Users of the Nova application can be assigned one or more roles. Each role provides functionality in the Nova application itself. Roles can be combined. The following is a list of the roles, and what they give access to:
This roles gives access to the Tenant Management System, and does not give any direct access to the Nova application (unless it is combined with other roles).
This gives access to be able to create and manage policies in Delegation and Policy Control. In addition audit logs can be viewed to see how the policies have been used by delegated administrators. There are several other administrative functions which are shown in this screenshot:
This gives access to be able to perform allowed actions against users, mailboxes, groups, contacts and Microsoft Teams. It is the role most appropriate to a delegated administrator. What the user will be able to do is governed by the policies which are applied to them, and were configured by someone with at least the Account Administrator role. This is an example of the menu that a user will see, if they are given this role:
This gives access to reporting data, and the Report Center.
Report Readers are assigned a view-only status for reports. They can read, print and download (.CSV or .PDF) reports, but unable to create, import, clone or edit reports. Nova administrators have the right to grant this access to protect and maintain accountability, data integrity and security. For more on this role, click here.
Auth Policy Admin
This gives users the ability just to manage policies within Nova. The option to get into Autorization Policies will be enabled in the Manage Administration menu.
This gives people the ability to create and maintain License Policies. The option will be available on the Manage Administration menu.
Organizational Unit Admin
This gives users the ability to maintain virtual organizational units. The Tenants option will be available on the Manage Administration menu.
This gives a user the ability to use Nova, but restricts them from changing the configuration or security of Nova itself.
Why do we use the ‘Classic’ names?
Two parts of Nova have existed in different systems and different formats before Nova. We have customers which are now using Nova that used to use those systems, so these roles are named as shown on this page so that those customers understand what functionality, broadly speaking, they’ll be getting with those roles. These two are:
- Radar Classic: This gives users the same functionality as they would have had in our Radar product.
- Autopilot Classic: This gives users the same functionality as they would have had in our Autopilot product.
Examples of combining roles
If someone needs to be able to create authorization policies, and actually perform actions on customer tenants (such as password resets, maintaining groups, adding Microsoft Teams and so on) then they should be assigned these roles:
- Account Administrator
- Autopilot Classic
If someone needs to be able to access reporting data, and perform actions on customer tenants (such as password resets, maintaining groups, adding Microsoft Teams, and so on) then they should be assigned these roles:
- Autopilot Classic
- Radar Classic
Granting Account Administrator
The following should be considered when assigning roles
- The Account Administrator roles does not work on it’s own. It needs to be combined with the Autopilot Classic role.