Limited Access to Users, Groups and Device List

EMM allows a super administrator to create permission sets that grant an administrator access to specific users, groups, and devices enrolled with those users and groups. Administrators who have a particular permission set can only view: 

• Sources (In the Directories page) as granted.
• Groups (in the Group list) as granted.
• Users (in the User list) as granted.
  All Users that are part of the Groups selected or Users selected individually.
• Devices (in the Device list) that are enrolled with Users as specified above.
• Device Sets created by the limited administrator.
• User Space and Shared Space details for the Users in purview.
• Users and Groups in purview while targeting apps and content.
• Groups while trying to add groups into Enforce AD Group for Enrollment in Device Settings (Usage Settings).
• An administrator with limited access can still create a user and a group.

A super administrator uses permission sets to restrict access of an administrator. Typically these restrictions apply to support administrators.

Note: If a role-based administrator wants access to manage an entire domain, the super-administrator needs to choose the domain and all users in a domain.

A limited access definition applies to the following pages:

• Groups: In the Groups List page, the administator can only see the groups to which access is granted. The administrator cannot modify the Group details for groups that are not granted access. By default, a limited administrator cannot add or import Groups. The buttons shall be invisible to them.
• Users: In the Users List page, the administrator can only see the users or users from groups to which access is granted. The administrator cannot modify the User details that are not granted. By default, a limited administrator cannot add or import Users. The buttons shall be invisible to them.
• Device List: The Device List page displays devices enrolled with users, and allows you to access their details.
• Device Set: A limited access administrator can access and modify devices created by other administrators with the same permission set. A limited access administrator cannot access other device sets (default device sets and device sets created by other limited access administrators with a different permission set).
  

If you do not want an administrator to have access to all users, it is recommended that you restrict access to pages and actions that have implications across all users.

• Page Level Permissions:
  • Enterprise Apps
  • VPP Apps
  • Device Set
  • Device Enrollment
  • Permission Set 
  • All Settings sections
• Action Level Permissions:
  • Review/Approve App
  • Publish App
  • Approve Device Set
  • Publish/Unpublish Device Set

Limited Access Changes

Be aware of the following implications when you change a limited access:

• If new domains, users, and groups are added to limited access, current devices are updated with new access defined for all device sets associated with the limited access.

• If domains, users, and groups are removed from limited access:

  • If removed groups in device set do not have a direct reference, current devices automatically update.

  • If there is a direct reference to the removed users or groups in a device set, the device set status is unpublished, and the device set state changes to draft.

  • An email is sent to all administrators of a permission set when a device set is unpublished.

• If a user is assigned a different permission set:

  • Current devices are dependent on the permission set of the user that created it and not the device user. If a user’s permission set changes, the user cannot access the device set.

• If a permission set is deleted:

  • The device set state changes to draft and the status changes to unpublished.

  • An email will be sent to super-admin with details of deleted permission set along with details of affected device sets.

• If a permission set is deactivated, device set will not be affected. The device set retains the definition as if the permission set is still active.

  Device Policy changes: An error will result if an administrator tries to modify a device policy without the required permissions.

Configuring Limited Access to Device List

A user must define the following while configuring limited access to a device list.

• Domain - If an administrator adds a new domain, all users and groups that are part of the domain are under the purview. The users and groups will not show up in the respective lists below.
• Group - If a new domain is not added, then its constituent groups can be selected for groups. When a group is chosen, all users part of that group are also chosen.
• Users - If new users are added, groups they are part of are not automatically added. The groups must be added explicitly.

To configure Limited Access to a device list, follow these steps:

1. By default, the Limit Access option is set to No. If you select Yes in the Limited Access To Device List, the following details appear:

   
   

1. Domains: Click in the text box, and select the domains from the list.
2. Groups: Click in the text box, and select the groups from the list.
3. Users: Click in the text box, and select the users from the list. Limited access to users and groups can also be set at the domain level.

   Note: Use a predictive search to choose users and groups to which you want to limit access. You can also choose all users and groups from local database and each domain in the system.

2. Configure the remaining settings from here in the Updating Permission Set section.

 

Copyright © 2018 Kony, Inc. All rights reserved.