Secure Your Users
Whether you are the only systems administrator in your environment or have a large IT team collaborating on management and monitoring tasks using ControlUp, it is important to make yourself familiar with the out-of-the-box Security Policy and adjust it to your needs.
This article provides a brief overview of ControlUp’s Security model. For more information regarding ControlUp’s rights and permissions, see the Security Policy Pane article.
Know Your Roles
ControlUp’s default Security Policy grants permissions for two built-in user roles. You cannot delete or modify membership for these roles:
Local Admins – a ControlUp user is considered a member of this role when they have local administrative privileges on the managed computer. By definition, your membership in this role may vary depending on the context. When performing a management action on multiple computers, a ControlUp user’s current Windows credentials are evaluated on each computer, so a user might be a member of “Local Admins” on one computer but not on another.
Organization Members – this role includes all ControlUp users logged into your organization. Users on your network who launch ControlUp and log into your current organization become members of this group until they log off or exit ControlUp.
Review Default Permissions
By default, Local Admins are granted permission to perform all management actions available in ControlUp. This means that before a ControlUp user can perform a management action, ControlUp checks whether this user’s current Windows account is a member of the local Administrators group on the managed computer. If this validation fails, the management action is not invoked.
Organization Members are allowed to perform organization-wide actions but not management actions. For example, they can see the folder tree, create or modify folders, add or remove computers and connect to computers to see their performance information. However, they cannot perform any actions on the managed computers.
Configure Custom Roles and Restrict Actions
You can create custom roles for different teams or individuals on your network using the “Manage Roles” window. Active Directory users and groups from any domain or forest configured in ControlUp may be members of these custom groups.