rbarole

User Roles

A user role determines the web console menu items accessible to a user. A role is assigned a permission for each menu item.

Menu Item Permissions

Permissions determine the level of access to each menu item. The permission for a menu item can either be:

Configure: Allows full access to a menu item. Users can configure all settings, perform all tasks, and view data in a menu item.
View: Only allows users to view settings, tasks, and data in a menu item.
No Access: Hides a menu item from view.

Menu Item Types

There are 3 types of menu items in OfficeScan.

Menu Item Types

Type	Scope
Menu Items for Servers/Clients	Server settings, tasks, and data Global client settings, tasks, and data For a complete list of available menu items, see Menu Items for Servers and Clients.
Menu items for managed domains	Granular client settings, tasks, and data that are available outside the client tree For a complete list of available menu items, see Menu Items for Managed Domains.
Client management menu items	Granular client settings, tasks, and data that are available in the client tree For a complete list of available menu items, see Client Management Menu Items.

Menu Items for Servers and Clients

The following table lists the menu items for servers/clients:

Menu Items for Servers/Clients

Main Menu Item	Submenus
Scan Now for All Domains Only those using built-in administrator roles can access this feature.	None
Networked Computers	Client Management Client Grouping Global Client Settings Computer Location Digital Asset Control Definitions Templates Connection Verification Outbreak Prevention
Smart Protection	Smart Protection Sources Integrated Server Smart Feedback
Updates	Server Scheduled Update Manual Update Update Source Networked Computers Automatic Update Update Source Rollback
Logs	Networked Computer Logs Security Risks Component Update Server Update Logs System Event Logs Log Maintenance
Cisco NAC	Policy Servers Agent Management Agent Deployment Client Certificate
Notifications	Administrator Notifications General Settings Outbreak Notifications Client User Notifications
Administration	User Accounts User Roles Only users using the built-in administrator account can access User Accounts and Roles. Active Directory Active Directory Integration Scheduled Synchronization Proxy Settings Connection Settings Inactive Clients Quarantine Manager Product License Control Manager Settings Web Console Settings Database Backup
Tools	Administrative Tools Client Tools
Plug-in Manager Only users using the built-in administrator account can access this feature.	None

Menu Items for Managed Domains

The following table lists the menu items for managed domains:

Menu Items for Managed Domains

Main Menu Item	Submenus
Summary Any user can access this page, regardless of permission.	None
Security Compliance	Compliance Assessment Compliance Report Scheduled Compliance Report Outside Server Management
Networked Computers	Firewall Policies Profiles Client Installation Browser Based Remote
Updates	Summary Networked Computers Manual Update
Logs	Networked Computer Logs Connection Verification Spyware/Grayware Restore
Notifications	Administrator Notifications Standard Notifications

Client Management Menu Items

The following table lists the client management menu items:

Client Management Menu Items

Main Menu Item	Submenus
Status	None
Tasks	Scan Now Client Uninstallation Spyware/Grayware Restore
Settings	Scan Settings Scan Methods Manual Scan Settings Real-time Scan Settings Scheduled Scan Settings Scan Now Settings Web Reputation Settings Behavior Monitoring Settings Device Control Settings Digital Asset Control Settings Update Agent Settings Privileges and Other Settings Additional Service Settings Spyware/Grayware Approved List Export Settings Import Settings
Logs	Virus/Malware Logs Spyware/Grayware Logs Firewall Logs Web Reputation Logs Behavior Monitoring Logs Device Control Logs Digital Asset Control Logs Delete Logs
Manage Client Tree	Add Domain Rename Domain Move Client Sort Client Remove Domain/Client
Export	None

Built-in User Roles

OfficeScan comes with a set of built-in user roles that you cannot modify or delete. The built-in roles are as follows:

Built-in User Roles

Role Name	Description
Administrator	Delegate this role to other OfficeScan administrators or users with sufficient knowledge of OfficeScan. Users with this role have "Configure" permission to all menu items.
Guest User	Delegate this role to users who want to view the web console for reference purposes. Users with this role have no access to the following menu items: Scan Now for All Domains Plug-in Manager Administration > User Roles Administration > User Accounts Users have "View" permission to all other menu items.
Trend Power User	This role is only available if you upgrade from OfficeScan 10. This role inherits the permissions of the "Power User" role in OfficeScan 10. Users with this role have "Configure" permission to all client tree domains but will have no access to the new features in this release.

Custom Roles

You can create custom roles if none of the built-in roles meet your requirement.

Only users with the built-in administrator role and those using the root account created during OfficeScan installation can create custom user roles and assign these roles to user accounts.

To add a custom role:

Administration > User Roles

Click Add. If the role you want to create has similar settings with an existing role, select the existing role and click Copy. A new screen appears.
Type a name for the role and optionally provide a description.
Define the client tree scope.

You will not be able to save a custom role if you do not define the client tree scope.

Click Define Client Tree Scope. A new screen opens.
Select the root domain icon , or one or several domains in the client tree.
Click Save.

Only the domains have been defined at this point. The level of access to the selected domains will be defined in step 6 and step 7.

Click the Global Menu Items tab.
Click Menu Items for Servers/Clients and specify the permission for each available menu item. For a list of available menu items, see Menu Items for Servers and Clients.

The client tree scope you configured in step 3 determines the level of permission to the menu items and defines the targets for the permission. The client tree scope can either be the root domain (all clients) or specific client tree domains.

Menu Items for Server/Clients and Client Tree Scope

Criteria	Client Tree Scope
	Root Domain	Specific Domains
Menu item permission	Configure, View, or No Access	View or No Access
Target	OfficeScan server and all clients For example, if you grant a role "Configure" permission to all menu items for servers/clients, the user can: Manage server settings, tasks, and data Deploy global client settings Initiate global client tasks Manage global client data	OfficeScan server and all clients For example, if you grant a role "Configure" permission to all menu items for servers/clients, the user can: View server settings, tasks, and data View global client settings, tasks, and data

Some menu items are not available to custom roles. For example, Plug-in Manager, User Roles, and User Accounts are only available to users with the built-in administrator role.
If you select the check box under Configure, the check box under View is automatically selected.
If you do not select any check box, the permission is "No Access".

Click Menu items for managed domains and specify the permission for each available menu item. For a list of available menu items, see Menu Items for Managed Domains.

Menu Items for Managed Domains

Criteria	Client Tree Scope
	Root Domain	Specific Domains
Menu item permission	Configure, View, or No Access	Configure, View, or No Access
Target	All or specific clients Examples: If a user deployed firewall policies, the policies will be deployed to all clients. The user can initiate manual client update on all or specific clients. A compliance report can include all or specific clients.	Clients in the selected domains Examples: If a user deployed firewall policies, the policies will only be deployed to clients in the selected domains. The user can initiate manual client update only on clients in the selected domains. A compliance report only includes clients in the selected domains.

If you select the check box under Configure, the check box under View is automatically selected.
If you do not select any check box, the permission is "No Access".

Click the Client Management Menu Items tab and then specify the permission for each available menu item. For a list of available menu items, see Client Management Menu Items.

Client Management Menu Items

Criteria	Client Tree Scope
	Root Domain	Specific Domains
Menu item permission	Configure, View, or No Access	Configure, View, or No Access
Target	Root domain (all clients) or specific domains For example, you can grant a role "Configure" permission to the "Tasks" menu item in the client tree. If the target is the root domain, the user can initiate the tasks on all clients. If the targets are Domains A and B, the tasks can only be initiated on clients in Domains A and B.	Only the selected domains For example, you can grant a role "Configure" permission to the "Settings" menu item in the client tree. This means that the user can deploy the settings but only to the clients in the selected domains.
Target	The client tree will only display if the permission to the "Client Management" menu item in "Menu Items for Servers/Clients" is "View".

If you select the check box under Configure, the check box under View is automatically selected.
If you do not select any check box, the permission is "No Access".
If you are configuring permissions for a specific domain, you can copy the permissions to other domains by clicking Copy settings of the selected domain to other domains.

Click Save. The new role displays on the User Roles list.

To modify a custom role:

Administration > User Roles

Click the role name. A new screen appears.
Modify any of the following:

Description
Client tree scope
Role permissions
Menu items for servers/clients
Menu items for managed domains
Client management menu items

Click Save.

To delete a custom role:

Administration > User Roles

Select the check box next to the role.
Click Delete.

A role cannot be deleted if it is assigned to at least one user account.

To import or export custom roles:

Administration > User Roles

To export custom roles to a .dat file:

Select the roles and click Export.
Save the.dat file. If you are managing another OfficeScan server, use the .dat file to import custom roles to that server.

Exporting roles can only be done between servers that have the same version.

To export custom roles to a .csv file:

Select the roles and click Export Role Settings.
Save the .csv file. Use this file to check the information and permissions for the selected roles.

If you have saved custom roles from a different OfficeScan server and want to import those roles into the current OfficeScan server, click Import and locate the .dat file containing the custom roles.

A role on the User Roles screen will be overwritten if you import a role with the same name.
Importing roles can only be done between servers that have the same version.
A role imported from another OfficeScan server:
Retains the permissions for menu items for servers/clients and menu items for managed domains.
Applies the default permissions for client management menu items. On the other server, record the role’s permissions for client management menu items and then re-apply them to the role that was imported.