Administrator roles in a BSI-certified UEM environment

The UEM administrator roles discussed below are distinct from the Windows service account that you use to install UEM and run the UEM services. The service account has local administrative permissions on the underlying Windows Server platform, can log into Windows locally or through RDP, is responsible for the installation of UEM, and has access to set SQL permissions to perform SQL server database actions from the UEM server.

UEM provides the following preconfigured administrator roles:
- Security Administrator: This role is granted all available permissions for the management console. The default first administrator account is granted this role and is responsible for configuring the settings for the UEM instance. The Security Administrator creates and manages roles for any other administrator users. This role can access and use the BlackBerry Web Services REST API. There must be at least one Security Administrator.
- Enterprise Administrator: This role is granted the majority of available permissions for the management console, including all permissions to manage device enrollment, provisioning, and security.
- Senior HelpDesk: This role is granted a sub-set of permissions that are appropriate for senior-level administrators.
- Junior HelpDesk: This role is granted a smaller sub-set of permissions that are appropriate for junior-level administrators.
For a complete reference of the permissions assigned to each preconfigured role, see Permissions for preconfigured administrator roles.
You can use the default roles as appropriate, or you can create custom roles and grant the appropriate permissions. See Create a custom administrator role.
The following are examples of custom roles that you can create for different types of administrators in a BSI-certified environment:
Role | Description | Equivalent preconfigured role or required custom role configuration |
---|---|---|
Security administrator | Security administrators log into the UEM management console and are responsible for configuring the UEM server. This role has full permissions to the management console, including creating and managing roles and administrative users. There must be at least one Security administrator. | The preconfigured Security Administrator role should be used for this purpose. |
Administrator | Administrators use the UEM management console to manage users, devices, and device management settings. | The preconfigured Enterprise Administrator role should be used for this purpose. |
Auditor | Auditors use the UEM management console to view audit settings and can access system and device audit logs. | Create a custom Auditor role and grant it the following permissions only:
|
Manager | Managers use the UEM management console to manage users, groups, and devices. | Create a custom role and copy the permissions from the preconfigured Senior HelpDesk role. Under Settings, remove the following permissions:
Under Auditing, grant the following permissions:
If you want to scope administrator control to specific directories or groups, you can select the directories and groups when you create the role, or you can edit the role afterwards to specify the directories and groups. See Create a custom administrator role. To scope an administrator role to a device group, you must scope that device group to specific user groups, then you can scope the role to those user groups. |
Mobile device user | Device users activate their devices on UEM, allowing administrators to use UEM to manage their devices and secure their organization’s data and access. | Device users do not require a UEM administrator role. Device users have access to limited device management functions in the UEM Self-Service console. For more information, see the UEM Self-Service User Guide. |