Skip to main content

1E 23.11 (SaaS)

Configuring Access Rights - tutorial

A quick tutorial on configuring access rights for 1E. Using a scenario where access to 1E will be managed through Active Directory groups, the tutorial illustrates the general setup required and the particular steps needed to add users.

In this tutorial

In this tutorial we demonstrate a process for creating Active Directory (AD) managed permissions to the 1E portal. We use specifically created AD groups for each of the 1E system roles and create users for each one, we then define a custom role for a specific Instruction Set and create a user with an existing AD group that provides access to running actions in the Instruction Set.

1E roles

In this tutorial we will create an example 1E Azure Active Directory group user based on the possible roles given in the following 1E system and custom roles.

Tip

On the Roles page, you can see at a glance which 1E roles are system or custom roles, by using the icon in the Name column:

  • System roles are indicated by an icon with a padlock

    System role icon
  • Custom roles are indicated by an icon with a cog wheel

    Custom role icon
System roles
System roles

On the Roles page, a system role is indicated by an icon with a padlock System role icon

System roles are built-in and are not configurable, however, they can be assigned to users the same as any other role. The following table lists the built-in system roles.

1E system role

Permissions

Allows delegation

Description

Notes

All Instructions Actioner

Yes

Use 1E Endpoint Troubleshooting, execute any Instruction (Action and Question), and view any Instruction response

Renamed in 8.0 - was Global Actioners.

All Instructions Approver

Yes

Use 1E Endpoint Troubleshooting, approve any Instruction for anyone other than self

Renamed in 8.0 - was Global Approvers.

If email is enabled, this role will receive an approval request email for each requested action instruction.

All Instructions Questioner

Yes

Use 1E Endpoint Troubleshooting, ask any Question and view any Instruction response

Renamed in 8.0 - was Global Questioners.

All Instructions Viewer

Yes

Use 1E Endpoint Troubleshooting, view any Instruction response

Renamed in 8.0 - was Global Viewers.

Full Administrator
  • All

No

Has all the permissions available in the Platform and its Applications

Renamed in 8.0 - was Global Administrators.

Group Administrator

Yes

Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s)

New role in 8.0

This role is similar to previous Management Group Administrators role, with permissions extended to support using Management Groups for RBAC, however the role is only allowed to manage Management Groups below the Management Groups they have been assigned to.

Guaranteed State Administrator

No

Use Endpoint Automation, manage Rules and Polices, and assign and deploy Policies

Renamed in 8.0 - was Guaranteed State Administrators.

Guaranteed State Policy Assigner

Yes

Assign Policies to Management Groups (does not allow use of Endpoint Automation)

New role in 8.0

Guaranteed State User

No

Use Endpoint Automation, view dashboards

Renamed in 8.0 - was Guaranteed State Viewers.

Installer

No

Install and upgrade the Platform and Applications, register Consumers, upload DEXPacks, manage Instruction Sets, and configure Roles and Permissions

New role in 8.0

Inventory Administrator

No

Manage Inventory repositories - populate and archive them - export data - manage Inventory associations

Renamed in 8.0 - was Inventory Administrators.

Inventory User

No

View Inventory repositories, data and Inventory associations

Renamed in 8.0 - was Inventory Viewers.

Tachyon System

No

For service and equivalent accounts to perform 1E system operations

New role in 8.0

Questions, responses, actions are examples of securables. Other Consumers may create their own system roles and securables.

Note

When upgrading from Tachyon Platform 5.2 or earlier, roles names are automatically renamed as listed above. Other roles are deleted during the upgrade, unless they have members.

Click here to expand and see details of changes made by upgrading to this latest version of Tachyon Platfrom...

The upgrade process makes the following changes:

  1. New roles are created, if they do not exist already:

    New system roles
    • Group Administrator

    • Guaranteed State Policy Assigner

    • Installer

    • Tachyon System

    New Custom roles
    • Experience Administrator

    • Experience Engagement Assigner

    • Patch Success Administrator

  2. The Tachyon user doing the upgrade is automatically assigned to the Installer role. The user is also unassigned from the following roles, if assigned before the upgrade:

    • Applications Administrators

    • Consumer Administrators

    • Event Subscription Administrators

    • Instruction Set Administrators

    • Permissions Administrators

  3. Tachyon users associated with the NT AUTHORITY/NETWORK SERVICE and machine accounts, are assigned to the Tachyon System role. These users will also be unassigned from the following roles, if assigned before the upgrade:

    • Applications Administrators

    • Consumer Viewers

    • Engagement Administrator

    • Management Group Sync Initiators

    • Offloaders

    • Permissions Viewers

    • Survey Administrators

  4. Several old roles are renamed

    1. Some are renamed from plural to singular, for example if the Nomad Administratorsrole exists it is renamed toNomad Administrator

    2. An exception is in the unlikely event that the Nomad Admins role exists, it is renamed to Nomad Administrator unless that role already exists, in which case it is renamed to Nomad Administrators instead

    3. Global Questioner, Global Actioner, Global Viewer, and Global Approver roles have been renamed with Global... replaced by All instructions...

    4. Inventory Viewers, Experience Viewers, Patch Success Viewers, have been renamed with ...Viewers changed to ...User

      System roles renamed from
      • Global Actioners

      • Global Administrators

      • Global Approvers

      • Global Questioners

      • Global Viewers

      • Guaranteed State Administrators

      • Guaranteed State Viewers

      • Inventory Administrators

      • Inventory Viewers

      • Survey Administrators

      • Survey Viewers

      System roles renamed to
      • All Instructions Actioner

      • Full Administrator

      • All Instructions Approver

      • All Instructions Questioner

      • All Instructions Viewer

      • Guaranteed State Administrator

      • Guaranteed State User

      • Inventory Administrator

      • Inventory User

      • Experience Engagement Administrator *

      • Experience Engagement Viewer *

      Note

      * These roles are retired, and will only be kept if a user or group is assigned to it.

      Custom roles renamed from
      • AppClarity Administrators

      • Application Migration Administrators

      • Compliance Administrators

      • Compliance Viewers

      • Entitlement Administrators

      • Experience Viewers

      • Nomad Administrators

      • Patch Success Viewers

      • Reclaim Administrators

      • Reclaim Viewers

      Custom roles renamed to
      • AppClarity Administrator

      • Application Migration Administrator

      • Compliance Administrator

      • Compliance Viewer

      • Entitlement Administrator

      • Experience Viewer

      • Nomad Administrator

      • Patch Success User

      • Reclaim Administrator

      • Reclaim Viewer

  5. Other system and custom roles are deleted. A role is kept only if it is (a) on the list of roles to be kept, or (b) the role has a user or group assigned to it

    System roles that are kept
    • All Instructions Actioner

    • All Instructions Approver

    • All Instructions Questioner

    • All Instructions Viewer

    • Full Administrator

    • Group Administrator

    • Guaranteed State Administrator

    • Guaranteed State Policy Assigner

    • Guaranteed State User

    • Installer

    • Inventory Administrator

    • Inventory User

    • Tachyon System

    Custom roles that are kept
    • 1E ITSM Connect Actioner

    • AppClarity Administrator

    • Application Migration Administrator

    • Compliance Administrator

    • Compliance Viewer

    • Entitlement Administrator

    • Experience Administrator

    • Experience Engagement Assigner

    • Experience User

    • Nomad Administrator

    • Patch Success Administrator

    • Patch Success User

    • Reclaim Administrator

    • Reclaim Viewer

    System roles that have been retired
    • 1E Client Deployment Administrators

    • 1E Client Installer Administrators

    • Applications Administrators

    • Component Administrators

    • Connector Administrators

    • Consumer Administrators

    • Consumer Viewers

    • Custom Properties Administrators

    • Event Subscription Administrators

    • Event Subscription Viewers

    • Infrastructure Administrators

    • Instruction Set Administrators

    • Log Viewers

    • Management Group Administrators

    • Management Group Sync Initiators

    • Offloaders

    • Permissions Administrators

    • Permissions Viewers

    • Policy Administrators

    • Provider Configuration Administrators

    • Schedule Administrators

    • Survey Administrators (Experience Engagement Administrator)

    • Survey Viewers (Experience Engagement Viewer)

    • VDI Administrators

    Custom roles that have been retired
    • Any custom role created by Tachyon administrators

    Tip

    A retired role is kept if it has a user or group assigned to it.

The following roles are retired (deleted) during an upgrade.

Retired Tachyon system role

Permissions

Notes

1E Client Deployment Administrators

Use Full Administrator role instead.

1E Client Installer Administrators

Use Full Administrator role instead.

Applications Administrators

Use Full Administrator role instead.

Component Administrators

Use Inventory Administrator role instead.

Connector Administrators

Use Inventory Administrator role instead.

Consumer Administrators

Use Full Administrator role instead.

Consumer Viewers

Create a custom role if required.

Custom Properties Administrators

Use Full Administrator role instead.

Event Subscription Administrators

Use Full Administrator role instead.

Event Subscription Viewers

Use Full Administrator role instead.

Experience Engagement Administrators

If this role is retained during an upgrade, it will have been renamed from Survey Administrators.

Experience Engagement Viewers

If this role is retained during an upgrade, it will have been renamed from Survey Viewers.

Infrastructure Administrators

Use Full Administrator role instead.

Instruction Set Administrators

Use Full Administrator role instead.

Log Viewers

Create a custom role if required.

Management Group Administrators

Use Full Administrator or Group Administrator role instead.

Management Group Sync Initiators

Not required for users. It is only needed for system accounts and replaced by the Tachyon System role.

Offloaders

Not required for users. It is only needed for system accounts and replaced by the Tachyon System role.

Permissions Administrators

Use Full Administrator or Group Administrator role instead.

Permissions Viewers

Create a custom role if required.

Policy Administrators

Use Guaranteed State Administrator roles instead.

Provider Configuration Administrators

Use Full Administrator role instead.

Schedule Administrators

Use one or more of the following roles depending which repositories you need to use:

VDI Administrators

Use the Experience Administrator custom role instead.

Custom roles

On the Roles page, a custom role is indicated by an icon with a cogwheelCustom role icon

The following table lists built-in custom roles used by 1E Applications.

1E custom role

Permissions

Allows delegation

Description

Notes

1E ITSM Connect Actioner
  • InstructionSet (Actioner) on the instruction sets you wish to allow ServiceNow to use

Yes

The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role

The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role.

AppClarity Administrator

No

Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations

Renamed in 8.0 - was AppClarity Administrators.

Application Migration Administrator

No

Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment

Renamed in 8.0 - was Application Migration Administrators.

Compliance Administrator

No

Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations

Renamed in 8.0 - was Compliance Administrators.

Compliance Viewer

No

View AppClarity Compliance, Entitlement and License Demand

Renamed in 8.0 - was Compliance Viewers.

Entitlement Administrator

No

Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations

Renamed in 8.0 - was Entitlement Administrators.

Experience Administrator

No

Use Experience Analytics, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics

New role in 8.0

Effectively a combination of previous Survey Administrators and VDI Administrators roles.

Experience Engagement Assigner

Yes

Assign Engagements to Management Groups (does not allow use of Experience Analytics)

New role in 8.0

Experience User

No

Use Experience Analytics, view Survey responses, and view Metrics

Renamed in 8.0 - was Experience Viewers.

Nomad Administrator

No

Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies

Renamed in 8.0 - was Nomad Administrators.

Instruction set assigned manually after installation.

Patch Success Administrator

No

Use Patch Success, manage and populate its Repository, and deploy Policies, use Endpoint Troubleshootingto deploy patches

New role in 8.0

Instruction set assigned manually after installation.

Patch Success User

No

Use Patch Success, and use Endpoint Troubleshooting to ask about Patch status on devices

Renamed in 8.0 - was Patch Success Viewers.

Instruction set assigned manually after installation.

Reclaim Administrator

No

Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations

Renamed in 8.0 - was Reclaim Administrators.

Reclaim Viewer

No

View AppClarity Reclaim

Renamed in 8.0 - was Reclaim Viewers.

Creating 1E users or groups

The general steps for creating a new user or group are as follows:

Adding 1E users
  1. Log on to the 1E portal using a 1E user account with the Full Administrator, or the Installer role if it is a new 1E installation.

  2. Navigate to the Settings→Permissions→Users and Groups page.

  3. Click on the Add button, doing this displays the Add user popup.

  4. In the Select user or group field, type the name, or part of the name, for the user or group that you want to add, then click the search icon.

  5. Select the user or group from the list of matching names displayed in the drop-down list and click Add.

On the Settings→Permissions→Users and Groups page, after clicking the Add button, the Add user popup is displayed.

In the Select user edit field we type FIN because it is the first few characters of our group in our environment.

We then select the Finance_Group_Administrator group from the list. Once the group has been selected we click Add to create the new 1E user.

Add user

We then click the new Finance_Group_Administrator account's Assignments link to display the details for that group on the Assignments page.

From here we can add assignments to our group account and the Management Group they will apply to.

In this case we choose the Group Administrator role for our Finance Management Group. We do not want our administrators for the Finance division to work on servers, or on devices belonging to other departments who have their own administrators, once we are satisfied with the changes, we click Save.

Note

Refer to the Roles page for details about creating custom roles and a list of all built-in custom roles used by Tachyon Applications.

After the new user or group has just been added, 1E will display notifications for a short while showing the actions that have just been successfully performed.

Add assignments

In the tutorial we then repeat the process of finding groups, adding 1E roles and saving for each of the 1E system roles. The purpose of this is that subsequently, specific user access to 1E can be managed through your Identity Provider using membership of selected groups and avoiding the necessity of managing the users through 1E.

The result of adding the groups can be seen in the picture.

232785984.png