Using Computer Collections

Privilege Control for Servers (PCS) customers can save their Computers inventory queries as Computer Collections for future reuse. This provides better organization and management of assets. By using Computer Collections, you can:

  • Avoid recreating the same queries daily

  • Apply policies to specific subsets of your computer inventory

Computer Collections are automatically updated every day through Discovery and can also be updated on demand.

For information about PCS, see Using Privilege Control for Servers.

Creating a New Computer Collection

  1. Open the Computers inventory page (use the Search bar to find it).

  2. Click Show Query Builder.

  3. Enter your query terms. Results appear automatically on the page.

  4. Click Save as Collection.

  5. Enter a Collection name and Description.

  6. Click Save.

    The Collections page opens, displaying your new collection in the list.

To check the details of your new collection, click any empty space in the collection’s row. A panel opens to the right displaying the details.

Modifying a Computer Collection

  1. Open the Collections page (use the Search bar to find it).

  2. Select the collection you want to modify.

    The collection's detail page is displayed.

  3. To modify the name or description:

    1. Select the Overview tab.

    2. Click Edit.

    3. When finished, click Save.

  4. To modify the query that determines which assets are in the collection:

    1. Select the Assets tab.

    2. Use the query builder to change the query.

    3. When finished, click Save.

      If you need to discard your changes, click Reset.

  5. (For private preview customers only) To modify the user permissions assigned to the collection, select the Permissions tab. See Assigning User Permissions on Computer Collections.

Deleting a Computer Collection

To delete a Computer Collection, you must have the Manage All Collections permission.

  1. Open the Collections page (use the Search bar to find it).

  2. Hover over the name of the collection you want to delete, and click the three dots to open the context menu.

    Alternatively, you can click any empty space in the collection’s row to open the preview panel.

  3. Click Delete.

    A confirmation dialog is displayed.

  4. Confirm the deletion.

Assigning User Permissions on Computer Collections

This feature is currently available only to customers participating in a private preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.

By assigning permissions to users for computer collections, you can gain granular control over access to computer collections within your organization. You can specify permissions for individual users and groups, ensuring that only authorized personnel can view, manage, or interact with specific computer collections. By implementing this feature, your organization can enhance security, streamline access management, and ensure compliance with internal policies.

To assign permissions on computer collections:

  1. Open the Collections page (use the Search bar to find it).

  2. Select the name of the collection for which you would like to assign user permissions.

    The detail page for that collection is displayed.

  3. Select the Permissions tab.

  4. Click Grant Access.

  5. On the Grant Access page, select users or groups to give them access to the collection.

  6. Click Next.

  7. Specify the permissions you would like your users to have on the assets within the collection, as well as on the collection itself. See Common Access Control Configurations and Permissions Reference.

  8. Click Assign.

    The Permissions tab of the Collections page is displayed, showing the members you selected and their permissions on the collection.

  9. To modify permission assignments:

    1. Click Edit.

    2. Use the dropdown menu in each column to modify the selected permissions for each member.

    3. Click Save.

Interaction Between Collection-Based and Role-Based Permissions

Collection-based permissions and role-based permissions are designed to work together.

Role-based permissions always override collection-level permissions. For example, if a user has the Launch permission at the role level, the user can launch into any machine to which they have access, as long as they also have the View Asset permission for that machine.

To control what a user can see or do at either the collection or asset level, follow these guidelines:

  • Role-based permissions for viewing results: To control what users can view, ensure they have the View Inventory permission at the role level. This grants access to inventory information across collections.

  • Collection-based permissions for collection access: Permissions at the collection level govern which collections a user can view, access, update, or delete. To allow a user to view only a collection’s results, but not the collection itself, assign the View Assets permission to the user. With the View Assets permission, the user can view the results within the collection without gaining access to the collection as a whole.

  • Granular access: To gain finer control over what a user can access, you can combine role-based and collection-based permissions. For example, you can grant the user View Inventory permission at the role level, but only grant the View Assets permission at the collection level. The user can view asset data, but not the collection structure itself.

Common Access Control Configurations

To grant a user access to view only a subset of computers in the Computers inventory, give the user the following permissions:

  • Role permission: View Inventory

  • Collection permission: View Assets

To grant a user access to launch a session to any computer within an assigned collection, give the user the following permissions:

  • Role permissions: View Inventory, Launch PRA Session

  • Collection permission: View Assets

To grant a user access to view both the collection and the collection results in the Computers inventory, give the user the following permissions:

  • Role permission: View Inventory

  • Collection permissions: View Assets, View Collection

To grant a user the ability to manage a collection, including updating its query, give the user the following permissions:

  • Role permissions: View Inventory, Manage All Collections

To grant a user access to assign collections to policies, which enables the user to update the policy, give the user the following permissions:

  • Role permissions: View Inventory, Edit Policy

  • Collection permission: View Collection

    To enable the user to view all collections, assign View All Collections at the role level.
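
When reviewing assignments, the combinations listed above can be checked mechanically. The following Python code is an added example, not product code and not a PCS API: it encodes the five configurations from this section and reports which ones each user meets per collection, along with any role permissions that the Permissions Reference describes as covering all collections or all computers. The function names, the data layout, and the sample users and collections are assumptions constructed for illustration.

```python
# Added illustration of this page's permission combinations; names and data layout are assumptions.

# Each configuration: (required role permissions, required collection permissions)
CONFIGS = {
    "view subset of computers": ({"View Inventory"}, {"View Assets"}),
    "launch session in collection": ({"View Inventory", "Launch PRA Session"}, {"View Assets"}),
    "view collection and results": ({"View Inventory"}, {"View Assets", "View Collection"}),
    "manage collection": ({"View Inventory", "Manage All Collections"}, set()),
    "assign collection to policy": ({"View Inventory", "Edit Policy"}, {"View Collection"}),
}

# Role permissions the Permissions Reference describes as applying to all
# collections or all computers, so collection assignments do not narrow them.
TENANT_WIDE = {"View All Collections", "Manage All Collections", "View All Computers"}

def satisfied(role_perms, coll_perms):
    """Names of the page's configurations that this permission pair fully meets."""
    return sorted(name for name, (need_role, need_coll) in CONFIGS.items()
                  if need_role <= role_perms and need_coll <= coll_perms)

def missing(target, role_perms, coll_perms):
    """Permissions still required to reach one named configuration."""
    need_role, need_coll = CONFIGS[target]
    return {"role": sorted(need_role - role_perms),
            "collection": sorted(need_coll - coll_perms)}

def audit(users):
    """Per user: configurations met per collection, plus tenant-wide role grants."""
    report = {}
    for name, entry in users.items():
        role = set(entry["role"])
        report[name] = {
            "tenant_wide": sorted(role & TENANT_WIDE),
            "collections": {c: satisfied(role, set(p))
                            for c, p in entry["collections"].items()},
        }
    return report

# Constructed sample assignments (not real tenant data).
SAMPLE = {
    "alice": {"role": ["View Inventory", "Launch PRA Session"],
              "collections": {"linux-prod": ["View Assets"], "win-dev": []}},
    "bob": {"role": ["View Inventory", "Manage All Collections"],
            "collections": {"linux-prod": ["View Assets", "View Collection"]}},
    "carol": {"role": ["Launch PRA Session"],
              "collections": {"linux-prod": ["View Assets"]}},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, carol meets no configuration because View Inventory is absent at the role level, and bob's Manage All Collections is reported separately because it is not limited to the collections assigned to him.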

Permissions Reference

The following table gives a summary of the role permissions.

| Role Permission | Description |
|---|---|
| View All Collections | User can view details for all collections in the platform tenant |
| Manage All Collections | User can create, view, update, and delete all collections in the tenant |
| Launch with PRA | User can launch remote access on supported assets |
| View All Computers | User can view all computers in the inventory |
| View Inventory | Must be enabled for the user to view any Inventory results |

The following table gives a summary of the collection permissions.

| Collection Permission | Description |
|---|---|
| Permissions to a Collection | |
| View Collection | User can view the overview tab of a collection |
| Grant Access | User can grant and manage access to a collection |
| Update Collection | User can update Collection Query, Name, and Description |
| Delete Collection | User can delete a Collection |
| Permissions to Assets in a Collection | |
| View Assets | User can view Collection results in Inventory |
| Launch Session | User can launch a session to collection results in Inventory |