Managing Administrative Groups
•Overview of Administrative Groups
•Strategies for Creating Groups
•Configuring Administrative Groups
•Assigning Devices to Groups
•Configuring Group Assignment Rules
Overview of Administrative Groups
Groups in Orchestrator provide:
•A mechanism for role-based system security, used to assign group-level permissions and control administrator access to devices. For details on role-based security and group-level permissions, see the "Configuring Permissions for Delegated Administration" section on page 4-1.
•A logical way for you to organize the devices in the system to access and manage sets of devices.
Devices can be assigned to groups, either manually or by your assignment rules (Devices > Configure Group Assignment Rules). Policies and groups have no direct relationship. You can assign policies to devices but not to groups.
You create groups on the Manage Groups page (Devices > Manage Groups). When you create a group, you can specify a parent group to create nested groups.
Orchestrator provides a root device Power management group and a Default group. New devices that connect to the server and do not meet your group assignment rules appear in the Default group.
Strategies for Creating Groups
When you create groups for devices, you should consider how you plan to apply security and role-based permissions for the groups.
You might create groups based on geographic location or on a particular business function, such as distributed administration. For example, you could create a Help Desk group that can wake or restart PCs as needed.
You can identify your security needs and groups during the 2-week period when Orchestrator is running in baseline mode.
After you set up your initial security groups, you can then set assignment rules so that PCs and other devices are placed into groups as you add them to the system. For details, see the "Configuring Group Assignment Rules" section.
Configuring Administrative Groups
•Creating Administrative Groups
•Assigning Devices to Groups
•Configuring Group Assignment Rules
Creating Administrative Groups
Step 1 From the Devices menu, choose Manage Groups.
Step 2 Click New Group.
Step 3 Enter a name for the group, a description, and select a parent for the group.
Step 4 Click Save.
Assigning Devices to Groups
You can assign devices to groups manually from the device list or automatically by using group assignment rules.
For details on group assignment rules, see the "Configuring Group Assignment Rules" section.
For details on creating groups, see the "Configuring Administrative Groups" section.
Follow these steps to assign devices to groups:
Step 1 On the Devices menu, choose Filtered Search.
Step 2 Click the Groups, Policies, or Subnets tab and select a filter option to see the results in the device list.
You can also click the Search tab, select different options in the device filters to display a set of devices, and enter a search string.
Step 3 Click the Search button to see the device list.
Step 4 Select the device or devices in the list.
Step 5 On the Move to Group menu, click Manually Assign Group or Use Group Assignment Rules.
Note When you manually assign a policy to a device, it is flagged as a manual assignment. To clear the flag, select the device from the device list. On the Move To Group menu, click Use Group Assignment Rules.
If you choose Use Group Assignment Rules and one or more of the selected devices had been manually assigned, select Include N manually assigned devices and click OK to confirm the change from a manually assigned group to rule-based assignment.
Step 6 For manual assignment, click the group name, and click OK.
Step 7 For rule-based assignment, click OK.
Configuring Group Assignment Rules
After you create groups, you can configure Orchestrator to place new devices into the appropriate groups when the devices connect to the server.
When you configure group assignment rules, devices are automatically assigned to specific groups based on a set of criteria. Because the rules that you set for automatically assigning devices to a group are saved as a set, their order is important and you will need to consider the best order to get the results you want.
You can choose to run the rule set automatically only when new devices connect or for all connections. Rules run when a device wakes or when the device moves from one network card to another, such as a PC moving from a network line to a wireless connection.
Each rule has a set of criteria that a device must meet to be placed into the group. When you connect new devices to the server, only the devices complying with the criteria of a group are placed in that group.
For example, you can create a rule for a Training Lab group that accepts clients only from a particular IP segment and with the string train in the DNS names.
Note If a device does meet the criteria in a specific rule, the device is placed into the specific group having that rule. If a device does not meet any of the criteria in the rule, the device is placed into the Default group.
Step 1 From the Devices menu, choose Configure Group Assignment Rules.
Step 2 Click New Rule. Enter a name and a description for the rule, and select the name of the group to be assigned when the rule runs.
Step 3 As you add other criteria, you can click the Test Conditions tab to see the results.
Step 4 Specify when to enforce the rule:
•When all criteria are met.
•When any criterion is met.
Step 5 Click Done.
Step 6 Specify when the rule runs automatically.
•When new devices connect to the server.
•When all devices connect to the server.
Note If you select All connections, the rules run when a computer wakes up or when it moves from one network card to another (such as from a network line to a wireless connection).
Step 7 Click Save Rule Set to save all changes.
Step 8 Order rules by selecting a rule in the set and clicking Move Up or Move Down.
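The sketch below is an added example, not Orchestrator code: it models an ordered rule set with the all/any option from Step 4 and the Default fallback, and flags devices whose group depends on rule order. It assumes the first matching rule wins and that manually assigned devices are skipped, neither of which this page states; the rule contents, addresses and DNS names are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Device:
    dns_name: str
    ip: str
    group: str = "Default"
    manually_assigned: bool = False

@dataclass
class Rule:
    group: str               # group assigned when the rule matches
    criteria: list           # callables taking a Device, returning bool
    match_all: bool = True   # Step 4: all criteria vs. any criterion

    def matches(self, dev):
        hits = [c(dev) for c in self.criteria]
        # A rule with no criteria must not match everything (all([]) is True).
        return bool(hits) and (all(hits) if self.match_all else any(hits))

def in_segment(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda d: ipaddress.ip_address(d.ip) in net

def dns_contains(text):
    return lambda d: text in d.dns_name.lower()

def assign(dev, rules):
    """Group for a device: assumed first-match-wins, else the Default group."""
    if dev.manually_assigned:   # assumption: manual assignments are left alone
        return dev.group
    return next((r.group for r in rules if r.matches(dev)), "Default")

def order_sensitive(rules, devices):
    """Devices matched by rules that point at different groups, so order decides."""
    return [d.dns_name for d in devices if not d.manually_assigned
            and len({r.group for r in rules if r.matches(d)}) > 1]

# Constructed sample: the Training Lab rule from the text plus a broad Help Desk rule.
TRAINING = Rule("Training Lab", [in_segment("10.20.30.0/24"), dns_contains("train")])
HELPDESK = Rule("Help Desk", [in_segment("10.20.0.0/16"), dns_contains("hd-")],
                match_all=False)
DEVICES = [
    Device("train-pc01.example.test", "10.20.30.15"),
    Device("hd-laptop.example.test", "192.168.5.9"),
    Device("kiosk7.example.test", "172.16.1.4"),
    Device("train-pc02.example.test", "10.20.30.16", "Finance", True),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.dns_name, "->", assign(d, [TRAINING, HELPDESK]))
    print("order-sensitive:", order_sensitive([TRAINING, HELPDESK], DEVICES))
```

Because group membership determines which administrators can act on a device, devices reported as order-sensitive are the ones to check on the Test Conditions tab before saving the rule set.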