Configure roles with RBAC

The role-based access control (RBAC) feature in Endpoint Management lets you assign roles to users and groups. Roles are sets of permissions that control the level of access users have to system functions.

Endpoint Management comes with the following default user roles. You can use the default roles as templates that you customize to create your own user roles.

  • Administrator: Grants full system access.
  • User: Allows users to enroll devices and access the Self-Help Portal.

You can use the RBAC feature in Endpoint Management to:

  • Create and edit user roles.
  • Assign roles to local user groups and Active Directory (AD) groups.
  • Assign roles to administrators in Citrix Cloud through Identity and Access Management > Administrators. See Add roles to Citrix Cloud administrators.

Use the RBAC feature

You can assign roles to local users, to cloud administrators (in Citrix Cloud), and to local user groups and Active Directory groups.

  • Local users: Assign roles to local users using Manage > Users. You can assign only one role to local users. To change the roles, you can manually edit the user account. Or, you can create a group for local users and assign a role to that group.
  • Cloud administrators: A cloud administrator is a special user account that Citrix Cloud creates when an administrator is added to your Citrix Cloud customer account. A cloud administrator account uses the same user name as the administrator account on Citrix Cloud. Create RBAC roles in the Endpoint Management console and assign roles to these users through Identity and Access Management > Administrators in Citrix Cloud.
  • Active Directory groups: All users in an Active Directory group have the same permissions. If a user belongs to several Active Directory groups, all the permissions merge to define the permissions for that user. For example, suppose ADGroupA users can locate manager devices and ADGroupB users can wipe employee devices. A user who belongs to both groups can locate and wipe the devices of managers and employees. If a user belongs to groups with conflicting permissions, the allowed permissions prevail: the effective permission set is the union of the permissions of all the user's groups, so membership in one group never removes a permission granted through another.

For more information, see About user accounts.

Create or edit roles

  1. In the Endpoint Management console, to access the Settings page, click the gear icon in the upper-right corner.

  2. Click Role-Based Access Control. The Role-Based Access Control page shows the default user roles and any roles that you added.

    Click the plus sign (+) next to a role to see all the permissions for that role.

    [Screenshot: Endpoint Management RBAC configuration]

  3. To add a role, click Add. Or, to edit a role, click the pen to the right of an existing role.

    Note:

    You can delete a role by clicking the trash can to the right of a role that you defined. You can’t delete the default user roles.

  4. On the Add Role page, enter the following information:

    • RBAC name: Enter a descriptive name for the new user role. You can’t change the name of an existing role.
    • RBAC template: Optionally, select a template as the starting point for the new role. (When editing a role, you can’t select or change templates.) RBAC templates are the default user roles that define the access to system functions.

    Click the Apply button to populate the Authorized access and Console features check boxes. Endpoint Management fills those fields with the predefined access and feature permissions for the selected template.

    [Screenshot: Endpoint Management RBAC configuration]

  5. To customize the role, select or clear the check boxes in Authorized access and Console features.

    Click the triangle next to a console feature to reveal and select permissions specific to that feature. Clicking the top-level check box does not select the individual permissions. Select individual options after expanding the top-level permission.

  6. Apply permissions: Click To specific user groups to apply permissions to the groups you select.

    For example, if an RBAC administrator has permissions to the ActiveDirectory user group:

    • The administrator can access information only for users who are in the ActiveDirectory group.
    • The administrator can’t view any other local or AD users, but can view users who are members of child groups of the permission groups.
    • The administrator can send invitations to:

      • The permission groups and their child groups
      • The users who are members of permission groups and their child groups

    [Screenshot: Endpoint Management RBAC configuration]

  7. Click Next and enter the following information to assign the role to user groups.

    [Screenshot: Endpoint Management RBAC configuration]

    • Select domain: From the list, select a domain.
    • Search for user groups: Click Search to see a list of all available groups. Type a full or partial group name to narrow the search.
    • Include user groups: In the list that appears, select the user groups you want to assign the role to.
  8. Click Save.

Add roles to Citrix Cloud administrators

Instead of assigning RBAC roles to Citrix Cloud administrators through the Endpoint Management console, assign roles from the Citrix Cloud console.

  1. In the Citrix Cloud console, navigate to Identity and Access Management > Administrators.
  2. Select an identity provider, and then type an email address to add an administrator. Click Invite.

    Click the icon at the end of an existing administrator row to edit that administrator's permissions.

  3. Click Custom access. When assigning permissions to the administrator, you can select the RBAC roles created in the Endpoint Management console.

    [Screenshot: RBAC roles in Citrix Cloud]

  4. Click Send Invite to send an invitation to a new administrator or click Save to finish editing an administrator.

Predefined roles

Each predefined RBAC role has certain associated access and feature permissions. The tables that follow describe each of the permissions for the Admin role and for the User role. You can’t delete or edit the predefined roles.

Important:

Under the Settings permission, the RBAC permission gives Admin users full access, including the ability to assign their own permissions. Give this access only to users who you intend to give the ability to manipulate everything in the Endpoint Management system.
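The two rules above, union-style merging of permissions across Active Directory groups and the self-escalation risk of the Settings > RBAC permission (plus the child-group scoping described under Apply permissions), can be checked mechanically. The following is an added example, not Citrix code or any Endpoint Management API; the role, group, and user names are constructed, and the "Feature/Permission" strings are a hypothetical encoding of the console check boxes.

```python
"""Toy model of Endpoint Management RBAC semantics (added example, not Citrix code).

Models three rules from the documentation:
  1. Permissions from several Active Directory groups merge into a union.
  2. A role applied to specific user groups also covers their child groups.
  3. Settings > RBAC lets a holder assign their own permissions, so an audit
     should flag every user whose merged permissions include it.
"""
from typing import Dict, List, Set

# Constructed sample data: role, group, and user names are hypothetical.
ROLES: Dict[str, Set[str]] = {
    "Locator": {"Devices/Locate device", "Devices/Track device"},
    "Wiper": {"Devices/Selective Wipe device", "Devices/Full Wipe device"},
    "Administrator": {"Settings/RBAC", "Settings/LDAP", "Devices/Full Wipe device"},
}
GROUP_ROLE: Dict[str, str] = {
    "ADGroupA": "Locator",
    "ADGroupB": "Wiper",
    "ADGroupAdmins": "Administrator",
}
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"ADGroupA"},
    "bob": {"ADGroupA", "ADGroupB"},
    "carol": {"ADGroupAdmins"},
    "dave": {"ADGroupA", "ADGroupAdmins"},
}
# Directory hierarchy used by the scope rule: parent group -> direct children.
GROUP_CHILDREN: Dict[str, Set[str]] = {
    "ActiveDirectory": {"Sales", "Engineering"},
    "Engineering": {"Platform"},
}
# "Apply permissions: To specific user groups". A role absent from this map
# is unrestricted, i.e. it applies to all user groups (as the Admin role does).
ROLE_SCOPE: Dict[str, Set[str]] = {"Locator": {"ActiveDirectory"}}

SELF_ESCALATING = "Settings/RBAC"


def effective_permissions(user: str) -> Set[str]:
    """Rule 1: union of the role permissions of every group the user belongs to."""
    perms: Set[str] = set()
    for group in USER_GROUPS.get(user, set()):
        perms |= ROLES[GROUP_ROLE[group]]
    return perms


def can(user: str, permission: str) -> bool:
    return permission in effective_permissions(user)


def scoped_groups(permission_groups: Set[str]) -> Set[str]:
    """Rule 2: the permission groups plus all of their transitive child groups."""
    seen: Set[str] = set()
    stack = list(permission_groups)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(GROUP_CHILDREN.get(group, set()))
    return seen


def can_view_users_in(user: str, target_group: str) -> bool:
    """True if any of the user's roles is unrestricted or scoped to cover target_group."""
    for group in USER_GROUPS.get(user, set()):
        scope = ROLE_SCOPE.get(GROUP_ROLE[group])
        if scope is None or target_group in scoped_groups(scope):
            return True
    return False


def audit_self_escalation() -> List[str]:
    """Rule 3: every user whose merged permissions include Settings > RBAC."""
    return sorted(u for u in USER_GROUPS if can(u, SELF_ESCALATING))
```

Note that dave is flagged even though only one of his groups maps to the Administrator role: the merge is additive, so a second group can never shield a user from a permission the first one grants.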

Admin role

The predefined Admin role provides specific access in Endpoint Management. By default, Authorized access (except Self-Help Portal), Console features, and Apply permissions are enabled.

You can change the role for local users who are assigned the Admin role by using Manage > Users. For cloud users who have the Admin role, use the Citrix Cloud console to change the role. By default, cloud and local users with the Admin role have Full access.

Authorized access for administrators

  • Admin console access: Administrators can access all features on the Endpoint Management console.
  • Self-Help Portal access: By default, administrators can’t access the Self-Help Portal. (Users with the User role can access only the Self-Help Portal.)
  • Remote Support access: Administrators can access the Remote Support feature.
  • Public API access: Administrators can access the public API to perform actions programmatically that are available on the Endpoint Management console. The actions include administering certificates, apps, devices, delivery groups, and local users.

Console features for administrators

Administrators have unrestricted access to the Endpoint Management console.

  • Dashboard: The Dashboard is the first page that administrators see after logging on to the Endpoint Management console. The Dashboard shows basic information about notifications and devices.
  • Reporting: The Analyze > Reporting page provides pre-defined reports that let you analyze your app and device deployments.
  • Devices: The Manage > Devices page is where you manage user devices. You can add individual devices on the page or import a device provisioning file to add multiple devices at one time.
  • Local Users and Groups: The Manage > Users page is where you can add, edit, or delete local users and local user groups.
  • Enrollment: The Manage > Enrollment Invitations page is where you manage how users are invited to enroll their devices in Endpoint Management.
  • Policies: The Configure > Device Policies page is where you manage device policies, such as VPN and network.
  • App: The Configure > Apps page is where you manage the various apps that users can install on their devices.
  • Media: The Configure > Media page is where you manage the various media that users can install on their devices.
  • Action: The Configure > Actions page is where you manage responses to trigger events.
  • Delivery Group: The Configure > Delivery Groups page is where you manage delivery groups and the resources associated with them.
  • Enrollment Profile: The Configure > Enrollment Profiles page is where you specify how users can enroll their devices.
  • Alexa for Business: The Settings page is where you manage your Alexa for Business profiles.
  • Settings: The Settings page is where you manage system settings, such as client and server properties, certificates, and credential providers. Important: These settings include the RBAC permission. The RBAC permission gives admins full access, including the ability to assign their own permissions. Give this access only to users who you intend to give the ability to manipulate everything in the Endpoint Management system.
  • Support: The Troubleshooting and Support page is where you perform troubleshooting activities such as running diagnostics and generating logs.

Device restrictions for administrators

Administrators access device features throughout the console by setting device restrictions, setting up and sending notifications to devices, administering apps on the devices, and so on.

  • Full Wipe device: Erase all data and apps from a device, including memory cards if the device has one.
  • Clear Restriction: Remove one or more device restrictions.
  • Selective Wipe device: Erase all corporate data and apps from a device, leaving personal data and apps in place.
  • View locations: See the location of and set geographic restrictions on a device. Includes: Locate device, Track device.
  • Lock device: Remotely lock a device so that users can’t use the device.
  • Unlock device: Remotely unlock a device so that users can use the device.
  • Lock container: Remotely lock the corporate container on a device.
  • Unlock container: Remotely unlock the corporate container on a device.
  • Reset container password: Reset the corporate container password.
  • Enable ASM/Bypass activation lock: Store a bypass code on a supervised iOS device when Activation Lock is enabled. To erase the device, use this code to clear the Activation Lock automatically.
  • Get Resident Users: List the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Force a log out of the current user.
  • Delete Resident User: Delete the current session for a specific user. The user can sign in again.
  • Rings the device: Remotely ring a Windows device at full volume for 5 minutes.
  • Reboot the device: Restart Windows devices from the Endpoint Management console.
  • Deploy to device: Send apps, notifications, restrictions, and other resources to a device.
  • Edit device: Change settings on the device.
  • Notification to device: Send a notification to a device.
  • Add/Delete device: Add or remove devices from Endpoint Management.
  • Devices import: Import a group of devices from a file into Endpoint Management.
  • Export device table: Collect device information from the Device page and export it to a .csv file.
  • Revoke device: Prohibit a device from connecting to Endpoint Management.
  • App lock: Deny access to all apps on a device. On Android, this restriction prevents users from signing in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.
  • App wipe: On Android, this restriction deletes the user’s Endpoint Management account. On iOS, this restriction deletes the encryption key required for users to access Endpoint Management features.
  • View software inventory: See what software is installed on a device.
  • Request AirPlay mirroring: Request to start AirPlay streaming.
  • Stop AirPlay mirroring: Stop AirPlay streaming.
  • Enable lost mode: On the Manage > Devices page, you can put a supervised device in lost mode to block a supervised device on the lock screen. You can then locate the device when the device is lost or stolen.
  • Disable lost mode: On the Manage > Devices page, you can disable lost mode for a device that is set to lost mode.
  • OS Update device: You can deploy an OS Update device policy to devices.
  • Shut down device: Shut down iOS devices from the Endpoint Management console.
  • Restart device: Restart iOS devices from the Endpoint Management console.
  • Renew Device Enrollment Certificate: Renew a device CA certificate.

Local Users and Groups

Administrators manage local users and local user groups on the Manage > Users page in Endpoint Management.

  • Add Local Users
  • Delete Local Users
  • Edit Local Users
  • Import Local Users
  • Export Local Users
  • Local User Groups
  • Get Local User Lock ID
  • Delete Local User Lock

Enrollment

Administrators can add and delete enrollment invitations, send notifications to users, and export the enrollment table to a .csv file.

  • Add/Delete enrollment: Add or remove an enrollment invitation to a user or a group of users.
  • Notify user: Send an enrollment invitation to a user or group of users.
  • Export enrollment invitation table: Collect enrollment information from the Enrollment page and export it to a .csv file.

Policies

  • Add/Delete policy: Add or remove a device or app policy.
  • Edit policy: Change a device or app policy.
  • Upload Policy: Upload a device or app policy.
  • Clone Policy: Copy a device or app policy.
  • Disable Policy: Disable an existing app policy.
  • Export Policy: Collect device policy information from the Device Policies page and export it to a .csv file.
  • Assign Policy: Assign a device policy to one or more delivery groups.

App

Administrators manage apps on the Configure > Apps page in Endpoint Management.

  • Add/Delete app store or enterprise app: Add or remove a public app store app or an enterprise app (not MDX-enabled).
  • Edit app store or enterprise app: Change a public app store app or an enterprise app (not MDX-enabled).
  • Add/Delete MDX, Web, and SaaS app: Add or remove an MDX-enabled app, an app from your internal network (Web app), or an app from a public network (SaaS) to Endpoint Management.
  • Edit MDX, Web, and SaaS app: Change an MDX-enabled app, an app from your internal network (Web app), or an app from a public network (SaaS) in Endpoint Management.
  • Add/Delete category: Add or delete a category in which apps can appear in the app store.
  • Assign public/enterprise app to delivery group: Assign a public app store app or an MDX-enabled app to a delivery group for deployment.
  • Assign MDX/WebLink/SaaS app to delivery group: Assign to a delivery group an app that is MDX-enabled, doesn’t require single sign-on (WebLink), or that’s from a public network (SaaS).
  • Export app table: Collect app information from the App page and export it to a .csv file.

Media

Manage media from a public app store or a volume purchase license.

  • Add/Delete app store or enterprise books
  • Assign public/enterprise books to delivery group
  • Edit app store or enterprise books

Action

  • Add/delete action: Add or remove an action defined by a trigger and associated response. A trigger is an event, device or user property, or installed app name.
  • Edit action: Change an action defined by a trigger and associated response. A trigger is an event, device or user property, or installed app name.
  • Assign action to delivery group: Assign an action to a delivery group for deployment to user devices.
  • Export action: Collect action information from the Actions page and export it to a .csv file.

Delivery group

Administrators manage delivery groups from the Configure > Delivery Groups page.

  • Add/delete delivery group: Create or remove a delivery group, which adds specified users and optional policies, apps, and actions.
  • Edit delivery group: Change an existing delivery group, which modifies users and optional policies, apps, and actions.
  • Deploy delivery group: Make the delivery group available for use.
  • Export delivery group: Collect delivery group information from the Delivery group page and export it to a .csv file.

Enrollment profile

Manage enrollment profiles.

  • Add/delete enrollment profile
  • Edit enrollment profile
  • Assign enrollment profile to delivery group

Alexa for Business

Manage Alexa for Business profiles.

  • Add/delete/edit Rooms
  • Add/delete/edit Room profiles
  • Add/delete/edit Skill groups

Settings for administrators

Administrators configure various settings on the Settings pages.

  • RBAC: RBAC Assignment. Important: This permission gives admins full access, including the ability to assign their own permissions. Give this access only to users who you intend to give the ability to manipulate everything in the Endpoint Management system.
  • LDAP: Administer one or more LDAP-compliant directories, such as Active Directory, to import groups, user accounts, and related properties.
  • Enrollment: Enable enrollment security modes for users and the Self-Help Portal.
  • Release Management: View the current installed release. Includes: Release Management Update.
  • Certificates: Edit APNS certificate.
  • Notification Templates: Create notification templates to use in automated actions, enrollment, and standard notification message delivery to users.
  • Workflows: Manage the creation, approval, and removal of user accounts for use with app configurations.
  • Credential Providers: Add one or more credential providers authorized to issue device certificates. The credential providers control the certificate format and the conditions for renewing or revoking the certificate.
  • PKI Entities: Manage public key infrastructure entities (generic, Microsoft Certificate Services, or discretionary CA).
  • Test PKI Connection: Use the Test Connection button on the Settings > PKI Entities page to make sure that the server is accessible.
  • Client Properties: Manage various properties on user devices, such as passcode type, strength, and expiration.
  • Client Support: Set the ways in which users can contact your support services (email, phone, or support ticket email).
  • Client Branding: Create a custom store name and default store views for the app store. Add a custom logo that appears in the app store or Secure Hub.
  • Carrier SMS Gateway: Set up carrier SMS gateways to configure notifications that Endpoint Management sends through carrier SMS gateways.
  • Notification Server: Set up an SMTP gateway server to send email to users.
  • ActiveSync Gateway: Manage user access to users and devices through rules and properties.
  • Google Chrome: Configure Endpoint Management to communicate with your Google Workspace account.
  • Apple Deployment Program: Add an Apple Deployment Program account to Endpoint Management.
  • Apple Configurator Device Enrollment: Configure Apple Configurator settings in the Endpoint Management console.
  • iOS/volume purchase Settings: Add Apple volume purchase accounts.
  • NetScaler Gateway: Configure NetScaler Gateway (now renamed Citrix Gateway) settings in Endpoint Management.
  • Network Access Control: Set the conditions that determine a device is noncompliant so that it can’t access the network.
  • Server Properties: Add or modify server properties. Requires restarting Endpoint Management on all nodes.
  • Virtual Apps and Desktops: Allow users to add Citrix Virtual Apps and Desktops through Citrix Workspace.
  • Citrix Files: When using Endpoint Management with Enterprise accounts: Configure settings to connect to the Content Collaboration and administrator service accounts for user account management. Requires existing Citrix Files domain and administrator credentials. When using Endpoint Management with storage zone connectors: Configure Endpoint Management to point to network shares and SharePoint locations defined in storage zone connectors.
  • Android Enterprise: Configure Android Enterprise server settings.
  • Identity Provider (IdP): Configure an identity provider.
  • Microsoft Store for Business: Configure Microsoft Store for Business settings in the Endpoint Management console.
  • Endpoint Management Tools: Access the Endpoint Management Tools page.
  • Windows Bulk Enrollment: Configure Windows bulk enrollment settings.

Support

Administrators can do various support tasks.

  • NetScaler Gateway Connectivity Checks: Perform various connectivity checks for NetScaler Gateway by IP address. Requires a user name and password.
  • Endpoint Management Connectivity Checks: Do connectivity checks for selected Endpoint Management features, such as database, DNS, and Google Play.
  • Citrix Product Documentation: Access the public Citrix Endpoint Management documentation site.
  • Citrix Knowledge Center: Access the Citrix Support site to search for knowledge base articles.
  • Logs: View and download log files.
  • Macros: Populate user or device property data in the text field of a profile, policy, notification, or enrollment template. Configure a single policy, deploy the policy to a large user base, and have user-specific values appear for each targeted user.
  • PKI Configuration: Import and export PKI configuration information.
  • APNS Signing Utility: Submit a request for Apple Push Network signing (APNs) certificates, or upload a Secure Mail APNs certificate for iOS.
  • Citrix Insight Services: Upload logs to Citrix Insight Services (CIS) for assistance with various issues.
  • Device Citrix Gateway connector for Exchange ActiveSync Status: Query Endpoint Management for the status of a device sent to the connector for Exchange ActiveSync. The query is based on the device ActiveSync ID.

Restrict Group Access

Admin users can apply permissions to all user groups.

Console features for device provisioning

Device provisioning users have the following restricted access to the Endpoint Management console. By default, each of the following features is enabled.

Device restrictions

  • Edit device: Change settings on the device.
  • Add/Delete device: Add or remove devices from Endpoint Management.

Settings for device provisioning

Device provisioning users can access the Settings page, but do not have the rights to configure the features.

User role

Users with the User role have the following limited access to Endpoint Management.

Authorized access for users

  • Self-Help Portal: Provide users access only to the Self-Help Portal in Endpoint Management.

Console features for users

Users have the following restricted access to the Endpoint Management console.

Device restricted access for users

  • Full Wipe device: Erase all data and apps from a device, including memory cards if the device has one.
  • Selective Wipe device: Erase all corporate data and apps from a device, leaving personal data and apps in place.
  • View locations: See the location of and set geographic restrictions on a device. Includes: Locate device (see the location of a device) and Track device (track device location over time).
  • Lock device: Remotely lock a device so that it cannot be used.
  • Unlock device: Remotely unlock a device so that it can be used.
  • Lock container: Remotely lock the corporate container on a device.
  • Unlock container: Remotely unlock the corporate container on a device.
  • Reset container password: Reset the corporate container password.
  • Enable ASM/Bypass activation lock: Store a bypass code on a supervised iOS device when Activation Lock is enabled. To erase the device, use this code to clear the Activation Lock automatically.
  • Get Resident Users: List the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Force a log out of the current user.
  • Delete Resident User: Delete the current session for a specific user. The user can sign in again.
  • Rings the device: Remotely ring a Windows device at full volume for 5 minutes.
  • Reboot the device: Restart a Windows device.
  • App lock: Deny access to all apps on a device. On Android, users can’t sign in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.
  • App wipe: On Android, this restriction deletes the user’s Endpoint Management account. On iOS, this restriction deletes the encryption key required for users to access Endpoint Management features.
  • View software inventory: See what software is installed on a device.

Enrollment restrictions for users

  • Add/Delete enrollment: Add or remove an enrollment invitation to a user or a group of users.
  • Notify user: Send an enrollment invitation to a user or group of users.

Restrict Group Access for all roles

For the default roles, this permission is set by default and can be applied to all user groups. You can’t edit the role.
