Role-Based Administrative Accounts - Novell ZENWORKS 10 CONFIGURATION MANAGEMENT SP3 - SYSTEM PLANNING-DEPLOYMENT-BEST PRACTICES GUIDE 10.3 30-03-2010 System Planning Manual

(for example, ZENworks 7 Desktop Management), you must have your user sources defined prior to
running any of the migration steps. If you do not do this, you will not be able to migrate user-based
associations (including associations to user groups).
You can connect to Novell eDirectory and Microsoft Active Directory for your user sources. After
you connect to either of these LDAP directories, you define the containers within the directory that
you want exposed. Or, you could reference the top-level containers of the user source as the source
or the containers that contain users. This limits access within the directory to only those containers
that include users.
Both methods have some advantages and disadvantages that are mostly related to administration.
There is no difference in assigning bundles or policies.
Selecting top-level containers ensures that all users in subcontainers and all containers added to the
structure are maintained automatically and can be used for assignments without changes within
ZENworks Configuration Management. However, there is no way to detect deleted containers in the
user source. If you assign a bundle to a container that is later deleted, you cannot see this change in
ZENworks Configuration Management.
In addition, it is not possible to add subcontainers if the parent container is already in list. If you
want to change the structure, you need to delete the parent container and you lose all assignments.
Because of this, we recommend that you use only containers where users reside. This means adding
multiple sublevel folders from an eDirectory or Active Directory rather than only one.

4.2.3 Role-Based Administrative Accounts

The roles feature allows you to specify rights that can be assigned as roles for ZENworks
administrators. You can create a specialized role, then assign administrators to that role to allow or
deny them the ZENworks Control Center rights that you specify for that role. For example, you
could create a Help Desk role with the ZENworks Control Center rights that you want help desk
operators to have. You can also create individual administrative accounts and assign these to
managers of the system.
Common roles in most installations of ZENworks Configuration Management include the
following:
Help Desk: The Help Desk role should include common tasks, such as remote control, remote
view, and so forth, and be bound to specific boundaries (device folders), especially where there
are multiple sites and administration is not centralized.
Application Management: The Application Management role should include tasks and
functions for creating bundle content in specific folders and restricting it to folder boundaries.
Some administrators require more rights than others, so multiple roles could be created.
Backup Administrator: The Backup Administrator role is used if the default administrator
account can no longer be used.
Individual Administrator Accounts: It is also a best practice to create different levels of
administrator accounts and assign these separately to individuals. Do not give the administrator
credentials (the default Administrator account set up during the initial installation) to everyone.
The following graphic is an example of the kinds of roles you should consider when implementing
ZENworks Configuration Management:
Performing Design Activities 49