Configuring Roles with RBAC
The Role-Based Access Control (RBAC) feature in XenMobile lets you assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions.
XenMobile implements four default user roles to logically separate access to system functions:
1. Administrator. Grants full system access.
2. Provisioning. Used by administrators to provision all Windows Mobile/CE devices as a group using the Device Provisioning Tool.
3. Support. Grants access to remote support.
4. User. Used by users who can enroll devices and access the Self Help Portal.
You can also create new user roles that grant access to specific system functions beyond those defined by the default roles. To do so, use a default role as a template and customize it.
Roles can be assigned to local users (at the user level) or to Active Directory groups (all users in that group have the same permissions). If a user belongs to several Active Directory groups, all the permissions are merged together to define the permissions for that user. For example, if ADGroupA users can locate manager devices, and ADGroupB users can wipe employee devices, then a user who belongs to both groups can locate and wipe devices of managers and employees.
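The merge rule above can give a user action and target combinations that no single group was granted. The following added example (not Citrix code and not part of the original page) audits for such combinations. It assumes a hypothetical data model in which each role is a set of actions plus a set of target groups, and it reads the merge as in the ADGroupA/ADGroupB example; all data is constructed.

```python
from itertools import product

# Constructed sample data (not exported from XenMobile): each role lists the
# actions it allows and the device-owner groups those actions apply to.
ROLES = {
    "ADGroupA": {"actions": {"locate"}, "targets": {"managers"}},
    "ADGroupB": {"actions": {"wipe"}, "targets": {"employees"}},
}
# Constructed Active Directory group memberships.
MEMBERSHIPS = {
    "alice": ["ADGroupA"],
    "bob": ["ADGroupB"],
    "carol": ["ADGroupA", "ADGroupB"],
}

def granted_by(role):
    """(action, target) pairs that a single role grants on its own."""
    return set(product(role["actions"], role["targets"]))

def effective(groups, roles=ROLES):
    """Merged grant: union of actions applied to union of targets
    (assumed reading of the page's ADGroupA/ADGroupB example)."""
    actions, targets = set(), set()
    for g in groups:
        role = roles.get(g)
        if role is None:  # a group with no role assigned contributes nothing
            continue
        actions |= role["actions"]
        targets |= role["targets"]
    return set(product(actions, targets))

def merge_only_grants(groups, roles=ROLES):
    """Pairs held only because of the merge; no single role grants them."""
    individually = set()
    for g in groups:
        if g in roles:
            individually |= granted_by(roles[g])
    return effective(groups, roles) - individually

def audit(memberships=MEMBERSHIPS, roles=ROLES):
    """Map each user with merge-only grants to the sorted list of those pairs."""
    report = {}
    for user, groups in memberships.items():
        extra = merge_only_grants(groups, roles)
        if extra:
            report[user] = sorted(extra)
    return report

if __name__ == "__main__":
    for user, pairs in audit().items():
        print(user, "gains via merge:", pairs)
```

In this sample only carol is reported: she can locate employee devices and wipe manager devices, although neither group was granted those pairs on its own.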
You can use the RBAC feature in XenMobile to do the following:
1. Create a new role.
2. Add groups to a role.
3. Associate local users with roles.
1. In the XenMobile console, click Configure > Settings > Role-Based Access Control.
The Role page appears, which displays the four default user roles, plus any roles you have previously added.
2. Click Add to add a new user role, click the pen icon to the right of an existing role to edit the role, or click the trash can icon to the right of a role you previously defined to delete the role. You cannot delete the default user roles.
a. When you click Add or the pen icon, the Add Role or the Edit Role page appears.
b. When you click the trash can icon, a confirmation dialog appears. Click Delete to remove the selected role.
3. Enter the following information to create a new user role or to edit an existing user role:
a. RBAC name: Enter a descriptive name for the new user role. You cannot change the name of an existing role.
b. RBAC template: Click a template as the starting point for the new role or click a new template for an existing role.
Using a template is optional; you can directly select the options you want to assign to a role in the Authorized Access and Console Features fields.
a. Click Apply to populate the Authorized access and Console features check boxes with the predefined access and feature permissions for the selected template.
b. Select and clear the check boxes in Authorized access and Console features to customize the role.
c. Apply permissions: Select the groups to which you want to apply the selected permissions.
If you click To specific user groups, a list of groups appears from which you can select one or more groups.
4. Click Next. The Assignment page appears.
5. Enter the following information to assign the role to user groups and then click Save.
a. Select domain: In the list, click a domain.
b. Include user groups: Click Search to see a list of all available groups, or type a full or partial group name to limit the list to only groups with that name.
c. In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in a list of selected groups to the right of the search box.
To remove a user group from the Selected user groups list, do one of the following:
a. Click Search to see a list of all user groups in the selected domain.
b. Type a full or partial group name in the search box, and then click Search to limit the list of user groups.
Selected user groups have check marks next to their names in the resulting list. Scroll through the list and clear the check box next to each group you want to remove.