Summary

The Roles page lets you view the system roles and currently defined custom roles. From here you can also go into each role to set its membership and any associated management groups.

Tachyon roles

There are two types of Tachyon roles that can be applied to the Tachyon users: system roles and custom roles.

System roles

System roles are built-in and are not configurable. The following table lists the built-in roles:

Tachyon system role | Permissions | Introduced
1E Client Deployment Administrators
  • Create, view and cancel 1E Client deployment jobs.
  • View all devices.
Renamed in 4.1 (previously Agent)
1E Client Installer Administrators
  • Upload, delete and view Agent installers.
  • View all devices.
Renamed in 4.1 (previously Agent)
Applications Administrators
  • Upload and delete Applications.
Tachyon 4.0
Component Viewers
  • View components.
SLA Platform 4.0
Connector Administrators
  • View, create, update, delete and test connectors.
SLA Platform 4.0
Consumer Administrators
  • Manage the Consumers that use the Tachyon platform and view all devices.
Tachyon 3.0
Custom Properties Administrators
  • Add, edit or delete custom properties and view all devices.
Tachyon 3.0
Global Actioners
  • Ask questions, view responses and send actions for all Instruction Sets.
  • View all devices.
Tachyon 3.0
Global Administrators
  • Combined rights of all the other system roles.
Tachyon 3.0
Global Approvers
  • Approve actions for all Instruction Sets for anyone other than themselves.
  • View all devices.
  If email is enabled, this role will receive an approval request email for each requested action.
Tachyon 3.0
Global Questioners
  • Ask questions and view responses for all Instruction Sets.
  • View all devices.
Tachyon 3.0
Global Viewers
  • View instructions and responses for all Instruction Sets.
  • View all devices.
Tachyon 3.0
Guaranteed State Administrators
  • Full control over the Guaranteed State configuration.
Tachyon 4.0
Guaranteed State Viewers
  • View the Guaranteed State configuration and reports.
Tachyon 4.0
Infrastructure Administrators
  • View system status information and view all devices.
Tachyon 3.0
Instruction Set Administrators
  • Load Instructions from Product Packs and Instruction Definition files.
  • Add/delete Instruction Sets and move Instructions between them.
  • View all devices.
Tachyon 3.0
Inventory Administrators
  • Create, update, delete and view inventory repositories.
  • Populate and archive inventory repositories.
SLA Platform 4.0
Inventory Viewers
  • View inventory repositories.
SLA Platform 4.0
Log Viewers
  • View process, synchronization and infrastructure logs.
Tachyon 4.1
Management Group Administrators
  • Create, delete and update management groups.
SLA Platform 4.0
Management Group Sync Initiators
  • View management groups and initiate synchronization of management groups.
SLA Platform 4.0
Patch Success Viewers
  • View the Patch Success dashboards.
Tachyon 4.0
Permissions Administrators
  • Add or remove users.
  • View all roles.
  • Add, modify and delete custom roles.
  • Assign roles to any Instruction sets and define their permissions.
  • View the admin log.
  • View all devices.
Tachyon 3.0
Permissions Readers
  • View all roles.
Tachyon 3.0
Provider Configuration Administrators
  • Update, delete and view provider configurations.
SLA Platform 4.1
Schedule Administrators
  • Create, update, delete and view schedules; and can view schedule history.
SLA Platform 4.1

Questions, responses and actions are examples of securables. Other Consumers may create their own system roles and securables.

Custom roles

Custom roles can be used to define who is able to use specific Instruction Sets to ask questions, run actions or approve actions. For more information please refer to the Defining custom Tachyon roles heading on this page.

Recommendations for using global administrators

The global administrators role can be used to provide across-the-board permissions to a user. While this may be convenient in certain circumstances, it is a powerful role and should be used with appropriate caution.

Using global administrators in a lab environment

To get things up and running quickly in a lab environment you may want to make use of the global administrator role. This will help minimize the number of users required for an evaluation and reduce the initial configuration required.

To further minimize the number of users needed, you can also enable the Windows account used to install Tachyon to assume the Tachyon global administrator role. The installation account is added as the system principal user in Tachyon by the installer and its Tachyon permissions are locked down by default. You can allow it to assume the global administrator role using the following steps:

  1. Create a Tachyon user from an existing AD security group.
  2. Apply the Tachyon global administrator role to the user.
  3. Add the installation account to the AD security group.

In the short term it's fine to make use of global administrators in this way, but this practice is not really suitable for large-scale deployments and should be used with care for the following reasons:

  • The global administrator role has permissions to do everything in Tachyon. It has across-the-board permissions to all Instruction Sets and can therefore be used to run actions that can have a major impact on your network.
  • The global administrator accounts receive emails for all the transactions that are performed by Tachyon.

Different approaches for defining permissions

Tachyon provides a flexible system for defining permissions for the Tachyon features. There are a number of different ways of approaching the task. Here we outline the general choices that can be made for assigning Tachyon users to system and custom roles.

Managing access primarily using the Tachyon Permissions console

In this approach the Tachyon users are added individually using their Active Directory credentials.

This approach is more secure than alternatives because all users, roles and access rights are managed only through the Tachyon Permissions console.

Managing access using Active Directory

Using this approach the Tachyon users are added as Active Directory security groups. The Tachyon roles are then associated with those groups and management of the individual users who can access Tachyon is subsequently done only through Active Directory. There are broadly three options when using this approach:

  1. A one-to-one approach where you create a Tachyon-specific role-based Active Directory group for each Tachyon role. For example, you could create a TCNGApprovers Active Directory security group, add that group as a user in Tachyon, and then assign the Tachyon Global Approvers role to the user.
  2. A many-to-one approach where you use one or more of your existing role-based Active Directory groups for each Tachyon role. For example, you could use the Active Directory groups for your desktop and help desk teams, create a Tachyon user for each group, and then assign the Tachyon role to all those Tachyon users.
  3. A mixture of the above.

It is possible for an Active Directory user to be associated with Tachyon roles for both running and approving actions. In practice this is safe because Tachyon prevents users from being able to directly approve their own actions regardless of the roles they have been assigned.

Defining a custom Instruction set Tachyon role

If you want to base your Tachyon permissions around access to specific Instruction sets you will need to create custom Tachyon roles.

To create a custom role:

  1. Navigate to the Settings→Permissions→Roles page.
  2. Click the Add button to start the add role process.
  3. In the Add role popup that is then displayed, set the Name and Description and click the Add button on the popup.
  4. The new role will be added to the Roles table. Locate its entry and click on the link in the Name column for that row to display the role's details page.
  5. With the Permissions tab selected click the Add button to display the Add permission popup.
  6. From the Type drop-down list select Instruction set - some new controls will be added to the popup.
  7. Select the required Instruction Set from the Name drop-down list.
  8. Set the Instruction set access rights by checking the required Actioner, Approver, Questioner and Viewer checkboxes.
  9. When the associated rights have been set click Add.
  10. The new custom role permission will then appear in the Permissions table.
  11. Before the new custom role can be used you must add a management group.
  12. Click on the Management groups tab.
  13. Click the Add button to display the Add management group popup.
  14. From the Select management group drop-down menu select the management group you want to associate the role with. This can either be the built-in All Devices or a management group you have created in Settings→Permissions→Management groups.
  15. Click the Add button to associate the selected management group with the custom role.

The following rights can be set for an Instruction set. These relate to the primary operator roles of the Tachyon system:

Right | Description
Actioner | Able to run actions defined in the Instruction Set
Approver | Able to approve actions defined in the Instruction Set for anyone other than self. If email is enabled, will receive an approval request email for each requested action in the Instruction Set
Questioner | Able to ask questions defined in the Instruction Set
Viewer | Able to view responses to questions run from the Instruction Set
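
The rights above and the self-approval rule described under Managing access using Active Directory can be checked against a planned role layout before it is configured. The following is an added example, not Tachyon code or its API: a small Python model in which all account, group, role and Instruction Set names except TCNGApprovers are constructed. It assumes that the built-in All Devices group covers every management group.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    instruction_set: str
    rights: frozenset          # subset of Actioner, Approver, Questioner, Viewer

@dataclass
class Role:
    permissions: list
    management_groups: set = field(default_factory=set)

# Constructed sample data; only TCNGApprovers is a name taken from the page.
AD_GROUPS = {"TCNGApprovers": {"alice", "bob"}, "HelpDesk": {"alice", "carol"}}
ROLES = {
    "Patch approvers": Role([Permission("Patching", frozenset({"Approver"}))],
                            {"All Devices"}),
    "Patch actioners": Role([Permission("Patching",
                                        frozenset({"Actioner", "Questioner", "Viewer"}))],
                            {"All Devices"}),
    # Created but not yet given a management group, so not usable (step 11).
    "Draft approvers": Role([Permission("Patching", frozenset({"Approver"}))]),
}
# Tachyon user (an AD group, or an individually added account) -> custom roles
ASSIGNMENTS = {"TCNGApprovers": ["Patch approvers"],
               "HelpDesk": ["Patch actioners"],
               "dave": ["Draft approvers"]}

def effective_rights(account, instruction_set, management_group):
    """Union of rights an account holds, directly or through AD group membership."""
    rights = set()
    for tachyon_user, role_names in ASSIGNMENTS.items():
        if account != tachyon_user and account not in AD_GROUPS.get(tachyon_user, ()):
            continue
        for role in (ROLES[name] for name in role_names):
            # Assumption: "All Devices" covers every management group.
            if not role.management_groups & {"All Devices", management_group}:
                continue
            for perm in role.permissions:
                if perm.instruction_set == instruction_set:
                    rights |= perm.rights
    return rights

def can_approve(approver, requester, instruction_set, management_group):
    """Approver right is required, and nobody approves their own action."""
    if approver == requester:
        return False
    return "Approver" in effective_rights(approver, instruction_set, management_group)
```

Here alice belongs to both groups and so holds all four rights on the Patching set, yet can_approve("alice", "alice", ...) is False, while dave's role grants nothing until a management group is added to it.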