Defining Scopes And Roles For Console Users - Lenovo ThinkCentre M58 Deployment Manual

Hardware Password Manager groups" on page 12 for a description of roles.) So, for example, a user
might see all options on the Hardware Password Manager BIOS menu but a Service Technician might
have a limited set of options available.
Note: When the client policy is set to Hardware Account equals Windows credentials, the Change
Hardware Account password option will not be displayed whether or not it is selected for the role.
The BIOS version exclude list section enables you to list BIOS versions that you want to exclude from
Hardware Password Manager management. If you attempt to perform any remote actions on a device
with a listed BIOS, the remote action will fail. Likewise, if you attempt to register a Hardware Password
Manager device that has a listed BIOS, the registration will not be performed.

Defining scopes and roles for console users

Scopes and roles can be defined to control the access to various features of Hardware Password Manager in
the ThinkManagement Console.
Scopes are used to define which devices a console user has access to. To create a new scope, do
the following:
1. Select Administration in the toolbox of the console.
2. Double-click Users to open the Users tool.
3. Click + on the toolbar or right-click Scopes, and then click New scope.
4. Enter a name for the scope.
5. Select LDMS Query as the scope type and then click New.
6. Select an element from the list of inventoried items (for example: Computer Name, Computer Location,
Domain Name, and so on).
7. Select a comparison operator (for example: =, <>, Like, Exists, and so on).
8. Either select an existing value from the displayed scanned values or enter a value under Edit values.
9. Click Insert.
10. Click OK.
11. Click OK.
After you have defined the necessary scopes, you can create various roles to be associated with the scopes.
To create a new role, do the following:
1. In the Users tool, click + on the toolbar or right-click Roles, and then click New role.
2. Enter a name for this role.
3. Select the permission levels for the various Hardware Password Manager features you want this role to
have access to. The permission levels are categorized into View, Edit, and Deploy. Some permissions
only allow one of three levels, but others might allow two.
4. Select the scopes to assign this role to.
5. Click Save.
In order to get the users access to the console, the users should be members of groups that have been
authorized the proper access. This access is controlled by creating a new authentication and defining group
permissions as the following:
1. In the User's tool, click + on the toolbar or right-click Authentications, and then click New
authentication.
2. Enter a name for the authentication.
3. Enter the full domain name.
4. Enter the user name and password of a service account that can be used to query the directory.
18
Hardware Password Manager Deployment Guide