Administrative roles and permissions
You create roles for administrator accounts or assign preconfigured roles to administrator accounts so that you can specify what tasks an administrator can perform on the BlackBerry® Enterprise Server.
You can specify the actions that administrators can perform by changing the permission that you assign to administrative roles. Permissions specify the information that administrators can view and the tasks that they can perform using the BlackBerry® Administration Service and BlackBerry Monitoring Service. Each action that you perform in the BlackBerry Administration Service is associated with a specific permission. You can specify the actions that administrators can perform by changing the permission that you assign to administrative roles. For more information about performing specific tasks that are associated with the permissions, see the BlackBerry Enterprise Server Administration Guide. Roles do not apply to tasks that an administrator can perform using the BlackBerry Configuration Panel.
You can assign multiple roles to administrator accounts. If you assign multiple roles to an administrator account, the administrator is assigned all the permissions that are turned on for each of the roles.
You can also assign roles to groups and add administrator accounts to groups. This allows you to specify administrative role permissions at a group level instead of at an individual level. If the group contains BlackBerry device users, the roles are also assigned to the users and the users become administrators.
Preconfigured administrative roles
The BlackBerry® Enterprise Server installation process includes preconfigured administrative roles. You can use the preconfigured administrative roles in your organization's environment instead of creating customize administrative roles. Each preconfigured administrative role contains multiple permissions that are turned on. The preconfigured administrative roles make sure that users that do not have specific administrative permissions cannot escalate their permissions. For example, junior helpdesk administrators cannot escalate their roles to senior helpdesk administrator roles. You can configure additional permissions in the preconfigured administrative roles or turn off any of the permissions.
Permission name |
Security role |
Enterprise role |
Senior Helpdesk role |
Junior Helpdesk role |
Server only role |
User only role |
|---|---|---|---|---|---|---|
Create a group |
X |
X |
X |
X |
||
Delete a group |
X |
X |
X |
|||
View a group (across Group) |
X |
X |
X |
X |
X |
|
Edit a group (across Group) |
X |
X |
X |
X |
X |
|
Create a user |
X |
X |
X |
X |
||
Delete a user |
X |
X |
X |
X |
||
View a user (across Group) |
X |
X |
X |
X |
X |
|
Edit a user (across Group) |
X |
X |
X |
X |
X |
|
View a device (across Group) |
X |
X |
X |
X |
X |
|
Edit a device (across Group) |
X |
X |
X |
X |
X |
|
View device activation settings |
X |
X |
X |
|||
Edit device activation settings |
X |
X |
X |
|||
Create an IT policy |
X |
X |
X |
|||
Delete an IT policy |
X |
X |
X |
|||
View an IT policy |
X |
X |
X |
X |
X |
|
Edit an IT policy |
X |
X |
X |
|||
Import an IT policy |
X |
X |
X |
|||
Export an IT policy |
X |
X |
X |
|||
Create a user-defined IT policy template |
X |
X |
X |
|||
Delete a user-defined IT policy template |
X |
X |
X |
|||
Edit a user-defined IT policy template |
X |
X |
X |
|||
Import an IT policy template |
X |
X |
X |
|||
Resend data to devices |
X |
X |
X |
|||
Create a software configuration |
X |
X |
X |
|||
View a software configuration |
X |
X |
X |
X |
X |
|
Edit a software configuration |
X |
X |
X |
|||
Delete a software configuration |
X |
X |
X |
|||
View BlackBerry Administration Service software management |
X |
X |
X |
|||
Edit BlackBerry Administration Service software management |
X |
X |
||||
Create an application |
X |
X |
X |
|||
View an application |
X |
X |
X |
X |
X |
|
Edit an application |
X |
X |
X |
|||
Delete an application |
X |
X |
X |
|||
Create an administrator user |
X |
|||||
Specify an activation password |
X |
X |
X |
X |
X |
|
Generate an activation email |
X |
X |
X |
X |
X |
|
Assign the current device to a user |
X |
X |
X |
X |
X |
|
Turn off and on external services |
X |
X |
X |
X |
||
Clear activation password |
X |
X |
X |
X |
X |
|
Clear synchronization backup data |
X |
X |
X |
X |
||
Clear user statistics |
X |
X |
X |
X |
X |
|
Export statistics |
X |
X |
X |
|||
Reset user field mapping |
X |
X |
X |
X |
||
Turn on redirection |
X |
X |
X |
X |
||
Turn off redirection |
X |
X |
X |
X |
||
Refresh available user list from company directory |
X |
X |
X |
|||
Add User from Company Directory |
X |
X |
X |
X |
||
Synchronize GroupWise System Address Book |
X |
X |
X |
|||
Clear and synchronize GroupWise System Address Book |
X |
X |
X |
|||
View a server |
X |
X |
X |
|||
Edit a server |
X |
X |
X |
|||
View a component |
X |
X |
X |
|||
Edit a component |
X |
X |
X |
|||
View an instance |
X |
X |
X |
|||
Edit an instance |
X |
X |
X |
|||
Change the status of an instance |
X |
X |
X |
|||
Edit an instance relationship |
X |
X |
X |
|||
View a job |
X |
X |
X |
|||
Edit a job |
X |
X |
X |
|||
Manage deployment job tasks |
X |
X |
X |
|||
Change the status of a job task |
X |
X |
X |
|||
Update peer-to-peer encryption key |
X |
X |
X |
|||
View job distribution settings |
X |
X |
X |
|||
Edit job distribution settings |
X |
X |
X |
|||
Delete an instance |
X |
X |
X |
|||
Edit license keys |
X |
X |
X |
|||
View license keys |
X |
X |
X |
|||
Manually fail a job |
X |
X |
X |
|||
Clear instance statistics |
X |
X |
X |
|||
View push rules for the BlackBerry MDS Connection Service |
X |
X |
X |
X |
X |
X |
View pull rules for the BlackBerry MDS Connection Service |
X |
X |
X |
X |
X |
|
Send message (across Group) |
X |
X |
X |
X |
X |
|
Create a role |
X |
X |
||||
Delete a role |
X |
X |
||||
View a role |
X |
X |
X |
|||
Edit a role |
X |
X |
||||
Add or remove role |
X |
X |
X |
|||
Import or export groups within roles |
X |
|||||
View BlackBerry Monitoring Service information |
X |
|||||
Edit BlackBerry Monitoring Service settings |
X |
|||||
Import new users |
X |
X |
X |
|||
Import or export users |
X |
X |
X |
X |
||
Import user updates |
X |
X |
X |
|||
Import or export email message filters for a user |
X |
X |
X |
|||
Export asset summary data |
X |
X |
X |
|||
Add or remove to user configuration |
X |
X |
X |
X |
||
Delete all device data and remove device |
X |
X |
X |
X |
X |
|
Delete only the organization data and remove device |
X |
X |
X |
X |
X |
Creating roles
You can create roles for administrator accounts so that administrators in your organization can perform specific tasks and view specific information in the BlackBerry® Administration Service, BlackBerry Monitoring Service, and BlackBerry® Web Desktop Manager. For example, you can create a role that has all permissions turned off by default and you can customize the role by turning on specific permissions. You can also create a role that is based on a preconfigured role and customize the role that you create.
Create a role
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Role.
- Click Create a role.
- Type a name and description for the role.
- Click Save.
- In the Role information section, click the name of the role that you created.
- Click Edit role.
- Switch the appropriate tabs to turn on the appropriate permissions.
- Click Save all.
Create a role based on an existing role
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Role.
- Click Manage roles.
- In the list of existing roles, click the role that you want to copy.
- Click Copy role.
- Type a name and description for the role.
- Click Copy role.
- In the Role information section, click the name of the role that you created.
- Click Edit role.
- Switch the appropriate tabs to change the appropriate permissions.
- Click Save all.