Advanced access options
Advanced access options provide more granular control over unattended device access compared to Basic access options. This feature enables you to configure global policies, create access groups, and assign permissions for specific operations on unattended devices.
Policies
Administrators can create policies that define permissions for all unattended devices in the company. These policies can then be assigned to selected users.
Groups
Administrators can create user groups. These groups allow unattended device owners to assign permissions to multiple users at once, simplifying user permission management.
Permissions
Permissions define the ability to perform tasks on unattended devices. Each permission can be set to either Allow or Deny a specific action.
The following states define the level of access for a permission:
- Not set - Implicitly denies the ability to perform a task on an unattended device. This is the default state.
- Allow - Explicitly grants the ability to perform a task on an unattended device.
- Deny - Explicitly restricts the ability to perform a task. This setting overrides any other Allow permission.
A special permission state is used in the system policy named "System: Grants access to all unattended devices."
- System Allow: Grants a permission that cannot be restricted or overridden by any Deny setting.
You cannot use the System Allow state in custom policies you create. The settings of this system policy cannot be modified. Administrators can assign this system policy to selected users.
Permission overriding
Users assigned an access policy receive permissions to all unattended devices according to that policy's settings. However, device owners can override these permissions for the specific devices they manage.
- A user can be granted permissions in three ways: directly, through group membership, or through an assigned policy.
- If a user has an Allow permission through group membership but also a Deny permission through another group, the Deny permission takes precedence.
- If a user has an Allow permission directly or through group membership but also a Deny permission through policy, the Deny permission takes precedence.
- If a user has an Allow permission through policy but also a Deny permission directly or through group membership, the Deny permission takes precedence.
- If a user has a System Allow permission through system policy but also a Deny permission directly or through group membership, the System Allow permission takes precedence.
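The precedence rules above, written out as an added Python example (not the product's own code): it resolves the effective state of one permission from every source that applies to a user and lists the cases where an owner's Deny is overridden by System Allow. The user names, device name and source labels are constructed for illustration.

```python
from enum import Enum

class State(Enum):
    NOT_SET = "Not set"
    ALLOW = "Allow"
    DENY = "Deny"
    SYSTEM_ALLOW = "System Allow"

def effective(states):
    """Resolve one permission from every state that applies to a user
    (direct, group membership, policy, system policy)."""
    states = set(states)
    if State.SYSTEM_ALLOW in states:   # cannot be overridden by any Deny
        return State.SYSTEM_ALLOW
    if State.DENY in states:           # Deny overrides every ordinary Allow
        return State.DENY
    if State.ALLOW in states:
        return State.ALLOW
    return State.NOT_SET               # default state: implicit deny

def is_permitted(states):
    return effective(states) in (State.ALLOW, State.SYSTEM_ALLOW)

def ineffective_denies(assignments):
    """Return (user, device, permission) keys where a Deny is present but
    System Allow wins, so the Deny has no effect and deserves review."""
    findings = []
    for key, sources in assignments.items():
        vals = set(sources.values())
        if State.SYSTEM_ALLOW in vals and State.DENY in vals:
            findings.append(key)
    return sorted(findings)

# Constructed sample data: users, device and source labels are hypothetical.
SAMPLE = {
    ("alice", "srv-01", "Connect"): {"group:helpdesk": State.ALLOW, "group:contractors": State.DENY},
    ("bob", "srv-01", "Connect"): {"policy:support": State.ALLOW, "direct": State.DENY},
    ("carol", "srv-01", "Connect"): {"system policy": State.SYSTEM_ALLOW, "direct": State.DENY},
    ("dave", "srv-01", "Connect"): {},
    ("erin", "srv-01", "Edit"): {"direct": State.ALLOW, "policy:support": State.NOT_SET},
}

def report(assignments=SAMPLE):
    return {key: effective(src.values()) for key, src in assignments.items()}

if __name__ == "__main__":
    for (user, device, perm), state in report().items():
        print(f"{user:6} {device} {perm:8} -> {state.value}")
    print("Deny overridden by System Allow:", ineffective_denies(SAMPLE))
```

Running the same check over an export of real assignments shows which users assigned the system policy keep access to devices whose owners have set Deny for them.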
Actions / Tasks
You can allow or deny specific actions for users who have access to an unattended device. The following task-based permissions are available:
- Manage: Allows changing the device owner and its access options. When set to Allow, this permission grants full access to the device, including the ability to connect, edit, and delete it.
- View: Allows viewing the device in the unattended device list.
- Connect: Allows establishing a connection to the unattended device. Enabling the Allow permission for Connect automatically enables Allow for View.
- Edit: Allows modifying the unattended device settings, including its properties, session settings, and installation settings. Enabling the Allow permission for Edit automatically enables Allow for View.
- Delete: Allows removing the device from the unattended list and uninstalling the unattended access software from the device itself. Enabling the Allow permission for Delete automatically enables Allow for View.
Using Advanced access options, company administrators and unattended device owners can flexibly configure and fine-tune access to unattended devices.