Configuring Access Rights - tutorial
A quick tutorial on configuring access rights for Tachyon. Using a scenario where access to Tachyon will be managed through Active Directory groups, the tutorial illustrates the general setup required and the particular steps needed to add users.
In this tutorial
In this tutorial we demonstrate a process for creating Active Directory (AD) managed permissions to the Tachyon portal. We use specifically created AD groups for each of the Tachyon system roles and create users for each one, we then define a custom role for a specific Instruction Set and create a user with an existing AD group that provides access to running actions in the Instruction Set.
Example AD group a Tachyon system role
As mentioned in Users and Groups page, we recommend that the AD security groups used for defining access to the Tachyon portal features are defined as Universal groups. The picture shows an example AD Finance_Group_Administrator security group intended for a Group administrator role. In our example, the Finance_Group_Administrator AD group is for workstation administrators of an AD OU called Finance.
1E roles
In this tutorial we will create an example 1E Azure Active Directory group user based on the possible roles given in the following 1E system and custom roles.
Tip
On the Roles page, you can see at a glance which 1E roles are system or custom roles, by using the icon in the Name column:
System roles are indicated by an icon with a padlock
Custom roles are indicated by an icon with a cog wheel
System roles
System roles
On the Roles page, a system role is indicated by an icon with a padlock 
System roles are built-in and are not configurable, however, they can be assigned to users the same as any other role. The following table lists the built-in system roles.
Tachyon system role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| Yes | Use Tachyon Explorer, execute any Instruction (Action and Question), and view any Instruction response | Renamed in 8.0 - was Global Actioners. | |
| Yes | Use Tachyon Explorer, approve any Instruction for anyone other than self | Renamed in 8.0 - was Global Approvers. If email is enabled, this role will receive an approval request email for each requested action instruction. | |
| Yes | Use Tachyon Explorer, ask any Question and view any Instruction response | Renamed in 8.0 - was Global Questioners. | |
| Yes | Use Tachyon Explorer, view any Instruction response | Renamed in 8.0 - was Global Viewers. | |
| No | Has all the permissions available in the Platform and its Applications | Renamed in 8.0 - was Global Administrators. | |
| Yes | Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s) | New role in 8.0 This role is similar to previous Management Group Administrators role, with permissions extended to support using Management Groups for RBAC, however the role is only allowed to manage Management Groups below the Management Groups they have been assigned to. | |
| No | Use Guaranteed State, manage Rules and Polices, and assign and deploy Policies | Renamed in 8.0 - was Guaranteed State Administrators. | |
| Yes | Assign Policies to Management Groups (does not allow use of Guaranteed State) | New role in 8.0 | |
| No | Use Guaranteed State, view dashboards | Renamed in 8.0 - was Guaranteed State Viewers. | |
| No | Install and upgrade the Platform and Applications, register Consumers, upload Product Packs, manage Instruction Sets, and configure Roles and Permissions | New role in 8.0 | |
| No | Manage Inventory repositories - populate and archive them - export data - manage Inventory associations | Renamed in 8.0 - was Inventory Administrators. | |
| No | View Inventory repositories, data and Inventory associations | Renamed in 8.0 - was Inventory Viewers. | |
| No | For service and equivalent accounts to perform Tachyon system operations | New role in 8.0 |
Questions, responses, actions are examples of securables. Other Consumers may create their own system roles and securables.
Note
When upgrading from Tachyon Platform 5.2 or earlier, roles names are automatically renamed as listed above. Other roles are deleted during the upgrade, unless they have members.
Click here to expand and see details of changes made by upgrading to this latest version of Tachyon Platfrom...
The upgrade process makes the following changes:
New roles are created, if they do not exist already:
New system roles Group Administrator
Guaranteed State Policy Assigner
Installer
Tachyon System
New Custom roles Experience Administrator
Experience Engagement Assigner
Patch Success Administrator
The Tachyon user doing the upgrade is automatically assigned to the Installer role. The user is also unassigned from the following roles, if assigned before the upgrade:
Applications Administrators
Consumer Administrators
Event Subscription Administrators
Instruction Set Administrators
Permissions Administrators
Tachyon users associated with the NT AUTHORITY/NETWORK SERVICE and machine accounts, are assigned to the Tachyon System role. These users will also be unassigned from the following roles, if assigned before the upgrade:
Applications Administrators
Consumer Viewers
Engagement Administrator
Management Group Sync Initiators
Offloaders
Permissions Viewers
Survey Administrators
Several old roles are renamed
Some are renamed from plural to singular, for example if the Nomad Administratorsrole exists it is renamed toNomad Administrator
An exception is in the unlikely event that the Nomad Admins role exists, it is renamed to Nomad Administrator unless that role already exists, in which case it is renamed to Nomad Administrators instead
Global Questioner, Global Actioner, Global Viewer, and Global Approver roles have been renamed with Global... replaced by All instructions...
Inventory Viewers, Experience Viewers, Patch Success Viewers, have been renamed with ...Viewers changed to ...User
System roles renamed from Global Actioners
Global Administrators
Global Approvers
Global Questioners
Global Viewers
Guaranteed State Administrators
Guaranteed State Viewers
Inventory Administrators
Inventory Viewers
Survey Administrators
Survey Viewers
System roles renamed to All Instructions Actioner
Full Administrator
All Instructions Approver
All Instructions Questioner
All Instructions Viewer
Guaranteed State Administrator
Guaranteed State User
Inventory Administrator
Inventory User
Experience Engagement Administrator *
Experience Engagement Viewer *
Note
* These roles are retired, and will only be kept if a user or group is assigned to it.
Custom roles renamed from AppClarity Administrators
Application Migration Administrators
Compliance Administrators
Compliance Viewers
Entitlement Administrators
Experience Viewers
Nomad Administrators
Patch Success Viewers
Reclaim Administrators
Reclaim Viewers
Custom roles renamed to AppClarity Administrator
Application Migration Administrator
Compliance Administrator
Compliance Viewer
Entitlement Administrator
Experience Viewer
Nomad Administrator
Patch Success User
Reclaim Administrator
Reclaim Viewer
Other system and custom roles are deleted. A role is kept only if it is (a) on the list of roles to be kept, or (b) the role has a user or group assigned to it
System roles that are kept All Instructions Actioner
All Instructions Approver
All Instructions Questioner
All Instructions Viewer
Full Administrator
Group Administrator
Guaranteed State Administrator
Guaranteed State Policy Assigner
Guaranteed State User
Installer
Inventory Administrator
Inventory User
Tachyon System
Custom roles that are kept 1E ITSM Connect Actioner
AppClarity Administrator
Application Migration Administrator
Compliance Administrator
Compliance Viewer
Entitlement Administrator
Experience Administrator
Experience Engagement Assigner
Experience User
Nomad Administrator
Patch Success Administrator
Patch Success User
Reclaim Administrator
Reclaim Viewer
System roles that have been retired 1E Client Deployment Administrators
1E Client Installer Administrators
Applications Administrators
Component Administrators
Connector Administrators
Consumer Administrators
Consumer Viewers
Custom Properties Administrators
Event Subscription Administrators
Event Subscription Viewers
Infrastructure Administrators
Instruction Set Administrators
Log Viewers
Management Group Administrators
Management Group Sync Initiators
Offloaders
Permissions Administrators
Permissions Viewers
Policy Administrators
Provider Configuration Administrators
Schedule Administrators
Survey Administrators (Experience Engagement Administrator)
Survey Viewers (Experience Engagement Viewer)
VDI Administrators
Custom roles that have been retired Any custom role created by Tachyon administrators
Tip
A retired role is kept if it has a user or group assigned to it.
The following roles are retired (deleted) during an upgrade.
Retired Tachyon system role | Permissions | Notes |
|---|---|---|
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Inventory Administrator role instead. | |
| Use Inventory Administrator role instead. | |
| Use Full Administrator role instead. | |
| Create a custom role if required. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| If this role is retained during an upgrade, it will have been renamed from Survey Administrators. | |
| If this role is retained during an upgrade, it will have been renamed from Survey Viewers. | |
| Use Full Administrator role instead. | |
| Use Full Administrator role instead. | |
| Create a custom role if required. | |
| Use Full Administrator or Group Administrator role instead. | |
| Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. | |
| Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. | |
| Use Full Administrator or Group Administrator role instead. | |
| Create a custom role if required. | |
| Use Guaranteed State Administrator roles instead. | |
| Use Full Administrator role instead. | |
| Use one or more of the following roles depending which repositories you need to use:
| |
| Use the Experience Administrator custom role instead. |
Custom roles
On the Roles page, a custom role is indicated by an icon with a cogwheel
The following table lists built-in custom roles used by Tachyon Applications.
Tachyon custom role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| Yes | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. | |
| No | Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was AppClarity Administrators. | |
| No | Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment | Renamed in 8.0 - was Application Migration Administrators. | |
| No | Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Compliance Administrators. | |
| No | View AppClarity Compliance, Entitlement and License Demand | Renamed in 8.0 - was Compliance Viewers. | |
| No | Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Entitlement Administrators. | |
| No | Use Experience, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics | New role in 8.0 Effectively a combination of previous Survey Administrators and VDI Administrators roles. | |
| Yes | Assign Engagements to Management Groups (does not allow use of Experience) | New role in 8.0 | |
| No | Use Experience, view Survey responses, and view Metrics | Renamed in 8.0 - was Experience Viewers. | |
| No | Use Content Distribution, manage Pre-cache jobs, view the results of related Instructions and Client health policies | Renamed in 8.0 - was Nomad Administrators. Instruction set assigned manually after installation. | |
| No | Use Patch Success, manage and populate its Repository, and deploy Policies, use Explorerto deploy patches | New role in 8.0 Instruction set assigned manually after installation. | |
| No | Use Patch Success, and use Explorer to ask about Patch status on devices | Renamed in 8.0 - was Patch Success Viewers. Instruction set assigned manually after installation. | |
| No | Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Reclaim Administrators. | |
| No | View AppClarity Reclaim | Renamed in 8.0 - was Reclaim Viewers. |
Creating 1E users or groups
The general steps for creating a new user or group are as follows:
Adding 1E users
Log on to the 1E portal using a 1E user account with the Full Administrator, or the Installer role if it is a new 1E installation.
Navigate to the Settings→Permissions→Users and Groups page.
Click on the Add button, doing this displays the Add user popup.
In the Select user or group field, type the name, or part of the name, for the user or group that you want to add, then click the search icon.
Select the user or group from the list of matching names displayed in the drop-down list and click Add.
On the Settings→Permissions→Users and Groups page, after clicking the Add button, the Add user popup is displayed.
In the Select user edit field we type FIN because it is the first few characters of our group in our environment.
We then select the Finance_Group_Administrator group from the list. Once the group has been selected we click Add to create the new 1E user.
We then click the new Finance_Group_Administrator account's Assignments link to display the details for that group on the Assignments page.
Tip
Clicking the name of the group displays any AD accounts you have added to the Universal group using Active Directory Users and Computers.
From here we can add assignments to our group account and the Management Group they will apply to.
In this case we choose the Group Administrator role for our Finance Management Group. We do not want our administrators for the Finance division to work on servers, or on devices belonging to other departments who have their own administrators, once we are satisfied with the changes, we click Save.
Note
Refer to the Roles page for details about creating custom roles and a list of all built-in custom roles used by Tachyon Applications.
After the new user or group has just been added, 1E will display notifications for a short while showing the actions that have just been successfully performed.
In the tutorial we then repeat the process of finding groups, adding 1E roles and saving for each of the 1E system roles. The purpose of this is that subsequently, specific user access to 1E can be managed through your Identity Provider using membership of selected groups and avoiding the necessity of managing the users through 1E.
The result of adding the groups can be seen in the picture.
