In version 8 we can now specify which computers to subscribe to a custom site by matching conditions you specify (much like an ad-hoc custom site subscription). I’m interested in changing our deployment to use this mechanism for site subscription since it’s easier to determine what properties are evaluated to determine site subscriptions. We have around 40 sites (one for each department). In version 7 I had automatic computer groups set up and then used these automatic groups to subscribe workstations to sites. This worked fine in version 7. With the new version I noticed that if I select the 4th option in the Computer Subscriptions tab, “Computers which match the condition below”, operators that have rights to these sites can change these conditions, effectively breaking the security boundary since they could specify an Active Directory path for another department. We have operator account delegation set up to go by the retrieved property “subscribed sites”.
Is there a way to prevent operators from modifying these values but still have access to add content to a site?
Right now we are delegating rights by the retrieved property “subscribed sites”. If an operator goes into their custom site for their department, selects the Computer Subscriptions tab and modifies the Active Directory path or adds an additional one, they will gain access to another department’s computers, since that modification will make another department’s computers subscribe to the site, effectively giving them permissions over those endpoints because we have delegation set up based on what sites the computer is subscribed to.
Hmm… I think you spotted a bug… The problem appears to be not a permissions issue, but a UI issue… Non-master operators are not supposed to be able to change computer subscriptions, but it looks like the UI allows it… But although it lets you propagate the change, it doesn’t actually change the agent permissions (agents will only listen to operators that manage them, so if a non-master operator tries to add new agents to a site, the unmanaged agents won’t listen to the command).
This is something we need to fix, but it looks like it is more of a display issue on the surface… we will continue to investigate…