Summary Server-User Administration

Overview

With the addition of the Endpoint Central summary server, the scope of the network's endpoints expands significantly. As a result, the IT administrator's major concern is to define and manage the scope of each endpoint in the network. Endpoint Central addresses this concern with its user and role management module.

After the installation of the Endpoint Central Summary Server, the Summary Server Administrator must define the users and their roles in the network.

Role Management

The most commonly used roles are listed under Pre-defined Roles. Under User-defined Roles, you can also create roles that best suit your needs and provide appropriate access. Here is a brief description of the Pre-defined and User-defined roles, respectively.

Pre-defined roles:

Summary Server Administrator: The Summary Server Administrator role signifies the Super Admin who exercises full control over all probes and modules. The administrative tasks performed by the administrator affect all the probes of the network. The operations that can be performed are:

  1. Defining or modifying Scope of Management.
  2. Adding active Users.
  3. Changing mail server settings.
  4. Changing proxy settings.
  5. Personalizing options like changing themes, setting session expiry, etc.
  6. Scheduling vulnerability database update.
  7. Viewing Actions Logs of Endpoint Central.
  8. Has write permission for: Inventory, Reports, Profiles and Apps, MDM.

Administrator: The administrator role is similar to the Summary Server Administrator role, but the scope of the role is reduced to specific probes by default. Although you can assign all the probes individually to a probe administrator, when a new probe is added to the network, the new probe will not be automatically mapped to the probe administrator. It has to be manually mapped by the summary server administrator.

Guest: The Guest Role retains the Read Only permission for all modules. A user who is associated to the Guest Role, will have the privilege to scan and view various information about different modules, although making changes is strictly prohibited. Guest Role also has Read Only permission for viewing MDM inventory details, reports, profiles and Apps of the mobile devices.

Technician: The Technician role has a well-defined set of permissions to do specific operations. Users under the Technician role are restricted from performing all the operations listed under the Admin tab. The operations that can be performed by users associated with the Technician Role include:

  • Can define and deploy all types of configurations and collections.
  • Can view all the configurations including those created by other users, reports, etc.
  • Can suspend, modify, or re-deploy the configurations defined by them.
  • Can update the Vulnerability Database.
  • Can perform Scan operations on all modules.
  • Has write permission for the following: Inventory, Reports, Profiles and Apps in Mobile Device Management.

Auditor: The Auditor role is specially crafted for auditing purposes. This role lets you grant auditors permission to view the details of software inventory, check for license compliance and have read-only permission for MDM Reports.

Remote Desktop Viewer: The Remote Desktop Viewer role allows the users associated with it to invoke a remote desktop connection and view details of users who had connected to a particular system.

IT Asset Manager: The IT Asset Manager has complete access to the Asset Management module and all the other features are inaccessible. IT Asset Manager can also view the Inventory details of all the Mobile Devices.

Patch Manager: The Patch Manager role has complete access to the Patch Management module. The Patch Manager also has the privilege to use "Tools" like Wake On LAN, Remote Shutdown and System Manager, and the ability to schedule Patch Reports. All the other modules/features are inaccessible.

Mobile Device Manager: The Mobile Device Manager role has write permission for the Inventory, Reports, Profiles and Apps in the Mobile Device Management module.

OS Deployer: The OS Deployer role gives the associated user the privilege to capture images of Windows OS and deploy them across the network computers.

User-defined Roles:

Using Endpoint Central Summary Server, you can create any number of roles and assign them the permissions you want based on your specific needs. These customized roles are classified as User-defined. In the following section, we will briefly explore how to construct a User-defined Role for a better understanding.

Note: Roles can be created only by administrators.

Follow the steps mentioned below to create a new User-defined role:

  1. Log in to Endpoint Central as the summary server administrator.
  2. Select the Admin tab and click User Administration under Global Settings. This opens the global administration page.
  3. Select the Role tab and click the Add Role button.
  4. Specify the Role Name and a short description of it.
  5. Define the module-wise permission level for the Role in the Select Control section. The permission levels are broadly classified into:
    • Full control - To perform all operations like an administrator, for the specific module.
    • Write - To perform all the operations, with a few restrictions as explained in the table below.
    • Read - To only view the details in that module.
    • No Access - To hide the module from the user. (For more details, refer to the user role and permission table.)

  7. Click the Add button.

You have successfully created a user-defined role.

Scope Management

Endpoint Central allows you to set a scope for users, which means you can define the target PCs that can be mapped to each user. By restricting the user's authorization to a specified set of computers, you can be confident that the user has enough permission to do their tasks but not so much that it can be misused. The addition of the summary server allows an additional layer of scope definition:

  • Probe Scope

    • All probes - Any user created with the all probes scope will be able to access all modules of all the probes of the network.
    • Specific probes - Any user created with the specific probes scope will be able to access all modules of the specified probes of the network.

The target that you define as the scope, can be one of the following:

  • All computers
  • Unique Custom Groups
  • Remote Offices

All computers

When the target is set to 'All Computers,' the user will be able to execute all the privileges defined in the role on all computers. Although the scope includes all computers, the authorization level is defined solely by the role to which the user is assigned.

Unique Custom Groups

You can establish custom groups for administration purposes and assign them to users. The custom groups you create should be distinct, such that no machine can be a member of more than one custom group. These are computer-based custom groups that are built for user administration.

Remote Offices

You can define the scope for the users by creating specialized remote offices or by using existing remote offices. Multiple users can handle the same remote offices. Similarly, several remote offices can be mapped to the same user; however, a combination of remote offices and unique groups cannot be included in the scope.
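The scope rules in this section can be checked against a planned set of assignments before they are entered in the console. The following is an added example, not Endpoint Central code or an export format: the data layout, field names and sample machines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. Field names are hypothetical, not a product export format.
CUSTOM_GROUPS = {
    "HQ-Servers": {"srv-01", "srv-02"},
    "HQ-Laptops": {"lt-01", "lt-02"},
    "Lab": {"lab-01", "lt-02"},  # lt-02 is also in HQ-Laptops
}
USERS = [
    {"name": "alice", "probes": "all", "all_computers": True,
     "groups": [], "remote_offices": []},
    {"name": "bob", "probes": ["probe-eu"], "all_computers": False,
     "groups": ["HQ-Servers"], "remote_offices": []},
    {"name": "carol", "probes": ["probe-us"], "all_computers": False,
     "groups": ["Lab"], "remote_offices": ["Branch-1"]},
]


def overlapping_machines(groups):
    """Map each machine that sits in more than one custom group to those groups."""
    seen = defaultdict(list)
    for group, members in groups.items():
        for machine in members:
            seen[machine].append(group)
    return {m: sorted(g) for m, g in seen.items() if len(g) > 1}


def scope_findings(user, groups):
    """Return the scope rules from this section that the user's definition breaks."""
    findings = []
    non_unique = {g for gs in overlapping_machines(groups).values() for g in gs}
    # Remote offices and unique custom groups cannot share one scope.
    if user["groups"] and user["remote_offices"]:
        findings.append("mixes remote offices and unique custom groups")
    # A group is unique only if none of its machines is in another group.
    for group in user["groups"]:
        if group in non_unique:
            findings.append(f"custom group {group} is not unique")
    # Widest possible scope: worth a least-privilege review, not an error.
    if user["probes"] == "all" and user["all_computers"]:
        findings.append("all probes and all computers: confirm this is required")
    return findings


def audit(users, groups):
    """Findings per user, omitting users whose scope is clean."""
    found = ((u["name"], scope_findings(u, groups)) for u in users)
    return {name: f for name, f in found if f}


if __name__ == "__main__":
    print(audit(USERS, CUSTOM_GROUPS))
```

Here `bob` passes, `carol` is flagged twice (a mixed target and a group that shares `lt-02` with another group), and `alice` is listed only so that the widest scope gets a deliberate review.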

User Management

How to create a new user?

A new user can only be created in the all probes scope by the summary server administrator. A probe administrator cannot create new users but can view the user information in read-only mode.

Follow the steps below to create a user:

  • Log in to Endpoint Central as the summary server administrator.
  • Select the Admin tab and click User Administration under Global Settings. This opens the user administration page.
  • Click the Add User button under the User tab.
  • Specify the Authentication Type as Active Directory Authentication or Local Authentication.
  • Specify a user name and the email address of the user.
  • Specify the Role from the drop-down. You can see a list of all the pre-defined roles and the roles that you have created.
  • Specify the email address and the phone number of the user.
  • Define the scope of the user. Specify the probes to be managed and also the computers that are to be managed in the specified probes. You can choose to give the user access to manage all computers, remote offices or specific unique custom groups. If you do not have a unique custom group, you can create one in the required probe. If the custom group is not unique, it will not be listed here.
  • Specify the devices to be managed for enabling modern management capabilities for the user.

You have successfully created a user and associated a role with the user, along with the scope of the probes that need to be managed.

How to modify a user?

A user can only be modified in the all probes view by the administrator. Follow the steps below to modify a user:

  1. Log in to Endpoint Central Summary Server as the summary server administrator.

  2. Select the all probes scope in the drop-down. Navigate to the Admin tab > Global Settings > User Administration.

  3. The list of users will be displayed. Against the user you want to change, under the Action column, choose Modify User.

How to delete a user?

At times when you find a user's contribution obsolete, you can go ahead and delete the user from the User List. The deleted user will not be able to login to the Endpoint Central Summary Server.

Secure Authentication:

Endpoint Central's Secure Authentication feature lets you strengthen login security by enabling two-factor authentication and enforcing a password policy. Secure authentication modules can be configured only from the summary server's all probes view, and the configured settings apply to all probes in the network. The applied configurations are visible in read-only mode to the probe administrator.

How to enable two-factor authentication:

  1. Log in to Endpoint Central as the summary server administrator.

  2. Select the Admin tab and click User Administration under Global Settings. This opens the global administration page.

  3. Navigate to the Secure Authentication tab and open the Two Factor Authentication tab.

  4. Click Enable under the authentication field and choose the preferred mode of authentication. There are two modes of authentication:

    • Email
    • Authenticator Application
  5. Click Save.

How to create a password policy:

  1. Log in to Endpoint Central as the summary server administrator.
  2. Select the Admin tab and click User Administration under Global Settings. This opens the global administration page.
  3. Navigate to the Secure Authentication tab and open the Password Policy tab.
  4. You may impose the following restrictions on the user's passwords:
    • Minimum password length
    • Using previous passwords
    • Password Complexity
    • Number of invalid login attempts
    • Enable User Account Lockout

Note: The configured password policy applies only when a user changes their password after the policy is configured. An existing password need not be in line with the configured password policy.