ZENworks 11SP3 Improved Rights Management


Introducing View Leaf Rights

One of the common complaints that we’ve heard from customers is that a delegated administrator can always see everything in ZENworks Control Center, even though they can’t necessarily do anything with those objects. With ZENworks 11SP3 we are introducing a new right called “View Leaf”. When a user is granted this right, they are able to see any leaf node objects in that container such as a device, group, bundle, policy, etc. If they are not assigned View Leaf rights then they will be able to traverse the folder structure, but they won’t be able to see any of the leaf node objects in the folder.

Configure View Leaf Rights

To grant an administrator View Leaf rights in ZENworks 11SP3 you will be able to do the following:

  1. In the ZENworks Control Center go to the properties of either an Administrator, Administrator Group, or Role object.

  • Go to the Rights tab.

  • Select the Object type that you want to either Grant or Revoke View Leaf rights on. This will open a dialog similar to the one shown below:24297-setrights

  • Select the Folder that you want to grant the user View Leaf Rights to or Remove Rights from. In this screenshot we are removing the user’s ability to see any of the leaf node objects in the Workstations folder. This means that when the user is logged in they will be unable to see any of the devices or groups in the Workstations folder.

  • Save the changes. You now have a limited administrator that cannot see workstations.

Note: With older versions of ZENworks, administrators were automatically granted View Leaf rights for all objects. With ZENworks 11SP3 new admins and groups do not automatically receive these rights, they must be explicitly granted.

Test View Leaf Rights

  1. After you have created a user with limited View Leaf rights, you can test this by doing the following
    As the super admin, review the contents of the folder where the test user does not have rights to see leaf objects. The screenshot below shows the contents of the Workstations folder in my zone as seen by the super admin user:24297-sa-workstationsfolder

  • Now logout and then login as the limited administrator.

  • Browse to the same container where the user shouldn’t have View Leaf rights. You should be able to see any folders and traverse up and down the folder structure, but you should not see any leaf node objects – such as groups and devices. The screenshot below shows the Workstations folder in my environment as seen by the limited administrator:24297-limitedadmin-workstationsfolder

    The one exception to View Leaf rights is the Relationships page of a bundle or policy. Even though the user in this case has been granted rights to see only Servers, if a Workstation is assigned to a particular bundle and the limited admin has View Leaf rights for the bundle, they will be able to see the objects assigned to the bundle. The screenshot below shows the relationships tab of a bundle that has both a server and a workstation assigned to it.


    Notice that in the screenshot the user can see all of the assigned devices, but cannot click on the device or groups that they don’t have rights to. The reason for these are displayed is to ensure that when a user makes a change to a bundle or policy they are able to determine all of the devices that will be impacted by the change.

System Update Rights

Another common issue we’ve heard is that you want the ability to delegate administrators rights to deploy system updates to the devices they are responsible for. With the introduction of View Leaf rights, and the introduction of two new Zone Rights – Apply Updates and Approve Updates – you can now do this. To grant someone the rights to deploy updates you simply need to do the following:

  1. In the properties of the Administrator, Administrator Group or Role go to the Rights tab.

  • Choose to Add or Edit System Update Rights from the rights list. This should display the following dialog:24297-surights

  • Grant the user Apply Update rights.

  • Following the steps described earlier, grant Device > View Leaf rights to the administrator for the containers to which they should be able to deploy System Updates to.

  • Save the changes.

  • Logout and log back in as the limited admin.

  • Go to the Configuration > System Update page.

  • Choose to deploy an update. Notice that the only deployment option available is the Selected as shown below:24297-limitedadmin-deploysu

  • Browse to the devices you want to deploy to. Notice that since View Leaf rights are enforced you can only select objects to which you have rights. The screen shot below shows what the user sees when they browse to the Workstations folder, to which they do not have access.24297-limitedadmin-selectdevicesforsu

    Note: If you grant a user Apply Updates and View Leaf to /Devices then that user will be able to deploy the update to Update Stages and All Devices. If you grant View Leaf rights to any folder under /Devices then the user will only be able to select the Selected Devices option.

  • If the user selects a folder to which she has rights, she should see the devices in that folder. An example is shown below:24297-limitedadmin-selectdevicesforsu-servers


With the new rights being introduced in ZENworks 11SP3 it will possible to restrict delegated administrators from seeing objects in ZENworks Control Center. It will also be possible to delegate control of System Update deployment to administrators that are not full zone admins.


How To-Best Practice
Comment List