4.7 Configuring Permissions for a Management Group

You must be a member of the Control Center Administrator group to modify the members of a user group or modify permission sets, but you do not have to be an administrator to assign user groups and permission sets to management groups. For more information about Control Center security, see the Administrator Guide for AppManager, available on the AppManager Documentation page.

4.7.1 Understanding Global Permissions

A global permission set is a permission set associated with a specific user group that applies to all management groups in the Control Center console. Since global permissions apply to all management groups, they do not depend on association with a specific management group to take effect.

The Control Center console has a default set of user groups, permission sets, and global permission sets. For more information about these default groups and permission sets and information about which global permission sets are associated with which user groups, see the Administrator Guide for AppManager, available on the AppManager Documentation page.

4.7.2 Understanding Permission Inheritance

Because children of a management group inherit permissions you assign to that management group, any user group you assign to the management group will have the same permissions on any children of the management group. You do not need to assign user groups or permission sets individually on each child management group. For example, if a user has permission to view and edit jobs on management group 1 and management group 1 has child management groups 1A and 1B, the user also has permission to view and edit jobs on child management groups 1A and 1B.

If you assign a global permission set to a user group and the permission set includes management group permissions, members of the user group will have those permissions on all management groups and child management groups in the Control Center console.

4.7.3 Granting Permission to Access a Management Group

You can grant one or more user groups access to a management group. You can also give the same user group access to a management group using different permission sets. If the same user belongs to more than one user group, Control Center applies the most restrictive set of permissions by combining the permissions with a logical OR. For example, if the same user is a member of two user groups associated with the same management group but with different permission sets, and you grant the user rights in one permission set but deny the same rights in the other permission set, then Control Center denies the rights. If a permission is undefined (you neither grant nor deny the permission) for the same user in two different user groups, then Control Center denies the permission. If you grant a permission for one user group and either do not define it or also grant it in another user group for the same user, then Control Center grants the permission.

To give a user group permission to access a management group:

  1. Right-click the management group in the Enterprise Layout view of the Navigation pane and choose Management Group Properties > Security.

  2. In the Management Group Properties window, click Add.

  3. In the Assign Permissions window, select the user group you want from the User Group list.

  4. Select the permission set you want to associate with the user group for this management group from the Permission Set list, and then click OK.

    For information about the permissions that are defined in the default permission sets, see the Administrator Guide for AppManager, available on the AppManager Documentation page.

  5. (Optional) To add more user groups, repeat these steps for each additional user group.

    NOTE:

    • To modify a permission set associated with a user group, click Modify. To create a new permission set for a user group, click Create New.

    • You can create a new user group only in the Manage Security window. To open the Manage Security window, on the Global Tasks tab, in the Administration group, click Manage Security.

4.7.4 Removing Permission to Access a Management Group

If you want to deny all access to a management group for a user group that currently has access, you must remove that user group from the management group.

If a user group currently has access to a management group and you want to deny access for only some of the current permissions, you can assign the user group to the management group again using a permission set with the relevant permissions set to Deny. The resultant set of permissions for the members of the user group will be the result of a logical OR of all the permissions defined across all associated permission sets to produce the most restrictive set of permissions. If the user group is assigned to the management group with a permission set that grants the right to add computers and is also assigned to the management group with a permission set that denies the right to add computers, the members of the user group will not have the right to add computers for that management group.

When removing permission to access a management group, be aware of the following:

  • Even though you might not see permissions assigned on a child management group, if the user group has permissions on the parent of that child management group, the user group has the same permissions on the child management group. To determine whether a user group has permissions on a child management group, you must look at the permissions on the parent management group.

  • Even though you remove a user group from a management group, if the user group has a global permission set assigned to it and the permission set includes management group permissions, the user group can still access the management group.
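
The following added example (not part of AppManager or its documentation) models the rules described in sections 4.7.2 through 4.7.4 so you can check what access remains after a change: deny overrides grant, an undefined permission is denied, and permissions reach a management group from its parents and from global permission sets. The group names, permission names, and data layout are constructed for illustration, and the example assumes that inherited and global permission sets combine with directly assigned ones by the same rule.

```python
# Added illustration: a model of the rules in this section, not AppManager code.
GRANT, DENY = "grant", "deny"
GLOBAL = "*"  # marker for a global permission set (applies to every management group)

# Constructed sample data: management group -> parent management group.
PARENTS = {"MG1": None, "MG1A": "MG1", "MG1B": "MG1", "MG2": None}

# Constructed assignments: (user group, management group or GLOBAL, permission set).
# Permission names are hypothetical labels, not product identifiers.
ASSIGNMENTS = [
    ("Operators", "MG1", {"view_jobs": GRANT, "edit_jobs": GRANT, "add_computers": GRANT}),
    ("Operators", "MG1", {"add_computers": DENY}),
    ("Auditors", GLOBAL, {"view_jobs": GRANT}),
    ("Contractors", "MG1A", {"edit_jobs": DENY}),
]

def scopes(mg, parents):
    """Yield the management group, each of its ancestors, then the global scope."""
    while mg is not None:
        yield mg
        mg = parents[mg]
    yield GLOBAL

def is_allowed(user_groups, mg, permission, assignments=ASSIGNMENTS, parents=PARENTS):
    """Deny wins over grant; a permission that is defined nowhere is denied."""
    in_scope = set(scopes(mg, parents))
    states = {
        pset[permission]
        for group, scope, pset in assignments
        if group in user_groups and scope in in_scope and permission in pset
    }
    # Assumption: inherited and global sets combine with direct ones by the same rule.
    return DENY not in states and GRANT in states

def sources_of_access(user_group, mg, assignments=ASSIGNMENTS, parents=PARENTS):
    """List every scope that gives a user group permissions on mg, nearest first.
    Removing the group from mg itself does not clear parent or global entries."""
    in_scope = list(scopes(mg, parents))
    found = {s for g, s, _ in assignments if g == user_group and s in in_scope}
    return sorted(found, key=in_scope.index)
```

Before you remove a user group from a management group, a check like `sources_of_access` shows whether a parent or global assignment will keep the access in place.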

To remove a user group from a management group:

  1. Right-click the management group in the Enterprise Layout view of the Navigation pane and choose Management Group Properties > Security.

  2. Click the user group you want to remove and then click Remove.

  3. Click OK.