Log in as the System Manager or another account that has permission to create roles.
Users and Groups > Roles > Privileged Access Roles > Create Role
Create a copy of an existing role, picking one that matches the endpoint type you want to scope. Example: Windows Agentless Privileged Access Role.
Change the Name and Description.
On the Members tab you define the Member Rule and the scoping rules.
On the left side of the member policies, choose the Edit button.
Modify: Which users are members of this role?
This can be an AD group or a specific set of users; it defines who gets access through this role.
The example above shows that anyone who is a member of the AD group Restricted Access SAM becomes a member of the role.
Next, define the scope rules. These determine which privileged accounts the members defined in the Member Rule (here, the AD group) are given access to.
There are many ways to scope access, but the most basic are the Endpoint and Privileged Account options. Scoping by Endpoint restricts the role to a specific endpoint; if that endpoint has accounts of two different types, the role's members get access to both. The Privileged Account option lets you scope on custom fields of the account.
The example shows that if the Endpoint Type is Windows Agentless and the privileged Account Name is OU1Group1User109, the groups defined in the Member Rule will have access to that account.
Now when a user in the AD group 'Restricted Access SAM' logs into Enterprise Manager they will see ONLY this account, based on this role. (Unless, of course, other roles also grant this user access to accounts: a user's effective access is the union of every role they are a member of, so check the user's other role memberships before assuming the scope is really this narrow.)
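As an added illustration (not the product's own code or API), the following Python models the role logic described above: a Member Rule that matches AD groups, scope rules on Endpoint Type, Endpoint and Account Name, and the union of access across every role a user belongs to. The role names, the AD group 'Windows Admins', the host names and every account other than OU1Group1User109 are constructed sample data.

```python
"""Model of privileged-access role evaluation (illustrative; not the product's code).

A user is a member of a role when any of the user's AD groups appears in the
role's Member Rule. A privileged account is in a role's scope when it matches
every scope criterion the role sets (an unset criterion matches anything).
Effective access is the union over all roles the user is a member of.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedAccount:
    endpoint: str        # host the account lives on
    endpoint_type: str   # e.g. "Windows Agentless"
    account_name: str    # the privileged account's name


@dataclass(frozen=True)
class Role:
    name: str
    member_groups: frozenset                       # Member Rule: AD groups
    scope_endpoint_types: frozenset = frozenset()  # empty = any endpoint type
    scope_endpoints: frozenset = frozenset()       # empty = any endpoint
    scope_account_names: frozenset = frozenset()   # empty = any account name

    def is_member(self, user_groups):
        """Member Rule: the user belongs to at least one listed AD group."""
        return bool(self.member_groups & user_groups)

    def in_scope(self, acct):
        """Scope rule: every criterion that is set must match the account."""
        return (
            (not self.scope_endpoint_types or acct.endpoint_type in self.scope_endpoint_types)
            and (not self.scope_endpoints or acct.endpoint in self.scope_endpoints)
            and (not self.scope_account_names or acct.account_name in self.scope_account_names)
        )


def effective_access(user_groups, roles, accounts):
    """Map each account the user can reach to the set of role names granting it."""
    granted = {}
    for role in roles:
        if not role.is_member(user_groups):
            continue
        for acct in accounts:
            if role.in_scope(acct):
                granted.setdefault(acct, set()).add(role.name)
    return granted


def account_names(granted):
    """Sorted account names from an effective_access() result."""
    return sorted(a.account_name for a in granted)


# Constructed sample inventory: hosts and accounts other than OU1Group1User109 are made up.
ACCOUNTS = [
    PrivilegedAccount("win-srv-01", "Windows Agentless", "OU1Group1User109"),
    PrivilegedAccount("win-srv-01", "Windows Agentless", "Administrator"),
    PrivilegedAccount("lnx-srv-02", "Linux", "root"),
]

# The role from the walkthrough, plus a hypothetical broader role to show overlap.
ROLES = [
    Role(
        name="Restricted Access SAM Role",
        member_groups=frozenset({"Restricted Access SAM"}),
        scope_endpoint_types=frozenset({"Windows Agentless"}),
        scope_account_names=frozenset({"OU1Group1User109"}),
    ),
    Role(
        name="Windows Admins Role",  # hypothetical second role granting all Windows Agentless accounts
        member_groups=frozenset({"Windows Admins"}),
        scope_endpoint_types=frozenset({"Windows Agentless"}),
    ),
]

if __name__ == "__main__":
    for groups in (frozenset({"Restricted Access SAM"}),
                   frozenset({"Restricted Access SAM", "Windows Admins"})):
        granted = effective_access(groups, ROLES, ACCOUNTS)
        print(sorted(groups))
        for acct, via in sorted(granted.items(), key=lambda kv: kv[0].account_name):
            print(f"  {acct.endpoint}\\{acct.account_name} via {sorted(via)}")
```

A user who is only in 'Restricted Access SAM' resolves to the single account OU1Group1User109; adding membership in the hypothetical 'Windows Admins' group makes the same account reachable through two roles and exposes Administrator as well. When auditing what a user can actually see, enumerate every role whose Member Rule matches them rather than inspecting one role in isolation.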