2.4.3. Role-Based Management

During initial UGMC configuration, once at least one managed realm has been created, the following administrators exist:

  • UGMC Administrator. Usually, this is the user with the login name Admin. To log in to the console, they must specify the name as Admin/system, where "system" means they are logged in to manage UGMC services and not the managed realm.

  • The root administrator of the realm. This user can have any login name, e.g., Admin. To log in to the console, they must enter their name as Admin/realm_code, where realm_code is the code of the managed realm.

UGMC Administrators can create additional UGMC administrators and give them special rights (administrator profiles) to manage UGMC services. However, UGMC administrators are only allowed to manage UGMC services (see Configuring UserGate Management Center) and are not allowed to manage realms. Example of UGMC administrators' access rights:

| Administrator | Administrator Profile | Access level |
|---|---|---|
| Admin/system | Root profile | Full. The administrator and their profile are created when the UGMC services are initialized. |
| AdminRO/system | ReadOnly | View-only access to all UGMC services without the ability to modify them. |
| AdminRealm/system | RO+realms | Create managed realms and their administrators as well as view any other UGMC settings without the right to modify them. |
| AdminDash/system | Dashboard | Only allowed to view the Dashboard section. |

Root realm administrators can create additional administrators in their realm and assign them special rights (administrator profiles). Realm administrators are only allowed to manage their own realms (see Managed Realms). They cannot manage other realms or UGMC services. The root realm administrator can only be local and cannot be bound to an LDAP directory. Additional administrators created by the root realm administrator can be either local or bound to an LDAP directory. Examples of access rights for realm administrators:

| Administrator | Administrator Profile | Access level |
|---|---|---|
| Admin/realm_code | Root profile | Full. Administrators and their profiles are created by the UGMC administrator. |
| AdminRO/realm_code | ReadOnly | View-only access to all realm settings; no modification rights. |
| AdminTemplates/realm_code | Templates | Create and modify all realm templates. |
| AdminTemplateGeneral/realm_code | TemplateGeneral | Only modify the General template. |
| AdminTemplateGeneralNET/realm_code | TemplateGeneralNET | Only modify network settings in the General template. |
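
An access review built on the rules above, as an added example that is not UserGate code: it splits each login into name and scope, then flags realms with no local Root profile account and scopes with more than one full-access account. The CSV columns, the realm codes branch01 and branch02, and the max_full threshold are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory. Column names are assumptions, not a UGMC export format.
SAMPLE = """login,profile,source
Admin/system,Root profile,local
AdminRO/system,ReadOnly,local
Admin/branch01,Root profile,local
Ops/branch01,Root profile,ldap
AdminTemplates/branch01,Templates,ldap
Admin/branch02,Root profile,ldap
helpdesk,ReadOnly,local
"""

def split_login(login):
    """Split 'name/scope'. Scope 'system' is UGMC services, anything else a realm code."""
    name, sep, scope = login.rpartition("/")
    if not (sep and name and scope):
        raise ValueError(f"{login!r} is not in name/scope form")
    return name, scope

def review(text, max_full=1):
    """Return sorted findings for an access review of the inventory."""
    findings = []
    full = defaultdict(list)  # scope -> [(login, source)] holding the Root profile
    for row in csv.DictReader(io.StringIO(text)):
        try:
            _, scope = split_login(row["login"])
        except ValueError as exc:
            findings.append(f"malformed: {exc}")
            continue
        holders = full[scope]  # registers the scope even without a Root profile row
        if row["profile"] == "Root profile":
            holders.append((row["login"], row["source"]))
    for scope, holders in full.items():
        # The root realm administrator can only be local, so a realm with no
        # local full-access account means the inventory or the realm is wrong.
        if scope != "system" and not any(src == "local" for _, src in holders):
            findings.append(f"{scope}: no local Root profile account")
        if len(holders) > max_full:
            names = ", ".join(login for login, _ in holders)
            findings.append(f"{scope}: {len(holders)} full-access accounts ({names})")
    return sorted(findings)

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```
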