Adding a User to the ACL

The User/Group Details window lets you add a new user or user group to the profile’s Access Control List.

To add a user:

  1. From the Access Control List (ACL) window, click Add. The User/Group Details window opens.

  2. In the User Type section, select the required type of user:
    • Digest User – Enter the username and password (see Password Format). The usernames “admin” and “administrator” are not permitted (these names are reserved for the default admin user). The username must be unique in this profile, a maximum of 16 characters, and cannot contain these characters: ( , ), ( : ), ( “ ), ( & ), ( < ), or ( > ). Usernames starting with $$ are not permitted.

    • Active Directory User/Group – Click Browse and select the user or group.
    Note: You cannot select the default user groups from the Active Directory Builtin folder. Instead, either add the required users individually or create and add a new group containing the users.
  3. From the Access Type drop-down list, specify an access type. This parameter defines the locations from where the user is allowed to do an action. A user might be limited to local actions or might also be able to do actions from the network. Select one of these:
    • Local – The user can access the Intel AMT system only via the local host.
    • Remote – The user can execute an action only via the network.
    • Both – The user can execute an action either locally or from the network.
  4. From the Realms section, select the check boxes of the realms that you want to make available to this user. The realms define specific functional capabilities, as described in this table. Note that not all realms are available on all versions of Intel AMT.
    | Realm | Capabilities |
    |---|---|
    | Redirection | Enables and disables the redirection capability and retrieves the redirection log |
    | PT Administration | Manages security control data such as Access Control Lists, Kerberos parameters, Transport Layer Security, Configuration parameters, power saving options, and power packages. A user with PT Administration Realm privileges has access to all realms. Note: If this user will be used to run the Configurator to do host-based configuration, the Access Type must be Local (or Both). |
    | Hardware Asset | Used to retrieve information about the hardware inventory of the Intel AMT system |
    | Remote Control | Enables powering a system up or down remotely. Used in conjunction with the Redirection capability to boot remotely. |
    | Storage | Used to configure, write to, and read from non-volatile user storage |
    | Event Manager | Allows configuring hardware and software events to generate alerts |
    | Storage Administration | Used to configure the global parameters that govern the allocation and use of non-volatile storage |
    | Agent Presence Local | Used by an application designed to run on the local platform to report that it is running and to send heartbeats periodically |
    | Agent Presence Remote | Used to register Local Agent applications and to specify the behavior of Intel AMT when an application is running or stops running unexpectedly |
    | Circuit Breaker | Used to define filters, counters, and policies to monitor incoming and outgoing network traffic and to block traffic when a suspicious condition is detected (the System Defense feature) |
    | Network Time | Used to set the clock in the Intel AMT device and synchronize it to network time |
    | General Info | Returns general setting and status information. With this interface, it is possible to give a user permission to read parameters related to other interfaces without giving permission to change the parameters |
    | Firmware Update | Used only by manufacturers via Intel-supplied tools to update the Intel AMT firmware |
    | EIT | Implements the Embedded IT service |
    | Local User Notification | Provides alerts to a user on the local interface |
    | Endpoint Access Control | Returns settings associated with NAC/NAP posture |
    | Endpoint Access Control Administrator | Configures and enables the NAC/NAP posture |
    | Event Log Reader | Allows definition of a user with privileges only to read the Intel AMT system log |
    | Access Monitor | Allows a system auditor to monitor all events. Before assigning this realm, see Using Access Monitor. |
    | User Access Control | Groups several ACL management commands into a separate realm to enable users to manage their own passwords without requiring administrator privileges |
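
The rules in steps 2 to 4 can be checked before entries are typed into the User/Group Details window. The following is an added example, not part of the original documentation or of Intel's tools: it lints a planned list of Digest users against the username rules, the Access Type values, and the PT Administration notes above. The dict layout, the `runs_configurator` flag, the case-insensitive comparisons, and treating ( “ ) as both straight and curly double quotes are assumptions.

```python
# Added example: lint Digest-user ACL entries against the rules on this page.
FORBIDDEN_CHARS = set(',:"\u201c&<>')  # assumption: ( “ ) covers straight and curly quotes
RESERVED = {"admin", "administrator"}
ACCESS_TYPES = {"Local", "Remote", "Both"}

def check_entry(entry, seen):
    """Return findings for one entry (hypothetical dict layout, not an SCS format)."""
    findings = []
    name = entry["username"]
    if name.lower() in RESERVED:  # assumption: reserved names compared case-insensitively
        findings.append("reserved username")
    if len(name) > 16:
        findings.append("username longer than 16 characters")
    if name.startswith("$$"):
        findings.append("username starts with $$")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        findings.append("forbidden characters: " + " ".join(bad))
    if name.lower() in seen:  # assumption: uniqueness compared case-insensitively
        findings.append("duplicate username in profile")
    seen.add(name.lower())
    if entry["access_type"] not in ACCESS_TYPES:
        findings.append("unknown access type")
    if "PT Administration" in entry["realms"]:
        findings.append("PT Administration grants access to all realms")
    # Note in the PT Administration row: Configurator users need Local or Both.
    if entry.get("runs_configurator") and entry["access_type"] == "Remote":
        findings.append("Configurator user needs Access Type Local or Both")
    return findings

def lint_profile(entries):
    """Check every entry in order; returns [(username, findings), ...]."""
    seen = set()
    return [(e["username"], check_entry(e, seen)) for e in entries]

# Constructed sample profile (not taken from any real deployment).
SAMPLE = [
    {"username": "helpdesk01", "access_type": "Remote",
     "realms": ["Remote Control", "Redirection"]},
    {"username": "Administrator", "access_type": "Both", "realms": ["General Info"]},
    {"username": "$$svc:inventory-reader", "access_type": "Remote",
     "realms": ["Hardware Asset"]},
    {"username": "hbc-setup", "access_type": "Remote",
     "realms": ["PT Administration"], "runs_configurator": True},
    {"username": "HelpDesk01", "access_type": "Local", "realms": ["Event Log Reader"]},
]

if __name__ == "__main__":
    for user, findings in lint_profile(SAMPLE):
        print(user, "->", findings or "ok")
```

The PT Administration finding is a review flag rather than an error: the realm is valid, but the entry should be one that is meant to hold every realm.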