Bigfix Remote Control View Rights

Hi bigfixers.

Is there any setting in the BigFix Remote Control that limits the view rights the operator has?

In my example, I have an external company that wants to utilize our remote control but I only want them to be able to see their targets.

If this is not possible, is this in any future plans? This would be a key factor for us to sell the product as software as a service.

Best Regards
Bjarni Guðmundsson

It’s definitely possible to set up roles & restrictions. If I recall correctly, setting up the user roles and the restrictions is done in the Remote Control web interface, while assigning the computers to their group would be done in the BigFix console as part of the configuration file you use when deploying the client to their machines.

It will be some time before I have a chance to dig into the details, but hopefully that helps get you started.

1 Like

As stated by @JasonWalker this is indeed possible.
You can restrict the permissions of one User group to a specific Target group. Of course the Target group must contain only the wanted computers.

This can be achieved by creating a permission pair User Group <-> Target Group by clicking on User Group -> All User Groups -> “select a user group” -> Manage Permissions -> “select a Target group” -> Submit. In order to enable the permission just check “Enabled” then “Submit” again.
Also you need to:

  • Delete or disable all the other pairs which link the user group to other unwanted Target groups, like Default Target Group.

  • Make sure that the Target is only part of the wanted Target group by checking the Target membership.

  • Make sure that the Users belong only to the wanted User group by checking the User membership. Note that if you have LDAP enabled you can only deselect the local groups, while the membership of a remote group is defined in the LDAP server, and even if you change it locally it will be overwritten once the server syncs again with the LDAP server.

About the listing of the Targets, instead, you have less control, and although this is a very demanding feature, this hasn’t been implemented yet. This means that the operators can still list all Targets unless you manually disable the “All Targets” report page for users and tune some settings on the server.

I suggest you open an “idea” (request for enhancement) on this portal:

https://bigfix-ideas.hcltechsw.com/ideas?project=BFLCM

Anyway you can set these settings on the server (Admin -> Edit properties file) in the trc.properties section:

view.all.targets.auth = A
browse.targets.auth = U

This will disable the “All Target view” for non-admin users and enable the “Browse” entry in the “Targets” menu for all users.

It must be noted that a non administrative user can still use the “Search” function under Targets. In order to prevent wildcard searches you need to set:

target.search.minimum.nonwildcards = a value greater than 1
target.search.maximum.wildcards = 0

In this way you need to enter a full string instead of using * (searches like 192.168.* or Windows* won’t be allowed).

Last but not least you can set the home page for the specific User group to a report different than “All Target” by following this procedure:

https://help.hcltechsw.com/bigfix/10.0/lifecycle/Lifecycle/Remote_Control/RC_Admin_Guide/rcadmedithomepage.html?hl=change%2Cuser%2Cgroup%2Chome%2Cpage

The Browse feature can be inconvenient if you have many Targets so you can create in this case a custom report which lists all Targets in a specific Target Group and set it as home page for the specific User Group. You can leverage this SQL:

SELECT DISTINCT
    A.HWKEY,
    A.COMPUTERNAME,
    B.IP_ADDRESSES,
    B.LOGGED_USER,
    A.MANUFACTURER,
    A.MODEL,
    A.SERIAL_NO,
    B.LAST_UPDATE
FROM ASSET.ASSET A
LEFT OUTER JOIN COMMON.LIVEPOINTS B ON A.HWKEY = B.HWKEY
LEFT OUTER JOIN COMMON.GROUPASSETMEMBER G ON A.HWKEY = G.HWKEY
WHERE G.GAKEY IN (1, 3)
ORDER BY A.HWKEY

You need to substitute 1 and 3 with the Target Group IDs that you want. The IDs are reported in the All Target Group page.

This is the procedure to create a custom report:

https://help.hcltechsw.com/bigfix/10.0/lifecycle/Lifecycle/Remote_Control/RC_Admin_Guide/rcadmcreatecustomreport.html?hl=create%2Ccustom%2Creport

1 Like
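An added example, not part of the posts above and not HCL code: a small Python check that a copy of the trc.properties text carries the four settings recommended in the answer, so drift back to a permissive value is caught after later edits. It assumes the properties text has been copied out of Admin -> Edit properties file; the function names and the sample input are hypothetical.

```python
import re

# Values recommended in the answer above. The page gives no fixed value for
# minimum.nonwildcards, only "greater than 1", so that key is range-checked.
EXPECTED = {
    "view.all.targets.auth": lambda v: v == "A",
    "browse.targets.auth": lambda v: v == "U",
    "target.search.maximum.wildcards": lambda v: v == "0",
    "target.search.minimum.nonwildcards": lambda v: v.isdigit() and int(v) > 1,
}

def parse_properties(text):
    """Parse key=value / key:value lines; skip blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()  # last occurrence wins
    return props

def audit(text):
    """Return {key: problem} for every setting that is missing or deviates."""
    props = parse_properties(text)
    findings = {}
    for key, ok in EXPECTED.items():
        if key not in props:
            findings[key] = "missing"
        elif not ok(props[key]):
            findings[key] = "unexpected value %r" % props[key]
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
# trc.properties excerpt (constructed)
view.all.targets.auth = U
browse.targets.auth = U
target.search.minimum.nonwildcards = 1
"""

if __name__ == "__main__":
    for key, problem in audit(SAMPLE).items():
        print(f"{key}: {problem}")
```

An empty result from `audit` means all four settings match the values given in the thread; a missing key is reported separately from a wrong value because the page does not state what the server does when a key is absent.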