Basic Tenets of Role Based Administration!
In this article I want to introduce the new format for Role Based Administration (RBA). At first glance, RBA can seem exasperatingly complex. There is some basic information that, once understood, will make creating Roles and assigning responsibilities much easier.
1st Rule of Fight Club... I mean RBA!!
The first rule of RBA is to understand the structure. This structure is as follows:
Authentications contain Groups.
Groups are assigned permissions (Group Permissions).
Roles are applied to Group Permissions.
And Scopes are applied to Roles.
When you can grasp this rule, the rest of RBA should be a lot easier to manage.
But I Still Have More Questions!?!
The rest of this article is designed to do the following:
- Reiterate basic RBA Structure.
- Answer some initial questions.
- Provide links to additional RBA information and training.
Let's go back over the #1 Rule (with a tiny bit more).
Some Frequent Questions:
Question 1: In LDMS 8.8 I gave users access to LANDesk functions by adding them to the LANDesk Management Suite Group. When I do this with LDMS 9.0 my users cannot log in, why is that?
Answer 1: LDMS 9.0 gave Login rights to the LANDesk Administrators group only. In LDMS 9.0 there are three default groups created by the LANDesk installation.
These groups are:
BY DEFAULT: Only the LANDesk Administrators group has the right to log in to the Console.
The "Management Suite" and "Script Writers" groups provide different levels of NTFS access to the LDMAIN share, which other groups require in order to log in to the console.
The following table shows the 3 Local Groups and their DEFAULT Console login access and NTFS permissions for the 5 LANDesk shares.
|Group Name|Console Login|LDMain|ldlogon|ldlog|reports|scripts|
|---|---|---|---|---|---|---|
|LANDesk Management Suite|NO|Read Only|Full|Full|Full|Read Only|
|LANDesk Script Writers|NO|Read Only|Read Only|Read Only|Full|Full|
Question 2: I've added groups to group permissions and assigned them roles but they can't log in. Why?
Answer 2: When logging in to the 32bit Console, part of the Authentication process checks whether the account has rights to mount the LDMAIN share on the core. If the user's group does not have this right, the login will fail. Web Console login does not perform this check, but many features will not work correctly.
A quick way to fix this is to add the Group to the LANDesk Management Suite Group on the Core server.
DO NOT add them to the LANDesk Administrators Group because this will give them full administrative rights!!
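One way to check this on the Core server, as an added example (not LANDesk's or the author's code): the PowerShell below reads the two local groups through the WinNT ADSI provider and reports, for each console group, whether it can mount LDMAIN or has ended up with full administrative rights. The function names and the EXAMPLE\... group names are assumptions made for illustration, and only direct membership is checked.

```powershell
# Added example: audit where console groups sit on the Core server.
# Run locally on the Core. Function names are hypothetical helpers.

function Get-LocalGroupMemberName {
    param([Parameter(Mandatory=$true)][string]$GroupName)
    # The WinNT ADSI provider is available in every Windows PowerShell version.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # "WinNT://DOMAIN/Name" or "WinNT://DOMAIN/HOST/Name" -> "DOMAIN\Name" or "HOST\Name"
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[0] }
    }
}

function Test-ConsoleGroupPlacement {
    param([Parameter(Mandatory=$true)][string[]]$ConsoleGroups)
    # Direct members only; nested group membership is not expanded.
    $mgmt   = @(Get-LocalGroupMemberName 'LANDesk Management Suite')
    $admins = @(Get-LocalGroupMemberName 'LANDesk Administrators')
    foreach ($g in $ConsoleGroups) {
        $inMgmt  = $mgmt   -contains $g   # -contains is case-insensitive
        $inAdmin = $admins -contains $g
        if ($inAdmin) {
            $finding = 'Full administrative rights: move to LANDesk Management Suite'
        } elseif ($inMgmt) {
            $finding = 'OK: can mount LDMAIN'
        } else {
            $finding = '32bit Console login will fail: no right to mount LDMAIN'
        }
        New-Object PSObject -Property @{
            Group             = $g
            InManagementSuite = $inMgmt
            InAdministrators  = $inAdmin
            Finding           = $finding
        }
    }
}

# Constructed group names; replace with the groups listed under Group Permissions.
Test-ConsoleGroupPlacement -ConsoleGroups 'EXAMPLE\LD-Helpdesk', 'EXAMPLE\LD-Patching' |
    Format-Table Group, InManagementSuite, InAdministrators, Finding -AutoSize
```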
Question 3: Why does the Users tool look so different in LDMS 9.0 compared to previous versions?
Answer 3: With the introduction of LDMS 9.0 there were three major changes to the Users tool and RBA. This necessitated changes to the interface.
The changes are:
- LANDesk changed how roles were assigned from an "Individual" to a "Group" based control over rights and scopes.
- The Users tool has been enhanced to allow LANDesk administrators the ability to give groups more granular rights.
- Integration with additional Directory Services as authentication sources allows for less duplication of groups and their applied rights.
Question 4: Why can't I modify user permissions in the All Users section?
Answer 4: In 8.8 all rights were assigned through the All Users area. In 9.0 the All Users area only shows which users have logged in and what their respective Permissions, Roles, and Scopes are. You cannot change the settings for individual users in LDMS 9.0; those changes can only be applied to groups.
Question 5: I've added groups to group permissions and assigned them roles but their users haven't shown up in the All Users section. Why?
Answer 5: With LDMS 9.0 most users will not show up in the All Users area until they have logged into the 32bit or Web Console for the first time.
Question 6: Are there any additional reference materials for Role Based Administration in LDMS 9.0?
Answer 6: Here are some great Documents and Training Videos by Rex Moffit, one of our RBA Engineers.
All These Articles came from the following Community Article by Rex Moffit:
AND Once More, this time with Feeling!!!
In LDMS 9.0, Role Based Administration follows a natural order of "Containment".