When you install the Symantec Endpoint Protection Manager, a default system administrator account is created, called admin. The system administrator account gives an administrator access to all the features in Symantec Endpoint Protection Manager.
To help you manage security, you can add additional system administrator accounts, domain administrator accounts, and limited administrator accounts. Domain administrators and limited administrators have access to a subset of Symantec Endpoint Protection Manager features.
You choose which accounts you need based on the types of roles and access rights you need in your company. For example, a large company may use the following types of roles:
- An administrator who installs the management server and the client installation packages. After the product is installed, an administrator in charge of operations takes over. These administrators are most likely system administrators.
- An operations administrator, who maintains the servers and databases and installs patches. If you have a single domain, the operations administrator could be a domain administrator who is fully authorized to manage sites.
- An antivirus administrator, who creates and maintains the Virus and Spyware Protection policies and LiveUpdate policies on the clients. This administrator is most likely to be a limited administrator.
- A desktop administrator, who is in charge of security and creates and maintains the Firewall policies and Intrusion Prevention policies for the clients. This administrator is most likely to be a domain administrator.
- A help desk administrator, who creates reports and has read-only access to the policies. The antivirus administrator and desktop administrator read the reports that the help desk administrator sends. The help desk administrator is most likely to be a limited administrator who is granted reporting rights and policy rights.
Table: Administrator roles and responsibilities
System administrators can log on to the Symantec Endpoint Protection Manager console with complete, unrestricted access to all features and tasks.
A system administrator can create and manage other system administrator accounts, domain administrator accounts, and limited administrator accounts.
A system administrator can perform the following tasks:
- Manage all domains.
- View and manage all console settings.
- Manage the databases and management servers.
Administrators are domain administrators who can view and manage a single domain. A domain administrator has the same privileges as a system administrator, but for a single domain only.
By default, the domain administrator has full system administrator rights to manage a domain, but not a site. You must explicitly grant site rights within a single domain. Domain administrators can modify the site rights of other administrators and limited administrators, though they cannot modify the site rights for themselves.
A domain administrator can perform the following tasks:
- Create and manage administrator accounts and limited administrator accounts within a single domain.
  Domain administrators cannot modify their own site rights. System administrators must perform this function.
- Run reports, manage sites, and reset passwords.
  Cannot administer licenses. Only system administrators can administer licenses.
Limited administrators can log on to the Symantec Endpoint Protection Manager console with restricted access. Limited administrators do not have access rights by default. A system administrator must explicitly grant access rights to allow a limited administrator to perform tasks.
Parts of the management server user interface are not available to limited administrators when you restrict access rights. For example:
- Limited administrators without reporting rights cannot view the Home, Monitors, or Reports pages.
- Limited administrators without policy rights cannot view or modify the policy. In addition, they cannot apply, replace, or withdraw a policy.