About roles

In some cases, you can use locally defined roles to validate the users.

If the DME server is linked with a directory server, either LDAP or Active Directory, it is not advisable to use local roles, because these can make a user's access rights less transparent. Instead, three groups must be created in the directory, and the users of DME should be divided into these groups in the following way:

  1. All users who connect to DME Server from a device should be added to the group DME_User.
  2. All users who are allowed full use of the Web Administration Interface (DME Administrators) must be in the group DME_Admin.
  3. All users who are allowed to use part of the Web Administration Interface must be in the group DME_Superuser. These users are able to use the Web Administration Interface but with some restrictions. For instance, superusers cannot:

    The superuser can see all settings but may not be able to change them. The primary role of a superuser is to change settings for groups and devices to which he or she has access.

Please note that members of the DME_Admin or DME_Superuser groups do not have the privileges of the DME_User group. This means that an administrator or superuser will normally have to be included in both groups, if he or she is also a DME user (which will normally be the case).

It is advisable to give at least one user the local administrator role. This ensures that this user can log into the Web Administration Interface, even if the directory server should become unavailable.

If the DME server is not configured to validate users against a directory server, the two groups DME_User and DME_Admin must be created as local roles on the DME server. The users must then be related to these local roles on the user profile on the DME server. This is described in the previous section - see About users.

If you do not wish to use the standard group names (DME_User, DME_Admin and DME_Superuser), for instance if you need to use other names for these groups for policy reasons, you can impersonate these groups in the connector Domain setup page, in the User groups (group graph) section. This means that you can use other directory groups instead of the DME groups mentioned above. You can read more about this in Domain.
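The dual-membership rule above (members of DME_Admin or DME_Superuser also need DME_User) can be checked against an export of the directory groups. The following is an added example, not part of DME or its documentation: it assumes the groups have been exported as LDIF with `cn` and `member` attributes, and the function names, the sample DNs and the `names` mapping for substitute group names are all hypothetical.

```python
import base64

# Constructed sample LDIF export of the three groups (not real directory data).
SAMPLE_LDIF = """\
dn: CN=DME_User,OU=Groups,DC=example,DC=com
cn: DME_User
member: CN=Alice,OU=Staff,DC=example,DC=com
member: CN=Bob,OU=Staff,DC=example,DC=com

dn: CN=DME_Admin,OU=Groups,DC=example,DC=com
cn: DME_Admin
member: cn=alice,ou=staff,dc=example,dc=com
member: CN=Carol,OU=Staff,
 DC=example,DC=com

dn: CN=DME_Superuser,OU=Groups,DC=example,DC=com
cn: DME_Superuser
member: CN=Dave,OU=Staff,DC=example,DC=com
"""

def parse_groups(ldif):
    """Return {group cn: set of member DNs}; DNs are lowercased for comparison."""
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    groups = {}
    for entry in unfolded.split("\n\n"):
        cn, members = None, set()
        for line in entry.splitlines():
            attr, sep, value = line.partition(":")
            attr = attr.lower()
            if not sep or attr not in ("cn", "member"):
                continue  # skips comments, dn and binary attributes
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:]).decode("utf-8")
            if attr == "cn":
                cn = value.strip()
            else:
                members.add(value.strip().lower())
        if cn:
            groups[cn] = members
    return groups

def audit(groups, names=None):
    """names maps each DME group to the directory group used in its place."""
    names = names or {g: g for g in ("DME_User", "DME_Admin", "DME_Superuser")}
    users = groups.get(names["DME_User"], set())
    return {role: {"members": sorted(groups.get(names[role], set())),
                   "missing_DME_User": sorted(groups.get(names[role], set()) - users)}
            for role in ("DME_Admin", "DME_Superuser")}
```

Calling `audit(parse_groups(SAMPLE_LDIF))` lists Carol and Dave as privileged accounts without DME_User membership; the `members` lists double as a review list of who holds administrative access.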
