To set permissions for a RAS administrator, do the following:
In the RAS Console, navigate to Administration > Accounts.
Select an administrator in the list and click Tasks > Properties.
Click the Change Permissions button in the Administrator Properties dialog. The following happens depending on what is selected in the Permissions field:
Root administrator. The Change Permission button is disabled because the root administrator always has full permissions.
Power administrator. The Account Permissions dialog opens. In the left pane, select one or more sites for which to grant permissions to the administrator. In the right pane, select specific permissions. See the Power administrator permissions subsection below for details.
Custom administrator. A different Account Permissions dialog opens where you can set custom permissions. Compared to the Power administrator role (see above), this option allows you to grant any permission (view, modify, add, etc.) for entire categories or specific areas or objects in the RAS Console. If a Custom administrator doesn't have permissions to even view a category or tab page, they will not even appear in the RAS Console. Using the Custom administrator role, you can limit permissions to one or more very specific tasks. For details, see Custom administrator permissions below.
The following permissions can be set for a Power administrator:
Allow viewing of site information. Whether the administrator can view the Site information.
Allow site changes. Permissions to modify the following categories: Site, Load Balancing, Universal Printing, Universal Scanning. This option is disabled if the Allow viewing of Site information option is cleared.
Allow session management. Permission to manage running sessions. This option is disabled if the Allow viewing of site information option is cleared.
Allow publishing changes. Permission to modify the Publishing category.
Allow connection changes. Permission to modify the Connection category.
Allow viewing of RAS reporting. Permission to view reports generated by RAS Reporting.
Allow client management changes. Permission to modify the Device Manager category.
In the Global permission area, set the following:
Allow viewing of policies. Whether to allow the administrator to view the Policies category.
Allow policies changes. Whether to allow the administrator to modify the Policies category.
To set custom administrator permissions, you must be either a root administrator or a power administrator with the "Allow site changes" permission granted.
When you first create an administrator of this type, they will have no permissions. To add permissions, select a Site in the left pane and then click the Change permissions button. The Account Permissions dialog opens. In the dialog, select a permission type in the left pane.
The permission types are:
RD Session hosts groups. The Groups tab in Farm > RD Session hosts.
Note: Starting from Parallels RAS 19, per-server RDSH permissions have been deprecated and must be manually replaced with per-group permissions. If you upgrade to Parallels RAS 19 or later from one of the previous versions, during the upgrade you will see a dialog that helps you with the process.
Manage Sessions by AD Groups. Permission for managing user sessions for users that belong to the same AD group as the custom administrator.
Note: Parallels RAS checks all available AD groups to find the ones that include the custom administrator. If you don't want to check certain AD groups, you can exclude them from the search by clicking the Exclude AD groups button in the bottom-left corner of the Account Permissions window.
Remote PCs. The Farm > Remote PCs view.
Secure Gateways. The Farm > Secure Gateways view.
Connection Brokers. The Farm > Connection Brokers.
HALB. The Farm > HALB view.
Themes. The Farm > Themes view.
Publishing. Permissions for individual folders in the Publishing category.
Connection. The entire Connection category.
Device Manager. The entire Device manager category.
Certificates. The Farm > Certificates view.
Application Packages. The Farm > Application Packages view.
To change global permissions, instead of a specific Site select Global in the left pane and then click the Change permissions button.
The global permission types are:
Monitoring. The Monitoring category.
Reporting. The Reporting category.
License. The License category.
After you select a permission type, you can set the actual permissions in the right pane. Different permission types may have different sets of permissions. The following list describes all available permissions:
View. View only.
Modify. View and modify.
Add. View, modify, and add new objects (e.g. servers).
Delete. View, modify, and delete an object.
Control. View and control an object. This permission enables the Tasks > Control menu (where available), which includes enable and disable logons, cancel pending reboot, install RDS role, reboot, and some other options. Also enables power operations (start, stop, etc., where available).
Manage sessions. View and manage sessions.
The lower portion of the right pane lists individual objects (e.g. servers) if the selected permission type has them. Here, you can set individual permissions for a specific object (not the entire tab, for instance, which otherwise would include all available objects).
The Global permissions options at the top of the right pane enables all permissions for all objects for the selected permission type.
As a root administrator (or a power administrator with sufficient privileges), you can apply (clone) permissions of an existing administrator account to another existing account. This way, you can configure permissions for one account and then quickly apply the same configuration to all other accounts that require them.
To clone permissions, select a source administrator account and click Tasks > Clone permissions. In the dialog that opens, select a destination account (or multiple accounts) and click OK.
There could be a situation when a power administrator needs to grant some permissions to a custom administrator. This cannot be done by modifying permissions because power administrators cannot manage administrator accounts directly. Instead, they can delegate some of their own permissions in a given Site to a custom administrator of their choice.
For example, if a power administrator wants the custom administrator to be able to manage a particular RD Session Host, he/she selects that host in the RAS Console and click Tasks > Delegate permissions. This opens a dialog where the administrator can select a custom administrator and specify which permissions (view, modify, etc.) that administrator should have. The Tasks > Delegate permissions menu option is available for many objects, such as Providers, host pools (desktops), and some others. If the menu is not available for an object, it means that this functionality is not available for objects of this type.
To view existing administrator accounts, select the Administration category in the RAS Console. The Accounts tab lists existing accounts and their properties, including:
Group or user name. Account name, which can be a user or group name.
Type. Account type. Can be one of the following: User, Group, Group User. The User and Group are self-explanatory. The Group User is a user who receives Parallels RAS administrative permissions via a group membership. When you initially add a group to the list of Parallels RAS administrators, its members are not displayed on the Accounts tab. As soon as a member of the group logs in to Parallels RAS, the account name is added to the list of administrators as a Group User and remains there. Note that you cannot change Parallels RAS permissions for such an account individually outside the group permissions.
Permissions. A security role assigned to an administrator.
Email. Email address.
Mobile. Mobile phone number.
Group. Group name. This column has a value for Group Users only (see the Type column description above).
Last Modification By. The name of the user who modified this account in Parallels RAS the last time.
Changed On. The last account modification date.
Created By. The name of the user who created this account in Parallels RAS.
Created On. The date when this account was added to Parallels RAS.
ID. Internal Parallels RAS ID.
To modify an account:
Right-click an account and choose Properties in the context menu.
Use the Administrator Properties dialog to modify the necessary information. For more info, see Adding an Administrator Account.
When an administrator is working with an object (e.g. a tab in the RD Session Host properties dialog), the object is locked for all other administrators. Therefore, upon trying to access a locked object, an administrator will be alerted with an error that the object is locked and will be denied access to it.
A root administrator (but not power or custom administrator) can release a locked object as follows:
On the Administration > Accounts tab, click the Tasks drop-down list and choose Show Sessions.
In the Sessions dialog, select the administrator who is locking an object and then click the Send Message icon (at the top).
If the administrator doesn't reply and doesn't release the object, you have an option to click Log Off, which will log them off and will unlock the category.
You can have more than one administrator in Parallels RAS. At least one administrator (called the root administrator) must be present at all times. Other administrators can be given the following roles:
Root administrator. Has full permissions to manage a Parallels RAS Farm.
Power administrator. Has most permissions granted by default, but can be configured to have limited permissions to manage certain sites or categories.
Custom administrator. Has no permission by default and can be granted specific permission to view or modify very specific areas or objects in the Parallels RAS Farm.
Read on to learn how to create and manage administrator accounts.
Parallels RAS administrators logged on to the same Farm can communicate with each other using a built-in instant messenger.
To use the instant messenger:
In the RAS Console, select the Administration category.
Expand the drop-down list next to your name (top-right corner of the console screen) and click Chat.
The Parallels Remote Application Server Chat window opens.
To send a message:
Type the message text in the lower input panel.
In the Logged on administrators list box, select a specific administrator or All to send the message to an individual or all logged on administrators.
Click Send.
Your message history is displayed in the Messages panel. To clear the history, click Clear All.
You can also view the chat history listing all messages between all administrators (not just your own messages). To do so, select the Administration node in the console and then select the Chat History tab.
If you have a number of administrators using the RAS Console to manage the same Farm, you can configure when an idle RAS Console session should be disconnected. By default, when an administrator opens the console and connects to a Farm but then forgets to log off and goes away, the session will stay active indefinitely possibly locking some of the categories for other administrators. You can change that by specifying the time period after which an idle session will be disconnected (thus unlocking the categories).
To configure idle sessions:
In the RAS Console, navigate to Administration > Settings.
Locate the Miscellaneous section (at the bottom) and choose a desired time period in the Reset idle RAS Console session after drop-down list.
When a session stays idle for close to the specified time period, the administrator (session owner) will be notified a few minutes in advance that the session is about to be disconnected. If the administrator chooses to stay connected, the time period is reset. If the administrator does nothing, the session will be disconnected when the time expires.
To add an administrator account to the Parallels RAS Farm:
In the RAS Console, navigate to Administration> Accounts.
Click the Tasks drop-down list and choose Add (or click the [+] icon).
The Account Properties dialog opens.
Click the [...] button next to the Name field. In the Select User or Group dialog, select a user or a group.
Specify an email address and mobile phone number. Both fields are optional and are disabled if the account specified in the Name field is a group.
In the Permissions drop-down list select a role to assign to the administrator:
Root administrator. Grants the administrator full permissions to manage the Farm.
Power administrator. Grants the administrator full permissions by default but allows you to limit them if needed. To grant or deny specific permissions, click the Change Permissions button. For additional info, see Administrator Account Permissions.
Custom administrator. This role doesn't have any permissions by default and allows you grant very specific permissions for a particular category, area, or object in the RAS Console. See Administrator Account Permissions for details.
In the Receive system notifications via drop-down list, select Email to send all system notifications to the specified email address, or select None to disable email system notifications for this account.
Click OK to add the new administrator account to the Farm.
Modifying an administrator account
To modify an account, select it in the list and click Tasks > Properties. This opens the Account Properties dialog where you can modify the account information.
To enable or disable an account, select or clear the Enable account option at the top of the Account Properties dialog.
Parallels Customer Experience Program helps us to improve the quality and reliability of Parallels RAS. If you accept to join the program, we will collect information about the way you use Parallels RAS. We will not collect any personal data, like your name, address, phone number, or keyboard input.
To join the program:
In the RAS Console, select the Administration category.
In the right pane, click the Settings tab.
Select the Participate in the Customer Experience Program option.
After you join the program, CEP will automatically start to collect information about how you use Parallels RAS. Data collected from you and other participants is combined and thoroughly analyzed to help us improve Parallels RAS.