Whether you are the only systems administrator in your environment or have a large IT team collaborating on management and monitoring tasks using ControlUp, it is important that you make yourself familiar with out-of-the-box Security Policy and adjust it to your needs.
(This article provides a brief overview of ControlUp’s Security model. For more information regarding ControlUp’s rights and permissions, please refer to the “Security Policy Pane” chapter).
Know Your Roles
ControlUp’s default Security Policy grants permissions for two built-in user roles. You cannot delete or modify membership for these roles:
Local Admins – a ControlUp user is considered a member of this role when they have local administrative privileges on the managed computer. By definition, your membership in this role may vary depending on the context. When performing a management action on multiple computers, a ControlUp user’s current Windows credentials are evaluated on each computer, so a user might be a member of “Local Admins” on one computer but not on another.
Organization Members – this role includes all ControlUp users logged into your organization. When a user on your network launches ControlUp and logs on to your current organization, they become members of this group and remain so until logging off or exiting ControlUp.
Review Default Permissions
By default, Local Admins are granted permission to perform all management actions available in ControlUp. This means that before a ControlUp user can perform a management action, ControlUp checks whether this user’s current Windows account is a member of the local Administrators group on the managed computer. If this validation fails, the management action is not invoked.
Organization Members are allowed to perform organization-wide actions but not management actions. For example, they can see the folder tree, create or modify folders, add or remove computers and connect to computers to see their performance information. However, they cannot perform any actions on the managed computers.
Configure Custom Roles and Restrict Actions
You can create custom roles for different teams or individuals on your network using the “Manage Roles” window. Active Directory users and groups from any domain or forest configured in ControlUp may be members of these custom groups.