You can delegate the below-listed Defender roles to the users or groups you want. If necessary, you can delegate two or more roles to the same user.
Table 31: Defender roles

Administrator
Members of this role can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items.
Members of this role can:
- Assign and unassign tokens.
- Set a Defender password.
- Set a Defender PIN.
- Modify access nodes, Defender Security Servers, Defender policies, tokens, and RADIUS payloads.
- Manage Defender licenses.

Basic Helpdesk
Members of this role can:
- Reset tokens.
- Test a token via the Defender Administration Console.
- Reset a locked token by resetting the violation count for the user to whom the token is assigned.

Provisioning
Members of this role can:
- Assign a Defender token.
- Program a Defender token.
- Remove a Defender token from a user’s account.
- Reset a Defender PIN.

Enhanced Helpdesk
Members of this role can:
- Assign a Defender token.
- Program a Defender token.
- Remove a Defender token.
- Reset a Defender token.
- Recover a Defender token.
- Test a Defender token.
- Reset a locked Defender token.
- Set a Defender PIN.
- Set a Defender password.
- Assign a temporary token response.

Auditor
Members of this role have read-only access to:
- All Defender objects of Users and Groups.
- All Defender attributes of Users and Groups.

You can delegate permissions to specific user accounts so that they act as service accounts for the Defender components you want.
Table 32: Options related to service accounts

Defender Security Server
The user account to which you assign this role gets sufficient permissions to act as the Defender Security Server service account.
To specify the user account as the Defender Security Server service account, use the Defender Security Server Configuration tool.
For more information, see Defender Security Server Configuration tool reference.

Defender Management Portal
The user account to which you assign this role gets sufficient permissions to act as the Defender Management Portal service account.
The user account to which you assign this role must be a member of the local Administrators group on the computer where the Defender Management Portal is installed.
After assigning this role to a user account, enter the account credentials in the Defender Management Portal. For more information, see Specifying a service account for the portal.

You can delegate permissions to perform one or several specific Defender tasks to the user accounts you want. You can delegate the following tasks:
- Assign Defender token
- Program Defender token
- Recover Defender token
- Reset Defender token
- Set and clear Defender token’s PIN
- Assign Defender token temporary response
- Set Defender password
- Test Defender token
- Unassign Defender token
- Reset Defender token violation Count
- Modify Defender ID
- Select Policy
- Select RADIUS Payload
You can delegate permissions to manage specific Defender objects, including the permissions to view or modify any of the object properties and the permissions to create, delete, rename or move objects on a user or group.
The available options are:
- Defender access node full control
- Defender Security Server full control
- Defender License full control
- Defender Security Policy full control
- Defender RADIUS Payload full control
- Defender Token full Control