Roles page
The Roles page lets you view system roles and currently defined custom roles. From here you can edit Role permissions and go into each role to set its users and group assignments and any associated management groups.
Tachyon roles
There are two types of roles that can be applied to the Tachyon users, system roles, and custom roles.
Tip
On the Roles page, you can see at a glance which Tachyon roles are system or custom roles, by using the icon in the Name column:
System roles are indicated by an icon with a padlock
Custom roles are indicated by an icon with a cog wheel
System roles
On the Roles page, a system role is indicated by an icon with a padlock 
System roles are built-in and are not configurable, however, they can be assigned to users the same as any other role. The following table lists the built-in system roles.
Tachyon system role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| Yes | Use Tachyon Explorer, execute any Instruction (Action and Question), and view any Instruction response | Renamed in 8.0 - was Global Actioners. | |
| Yes | Use Tachyon Explorer, approve any Instruction for anyone other than self | Renamed in 8.0 - was Global Approvers. If email is enabled, this role will receive an approval request email for each requested action instruction. | |
| Yes | Use Tachyon Explorer, ask any Question and view any Instruction response | Renamed in 8.0 - was Global Questioners. | |
| Yes | Use Tachyon Explorer, view any Instruction response | Renamed in 8.0 - was Global Viewers. | |
| No | Has all the permissions available in the Platform and its Applications | Renamed in 8.0 - was Global Administrators. | |
| Yes | Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s) | New role in 8.0 This role is similar to previous Management Group Administrators role, with permissions extended to support using Management Groups for RBAC, however the role is only allowed to manage Management Groups below the Management Groups they have been assigned to. | |
| No | Use Guaranteed State, manage Rules and Polices, and assign and deploy Policies | Renamed in 8.0 - was Guaranteed State Administrators. | |
| Yes | Assign Policies to Management Groups (does not allow use of Guaranteed State) | New role in 8.0 | |
| No | Use Guaranteed State, view dashboards | Renamed in 8.0 - was Guaranteed State Viewers. | |
| No | Install and upgrade the Platform and Applications, register Consumers, upload Product Packs, manage Instruction Sets, and configure Roles and Permissions | New role in 8.0 | |
| No | Manage Inventory repositories - populate and archive them - export data - manage Inventory associations | Renamed in 8.0 - was Inventory Administrators. | |
| No | View Inventory repositories, data and Inventory associations | Renamed in 8.0 - was Inventory Viewers. | |
| No | For service and equivalent accounts to perform Tachyon system operations | New role in 8.0 |
Questions, responses, actions are examples of securables. Other Consumers may create their own system roles and securables.
Note
When upgrading from Tachyon Platform 5.2 or earlier, roles names are automatically renamed as listed above. Other roles are deleted during the upgrade, unless they have members.
Click here to expand and see details of changes made by upgrading to this latest version of Tachyon Platfrom...
The upgrade process makes the following changes:
New roles are created, if they do not exist already:
New system roles Group Administrator
Guaranteed State Policy Assigner
Installer
Tachyon System
New Custom roles Experience Administrator
Experience Engagement Assigner
Patch Success Administrator
The Tachyon user doing the upgrade is automatically assigned to the Installer role. The user is also unassigned from the following roles, if assigned before the upgrade:
Applications Administrators
Consumer Administrators
Event Subscription Administrators
Instruction Set Administrators
Permissions Administrators
Tachyon users associated with the NT AUTHORITY/NETWORK SERVICE and machine accounts, are assigned to the Tachyon System role. These users will also be unassigned from the following roles, if assigned before the upgrade:
Applications Administrators
Consumer Viewers
Engagement Administrator
Management Group Sync Initiators
Offloaders
Permissions Viewers
Survey Administrators
Several old roles are renamed
Some are renamed from plural to singular, for example if the Nomad Administratorsrole exists it is renamed toNomad Administrator
An exception is in the unlikely event that the Nomad Admins role exists, it is renamed to Nomad Administrator unless that role already exists, in which case it is renamed to Nomad Administrators instead
Global Questioner, Global Actioner, Global Viewer, and Global Approver roles have been renamed with Global... replaced by All instructions...
Inventory Viewers, Experience Viewers, Patch Success Viewers, have been renamed with ...Viewers changed to ...User
System roles renamed from Global Actioners
Global Administrators
Global Approvers
Global Questioners
Global Viewers
Guaranteed State Administrators
Guaranteed State Viewers
Inventory Administrators
Inventory Viewers
Survey Administrators
Survey Viewers
System roles renamed to All Instructions Actioner
Full Administrator
All Instructions Approver
All Instructions Questioner
All Instructions Viewer
Guaranteed State Administrator
Guaranteed State User
Inventory Administrator
Inventory User
Experience Engagement Administrator *
Experience Engagement Viewer *
Note
* These roles are retired, and will only be kept if a user or group is assigned to it.
Custom roles renamed from AppClarity Administrators
Application Migration Administrators
Compliance Administrators
Compliance Viewers
Entitlement Administrators
Experience Viewers
Nomad Administrators
Patch Success Viewers
Reclaim Administrators
Reclaim Viewers
Custom roles renamed to AppClarity Administrator
Application Migration Administrator
Compliance Administrator
Compliance Viewer
Entitlement Administrator
Experience Viewer
Nomad Administrator
Patch Success User
Reclaim Administrator
Reclaim Viewer
Other system and custom roles are deleted. A role is kept only if it is (a) on the list of roles to be kept, or (b) the role has a user or group assigned to it
System roles that are kept All Instructions Actioner
All Instructions Approver
All Instructions Questioner
All Instructions Viewer
Full Administrator
Group Administrator
Guaranteed State Administrator
Guaranteed State Policy Assigner
Guaranteed State User
Installer
Inventory Administrator
Inventory User
Tachyon System
Custom roles that are kept 1E ITSM Connect Actioner
AppClarity Administrator
Application Migration Administrator
Compliance Administrator
Compliance Viewer
Entitlement Administrator
Experience Administrator
Experience Engagement Assigner
Experience User
Nomad Administrator
Patch Success Administrator
Patch Success User
Reclaim Administrator
Reclaim Viewer
System roles that have been retired 1E Client Deployment Administrators
1E Client Installer Administrators
Applications Administrators
Component Administrators
Connector Administrators
Consumer Administrators
Consumer Viewers
Custom Properties Administrators
Event Subscription Administrators
Event Subscription Viewers
Infrastructure Administrators
Instruction Set Administrators
Log Viewers
Management Group Administrators
Management Group Sync Initiators
Offloaders
Permissions Administrators
Permissions Viewers
Policy Administrators
Provider Configuration Administrators
Schedule Administrators
Survey Administrators (Experience Engagement Administrator)
Survey Viewers (Experience Engagement Viewer)
VDI Administrators
Custom roles that have been retired Any custom role created by Tachyon administrators
Tip
A retired role is kept if it has a user or group assigned to it.
The following roles are retired (deleted) during an upgrade.
Retired Tachyon system role | Permissions | Notes |
|---|---|---|
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Inventory Administrator role instead. | |
| Use Inventory Administrator role instead. | |
| Use Full Administrator role instead. | |
| Create a custom role if required. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| If this role is retained during an upgrade, it will have been renamed from Survey Administrators. | |
| If this role is retained during an upgrade, it will have been renamed from Survey Viewers. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Create a custom role if required. | |
| Use Full Administrator or Group Administrator role instead. | |
| Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. | |
| Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. | |
| Use Full Administrator or Group Administrator role instead. | |
| Create a custom role if required. | |
| Use Guaranteed State Administrator roles instead. | |
| Use Full Administrator role instead. | |
| Use one or more of the following roles depending which repositories you need to use:
| |
| Use the Experience Administrator custom role instead. |
Custom roles
On the Roles page, a custom role is indicated by an icon with a cogwheel
The following table lists built-in custom roles used by Tachyon Applications.
Tachyon custom role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| Yes | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. | |
| No | Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was AppClarity Administrators. | |
| No | Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment | Renamed in 8.0 - was Application Migration Administrators. | |
| No | Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Compliance Administrators. | |
| No | View AppClarity Compliance, Entitlement and License Demand | Renamed in 8.0 - was Compliance Viewers. | |
| No | Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Entitlement Administrators. | |
| No | Use Experience, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics | New role in 8.0 Effectively a combination of previous Survey Administrators and VDI Administrators roles. | |
| Yes | Assign Engagements to Management Groups (does not allow use of Experience) | New role in 8.0 | |
| No | Use Experience, view Survey responses, and view Metrics | Renamed in 8.0 - was Experience Viewers. | |
| No | Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies | Renamed in 8.0 - was Nomad Administrators. Instruction set assigned manually after installation. | |
| No | Use Patch Success, manage and populate its Repository, and deploy Policies, use Explorerto deploy patches | New role in 8.0 Instruction set assigned manually after installation. | |
| No | Use Patch Success, and use Explorer to ask about Patch status on devices | Renamed in 8.0 - was Patch Success Viewers. Instruction set assigned manually after installation. | |
| No | Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Reclaim Administrators. | |
| No | View AppClarity Reclaim | Renamed in 8.0 - was Reclaim Viewers. |
Recommendations for using the Full Administrator role
The Full Administrator role can be used to provide across-the-board permissions to a user. While this may be convenient in certain circumstances, you should be aware that this is a powerful role and should be used with appropriate caution.
Using Full Administrator in a lab environment
To get things up and running quickly in a lab environment, you may choose to make the Setup user account a Full Administrator during installation on the Identity Providers page in 1E Setup. This will help minimize the number of users required for an evaluation and reduce the initial configuration required.
If the Setup user account was not elevated during setup then it will only have limited access and as this is a system principal user the permissions are locked down by default. You can allow it to assume the Full Administrator role using the following steps:
Add an Azure Active Directory group to 1E permissions
Apply the 1E Full Administrator role to this group.
Add the Setup user account to the same Azure Active Directory group.
In the short term, it's fine to make use of full administrators in this way, but this practice is not really suitable for large-scale deployments and should be used with care for the following reasons:
The Full Administrator role has permission to do everything in 1E. It has across-the-board permissions to all Instruction Sets and therefore can be used to run actions that can have a major impact on your network.
The Full Administrator accounts receive emails for all the transactions that are performed by 1E.
Different approaches for defining permissions
1E provides a flexible system for defining permissions for the features. There are a number of different ways of approaching the task, here we outline the general choices that can be made for assigning 1E users to system and custom roles.
Managing access primarily using the Tachyon Permissions console
In this approach, Tachyon users are added individually using their Active Directory credentials. This approach is more secure than alternatives because all users, roles, and access rights are managed only through the Tachyon Permissions console.
Managing access using Active Directory
Using this approach, Tachyon users are added as Active Directory security groups. Tachyon roles are then associated with those groups, and management of the individual users who can access Tachyon is subsequently done only through Active Directory. There are broadly three options when using this approach:
A one-to-one approach where you create a Tachyon-specific role-based Active Directory group for each Tachyon role. For example, you could create a TCNGApprovers Active Directory security group, and add that group as a user in Tachyon, and then assign the All Instructions Approver role to the user.
A many-to-one approach, where you use one or more of your existing role-based Active Directory groups for each Tachyon role. For example, you could use the Active Directory groups for your desktop and help desk teams, create a Tachyon user for each group, and then assign the Tachyon role to all those Tachyon users.
A mixture of the above
Note
It is possible for an Active Directory user to be associated with roles for both running and approving actions. In practice, this is safe because Tachyon prevents users from being able to directly approve their own actions regardless of the roles they have been assigned.
Defining a custom Instruction set 1E role
If you want to base your 1E permissions around access to specific Instruction sets, you will need to create custom 1E roles. The Custom roles section lists built-in custom roles used by 1E Applications.
To create a custom role:
Navigate to the Settings→Permissions→Roles page.
Click the Add button to start the add role process.
In the New Role page subsequently displayed set the Name and Description.
With the Instruction Sets tab selected, select your required Instruction Sets from the list.
Set the Instruction set access rights by checking the required Actioner, Approver, Questioner and Viewer checkboxes.
When the associated rights have been set click Save to save your changes and automatically return to the Roles page.
You can now add assignments of users and groups and management groups to the new custom role by clicking the link in the Assignments column.
Click the + (plus icon) to add a new item and, from the Users and Groups drop-down menu either search for, or select the users or groups you want to associate the role with.
From the Management Group drop-down menu either search for, or select the management group you want to associate the role with. This can either be the built-in All Devices or a management group you have created in Settings→Permissions→Management groups.
Click the Save button to associate the selected options with the custom role.
The following rights can be set for an Instruction set, these relate to the primary operator roles of the 1E system:
Right | Description |
|---|---|
Actioner | Able to run actions defined in the Instruction Set. |
Approver | Able to approve actions defined in the Instruction Set for anyone other than self. If email is enabled, will receive an approval request email for each requested action in the Instruction Set. |
Questioner | Able to ask questions defined in the Instruction Set. |
Viewer | Able to view responses to questions run from the Instruction Set. |
Note
For details about how to load Instruction Definitions into 1E and then create, populate and delete Instruction sets, refer to the Instructions Menu page.