You can create roles using the Role Wizard in the Information Manager console.
Only a user who has either the Domain Administrator role or the SES Administrator role can create roles.
See “About planning for role creation” on page 133.
Note: If the "Role members will have access to all archives" option is selected, role members can access new archives automatically. If the "Role members will have access to only the selected archives" option is selected, role members cannot access new archives automatically.
To create a role
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Role Wizard, click Next.
5 In the General panel, do the following, and click Next:
■ In the Role name text box, type a name for the role.
■ In the Description text box, type a description of the role (optional).
6 In the Products panel, do one of the following:
■ To give the role members access to all of the listed products, click Role members will have access to all products, and click Next.
■ To limit the role members' access to certain products, click Role members will have access to only the selected products and select the appropriate products. Then click Next. Symantec Security Information Manager is checked by default in the Product List.
7 In the SSIM Permissions panel, do one of the following:
■ To give role members all permissions that apply to Information Manager, click Enable all Permissions, and click Next.
■ To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, uncheck the permissions that you do not want to enable and click Next.
You must check at least one permission.
8 In the Console Access Rights panel, do one of the following:
■ To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and click Next.
■ To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one of the console access rights, and click Next.
See “Modifying Information Manager console access rights” on page 139.
9 In the Organizational Units panel, do one of the following:
■ To give role members access to all organizational units, click Role members will have access to all organizational units, and click Next.
■ To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational unit tree, select at least one organizational unit to associate with this role, and click Next.
units also.
If you add an organizational unit to a role, the following users can see the events that are generated by the security products:
■ Users who are role members
■ Users who have event viewing access
These users can view only those events that are generated by the security products that are installed on the computers of that organizational unit.
Role members can see events only from computers in the organizational units that have been added to their roles.
10 In the Servers panel, do one of the following:
■ To give role members access to all of the Information Manager servers in your security environment, click Role members will have access to all servers, and click Next.
■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click Next.
Members of the role can modify configurations on the selected servers. The role members can also view event archives that reside on the selected servers.
11 In the Members panel, do one of the following:
■ To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users from the Available Users list to the Selected Users list, and click OK. In the Members panel, click Next.
■ To add the users who are members of a specific user group, click Add Members From Groups. In the Find User Groups dialog box, add one or more user groups, and click OK. The users that are associated with the groups you selected are added to the Selected Users list. When you are finished, click Next.
■ To continue without adding users to the role, click Next.
You can add users to the role later by editing the role’s properties.
See “Adding a user to a role” on page 137.
You can also associate a role with a user by editing the user’s properties.
You can assign users to a role only if you have already created those users.
See “Creating a new user” on page 158.
12 In the Role Summary panel, review the information that you have specified, and click Finish.
The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
13 Click Close.
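The scoping rules in this procedure, modeled as an added Python example (not Symantec code or a product API; the `RolePlan` record, its field names, and the sample data are constructed for illustration). It checks a planned role against the "at least one" requirements in steps 7 to 10, lists the panels left at "all" for a least-privilege review before the role is created, and applies the organizational-unit rule to events.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    """One wizard panel: 'all' (default) or 'only the selected' items."""
    selected_only: bool = False
    items: frozenset = frozenset()

    def allows(self, item):
        # Per the note on archives: "all" also covers archives added later,
        # "only the selected" does not.
        return not self.selected_only or item in self.items

def only(*items):
    """Scope for the 'only the selected ...' option."""
    return Scope(True, frozenset(items))

@dataclass
class RolePlan:  # hypothetical planning record, not a product export format
    name: str
    products: Scope = Scope()
    permissions: Scope = Scope()
    console_rights: Scope = Scope()
    org_units: Scope = Scope()
    servers: Scope = Scope()
    archives: Scope = Scope()

# Panels where the procedure requires at least one selection (steps 7-10).
NEEDS_ONE = ("permissions", "console_rights", "org_units", "servers")

def validate(plan):
    """Return the selections the procedure does not allow."""
    return [f"{p}: select at least one item" for p in NEEDS_ONE
            if getattr(plan, p).selected_only and not getattr(plan, p).items]

def unrestricted_panels(plan):
    """Panels left at 'all', for least-privilege review."""
    return [p for p in vars(plan)
            if p != "name" and not getattr(plan, p).selected_only]

def visible_events(plan, events):
    """Keep (org_unit, message) events from org units added to the role."""
    return [e for e in events if plan.org_units.allows(e[0])]

# Constructed sample data.
PLAN = RolePlan("Tier1 Analysts", org_units=only("EMEA"), servers=only(),
                archives=only("archive-2023"))
EVENTS = [("EMEA", "virus detected"), ("APAC", "login failure")]
```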