Role-based administration

LANDesk Management Suite lets you manage console users with an extensive set of role-based administration features. You can:

You can create roles based on user responsibilities, the management tasks you want them to be able to perform, and the devices you want them to be able to see, access, and manage. Access to devices can be restricted to a geographic location like a country, region, state, city or even a single office or department. Or, access can be restricted to a particular device platform, processor type, or some other device hardware or software attribute. With role-based administration, it's completely up to you how many different roles you want to create, which users can act in those roles, and how large or small their device access scope should be. For example, you can have one or more users whose role is software distribution manager, another user who is responsible for remote control operations, a user who runs reports, and so on.

If you don't have many console users or you don't want to limit the console users that you do have, you can bypass role-based administration entirely and just add users to the core server's local LANDesk Administrators group. Members of this group have full access to the console and can manage all devices. By default, the account used to install Management Suite is placed into the LANDesk Administrators group.

The table below lists some of the possible Management Suite administrative roles you might want to implement, the common tasks that user would perform, and the permissions that user would need in order to function effectively in that role.

Role Tasks Required rights


Configure core servers, install additional consoles, perform database rollup, manage users, configure alerts, and so on. (Of course, administrators with full permissions can perform any management tasks.)

Management Suite administrator
(all permissions implied). Member of core's LANDesk Administrators local group.

Device inventory manager

Discover devices, configure devices, run the inventory scanner, create and distribute custom data forms, enable inventory history tracking, and so on.

Device management. Member of core's LANDesk Management Suite local group.


Remotely control devices, chat, transfer files, execute software, shutdown, reboot, view agent and health status, and so on.

Remote control tools. Member of core's LANDesk Management Suite local group.

Application manager

Distribute software packages, use Targeted Multicast and peer download, and so on.

Software distribution. Member of core's LANDesk Script Writers local group.

Migration manager

Create images, deploy OS images, migrate user profiles, create and distribute user-initiated profile migration packages, deploy PXE representatives, assign PXE holding queues, configure the PXE boot menu, create boot floppy disks, and so on.

OS deployment - provisioning. Member of core's LANDesk Script Writers local group.

Reporting manager

Run predefined reports, create custom reports, print reports, publish reports, import and export reports, test user reports, and so on.

Reporting designer or Reporting viewer roles. Member of core's LANDesk Management Suite local group.

Software license monitoring manager

Configure applications to monitor, add licenses, downgrade licenses, verify reports, and so on.

Software license monitoring. Member of core's LANDesk Management Suite local group.

Security manager

Download security content updates and patches, configure devices for security and antivirus scanning, create vulnerability scans and configure security scanner settings, create antivirus scans and configure antivirus settings, edit custom variables and configure custom variable override settings, and many more security-related tasks.

Endpoint security. Member of LANDesk Script Writers local group.

NOTE: Some of the example administrative roles would require the "Basic Web console" permission in order to use the features in the Web console.

These are just example administrative roles. Role-based administration is flexible enough to let you create as many custom roles as you need. You can assign the same few permissions to different users but restrict their access to a limited set of devices with a narrow scope. Even an administrator can be restricted by scope, essentially making them an administrator over a specific geographic region or type of managed device. How you take advantage of role-based administration depends on your network and staffing resources, as well as your particular needs.

The following is the basic process for using role-based administration:

  1. Create roles for console users.
  2. Add console users to the Windows LANDesk Management Suite group.
  3. Create authentications for each Active Directory you will be using to designate console users.
  4. Optionally use scopes to limit the list of devices that console users can manage.
  5. Create a group permission by assigning the roles you created to the Active Directory groups containing your console users.
  6. Optionally use teams to further categorize console users.

NOTE: If you've upgraded from Management Suite 8, setup creates a log file called ..\LANDesk\Management Suite\RBAUpgradeReport.txt. This file has information to help you map 8.x roles to 9.x.

For more information on using roles, see the following sections: