Creating scopes

A scope defines the devices that can be viewed and managed by a Management Suite user.

A scope can be as large or small as you want, encompassing all of the managed devices scanned into a core database, or possibly just a single device. This flexibility, combined with modularized tool access, is what makes role-based administration such a versatile management feature.

Default scopes

Management Suite's role-based administration includes one default scope: the "default all machines scope." This scope includes all managed devices in the database. You can't edit or remove the default scope.

Custom scopes

There are three types of custom scopes you can create and assign to users:

• LDMS query: Controls access to only those devices that match a custom query search. You can select an existing query or create new queries from the Scope properties dialog box to define a scope. Note that you can also copy queries from the Queries groups in the network view directly into the Scopes group. For more information on creating queries, see Creating database queries.
• LDAP: Controls access to only those devices gathered by the inventory scanner that are located in an LDAP-compliant directory structure. Select directory locations from the Select visible devices dialog to define a scope. This directory-based scope type also supports custom directory locations (if you've entered custom directory paths as part of an agent configuration). Available custom directory paths appear in the Select visible devices dialog. Use custom directories to define a scope if you don't have an LDAP-compliant structure, or if you want to be able to restrict access to devices by a specific organizational detail such as geographic location or department.
• Device group: Controls access to only those devices that belong to a specific device group in the network view.

A Management Suite user can be assigned one or more scopes at a time. Additionally, a scope can be associated with multiple users.

How multiple scopes work

More than one scope can be assigned to any of the Management Suite users. When multiple scopes are assigned to a user, the user has rights to all computers in all assigned scopes. The cumulative list of computers in all assigned scopes is the user's effective scope.

A user’s effective scope can be customized by adding and removing scopes at any time. Multiple scopes and scope types can be used together.

A user’s rights and scopes can be modified at any time. If you modify a user’s rights or scopes, those changes take effect the next time that user logs into the console or when a console administrator clicks the Refresh scope toolbar button on the Console (top of window).

Creating a scope

To create a scope

1. Click Tools > Administration > Users.
2. Right-click Scopes and click New Scope.
3. In the Scope Properties dialog, enter a name for the new scope.
4. Specify the type of scope you want to create (LDMS query, LDAP or custom directory, or device group) by clicking a scope type from the drop-down list, and then clicking New.
5. If you're creating an LDMS query-based scope, define the query in the New scope query dialog, and then click OK.
6. If you're creating a directory-based scope, select locations (LDAP directory and/or custom directory) from the Select visible devices list, and then click OK.

Click on the plus (+) and minus (-) signs to expand and collapse nodes in the directory tree. You can multi-select locations by using Ctrl+click. All nodes under a selected parent node will be included in the scope.

LDAP directory locations are determined by a device's directory service location. Custom directory locations are determined by a device's computer location attribute in the inventory database. This attribute is defined during device agent configuration.

7. If you're creating a device group-based scope, select a group from the available device group list, and then click OK.
8. Click OK again to save the scope and close the dialog.

About the Scope Properties dialog box

Use this dialog box to create or edit a scope. You can access this dialog box by selecting a scope and clicking the Edit scope toolbar button or by right-clicking the scope and then clicking Properties.

• Scope name: Identifies the scope.
• Select a scope type:
• • LDMS query: Creates a scope whose device range is determined by a custom query. Clicking New with this scope type selected opens the New query dialog where you can define and save a query. This is the same query dialog you use when creating a database query from the network view. (Note that you can also copy queries from the Queries groups in the network view directly into the Scopes group.)
  • LDAP: Creates a scope whose device range is determined by the device location (LDAP directory and/or custom directory). Clicking New with this scope type selected opens the Select visible devices dialog where you can select locations. Click on the plus (+) and minus (-) signs to expand and collapse nodes in the directory tree. You can multi-select locations by using Ctrl+click. All nodes under a selected parent node will be included in the scope.
  • Device group: Creates a scope whose device range is determined by an existing group of devices contained under the Devices object in the network view. Clicking New with this scope type selected opens the Query filter dialog where you can select a device group.
• Current scope definition: Displays the query statements for a query-based scope, the location paths for a directory-based scope, or the group name for a device group-based scope.
• Edit: Opens the scope's appropriate dialog where you can change query parameters and statements.