Parallels RAS 19 Administrator's Guide - Administrator account permissions

Introduction
- Parallels RAS 19 release history
- About Parallels RAS
- About this guide
- What's new
- Terms and abbreviations used in this guide
Installing Parallels RAS
- System requirements
- Install Parallels RAS
- Log in and activate Parallels RAS
Getting Started with Parallels RAS
- The Parallels RAS Console
- Set up a basic Parallels RAS Farm
Farm and Sites
- Connecting to a Parallels RAS Farm
- About Sites
- Sites in the RAS Console
- Adding a Site to the Farm
- Replicating Site settings
- Managing Licensing Site
- Managing administrator accounts
RAS Connection Broker
- Configuring RAS Connection Brokers
- Secondary Connection Brokers
- Managing Secondary Connection Brokers
- Using computer management tools
RAS Secure Gateway
- Overview
- Adding a RAS Secure Gateway
- Manually adding a RAS Secure Gateway
- Checking the RAS Secure Gateway status
- Configuring a RAS Secure Gateway
- Secure Gateway tunneling policies
- Configure logging
- Viewing Secure Gateway summary and metrics
- Using computer management tools
RD Session Hosts
- RD Session Host types
- Add an RD Session Host
  - Installing the agent manually
- Add a template-based RD Session Host
- Manage RD Session Hosts
- Planning for high availability
- Managing logons
- Using computer management tools
- Publishing from an RD Session Host
- Viewing published resources
Virtual Desktop Infrastructure (VDI)
- Supported providers
- Add a provider
- Manage VDI
- Configure logging
- Enabling high availability for VDI
- Site defaults (VDI)
- Using computer management tools
- Viewing Provider summary
- Remote PC pools
Azure Virtual Desktop
- Introduction
- Prerequisites
- Deploy Azure Virtual Desktop
- Manage Azure Virtual Desktop
- Site defaults (Azure Virtual Desktop)
  - Site defaults for single-session hosts
  - Site defaults for multi-session hosts
- Using Parallels Client with Azure Virtual Desktop
- Verify the deployment
Remote PCs
- Overview
- Adding a Remote PC to a Farm
  - Admin-initiated Remote PC enrollment
  - Self-service Remote PC enrollment
- Configuring a Remote PC
- Viewing Remote PC summary
- Using computer management tools
Publishing
- Overview
- Publishing a desktop
- Publishing an application
- Publishing an application with MSIX app attach
- Publishing a web application
- Publishing a network folder
- Publishing a document
- General management tasks
- Manage published applications
- Manage published desktops
- Manage published documents
- Manage folders
- Site defaults (Publishing)
- Using filtering rules
- Configuring preferred routing
- Understanding session prelaunch
- Checking effective access
- Specifying client settings
- Quick keypad
Session Management
- Overview
- Session information
- Monitoring settings
- Managing sessions
- The Resources tab
SSL Certificate Management
- Generating a self-signed certificate
- Generating a certificate signing request (CSR)
- Let's Encrypt certificates
  - Requesting a Let's Encrypt Certificate
  - How Parallels RAS requests certificates from Let's Encrypt
- Importing a certificate
- Exporting a certificate
- Assigning a certificate to Secure Gateways and HALBs
- Auditing certificates
- Permissions to manage certificates
- Upgrading from an older RAS version
Connection and Authentication Settings
- RAS Connection Broker connection settings
- Remote session settings
- Logon hours settings
- Restricting access by Parallels Client type and build number
- Multi-factor authentication
- Allowing users to change domain password
- Allowing users to discover RAS connections via email address
Load Balancing and HALB
- Resource based & round robin load balancing
  - Configure CPU optimization
- High availability load balancing (HALB)
RAS Multi-Tenant Architecture
- Overview
- Architecture description
  - Implementation overview
  - User connection flow
- Deploying Tenant Broker and Tenants
- Managing Tenants
- Shared Gateways
- Third-party network load balancers
- Web Client and Themes
- Monitoring Tenants
- Tenant Broker compatibility and updates
- Upgrading from an older RAS version
- Configuring notifications
- Communication ports
SAML SSO Authentication
- Introduction
- System requirements
- SAML basics
- SAML configuration
- Parallels Client configuration
- Parallels client policy configuration
- Test the SAML SSO deployment
- Error messages
Parallels Web Client and User Portal
- Configure Web Client
- Configure Themes
- Open Parallels Web Client
- Main menu options
- Running remote applications and desktops
- Auto login
- Direct App access
- Using the toolbar
Universal Printing
- Managing Universal Printing settings
- Universal Printing drivers
- Font management
Universal Scanning
- Managing Universal Scanning
- Adding scanning applications
User Device Management and Client Policies
- Inviting users to connect to Parallels RAS
- Mass configuring user devices
- Enabling Help Desk support
- Monitoring devices
  - Getting additional device information
- Windows device groups
- Managing Windows devices
  - Windows desktop replacement
- Scheduling Windows devices & groups power cycles
- Client Policies
- Configuring remote file transfer
Reporting
- System requirements
- Install Microsoft SQL Server
  - Install Microsoft SQL Server 2016 or earlier
  - Install Microsoft SQL Server 2017 or 2019
- Install Parallels RAS Reporting
- Running Parallels RAS reports
- GDPR compliance
Performance Monitor
- Overview
- Install RAS Performance Monitor
- Using Parallels RAS Performance Monitor
- Configure RAS Performance Monitor Security
- Updating RAS Performance Monitor
Common Management Tasks
- Recovery - add a root administrator
- Host name resolution
- Computer management tools
- Site information
- Site settings
- Using MSIX application packages
- Using template versions
- Settings audit
- Upgrading RAS agents
- Licensing
- Configure HTTP proxy settings
- System event notifications
- RAS session variables
- Maintenance and backup
  - Exporting and importing Farm settings from the command line
- Problem reporting and troubleshooting
- Logging
- Suggest a feature
Parallels RAS Management Portal
- Overview
- Prerequisites
- Installation
- Log in to RAS Management Portal
- Configure RAS Web Administration Service
- RAS Management Portal user interface
Parallels RAS APIs
- RAS PowerShell API
- RAS REST API
- RAS Web Client API and Parallels Client URL scheme
Appendix
- Microsoft license requirements in Parallels RAS
- Port reference
- RAS performance counters

View PDF

Administrator account permissions

To set permissions for a RAS administrator, do the following:

In the RAS Console, navigate to Administration > Accounts.
Select an administrator in the list and click Tasks > Properties.
Click the Change Permissions button in the Administrator Properties dialog. The following happens depending on what is selected in the Permissions field:
- Root administrator. The Change Permission button is disabled because the root administrator always has full permissions.
- Power administrator. The Account Permissions dialog opens. In the left pane, select one or more sites for which to grant permissions to the administrator. In the right pane, select specific permissions. See the Power administrator permissions subsection below for details.
- Custom administrator. A different Account Permissions dialog opens where you can set custom permissions. Compared to the Power administrator role (see above), this option allows you to grant any permission (view, modify, add, etc.) for entire categories or specific areas or objects in the RAS Console. If a Custom administrator doesn't have permissions to even view a category or tab page, they will not even appear in the RAS Console. Using the Custom administrator role, you can limit permissions to one or more very specific tasks. For details, see Custom administrator permissions below.

Power administrator permissions

The following permissions can be set for a Power administrator:

Allow viewing of site information. Whether the administrator can view the Site information.
Allow site changes. Permissions to modify the following categories: Site, Load Balancing, Universal Printing, Universal Scanning. This option is disabled if the Allow viewing of Site information option is cleared.
Allow session management. Permission to manage running sessions. This option is disabled if the Allow viewing of site information option is cleared.
Allow publishing changes. Permission to modify the Publishing category.
Allow connection changes. Permission to modify the Connection category.
Allow viewing of RAS reporting. Permission to view reports generated by RAS Reporting.
Allow client management changes. Permission to modify the Device Manager category.

In the Global permission area, set the following:

Allow viewing of policies. Whether to allow the administrator to view the Policies category.
Allow policies changes. Whether to allow the administrator to modify the Policies category.

Custom administrator permissions

To set custom administrator permissions, you must be either a root administrator or a power administrator with the "Allow site changes" permission granted.

When you first create an administrator of this type, they will have no permissions. To add permissions, select a Site in the left pane and then click the Change permissions button. The Account Permissions dialog opens. In the dialog, select a permission type in the left pane.

The permission types are:

RD Session hosts groups. The Groups tab in Farm > RD Session hosts.

Note: Starting from Parallels RAS 19, per-server RDSH permissions have been deprecated and must be manually replaced with per-group permissions. If you upgrade to Parallels RAS 19 or later from one of the previous versions, during the upgrade you will see a dialog that helps you with the process.
Remote PCs. The Farm > Remote PCs view.
Secure Gateways. The Farm > Secure Gateways view.
Connection Brokers. The Farm > Connection Brokers.
HALB. The Farm > HALB view.
Themes. The Farm > Themes view.
Publishing. Permissions for individual folders in the Publishing category.
Connection. The entire Connection category.
Device Manager. The entire Device manager category.
Certificates. The Farm > Certificates view.
Application Packages. The Farm > Application Packages view.

After you select a permission type, you can set the actual permissions in the right pane. Different permission types may have different sets of permissions. The following list describes all available permissions:

View. View only.
Modify. View and modify.
Add. View, modify, and add new objects (e.g. servers).
Delete. View, modify, and delete an object.
Control. View and control an object. This permission enables the Tasks > Control menu (where available), which includes enable and disable logons, cancel pending reboot, install RDS role, reboot, and some other options. Also enables power operations (start, stop, etc., where available).
Manage sessions. View and manage sessions.

The lower portion of the right pane lists individual objects (e.g. servers) if the selected permission type has them. Here, you can set individual permissions for a specific object (not the entire tab, for instance, which otherwise would include all available objects).

The Global permissions options at the top of the right pane enables all permissions for all objects for the selected permission type.

Clone permissions

As a root administrator (or a power administrator with sufficient privileges), you can apply (clone) permissions of an existing administrator account to another existing account. This way, you can configure permissions for one account and then quickly apply the same configuration to all other accounts that require them.

To clone permissions, select a source administrator account and click Tasks > Clone permissions. In the dialog that opens, select a destination account (or multiple accounts) and click OK.

Delegate permissions

There could be a situation when a power administrator needs to grant some permissions to a custom administrator. This cannot be done by modifying permissions because power administrators cannot manage administrator accounts directly. Instead, they can delegate some of their own permissions in a given Site to a custom administrator of their choice.

For example, if a power administrator wants the custom administrator to be able to manage a particular RD Session Host, he/she selects that host in the RAS Console and click Tasks > Delegate permissions. This opens a dialog where the administrator can select a custom administrator and specify which permissions (view, modify, etc.) that administrator should have. The Tasks > Delegate permissions menu option is available for many objects, such as Providers, host pools (desktops), and some others. If the menu is not available for an object, it means that this functionality is not available for objects of this type.

Was this topic helpful?

Yes No

Adding an administrator account

Managing administrator accounts