You can delegate Defender roles, tasks, or functions to specific users or groups by using the Defender Delegated Administration Wizard.
To delegate Defender roles, tasks, or functions
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane (console tree), expand the appropriate domain node, and click to select the Defender container.
- On the menu bar, select Defender | Delegate Control.
Step through the wizard:
- In the Users and Groups step, add the user accounts or groups to which you want to delegate Defender roles, tasks, or functions. Click Next.
- In the Tasks to Delegate step, select the check boxes next to the Defender roles, tasks, or functions you want to delegate. Click Next.
- Follow the remaining steps in the wizard to complete delegating the roles, tasks, or functions.
The wizard does not modify any standard Active Directory permissions. Rather, it modifies only the permissions on the Defender-specific attributes that the Defender installation adds to the Active Directory schema.
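To verify what the wizard actually granted, the following PowerShell audit (an added example, not part of the Defender documentation) reads the explicit ACEs on the Defender container and decodes their object-type GUIDs back to schema names. It assumes the container is CN=Defender directly under the domain root, that Defender schema attributes and classes carry "Defender" in their LDAP display name, and that the ActiveDirectory module is installed.

```powershell
# Added example: audit explicit delegations on the Defender container.
# Assumptions (not taken from the page): container DN, "Defender" name filter,
# and availability of the ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=Defender,$domainDN"      # placeholder: adjust to your forest
$schemaNC  = (Get-ADRootDSE).schemaNamingContext

# Build a schemaIDGUID -> lDAPDisplayName map so object-specific ACEs can be read.
$guidMap = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-SchemaGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty)       { return '<all>' }
    if ($guidMap.ContainsKey($Guid))   { return $guidMap[$Guid] }
    return $Guid.ToString()            # not a schema object (e.g. extended right)
}

$acl = Get-Acl -Path "AD:\$container"

$acl.Access |
    Where-Object { -not $_.IsInherited } |      # only what was explicitly delegated
    ForEach-Object {
        [pscustomobject]@{
            Trustee     = $_.IdentityReference
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            Attribute   = Resolve-SchemaGuid $_.ObjectType          # attribute/right
            ObjectClass = Resolve-SchemaGuid $_.InheritedObjectType # class it applies to
            AppliesTo   = $_.InheritanceType
        }
    } |
    # Keep Defender-specific entries plus any broad (all-attribute) grants,
    # which are the ones worth reviewing for over-delegation.
    Where-Object { $_.Attribute -match 'Defender' -or $_.ObjectClass -match 'Defender' -or
                   $_.Attribute -eq '<all>' } |
    Sort-Object Trustee, ObjectClass, Attribute |
    Format-Table -AutoSize
```

Run it after each delegation to confirm that only the intended trustees appear and that no entry grants rights on `<all>` attributes unless a full Administrator role was intended.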
You can delegate the following Defender roles to the users or groups of your choice. If necessary, you can delegate two or more roles to the same user.
Table 31: Defender roles

Administrator
Members of this role can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items.
Members of this role can:
- Assign and unassign tokens.
- Set a Defender password.
- Set a Defender PIN.
- Modify access nodes, Defender Security Servers, Defender policies, tokens, and RADIUS payloads.
- Manage Defender licenses.

Basic Helpdesk
Members of this role can:
- Reset tokens.
- Test a token via the Defender Administration Console.
- Reset a locked token by resetting the violation count for the user to whom the token is assigned.

Provisioning
Members of this role can:
- Assign a Defender token.
- Program a Defender token.
- Remove a Defender token from a user’s account.
- Reset a Defender PIN.

Enhanced Helpdesk
Members of this role can:
- Assign a Defender token.
- Program a Defender token.
- Remove a Defender token.
- Reset a Defender token.
- Recover a Defender token.
- Test a Defender token.
- Reset a locked Defender token.
- Set a Defender PIN.
- Set a Defender password.
- Assign a temporary token response.

Auditor
Members of this role have read-only access to:
- All Defender objects of Users and Groups.
- All Defender attributes of Users and Groups.
You can delegate permissions to specific user accounts so that they can act as service accounts for the Defender components of your choice.
Table 32: Options related to service accounts

Defender Security Server
The user account to which you assign this role is granted sufficient permissions to act as the Defender Security Server service account.
To specify the user account as the Defender Security Server service account, use the Defender Security Server Configuration tool.
For more information, see Defender Security Server Configuration tool reference.

Defender Management Portal
The user account to which you assign this role is granted sufficient permissions to act as the Defender Management Portal service account.
The user account to which you assign this role must also be a member of the local Administrators group on the computer where the Defender Management Portal is installed.
After assigning this role to a user account, enter the account credentials in the Defender Management Portal. For more information, see Specifying a service account for the portal.
You can delegate permissions to perform one or several specific Defender tasks to the user accounts of your choice. You can delegate the following tasks:
- Assign Defender token
- Program Defender token
- Recover Defender token
- Reset Defender token
- Set and clear Defender token’s PIN
- Assign Defender token temporary response
- Set Defender password
- Test Defender token
- Unassign Defender token
- Reset Defender token violation Count
- Modify Defender ID
- Select Policy
- Select RADIUS Payload