An administrator can use dynamic role-based access control (RBAC) to define which users can perform which operations in the system. You can grant a role to one or more Active Directory (AD) groups. The Horizon Mirage server identifies users by AD group membership and automatically assigns their matching user roles in the system.

A user can have only one active role at a time. If the user’s group is assigned to more than one role, the user inherits the superset privileges of all assigned roles.

Each role is mapped to a set of actions the user can perform in the system, such as managing CVDs, base layers, users, groups, and events, as well as viewing the dashboard and other system information.

You can define additional custom roles to suit various company processes.

The following is a list of actions in the system for which role-based access can be defined for specific users:

System Actions for which Role Based Access can be Defined for a User

| Action | Description |
|---|---|
| View dashboard | View the dashboard. |
| View server status | View the server status node. If not applicable, it appears as an empty list. |
| View tasks | View the tasks list in the Task Monitoring node. |
| Manage tasks | Delete running tasks. |
| View CVDs | View the CVD inventory. |
| Manage CVDs | Delete a CVD, assign a base layer to a CVD, enforce a base layer, assign a policy to a CVD, and revert to snapshot. |
| Support CVDs | Enforce base layer, set driver libraries, revert CVDs, confirm restore, and edit CVD comments. |
| Manage collections | Create and remove collections. |
| Manage collections CVDs | Add and remove CVDs from a collection. |
| View CVD policies | View CVD policies. |
| Manage CVD policies | Edit, create, and delete CVD policies. This role requires the view CVD policies role. |
| View devices | View the devices in the device inventory and the pending list. |
| Manage devices | Assign a device to a CVD, reject a device, restore a device, remove a device, suspend a device, and synchronize the device with the CVD. |
| Support devices | Suspend and resume devices, collect sysreports, restart a device, and run Sync Now on a device. |
| View layers | View the layers that are assigned to different devices. |
| Manage layers | Create layers, delete layers, cancel layer assignment (this is a bug), and update layer data (name, details). |
| View ref CVDs | View the Reference CVD inventory. |
| Manage ref CVDs | Assign a reference device to a reference CVD, assign a base layer to a reference CVD, assign a policy to a reference CVD, and delete a reference CVD. |
| View base layer rules | View the image rules. |
| Manage base layer rules | Add new rules, remove rules, test base layer draft rules, and set new default base layer rules. |
| View driver library | See the driver profiles and driver folders and their details in the driver library. |
| Manage driver library | Add drivers to the driver folders, create new driver profiles, and modify existing driver folders and libraries. |
| View reports | View the generated reports. |
| Manage reports | Create reports and delete reports. |
| View events | View the events under the Event log and Manager Journal. |
| Manage events | Delete, acknowledge, and reinstate events. |
| View transactions | View transactions. |
| View users and roles | View the Mirage users and their roles. |
| Manage security roles | Modify user access roles. |
| Manage security groups | Modify the security groups. |
| View configuration | View system configuration settings, cluster configurations, and server and volume configurations. |
| Manage configuration | Modify system configuration settings. |
| Manage minimal restore set | Modify the minimal restore set. |
| Access CVDs via admin file portal | View CVDs in the file portal. |

Horizon Mirage includes predefined Administrator, Desktop Engineer, and Helpdesk user roles:

Predefined User Roles

| User role | Access Permission |
|---|---|
| Administrator role | Access to all Horizon Mirage functions, including base layer management functions and the management of users and roles. The Administrator role cannot be edited or deleted. |
| Desktop Engineer role | By default, authorized to perform all system operations except base layer management, user management, and role management. You can customize the default privilege set. |
| Helpdesk role | By default, authorized to perform only view operations on the system to troubleshoot a CVD problem. You can customize the default privilege set. |
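
The superset rule for users whose groups map to several roles, and the requirement that Manage CVD policies is paired with View CVD policies, can both be checked offline during an access review. The following Python sketch is an added example, not VMware code; the AD group names, the two custom roles, the Helpdesk action subset, and the choice of which actions count as sensitive are constructed assumptions.

```python
# Constructed sample data: role contents and group names are illustrative,
# not the product's defaults.
ROLE_ACTIONS = {
    "Helpdesk": {"View dashboard", "View CVDs", "View devices", "View CVD policies"},
    "Policy Editor": {"Manage CVD policies"},  # hypothetical custom role
    "Access Delegate": {"View users and roles", "Manage security roles"},  # hypothetical
}
GROUP_ROLES = {
    "CORP\\Mirage-Helpdesk": {"Helpdesk"},
    "CORP\\Desktop-Policy": {"Policy Editor"},
    "CORP\\IT-Leads": {"Access Delegate"},
}
# Dependency stated on this page: Manage CVD policies requires View CVD policies.
REQUIRES = {"Manage CVD policies": "View CVD policies"}
# Actions the reviewer wants surfaced (an assumption, adjust to local policy).
SENSITIVE = {"Manage security roles", "Manage security groups", "Manage configuration"}


def effective_access(user_groups):
    """Return {action: [roles granting it]}, the union over every matched role."""
    granted = {}
    for group in user_groups:
        for role in GROUP_ROLES.get(group, ()):
            for action in ROLE_ACTIONS[role]:
                granted.setdefault(action, set()).add(role)
    return {action: sorted(roles) for action, roles in granted.items()}


def review(user_groups):
    """List sensitive actions with their source role, and unmet dependencies."""
    access = effective_access(user_groups)
    findings = []
    for action in sorted(access):
        if action in SENSITIVE:
            findings.append(f"sensitive: {action} via {', '.join(access[action])}")
        needed = REQUIRES.get(action)
        if needed and needed not in access:
            findings.append(f"missing dependency: {action} requires {needed}")
    return findings


if __name__ == "__main__":
    groups = ["CORP\\Mirage-Helpdesk", "CORP\\Desktop-Policy", "CORP\\IT-Leads"]
    for line in review(groups):
        print(line)
```

Tracing each action back to the role that granted it shows which group membership to remove when a user's combined access is broader than intended.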