you select the Deny option, the right is denied for any administrator assigned to that role, even if the administrator is granted that right elsewhere in ZENworks.

If you select the Allow option and the right has not been denied elsewhere in ZENworks, the administrator has that right for the role.

If you select the Unset option, the administrator is not granted the right for the role unless it is granted elsewhere in ZENworks.

You can also add, modify, or remove the assigned rights for an existing administrator. For more information, see Section 3.2.2, Assigning Additional Rights, Section 3.2.3, Modifying Assigned Rights, or Section 3.2.4, Removing Assigned Rights.

The following sections contain additional information about the various rights that you can assign:

3.5.1 Administrator Rights

The Administrator Rights dialog box lets you allow the selected administrator to grant rights to other administrators and to create or delete administrator accounts for your Management Zone.

The following rights are available:

  • Grant Rights: Allow or deny the administrator the rights necessary to grant rights to other administrators.

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete administrator accounts.

  • Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete administrator group accounts.

  • Modify Groups: Allow or deny the administrator the rights necessary to modify administrator group accounts.

To grant any object rights to other administrators, an administrator must have the Grant Rights and the rights for that object. For example, to grant bundle rights to other administrators, an administrator must have both the Grant Rights and the Bundle Rights.

3.5.2 Bundle Rights

The Bundle Rights dialog box lets you select folders containing bundles, then modify the rights associated with those folders.

Contexts

To select the folder that contains the bundles for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to create or modify bundles, groups, and folders listed in the Contexts section.

The following rights are available:

  • Modify Groups: Allow or deny the administrator the rights necessary to modify the name or the description of the bundle groups.

  • Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete groups.

  • Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of bundles contained in bundle groups.

  • Modify Folders: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

  • Author: Allow or deny the administrator the rights necessary to perform changes on bundles, which can be then tested in a testing environment.

  • Publish: Allow or deny the administrator the rights necessary to publish tested changes into the production environment. If you assign the publish rights, the author rights also gets assigned by default.

  • Modify Settings: Allow or deny the administrator the rights necessary to modify settings.

    NOTE:If you have the Publish rights, then you must also have the Modify Settings right to edit the bundle details such as the bundle’s description, ZENworks Explorer Folder Path, system requirements, and publish a bundle that has existing assignments to a new version. For more information on this, see the trouble shooting scenarios in the Troubleshooting chapter of the ZENworks 11 Software Distribution Reference

  • Assign Bundles: Allow or deny the administrator the rights necessary to assign bundles to the devices or users.

3.5.3 Contract Management Rights

The Contract Management Rights dialog box lets you select folders containing contracts, then modify the rights associated with contracts and folders.

Contexts

To select the folder that contains the contracts for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to contracts and folders listed in the Contexts section.

  • Modify: Allow or deny the administrator the rights necessary to modify the contracts.

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete contracts.

  • Modify Folder: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

3.5.4 Credential Rights

The Credential Rights dialog box lets you select folders containing credentials, then modify the rights associated with those folders.

Contexts

Click Add to select the folder that contains the credentials for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to create or modify credentials, groups, and folders listed in the Contexts section.

The following rights are available:

  • Modify: Allow or deny the administrator the rights necessary to modify credentials.

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete credentials.

  • Modify Folders: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

For more information about the tasks you can perform on credentials, see Section 7.0, Credential Vault.

3.5.5 Deployment Rights

The Deployment Rights dialog box lets you allow or deny the administrator the rights necessary to perform deployment operations.

Deployment lets you discover network devices and deploy the ZENworks Adaptive Agent to them so that they become managed devices in your Management Zone. For more information, see ZENworks Adaptive Agent Deployment in the ZENworks 11 Discovery, Deployment, and Retirement Reference.

3.5.6 Device Rights

The Device Rights dialog box lets you select folders containing devices, then modify the rights associated with those folders.

Contexts

To select the folder that contains the devices for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to work with devices, including device groups and folders listed in the Contexts section.

The following rights are available:

  • Modify: Allow or deny the administrator the rights necessary to modify the device objects.

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete device objects.

  • Modify Groups: Allow or deny the administrator the rights necessary to modify groups.

  • Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete groups.

  • Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of devices contained in device groups.

  • Modify Folder: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

  • Modify Settings: Allow or deny the administrator the rights necessary to modify device settings.

  • Assign Bundles: Allow or deny the administrator the rights necessary to assign bundles to devices.

  • Assign Policies: Allow or deny the administrator the rights necessary to assign policies to devices.

  • Manage ERI: Allow or deny the administrator the rights necessary to manage the Emergency Recovery Information (ERI) for device objects. This includes downloading ERI files to use with an Emergency Recovery Disk, viewing ERI file passwords, and deleting ERI files.

3.5.7 Discovery Rights

The Discovery Rights dialog box lets you allow or deny the administrator the rights necessary to perform discovery operations.

The following rights are available:

  • Discovery: Allow or deny the administrator the right necessary to perform discovery.

  • Edit Discovered Device: Allow or deny the administrator the rights necessary to edit a discovered device.

3.5.8 Document Rights

The Document Rights dialog box lets you select folders containing documents, then modify the rights associated with documents and folders.

Contexts

To select the folder that contains the documents for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to create or modify documents and their folders listed in the Contexts section.

  • Modify: Allow or deny the administrator the rights necessary to reassign documents.

  • Create/Delete: Allow or deny the administrator the rights necessary to import or delete documents.

  • Modify Folder: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

3.5.9 Inventoried Device Rights

The Inventoried Device Rights dialog box lets you select folders containing devices, then modify the rights associated with those folders.

Contexts

To select the folder that contains the inventoried devices for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to work with inventoried devices, including device groups and folders listed in the Contexts section.

The following rights are available:

  • Modify: Allow or deny the administrator the rights necessary to modify inventoried device objects.

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete inventoried device objects.

  • Modify Groups: Allow or deny the administrator the rights necessary to modify device groups.

  • Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete device groups.

  • Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of devices contained in device groups.

  • Modify Folder: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

  • Modify Settings: Allow or deny the administrator the rights necessary to modify inventoried device settings.

3.5.10 LDAP Import Rights

The LDAP Import Rights dialog box lets you allow or deny importing of LDAP information.

3.5.11 License Management Rights

The License Management Rights dialog box lets you select folders containing licenses, then modify the rights associated with licenses and folders.

Contexts

To select the folder that contains the licenses for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the administrator rights to work with the software license components associated with the contexts (folders) you selected in the Contexts section

  • Modify: Allow or deny the administrator the rights necessary to modify the licenses.

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete licenses.

  • Modify Folder: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

3.5.12 Location Rights

The Location Rights dialog box lets you modify rights associated with locations in your Management zone. The following rights are available:

  • Modify: Allow or deny the administrator the rights necessary to modify the locations

  • Create/Delete: Allow or deny the administrator the rights necessary to create or delete locations.

3.5.13 Patch Management Rights

The Patch Management Rights dialog box lets you determine which patch management functions an administrator can have.

The following rights are available:

  • Patch Deploy: Allow or deny the administrator the rights necessary to deploy patches.

  • Patch Enable: Allow or deny the administrator the rights necessary to enable a disabled patch.

  • Patch Disable: Allow or deny the administrator the rights necessary to disable a patch.

  • Patch Update Cache: Allow or deny the administrator the rights necessary to cache patches.

  • Assign to Baseline: Allow or deny the administrator the rights necessary to assign a patch to the baseline.

  • Remove from Baseline: Allow or deny the administrator the rights necessary to remove a patch that was assigned to the baseline.

  • View Patch Details: Allow or deny the administrator the rights necessary to view patch details.

  • Export Patch: Allow or deny the administrator the rights necessary to export patches.

  • Scan Now: Allow or deny the administrator the rights necessary to start a scan.

  • Remove Patch: Allow or deny the administrator the rights necessary to remove a patch.

  • Recalculate Baseline: Allow or deny the administrator the rights necessary to recalculate the baseline.

  • Configure: Allow or deny the administrator the rights necessary to configure the patch.

3.5.14 Policy Rights

The Policy Rights dialog box lets you select folders containing policies, then modify the rights associated with those folders.

Contexts

To select the folder that contains the policies for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to work with policies, including policy groups and folders listed in the Contexts section

The following rights are available:

  • Modify Groups: Allow or deny the administrator the rights necessary to modify policy groups.

  • Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete policy groups.

  • Modify Group Membership: Allow or deny the administrator the rights necessary to modify the list of policies contained in policy groups.

  • Modify Folders: Allow or deny the administrator the rights necessary to modify folders.

  • Create/Delete Folders: Allow or deny the administrator the rights necessary to create or delete folders.

  • Author: Allow or deny the administrator the rights necessary to create, modify, and delete policies. If you enable this right, you must also specify the type of policies (Configuration policies, Security polices, or both) that the administrator can author by enabling the Manage Configuration Policies right and/or the Manage Security Policies right.

  • Publish: Allow or deny the administrator the rights necessary to publish policies. If you enable this right, you must also specify the type of policies (Configuration policies, Security polices, or both) that the administrator can publish by enabling the Manage Configuration Policies right and/or the Manage Security Policies right.

  • Assign Policies: Allow or deny the administrator the rights necessary to assign policies to the devices or users. If you enable this right, you must also specify the type of policies (Configuration policies, Security polices, or both) that the administrator can assign by enabling the Manage Configuration Policies right and/or the Manage Security Policies right.

  • Manage Configuration Policies: Apply the Author, Publish, and Assign Policies rights to Configuration policies. For example, to create, delete, and modify Configuration policies, both the Author right and this right must be enabled. To publish Configuration policies, both the Publish right and this right must be enabled. To assign Configuration policies, both the Assign Policies right and this right must be enabled.

    Configuration policies are provided by ZENworks Configuration Management and include the Windows Configuration policies (Browser Bookmarks policy, Dynamic Local User policy, Local File Rights policy, Printer policy, Remote Management policy, Roaming Profile policy, SNMP policy, Windows Group policy, and ZENworks Explorer Configuration policy) and the Linux Configuration policies (External Services policy and Puppet policy).

  • Manage Security Policies: Apply the Author, Publish, and Assign Policies rights to Security policies. For example, to create, delete, and modify Security policies, both the Author right and this right must be enabled. To publish Security policies, both the Publish right and this right must be enabled. To assign Security policies, both the Assign Policies right and this right must be enabled.

    Security policies are provided by ZENworks Endpoint Security Management (Application Control policy, Communication Hardware policy, Data Encryption policy, Firewall policy, Location Assignment policy, Scripting policy, Security Settings policy, Storage Device Control policy, USB Connectivity policy, VPN Enforcement policy, and Wi-Fi policy) and ZENworks Full Disk Encryption (Full Disk Encryption policy).

3.5.15 Quick Task Rights

The Quick Tasks Rights dialog box lets you select folders containing devices, then modify the Quick Task rights associated with those folders.

Quick Tasks are tasks that appear in ZENworks Control Center task lists (for example, Server Tasks, Workstation Tasks, Bundles Tasks, and so forth). When you click a task, either a wizard launches to step you through the task or a dialog box appears in which you enter information to complete the task.

You can use the Quick Tasks Rights dialog box to allow or deny the selected administrator the rights to perform certain tasks by using Quick Tasks.

Contexts

To select the folder that contains the device for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the administrator rights to modify the Quick Task rights associated with the contexts (folders) you selected in the Contexts section.

The following rights are available:

  • Shutdown/Reboot/Wake Up Devices: Specify whether the administrator can shut down, reboot, or wake up the devices in the folders you selected in the list.

  • Execute Processes: Allow or deny the administrator the rights necessary to execute processes on the devices.

  • Refresh ZENworks Adaptive Agent: Allow or deny the administrator the rights necessary to refresh the ZENworks Adaptive Agent on devices.

  • Install/Launch Bundles: Allow or deny the administrator the rights necessary to install or launch bundles. The administrator must also have Assign Bundles rights for devices to install or launch bundles using Quick Task options.

  • Manage Endpoint Security Settings and Tasks: Allow or deny the administrator the rights necessary to use Quick Tasks to clear the user-defined encryption password, the local client self defense setting, and the local firewall registration setting. Clearing the local client self defense and firewall registration settings overrides any local changes and reinstates the policy settings.

  • Inventory: Allow or deny the administrator the rights necessary to inventory devices.

  • Apply Image: Allow or deny the administrator the rights necessary to apply an image to devices.

  • Take Image: Allow or deny the administrator the rights necessary to take an image of a device.

3.5.16 Remote Management Rights

The Remote Management Rights dialog box lets you select folders containing devices and users, then modify the Remote Management rights associated with those folders. Granting Remote Execute rights allows the administrator to execute processes in the system space.

Contexts

To select the folder that contains the devices and users for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the administrator rights to modify the Remote Management rights associated with the contexts (folders) you selected in the Contexts section.

The following rights are available:

  • Remote Control: Allow or deny the administrator the rights necessary to remotely control devices.

  • Remote View: Allow or deny the administrator the rights necessary to remotely view devices.

  • Transfer files: Allow or deny the administrator the rights necessary to transfer files to or from devices.

  • Remote Execute: Allow or deny the administrator the rights necessary to remotely execute processes on devices.

  • Remote Diagnostics: Allow or deny the administrator the rights necessary to perform remote diagnostic procedures on devices.

  • Unblock Remote Management Service: Allow or deny the administrator the rights necessary to unblock the Remote Management Service.

3.5.17 Reporting Rights

The Reporting Rights dialog box lets you select folders containing reports, then allows or denies you the rights to create, delete, execute, or publish reports.

Contexts

To select the folder that contains the reports for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the administrator rights to work with reports associated with the contexts (folders) you selected in the Contexts section.

  • Execute/Publish Report Right: Allows the administrator to schedule reports and manage historical report instances. This right does not allow administrators to create or delete reports or folders within the folder to which the right is assigned. However, the administrator can copy the reports from one folder to another if the destination folder is assigned the Create/Delete Reports right.

  • Create/Delete Report Right: Includes the Execute/Publish Report right. It allows the administrators to create, modify, or delete Web Intelligence documents and folders within the folder to which the right is conferred.

3.5.18 Subscription Rights

The Subscription Rights dialog box lets you allow or deny the administrator the rights to create and delete subscriptions.

3.5.19 User Rights

The User Rights dialog box lets you select folders containing users, then modify the rights associated with those folders.

Contexts

To select the folder that contains the users for which you want to assign rights, click Add to display the Contexts dialog box, then browse for and select the folders for which you want to assign rights.

Privileges

The Privileges section lets you grant the selected administrator rights to work with users and folders listed in the Contexts section.

The following rights are available:

  • Modify ZENworks Group Membership: Allow or deny the rights necessary to modify ZENworks group membership. If you select this option, you must also grant rights to Modify ZENworks Group Membership under ZENworks User Group Rights.

  • Assign Policies: Allow or deny the administrator the rights necessary to assign policies to users.

  • Assign Bundles: Allow or deny the administrator the rights necessary to assign bundles to users.

3.5.20 ZENworks User Group Rights

The ZENworks User Group Rights dialog box lets you allow or deny the administrator the rights to create, delete, or modify groups and to modify group membership.

The following rights are available:

  • Modify Groups: Allow or deny the administrator the rights necessary to modify existing user groups.

  • Create/Delete Groups: Allow or deny the administrator the rights necessary to create or delete user groups.

  • Modify ZENworks Group Membership: Allow or deny the administrator the rights necessary to modify the ZENworks group membership. If you select this option, you must also grant rights to Modify ZENworks Group Membership under User Rights.

  • Assign Policies: Allow or deny the administrator the rights necessary to modify the list of policies contained in policy groups.

  • Assign Bundles: Allow or deny the administrator the rights necessary to modify the list of bundles contained in policy groups.

3.5.21 Zone Rights

The Zone Rights dialog box lets you modify the administrator’s rights to administer settings in your ZENworks Management Zone.

The following rights are available:

  • Modify User Sources: Allow or deny the administrator the rights necessary to modify user sources.

    A user source is an LDAP directory that contains users that you want to reference in your ZENworks Management Zone. When you define a user source, you also define the source containers from which you want to read users and user groups.

    Modifying user sources includes adding, removing, or renaming user sources and assigning policies or bundles to user sources.

  • Create/Delete User Sources: Allow or deny the administrator the rights necessary to create or delete user sources.

  • Modify Settings: Allow or deny the administrator the rights necessary to modify your Management Zone settings.

    The Management Zone settings let you manage the global configuration settings for your Management Zone. These global configuration settings are inherited by other objects (devices, users, and folders) within your Management Zone and remain in effect unless they are overridden on those objects.

  • Modify Zone Infrastructure: Allow or deny the administrator the rights necessary to modify Zone infrastructure. This right includes the rights to perform the following actions in the Server Hierarchy section of the Configuration tab:

    • Specify content for a device

    • Move the device in the hierarchy

    • Configure a Satellite

    • Add a Satellite

    • Remove a Satellite

    Other actions can be taken in the Server Hierarchy section. However, rights for those actions must be specified individually. They are not automatically included in the Modify Zone Infrastructure right. These are:

  • Configure Registration: Allow or deny the administrator the rights necessary to configure device registration.

    Registration lets you manage the various configuration settings for registering devices as managed devices in the Management Zone. It also lets you create registration keys or registration rules to help you register devices. A registration key lets you apply group and folder assignments to devices as they register. A registration rule lets you apply group and folder assignments to folders if the device meets the rule criteria.

  • Create/Delete Local Products: Allow or deny the administrator the rights necessary to create or delete local software products in the ZENworks Knowledgebase used for asset inventory.

  • Manage FDE PBA Override: Allow or deny the administrator the rights necessary to use the Pre-Boot Authentication Override tool (Full Disk Encryption > Pre-Boot Authentication Override). The Pre-Boot Authentication Override tool generates challenge/response data that a user can enter during the PBA login to override the PBA and access the device’s encrypted drives (for example, in the case of a forgotten password).

  • Delete News Alerts: Allow or deny the administrator the rights necessary to delete the news alerts.

  • Update News Alerts: Allow or deny the administrator the rights necessary to update the news alerts.

3.5.22 Inventory Report Rights

The Inventory Report Rights panel allows you to manage each administrator’s rights for each folder and its reports.

Each report folder has rights associated with it, governing all the reports within that folder. For example, if you have full rights, you can edit a report; but with view/execute rights, you can only see the report and run it. With inventory report rights, you can limit who has access to certain reports and who can edit them. The report folder type, custom or standard, and the report name are listed along with the rights associated with the folder. The choices are Remove All Rights, Assign View/Execute Rights, and Assign Full Rights.

Available Tasks

You can perform the following tasks:

Task

Steps

Additional Details

Remove all rights

  1. Select the report folder.

  2. Click Edit > Remove All Rights.

This removes all rights to the folder, so the specified administrator cannot see it.

Assign view/execute rights

  1. Select the report folder.

  2. Click Edit > Assign View/Execute Rights.

This allows the specified administrator to view and execute a report in the specified folder, but not to edit, move, or delete a report in that folder.

Assign full rights

  1. Select the report folder.

  2. Click Edit > Assign Full Rights.

This gives the specified administrator full rights to create, edit, move, and delete reports. For standard reports, this setting is the same as View/Execute, because you cannot alter a standard report.

3.5.23 Asset Management Report Rights

The Asset Management Report Rights panel allows you to manage each administrator’s rights for each folder and its reports.

Each report folder has rights associated with it, governing all the reports within that folder. For example, if you have full rights, you can edit a report; but with view/execute rights, you can only see the report and run it. With asset management report rights, you can limit who has access to certain reports and who can edit them. The report folder type, custom or standard, and the report name are listed along with the rights associated with the folder. The choices are Remove All Rights, Assign View/Execute Rights, and Assign Full Rights.

Available Tasks

You can perform the following tasks:

Task

Steps

Additional Details

Remove all rights

  1. Select the report folder.

  2. Click Edit > Remove All Rights.

This removes all rights to the folder, so the specified administrator cannot see it.

Assign view/execute rights

  1. Select the report folder.

  2. Click Edit > Assign View/Execute Rights.

This allows the specified administrator to view and execute a report in the specified folder, but not to edit, move, or delete a report in that folder.

Assign full rights

  1. Select the report folder.

  2. Click Edit > Assign Full Rights.

This gives the specified administrator full rights to create, edit, move, and delete reports. For standard reports, this setting is the same as View/Execute, because you cannot alter a standard report.