LANDesk 9.0 Basics: Understanding the new Role Based Administration!

Version 26

    Verified Product Versions

    LANDESK Management Suite 2016.x

    Basic Tenets of Role Based Administration!

     

    In this article I wanted to introduce the new format for Role Based Administration (RBA).  At first glance, it may seem that RBA can be exasperatingly complex.  There is basic information, when understood, that will make creating Roles and assigning responsibilities much easier.

     

    1st Rule of Fight Club... I mean RBA!!

     

    The first rule of RBA is to understand the structure.  This structure is as follows:

    1. Authentications contain Groups.

    2. Groups are assigned permissions (Group Permissions).

    3. Roles are applied to Group Permissions.

    4. And Scopes are applied to Roles.

     

    When you can grasp this rule, the rest of RBA should be a lot easier to manage.

     

     

    But I Still Have More Questions!?!

    The rest of this article is designed to do the following:

    • Re-iterate basic RBA Structure.
    • Answer some initial questions.
    • Provide links to Additional RBA information and training

     

     

    Lets go back over the #1 Rule. (with a tiny bit more)

    In LDMS 9.0, Role Based Administration follows a natural order of "Containment".

    1. Authentications contain Groups.
    2. Groups are assigned permissions (Group Permissions).
    3. Roles are applied to Group Permissions.
    4. And Scopes are applied to Roles.

     

    You can configure Roles 3 different ways

     

    Role NameRightsScopes
    Role 1 - Permissions are set but has no Scope.YesNo
    Role 2 - Scopes are set but has no Permissions.NoYes
    Role 3 - Both Permissions and Scopes are set.YesYes

     

    Some Frequent Questions:

     

    Question 1: In LDMS 8.8 I gave users access to LANDesk functions by adding them to the LANDesk Management Suite Group.  When I do this with LDMS 9.0 my users cannot log in, why is that?

    Answer 1: LDMS 9.0 gave Login rights to the LANDesk Administrators group only.  In LDMS 9.0 there are three default groups created by the LANDesk installation.

     

    These groups are:

    • LANDesk Administrators
    • LANDesk Management Suite
    • LANDesk Script Writers

    s

     

    BY DEFAULT: Only the LANDesk Administrators group has the right to login to the Console. 

     

    The "Management Suite" and "Script Writers group" provide different levels of NTFS access to the LDMAIN share required for other groups to login to the console.  . 

     

    The following table to shows the 3 Local Groups and their DEFAULT Console login access and NTFS permissions for the 5 LANDesk shares.

     

    Group NameConsole LoginLDMainldlogonldlogreportsscripts
    LANDesk AdministratorsYES

    Full

    FullFullFullFull
    LANDesk Management SuiteNORead OnlyFullFullFullRead Only
    Landesk Script WritersNORead OnlyRead OnlyRead OnlyFullFull

     

     

    Question 2: I've added groups to group permissions and assigned them roles but they can't they log in.  Why?

    Answer 2: When logging in to the 32bit Console, part of the Authentication process checks to see if the account has rights to mount the LDMAIN share on the core.  If the user's group does not have this right, then the login will fail.  Web Console login does not check this but many features will not work correctly.

     

    A quick way to fix this is to add the Group to the LANDesk Managment Suite Group on the Core server. 

     

    DO NOT add them to the LANDesk Administrators Group because this will give them full administrative rights!!

     

     

    Question 3: Why does the Users tool look so different in LDMS 9.0 compared to previous versions?

    Answer 3: With the introduction of LDMS 9.0 there were three major changes to the Users tool and RBA.  This necessitated changes to the interface.

    The changes are:

    1. LANDesk changed how roles were assigned from an "Individual" to a "Group" based control over rights and scopes.
    2. The Users tool has been enhanced to allow LANDesk administrators the ability to give groups more granular rights.
    3. Integration with additional Directory Services as authentication sources allows for less duplication of groups and their applied rights.

     

     

    Question 4: Why can't I modify user permissions in the All Users section?

    Answer 4: In 8.8 all rights were assigned through the All Users area.  In 9.0 the All Users area only shows what users have logged in and what their respective Permissions, Roles, and Scopes are.  You cannot change the settings for individual users in LDMS 9.0, those changes can only be applied to groups.

     

     

    Question 5: I've added groups to group permissions and assigned them roles but their users haven't shown up in the All Users section.  Why?

    Answer 5: With LDMS 9.0 most users will not show up in the All Users area until they have logged into the 32bit or Web Console for the first time.

     

     

    Question 6: Are there any additional reference materials for Role Based Administration in LDMS 9.0?

    Answer 6: Here are some great Documents and Training Videos by Rex Moffit, one of our RBA Engineers.

        1. Getting Started with LDMS 9.0 RBA Document

     

    All These Articles came from the following Community Article by Rex Moffit:

    http://community.landesk.com/support/docs/DOC-7473

     

     

     

    AND Once More, this time with Feeling!!!

     

    In LDMS 9.0, Role Based Administration follows a natural order of "Containment".

    1. Authentications contain Groups.

    2. Groups are assigned permissions (Group Permissions).

    3. Roles are applied to Group Permissions.

    4. And Scopes are applied to Roles.

    BASICRBA.jpg