About administrator account roles and access rights
|Article:HOWTO81226|||||Created: 2012-10-24|||||Updated: 2014-09-21|||||Article URL http://www.symantec.com/docs/HOWTO81226|
When you install the Symantec Endpoint Protection Manager, a default system administrator account is created, called
admin. The system administrator account gives an administrator access to all the features in Symantec Endpoint Protection Manager.
To help you manage security, you can add additional system administrator accounts, domain administrator accounts, and limited administrator accounts. Domain administrators and limited administrators have access to a subset of Symantec Endpoint Protection Manager features.
You choose which accounts you need based on the types of roles and access rights you need in your company. For example, a large company may use the following types of roles:
An administrator who installs the management server and the client installation packages. After the product is installed, an administrator in charge of operations takes over. These administrators are most likely system administrators.
An operations administrator maintains the servers, databases, and installs patches. If you have a single domain, the operations administrator could be a domain administrator who is fully authorized to manage sites.
An antivirus administrator, who creates and maintains the Virus and Spyware Protection policies and LiveUpdate policies on the clients. This administrator is most likely to be a limited administrator.
A desktop administrator, who is in charge of security and creates and maintains the Firewall policies and Intrusion Prevention policies for the clients. This administrator is most likely to be a domain administrator.
A help desk administrator, who creates reports and has read-only access to the policies. The antivirus administrator and desktop administrator read the reports that the help desk administrator sends. The help desk administrator is most likely to be a limited administrator who is granted reporting rights and policy rights.
Table: Administrator roles and responsibilities describes the account type and the access rights that each role has.
Table: Administrator roles and responsibilities
System administrators can log on to the Symantec Endpoint Protection Manager console with complete, unrestricted access to all features and tasks.
A system administrator can create and manage other system administrator accounts, domain administrator accounts, and limited administrator accounts.
A system administrator can perform the following tasks:
Administrators are domain administrators who can view and manage a single domain. A domain administrator has the same privileges as a system administrator, but for a single domain only.
By default, the domain administrator has full system administrator rights to manage a domain, but not a site. You must explicitly grant site rights within a single domain. Domain administrators can modify the site rights of other administrators and limited administrators, though they cannot modify the site rights for themselves.
A domain administrator can perform the following tasks:
See About domains.
Limited administrators can log on to the Symantec Endpoint Protection Manager console with restricted access. Limited administrators do not have access rights by default. A system administrator role must explicitly grant access rights to allow a limited administrator to perform tasks.
Parts of the management server user interface are not available to limited administrators when you restrict access rights. For example:
Article URL http://www.symantec.com/docs/HOWTO81226