
1E 23.11 (SaaS)

Roles page

The Roles page lets you view system roles and currently defined custom roles. From here you can edit Role permissions and go into each role to set its users and group assignments and any associated management groups.


There are two types of roles that can be applied to 1E users: system roles and custom roles.

Tip

On the Roles page, you can see at a glance which Tachyon roles are system or custom roles, by using the icon in the Name column:

  • System roles are indicated by an icon with a padlock
  • Custom roles are indicated by an icon with a cog wheel

System roles

On the Roles page, a system role is indicated by an icon with a padlock.

System roles are built-in and are not configurable. However, they can be assigned to users in the same way as any other role. The following table lists the built-in system roles.

| 1E system role | Permissions | Allows delegation | Description |
|---|---|---|---|
| All Instructions Actioner | | Yes | Use 1E Endpoint Troubleshooting, execute any Instruction (Action and Question), and view any Instruction response |
| All Instructions Approver | | Yes | Use 1E Endpoint Troubleshooting, approve any Instruction for anyone other than self |
| All Instructions Questioner | | Yes | Use 1E Endpoint Troubleshooting, ask any Question and view any Instruction response |
| All Instructions Viewer | | Yes | Use 1E Endpoint Troubleshooting, view any Instruction response |
| Full Administrator | All | No | Has all the permissions available in the Platform and its Applications |
| Group Administrator | | Yes | Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s) |
| 1E Endpoint Automation Administrator | | No | Use 1E Endpoint Automation, manage Rules and Policies, and assign and deploy Policies |
| 1E Endpoint Automation Policy Assigner | | Yes | Assign Policies to Management Groups (does not allow use of 1E Endpoint Automation) |
| 1E Endpoint Automation User | | No | Use 1E Endpoint Automation, view dashboards |
| Installer | | No | Install and upgrade the Platform and Applications, register Consumers, upload Product Packs, manage Instruction Sets, and configure Roles and Permissions |
| Inventory Administrator | | No | Manage Inventory repositories - populate and archive them - export data - manage Inventory associations |
| Inventory User | | No | View Inventory repositories, data and Inventory associations |
| 1E System | | No | For service and equivalent accounts to perform 1E system operations |

Questions, responses and actions are examples of securables. Other Consumers may create their own system roles and securables.

Custom roles

On the Roles page, a custom role is indicated by an icon with a cog wheel.

The following table lists built-in custom roles used by 1E Applications.

| 1E custom role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| 1E ITSM Connect Actioner | InstructionSet (Actioner) on the instruction sets you wish to allow ServiceNow to use | Yes | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. |
| AppClarity Administrator | | No | Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was AppClarity Administrators. |
| Application Migration Administrator | | No | Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment | Renamed in 8.0 - was Application Migration Administrators. |
| Compliance Administrator | | No | Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Compliance Administrators. |
| Compliance Viewer | | No | View AppClarity Compliance, Entitlement and License Demand | Renamed in 8.0 - was Compliance Viewers. |
| Entitlement Administrator | | No | Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Entitlement Administrators. |
| Experience Administrator | | No | Use Experience Analytics, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics | New role in 8.0. Effectively a combination of previous Survey Administrators and VDI Administrators roles. |
| Experience Engagement Assigner | | Yes | Assign Engagements to Management Groups (does not allow use of Experience Analytics) | New role in 8.0. |
| Experience User | | No | Use Experience Analytics, view Survey responses, and view Metrics | Renamed in 8.0 - was Experience Viewers. |
| Nomad Administrator | | No | Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies | Renamed in 8.0 - was Nomad Administrators. Instruction set assigned manually after installation. |
| Patch Success Administrator | | No | Use Patch Success, manage and populate its Repository, and deploy Policies, use Endpoint Troubleshooting to deploy patches | New role in 8.0. Instruction set assigned manually after installation. |
| Patch Success User | | No | Use Patch Success, and use Endpoint Troubleshooting to ask about Patch status on devices | Renamed in 8.0 - was Patch Success Viewers. Instruction set assigned manually after installation. |
| Reclaim Administrator | | No | Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Reclaim Administrators. |
| Reclaim Viewer | | No | View AppClarity Reclaim | Renamed in 8.0 - was Reclaim Viewers. |

Recommendations for using the Full Administrator role

The Full Administrator role can be used to provide across-the-board permissions to a user. While this may be convenient in certain circumstances, you should be aware that this is a powerful role and should be used with appropriate caution.

Using Full Administrator in a lab environment

To get things up and running quickly in a lab environment, you may choose to make the Setup user account a Full Administrator during installation on the Identity Providers page in 1E Setup. This will help minimize the number of users required for an evaluation and reduce the initial configuration required.

If the Setup user account was not elevated during setup, it will only have limited access: it is a system principal user, so its permissions are locked down by default. You can allow it to assume the Full Administrator role using the following steps:

  1. Add an Azure Active Directory group to 1E permissions.

  2. Apply the 1E Full Administrator role to this group.

  3. Add the Setup user account to the same Azure Active Directory group.

In the short term, it's fine to make use of full administrators in this way, but this practice is not really suitable for large-scale deployments and should be used with care for the following reasons:

  • The Full Administrator role has permission to do everything in 1E. It has across-the-board permissions to all Instruction Sets and therefore can be used to run actions that can have a major impact on your network.

  • The Full Administrator accounts receive emails for all the transactions that are performed by 1E.

Different approaches for defining permissions

1E provides a flexible system for defining permissions for its features. There are a number of different ways of approaching the task. Here we outline the general choices that can be made for assigning 1E users to system and custom roles.

Managing access primarily using the 1E Permissions console

In this approach, 1E users are added individually using their Active Directory credentials. This approach is more secure than alternatives because all users, roles, and access rights are managed only through the 1E Permissions console.

Managing access using Active Directory

Using this approach, 1E users are added as Active Directory security groups. 1E roles are then associated with those groups, and management of the individual users who can access 1E is subsequently done only through Active Directory. There are broadly three options when using this approach:

  1. A one-to-one approach where you create a 1E-specific role-based Active Directory group for each 1E role. For example, you could create a TCNGApprovers Active Directory security group, and add that group as a user in 1E, and then assign the All Instructions Approver role to the user.

  2. A many-to-one approach, where you use one or more of your existing role-based Active Directory groups for each 1E role. For example, you could use the Active Directory groups for your desktop and help desk teams, create a 1E user for each group, and then assign the 1E role to all those 1E users.

  3. A mixture of the above.

Note

It is possible for an Active Directory user to be associated with roles for both running and approving actions. In practice, this is safe because 1E prevents users from being able to directly approve their own actions regardless of the roles they have been assigned.

Defining a custom Instruction set 1E role

If you want to base your 1E permissions around access to specific Instruction sets, you will need to create custom 1E roles. The Custom roles section lists built-in custom roles used by 1E Applications.

To create a custom role:

  1. Navigate to the Settings→Permissions→Roles page.

  2. Click the Add button to start the add role process.

  3. On the New Role page that is displayed, set the Name and Description.

  4. With the Instruction Sets tab selected, select your required Instruction Sets from the list.

  5. Set the Instruction set access rights by checking the required Actioner, Approver, Questioner and Viewer checkboxes.

  6. When the associated rights have been set, click Save to save your changes and automatically return to the Roles page.

  7. You can now add assignments of users and groups and management groups to the new custom role by clicking the link in the Assignments column.

  8. Click the + (plus icon) to add a new item and, from the Users and Groups drop-down menu, either search for or select the users or groups you want to associate the role with.

  9. From the Management Group drop-down menu, either search for or select the management group you want to associate the role with. This can either be the built-in All Devices or a management group you have created in Settings→Permissions→Management groups.

  10. Click the Save button to associate the selected options with the custom role.

The following rights can be set for an Instruction set. These relate to the primary operator roles of the 1E system:

| Right | Description |
|---|---|
| Actioner | Able to run actions defined in the Instruction Set. |
| Approver | Able to approve actions defined in the Instruction Set for anyone other than self. If email is enabled, will receive an approval request email for each requested action in the Instruction Set. |
| Questioner | Able to ask questions defined in the Instruction Set. |
| Viewer | Able to view responses to questions run from the Instruction Set. |
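
The following is an added example, not 1E code and not a 1E export format: a small offline review of a planned role design that expands group-based assignments into per-user Instruction set rights, lists who ends up with Full Administrator, and lists Actioners whose actions nobody else could approve because self-approval is blocked. All role, group and user names are constructed, Management Groups are ignored, and Full Administrator is modelled as every right on every Instruction set.

```python
from collections import defaultdict

ALL_RIGHTS = {"Actioner", "Approver", "Questioner", "Viewer"}
# Constructed sample data, not a 1E export: role -> {instruction set: rights}.
ROLES = {
    "Patch Actioners": {"Patching": {"Actioner", "Questioner", "Viewer"}},
    "Patch Approvers": {"Patching": {"Approver"}},
    "Net Ops": {"Network": {"Actioner", "Approver"}},
}
# Constructed AD groups; each is added to 1E as one principal and given a role.
GROUPS = {"GRP-Desktop": {"alice", "bob"}, "GRP-PatchApprovers": {"bob"},
          "GRP-NetOps": {"carol"}}
ASSIGNMENTS = [("GRP-Desktop", "Patch Actioners"),
               ("GRP-PatchApprovers", "Patch Approvers"),
               ("GRP-NetOps", "Net Ops"),
               ("setup-user", "Full Administrator")]

def effective_rights(assignments, groups=GROUPS, roles=ROLES):
    """Expand group assignments to (user -> instruction set -> rights, full admins)."""
    all_sets = {s for grants in roles.values() for s in grants}
    rights, full_admins = defaultdict(lambda: defaultdict(set)), set()
    for principal, role in assignments:
        for user in groups.get(principal, {principal}):
            if role == "Full Administrator":  # modelled as every right on every set
                full_admins.add(user)
                grants = {s: ALL_RIGHTS for s in all_sets}
            else:
                grants = roles[role]
            for iset, granted in grants.items():
                rights[user][iset] |= granted
    return rights, full_admins

def eligible_approvers(rights, requester, iset):
    """Approvers of an instruction set, excluding the requester (no self-approval)."""
    return {u for u, r in rights.items()
            if u != requester and "Approver" in r.get(iset, ())}

def review(assignments):
    """Flag Full Administrator holders and actioners with no independent approver."""
    rights, full_admins = effective_rights(assignments)
    findings = [f"full-admin:{u}" for u in sorted(full_admins)]
    for user in sorted(rights):
        for iset in sorted(rights[user]):
            if "Actioner" in rights[user][iset] and not eligible_approvers(rights, user, iset):
                findings.append(f"no-approver:{user}:{iset}")
    return findings
```

With the lab-style Full Administrator assignment removed (`review(ASSIGNMENTS[:3])`), the review shows that bob and carol each hold both Actioner and Approver on a set with no second Approver, so their actions would wait on an approver who does not exist.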

Note

For details about how to load Instruction Definitions into 1E and then create, populate and delete Instruction sets, refer to the Instructions Menu page.