Summary

The Roles page lets you view system roles and currently defined custom roles. From here you can edit role permissions and go into each role to set its user and group assignments and any associated management groups.

Tachyon roles

There are two types of Tachyon roles that can be applied to Tachyon users: system roles and custom roles.

On the Roles page, you can see at a glance which Tachyon roles are system or custom roles, by using the icon in the Name column:

  • System roles are indicated by an icon with a padlock
  • Custom roles are indicated by an icon with a cog wheel

System roles

System roles are built-in and are not configurable; however, they can be assigned to users in the same way as any other role. The following table lists the built-in system roles.

| Tachyon system role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| All Instructions Actioner | | Yes | Use Explorer, execute any Instruction (Action and Question), and view any Instruction response | Renamed in 8.0 - was Global Actioners. |
| All Instructions Approver | | Yes | Use Explorer, approve any Instruction for anyone other than self | Renamed in 8.0 - was Global Approvers. If email is enabled, this role will receive an approval request email for each requested action instruction. |
| All Instructions Questioner | | Yes | Use Explorer, ask any Question and view any Instruction response | Renamed in 8.0 - was Global Questioners. |
| All Instructions Viewer | | Yes | Use Explorer, view any Instruction response | Renamed in 8.0 - was Global Viewers. |
| Full Administrator | All | No | Has all the permissions available in the Platform and its Applications | Renamed in 8.0 - was Global Administrators. |
| Group Administrator | | Yes | Add Users and Management Groups, and manage their roles and assignments, below this Group Administrator's assigned Management Group(s) | New role in 8.0. This role is similar to the previous Management Group Administrators role, with permissions extended to support using Management Groups for RBAC; however, the role is only allowed to manage Management Groups below the Management Groups it has been assigned to. |
| Guaranteed State Administrator | | No | Use Guaranteed State, manage Rules and Policies, and assign and deploy Policies | Renamed in 8.0 - was Guaranteed State Administrators. |
| Guaranteed State Policy Assigner | | Yes | Assign Policies to Management Groups (does not allow use of Guaranteed State) | New role in 8.0 |
| Guaranteed State User | | No | Use Guaranteed State, view dashboards | Renamed in 8.0 - was Guaranteed State Viewers. |
| Installer | | No | Install and upgrade the Platform and Applications, register Consumers, upload Product Packs, manage Instruction Sets, and configure Roles and Permissions | New role in 8.0 |
| Inventory Administrator | | No | Manage Inventory repositories - populate and archive them - export data - manage Inventory associations | Renamed in 8.0 - was Inventory Administrators. |
| Inventory User | | No | View Inventory repositories, data and Inventory associations | Renamed in 8.0 - was Inventory Viewers. |
| Tachyon System | | No | For service and equivalent accounts to perform Tachyon system operations | New role in 8.0 |

Questions, responses and actions are examples of securables. Other Consumers may create their own system roles and securables.

When upgrading from Tachyon Platform 5.2 or earlier, roles are automatically renamed as listed above. Other roles are deleted during the upgrade, unless they have members.

The upgrade process makes the following changes:

  1. New roles are created, if they do not exist already:

    New system roles

    • Group Administrator
    • Guaranteed State Policy Assigner
    • Installer
    • Tachyon System

    New Custom roles

    • Experience Administrator
    • Experience Engagement Assigner
    • Patch Success Administrator


  2. The Tachyon user doing the upgrade is automatically assigned to the Installer role. The user is also unassigned from the following roles, if assigned before the upgrade:

    • Applications Administrators
    • Consumer Administrators
    • Event Subscription Administrators
    • Instruction Set Administrators
    • Permissions Administrators


  3. Tachyon users associated with the NT AUTHORITY/NETWORK SERVICE and machine accounts are assigned to the Tachyon System role. These users will also be unassigned from the following roles, if assigned before the upgrade:

    • Applications Administrators
    • Consumer Viewers
    • Engagement Administrator
    • Management Group Sync Initiators
    • Offloaders
    • Permissions Viewers
    • Survey Administrators


  4. Several old roles are renamed:
    1. Some are renamed from plural to singular. For example, if the Nomad Administrators role exists it is renamed to Nomad Administrator.
    2. An exception: in the unlikely event that the Nomad Admins role exists, it is renamed to Nomad Administrator unless that role already exists, in which case it is renamed to Nomad Administrators instead.
    3. Global Questioner, Global Actioner, Global Viewer, and Global Approver roles have been renamed with Global... replaced by All Instructions...
    4. Inventory Viewers, Experience Viewers and Patch Success Viewers have been renamed with ...Viewers changed to ...User

      System roles renamed from

      • Global Actioners
      • Global Administrators
      • Global Approvers
      • Global Questioners
      • Global Viewers
      • Guaranteed State Administrators
      • Guaranteed State Viewers
      • Inventory Administrators
      • Inventory Viewers
      • Survey Administrators
      • Survey Viewers

      System roles renamed to

      • All Instructions Actioner
      • Full Administrator
      • All Instructions Approver
      • All Instructions Questioner
      • All Instructions Viewer
      • Guaranteed State Administrator
      • Guaranteed State User
      • Inventory Administrator
      • Inventory User
      • Experience Engagement Administrator *
      • Experience Engagement Viewer *

      * These roles are retired, and each will only be kept if a user or group is assigned to it.

      Custom roles renamed from

      • AppClarity Administrators
      • Application Migration Administrators
      • Compliance Administrators
      • Compliance Viewers
      • Entitlement Administrators
      • Experience Viewers
      • Nomad Administrators
      • Patch Success Viewers
      • Reclaim Administrators
      • Reclaim Viewers


      Custom roles renamed to

      • AppClarity Administrator
      • Application Migration Administrator
      • Compliance Administrator
      • Compliance Viewer
      • Entitlement Administrator
      • Experience Viewer
      • Nomad Administrator
      • Patch Success User
      • Reclaim Administrator
      • Reclaim Viewer


  5. Other system and custom roles are deleted. A role is kept only if (a) it is on the list of roles to be kept, or (b) it has a user or group assigned to it.

    System roles that are kept

    • All Instructions Actioner
    • All Instructions Approver
    • All Instructions Questioner
    • All Instructions Viewer
    • Full Administrator
    • Group Administrator
    • Guaranteed State Administrator
    • Guaranteed State Policy Assigner
    • Guaranteed State User
    • Installer
    • Inventory Administrator
    • Inventory User
    • Tachyon System

    Custom roles that are kept

    • 1E ITSM Connect Actioner
    • AppClarity Administrator
    • Application Migration Administrator
    • Compliance Administrator
    • Compliance Viewer
    • Entitlement Administrator
    • Experience Administrator
    • Experience Engagement Assigner
    • Experience User
    • Nomad Administrator
    • Patch Success Administrator
    • Patch Success User
    • Reclaim Administrator
    • Reclaim Viewer

    System roles that have been retired

    • 1E Client Deployment Administrators
    • 1E Client Installer Administrators
    • Applications Administrators
    • Component Administrators
    • Connector Administrators
    • Consumer Administrators
    • Consumer Viewers
    • Custom Properties Administrators
    • Event Subscription Administrators
    • Event Subscription Viewers
    • Infrastructure Administrators
    • Instruction Set Administrators
    • Log Viewers
    • Management Group Administrators
    • Management Group Sync Initiators
    • Offloaders
    • Permissions Administrators
    • Permissions Viewers
    • Policy Administrators
    • Provider Configuration Administrators
    • Schedule Administrators
    • Survey Administrators (Experience Engagement Administrator)
    • Survey Viewers (Experience Engagement Viewer)
    • VDI Administrators

    Custom roles that have been retired

    • Any custom role created by Tachyon administrators 

    A retired role is kept if it has a user or group assigned to it.
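
Because a retired or administrator-created role is kept whenever it still has a user or group assigned, those assignments carry over the upgrade and are worth reviewing beforehand. The following is an added example (not 1E code) that applies the create, rename and keep rules listed above to a constructed set of pre-upgrade assignments and returns the retired roles that would survive. The input shape and names such as `predict_upgrade` are assumptions; the Nomad Admins exception, the Experience Viewers rename and the unassignments in steps 2 and 3 are not modelled.

```python
# Added example: models the upgrade rules listed on this page. Not 1E code.
RENAMES = {  # old name -> name after upgrade (from the "renamed from/to" lists)
    "Global Actioners": "All Instructions Actioner",
    "Global Administrators": "Full Administrator",
    "Global Approvers": "All Instructions Approver",
    "Global Questioners": "All Instructions Questioner",
    "Global Viewers": "All Instructions Viewer",
    "Guaranteed State Viewers": "Guaranteed State User",
    "Inventory Viewers": "Inventory User",
    "Patch Success Viewers": "Patch Success User",
    "Survey Administrators": "Experience Engagement Administrator",
    "Survey Viewers": "Experience Engagement Viewer",
}
# Roles whose only change is plural -> singular.
for _r in ("Guaranteed State Administrator", "Inventory Administrator",
           "AppClarity Administrator", "Application Migration Administrator",
           "Compliance Administrator", "Compliance Viewer",
           "Entitlement Administrator", "Nomad Administrator",
           "Reclaim Administrator", "Reclaim Viewer"):
    RENAMES[_r + "s"] = _r

CREATED = {"Group Administrator", "Guaranteed State Policy Assigner", "Installer",
           "Tachyon System", "Experience Administrator",
           "Experience Engagement Assigner", "Patch Success Administrator"}
# The two "roles that are kept" lists: every created or renamed-to role except
# the two retired Experience Engagement roles, plus two roles named only there.
KEPT = (CREATED | set(RENAMES.values())
        | {"1E ITSM Connect Actioner", "Experience User"}) \
       - {"Experience Engagement Administrator", "Experience Engagement Viewer"}

def predict_upgrade(assignments):
    """assignments: {role name before upgrade: set of assigned users/groups}.
    Returns (roles after upgrade, deleted roles, retired roles kept for review)."""
    after, deleted, review = {}, [], set()
    for old, members in assignments.items():
        new = RENAMES.get(old, old)
        if new in KEPT or members:
            after.setdefault(new, set()).update(members)
            if new not in KEPT:
                review.add(new)  # survives only because it still has assignments
        else:
            deleted.append(old)
    for role in CREATED:         # step 1: created if they do not exist already
        after.setdefault(role, set())
    return after, sorted(deleted), sorted(review)

# Constructed sample input; the principals are placeholders.
SAMPLE = {
    "Global Administrators": {"CORP\\tachyon-admins"},
    "Global Viewers": set(),
    "Log Viewers": set(),
    "Permissions Administrators": {"CORP\\jsmith"},
    "Survey Administrators": set(),
    "Helpdesk Custom": {"CORP\\helpdesk"},
}

if __name__ == "__main__":
    after, deleted, review = predict_upgrade(SAMPLE)
    print("deleted:", deleted)
    print("retired but kept, review assignments:", review)
```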

The following roles are retired (deleted) during an upgrade.

| Retired Tachyon system role | Permissions | Notes |
|---|---|---|
| 1E Client Deployment Administrators | | Use Full Administrator role instead. |
| 1E Client Installer Administrators | | Use Full Administrator role instead. |
| Applications Administrators | | Use Full Administrator role instead. |
| Component Administrators | | Use Inventory Administrator role instead. |
| Connector Administrators | | Use Inventory Administrator role instead. |
| Consumer Administrators | | Use Full Administrator role instead. |
| Consumer Viewers | | Create a custom role if required. |
| Custom Properties Administrators | | Use Full Administrator role instead. |
| Event Subscription Administrators | | Use Full Administrator role instead. |
| Event Subscription Viewers | | Use Full Administrator role instead. |
| Experience Engagement Administrators | | If this role is retained during an upgrade, it will have been renamed from Survey Administrators. |
| Experience Engagement Viewers | | If this role is retained during an upgrade, it will have been renamed from Survey Viewers. |
| Infrastructure Administrators | | Use Full Administrator role instead. |
| Instruction Set Administrators | | Use Full Administrator role instead. |
| Log Viewers | | Create a custom role if required. |
| Management Group Administrators | | Use Full Administrator or Group Administrator role instead. |
| Management Group Sync Initiators | | Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. |
| Offloaders | | Not required for users. It is only needed for system accounts and replaced by the Tachyon System role. |
| Permissions Administrators | | Use Full Administrator or Group Administrator role instead. |
| Permissions Viewers | | Create a custom role if required. |
| Policy Administrators | | Use Guaranteed State Administrator roles instead. |
| Provider Configuration Administrators | | Use Full Administrator role instead. |
| Schedule Administrators | | Use one or more of the following roles depending which repositories you need to use: |
| VDI Administrators | | Use the Experience Administrator custom role instead. |

Custom roles

Custom roles can be edited, allowing you to add or remove permissions as required. They are used to define who is able to use specific Instruction Sets to ask questions, run actions or approve actions. For more information please refer to the Defining custom Tachyon roles heading on this page.

The following table lists built-in custom roles used by Tachyon Applications.

| Tachyon custom role | Permissions | Allows delegation | Description | Notes |
|---|---|---|---|---|
| 1E ITSM Connect Actioner | InstructionSet (Actioner) on the instruction sets you wish to allow ServiceNow to use | Yes | The ServiceNow proxy user is added to this role instead of All Instructions Actioner so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role. | |
| AppClarity Administrator | | No | Create, update, delete and view AppClarity Compliance, Entitlement, License Demand and Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was AppClarity Administrators. |
| Application Migration Administrator | | No | Create, update, delete and view Application Migration Rules and Role Based Application Sets to manage installations in your estate during operating system deployment | Renamed in 8.0 - was Application Migration Administrators. |
| Compliance Administrator | | No | Create, update, delete and view AppClarity Compliance, Entitlement and License Demand - view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Compliance Administrators. |
| Compliance Viewer | | No | View AppClarity Compliance, Entitlement and License Demand | Renamed in 8.0 - was Compliance Viewers. |
| Entitlement Administrator | | No | Create, update, delete and view AppClarity Entitlement - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Entitlement Administrators. |
| Experience Administrator | | No | Use Experience, manage, assign and deploy Engagements (Surveys and Announcements), and manage Metrics | New role in 8.0. Effectively a combination of previous Survey Administrators and VDI Administrators roles. |
| Experience Engagement Assigner | | Yes | Assign Engagements to Management Groups (does not allow use of Experience) | New role in 8.0 |
| Experience User | | No | Use Experience, view Survey responses, and view Metrics | Renamed in 8.0 - was Experience Viewers. |
| Nomad Administrator | | No | Use Nomad, manage Pre-cache jobs, view the results of related Instructions and Client health policies | Renamed in 8.0 - was Nomad Administrators. Instruction set assigned manually after installation. |
| Patch Success Administrator | | No | Use Patch Success, manage and populate its Repository, and deploy Policies, use Explorer to deploy patches | New role in 8.0. Instruction set assigned manually after installation. |
| Patch Success User | | No | Use Patch Success, and use Explorer to ask about Patch status on devices | Renamed in 8.0 - was Patch Success Viewers. Instruction set assigned manually after installation. |
| Reclaim Administrator | | No | Create, update, delete and view AppClarity Reclaim - view and export Inventory - view, edit, delete and export Associations | Renamed in 8.0 - was Reclaim Administrators. |
| Reclaim Viewer | | No | View AppClarity Reclaim | Renamed in 8.0 - was Reclaim Viewers. |

Considerations when using the Full Administrator role

The Full Administrator role can be used to provide across the board permissions to a user. While this may be convenient in certain circumstances, you should be aware that this is a powerful role and should be used with appropriate caution.

Using Full Administrator in a lab environment

To get things up and running quickly in a lab environment, you may want to make use of the full administrator role. This will help minimize the number of users required for an evaluation and reduce the initial configuration required.

To further minimize the number of users needed, you can also enable the Windows account used to install Tachyon to assume the Tachyon full administrator role. The installation account is added as the system principal user in Tachyon by the installer, and its Tachyon permissions are locked down by default. You can allow it to assume the full administrator role using the following steps:

  1. Create a Tachyon user from an existing AD security group.
  2. Apply the Tachyon full administrator role to the user.
  3. Add the installation account to the AD security group.

In the short term it's fine to make use of full administrators in this way, but this practice is not really suitable for large-scale deployments and should be used with care for the following reasons:

  • The full administrator role has permissions to do everything in Tachyon. It has across the board permissions to all Instruction Sets and therefore can be used to run actions that can have a major impact on your network.
  • The full administrator accounts receive emails for all the transactions that are performed by Tachyon.

Different approaches for defining permissions

Tachyon provides a flexible system for defining permissions for the Tachyon features. There are a number of different ways of approaching the task. Here we outline the general choices that can be made for assigning Tachyon users to system and custom roles.

Managing access primarily using the Tachyon Permissions console

In this approach, Tachyon users are added individually using their Active Directory credentials. This approach is more secure than alternatives because all users, roles and access rights are managed only through the Tachyon Permissions console.

Managing access using Active Directory

Using this approach, Tachyon users are added as Active Directory security groups. Tachyon roles are then associated with those groups, and management of the individual users who can access Tachyon is subsequently done only through Active Directory. There are broadly three options when using this approach:

  1. A one-to-one approach where you create a Tachyon-specific role-based Active Directory group for each Tachyon role. For example, you could create a TCNGApprovers Active Directory security group, add that group as a user in Tachyon, and then assign the Tachyon All Instructions Approver role to the user.
  2. A many-to-one approach, where you use one or more of your existing role-based Active Directory groups for each Tachyon role. For example, you could use the Active Directory groups for your desktop and help desk teams, create a Tachyon user for each group, and then assign the Tachyon role to all those Tachyon users.
  3. A mixture of the above.

It is possible for an Active Directory user to be associated with Tachyon roles for both running and approving actions. In practice, this is safe because Tachyon prevents users from being able to directly approve their own actions regardless of the roles they have been assigned.

Defining a custom Instruction set Tachyon role

If you want to base your Tachyon permissions around access to specific Instruction sets, you will need to create custom Tachyon roles. The Custom Roles section lists built-in custom roles used by Tachyon Applications.

To create a custom role:

  1. Navigate to the Settings→Permissions→Roles page.
  2. Click the Add button to start the add role process.
  3. In the New Role page subsequently displayed set the Name and Description.
  4. With the Instruction Sets tab selected, select your required Instruction Sets from the list.
  5. Set the Instruction set access rights by checking the required Actioner, Approver, Questioner and Viewer checkboxes.
  6. When the associated rights have been set click Save to save your changes and automatically return to the Roles page.
  7. You can now add assignments of users and groups and management groups to the new custom role by clicking the link in the Assignments column.
  8. Click the + (plus icon) to add a new item and, from the Users and Groups drop-down menu either search for, or select the users or groups you want to associate the role with.
  9. From the Management Group drop-down menu either search for, or select the management group you want to associate the role with. This can either be the built-in All Devices or a management group you have created in Settings→Permissions→Management groups.
  10. Click the Save button to associate the selected options with the custom role.

The following rights can be set for an Instruction set. These relate to the primary operator roles of the Tachyon system:

| Right | Description |
|---|---|
| Actioner | Able to run actions defined in the Instruction Set. |
| Approver | Able to approve actions defined in the Instruction Set for anyone other than self. If email is enabled, will receive an approval request email for each requested action in the Instruction Set. |
| Questioner | Able to ask questions defined in the Instruction Set. |
| Viewer | Able to view responses to questions run from the Instruction Set. |

For details about how to load Instruction Definitions into Tachyon and then create, populate and delete Instruction sets, refer to the Instruction Menu page.