Role-based Administration

Using role-based administration helps reduce management effort and complexity with regards to the OfficeScan infrastructure and is especially helpful for companies with a robust Active Directory structure.

Role-based administration gives administrators the ability to assign specific privileges to users and to present the user with only the tools and permissions necessary to perform specific tasks. Administrators can delegate tasks to sub-domains and users can perform specific tasks without the interference of root domains to avoid conflict with tasks. Since users will only have to look at screens related to their task, they can then focus on their tasks or responsibilities.

Active Directory integration enables logging on to the OfficeScan Web console using Active Directory accounts. Each Active Directory account will have specific roles and each role can be granted several types of permissions.

A user role can be granted three types of permissions: >>>

Each user role will get the default OfficeScan domain settings if the role was imported from another OfficeScan server. The imported role will retain the permissions for the global menu items. However each domain will have to reconfigure the client management menu items and restructure the domain permissions.

Menu Items for Servers/Clients: Specify which menu items for managing the OfficeScan server and clients all users can see or configure, regardless of selected domains. This role should have the necessary permissions on the OfficeScan root directory to ensure that the view and configure options can be enabled. Only users with privileges to manage all domains can configure permissions.

Available menu items for servers/clients

	View	Configure
Scan Now for All Domains Only those using built-in administrator roles can access this feature.	Disabled by default	Disabled by default
Networked Computers Client Management Client Grouping Global Client Settings Computer Location Connection Verification Outbreak Prevention	Enable/Disable	Disabled by default
Smart Protection Smart Protection Sources Integrated Server Smart Feedback	Enable/Disable	Disabled by default
Updates Server Scheduled Update Manual Update Update Source Networked Computers Automatic Update Update Source Rollback	Enable/Disable	Disabled by default
Logs Networked Computer Logs Security Risks Component Update Server Update Logs System Event Logs Log Maintenance	Enable/Disable	Disabled by default
Cisco NAC Policy Servers Agent Management Agent Deployment Client Certificate	Enable/Disable	Disabled by default
Notifications Administrator Notifications General Settings Outbreak Notifications Client User Notifications	Enable/Disable	Disabled by default
Administrations User Accounts User Roles Only users using the built-in administrator account can access User Accounts and Roles. Active Directory Active Directory Integration Scheduled Synchronization Proxy Settings Connection Settings Inactive Clients Quarantine Manager Product License Control Manager Settings Web Console Settings Database Backup	Enable/Disable	Disabled by default
Tools Administrative Tools Client Tools	Enable/Disable	Disabled by default
Plug-in Manager Only users using the built-in administrator account can access this feature.	Disabled by default	Disabled by default

Menu Items for Managed Domains: Specify menu items that users with the necessary permissions for domains can see or configure.

Available menu items for managed domains

	View	Configure
Summary Any user can access this page, regardless of permission.	Enabled by default	N/A
Security Compliance Compliance Assessment Compliance Report Scheduled Compliance Report Outside Server Management	Disabled by default	Enable/Disable
Networked Computers Firewall Policies Profiles Client Installation Browser Based Remote	Enable/Disable	Enable/Disable
Updates Summary Networked Computers Manual Update	Enable/Disable	Enable/Disable
Logs Networked Computer Logs Connection Verification Spyware/Grayware Restore	Enable/Disable	Enable/Disable
Notifications Administrator Notifications Standard Notifications	Enable/Disable	Enable/Disable

Client Management Menu Items: Specify client management tree drop-down menu items that can be seen or configured for each domain on the OfficeScan client tree.

Available menu items from the Client Management screen

	View	Configure
Status	Enabled by default	Enable/Disable
Tasks Scan Now Client Uninstallation Spyware/Grayware Restore	Enable/Disable	Enable/Disable
Settings Scan Methods Manual Scan Settings Real-time Scan Settings Scheduled Scan Settings Scan Now Settings Update Agent Settings Privileges and Other Settings Additional Service Settings Web Reputation Settings Behavior Monitoring Settings Device Control Settings Spyware/Grayware Approved List Export Settings Import Settings	Disabled by default: Import Settings Export Settings Others: Enable/Disable	Enabled by default: Export Settings Others: Enable/Disable
Logs Virus/Malware Logs Spyware/Grayware Logs Firewall Logs Web Reputation Logs Behavior Monitoring Logs Device Control Logs Delete Logs	Enable/Disable	Disabled by default: Virus/Malware Logs Spyware/Grayware Logs Web Reputation Logs Behavior Monitoring Logs Device Control Logs Others: Enable/Disable
Manage Client Tree Add Domain Rename Domain Move Client Sort Client Remove Domain/Client	Disabled by default	Enable/Disable
Export	Disabled by default	Enabled by default

Role-based administration involves the following tasks: >>>

Define user roles. Refer to User Roles.

Specify the domains this role can configure or view.
Specify the role permissions.

Configure user accounts and assign a particular role to each user. Refer to User Accounts.

View Web console activities for all users from the System Events Logs. The following activities are logged:

Logging on to the console

Password modification

Logging off from the console

Session timeout (user automatically gets logged off)