Bigfix Action Restriction

Hi,

I would like to ask if there’s a way to restrict the first two radio options whenever a team member initiate a bigfix action.
1)Select devices
2)Dynamically target by property
3)Enter device names

If possible, only the 3rd radion option is Enabled(3) Enter device names

Thanks.Bigfix Take Action options

I must ask: what is the use case here whereby you would want to disable the first 2 targeting options?

Hi Aram,

Or perhaps radio option #2 can be Disabled, we had an issue during Patching, radio option was accidentally selected and when the OK button was click it automatically search all Windows platform devices, installed the patch then Reboot the Servers as well as the desktops. The deployment as planned should be in staggered basis base on schedule and version of Windows - as we did on the previous patch deployment.

So I think the issue is when you click the “Dynamically by Property” button, “All Computers” is selected by default.

There is a way to have it pop-up a summary preview before the action runs, including an estimated number of computers affected.

1 Like

Note also that with v10, we changed the targeting behavior in the Take Action Dialog to avoid selecting ‘All Computers’ by default. Please see BigFix 10 Platform is now available! for reference.

1 Like

Hi Jason,

Appreciate if you can share the steps on how to implement to have a pop-up summary preview? is it a fixlet? We’re using 9.5 version by the way.

That would be requireConfirmAction, an option configured via BESAdmin, described at
https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_list_of_advanced_options.html

Many Thanks! I’ll take a look on this.

Hi Jason,

I’ve checked and saw the details with regards to Pop up confirm a summary every time an action is taken.

requireConfirmAction
If set to “1”, every time an action is taken a confirmation pop-up window with a summary of the action details is displayed. The information listed in the pop-up window is:
Action Title
Estimated endpoints targeted
Start time
End time

We need to Disable the option #2 radio "Dynamically target by property.

In the HCL help portal, I saw an entry only to disable Computer Name Targeting.

disableComputerNameTargeting
If set to “1”, the third radio option “target by list of computer names” is removed on the targeting tab of the take action dialog.

As far as I know, there’s not an option to disable dynamic targeting.

Usually we would want to disable static targeting instead - static targeting, especially at large scale, can be detrimental to the platform performance and database health.

In both BigFix 10, and 9.5.15 (I’m told), we change the console Dynamic Targeting so when it is selected, ‘All Computers’ is no longer the default.

There is actually a way to disable dynamic targetting - it was something we requested after a similar issue several years back. It’s via advanced options: disableNmoDynamicTargeting = true and when enabled the 2nd checkbox is disabled for ALL regular operators (it’s still there for Master Operators). The setting was delivered based on specific request and that is why it was never officially documented but it does work!

The problem we are facing is the fact that per best practices you should not be setting open policies with MO accounts because there is performance implications, however, we need some policies set with NMO and to do that we have to lock the environment (so nobody takes advantage of the restriction lifting), change the value of the advanced option to “false”, login with NMO account, create/update policies as need and set everything back. We did have an RFE to enhance this setting and make it configurable per User Role instead of just all NMO but since it was only impacting us, it never went anywhere so to this day the above is the painful process we go through while updating/creating any open policies (several times a month at least).

Hope this helps you!

1 Like

Thanks ageorgiev.

Just a quick clarification, Once this is Implemented, this doesn’t affect the ‘Master Operator’ ?

Correct. MO will still see it just like without it, the restriction is for NMO only.