Configuring Compliance 1.9

Usage and Config
1

Ok, so I’m installing Compliance 1.9.7 on a new host and the setup doesn’t look like the guide. The page at IBM Documentation, linked from the Compliance 1.9.7 installation fixlet, has a screenshot that looks like this:

My new setup has a screen that looks like this:

Capture.JPG936×703 67.6 KB

This brings up several questions to me -

  1. When connecting to the BigFix Database Server, what permissions are needed on the Compliance service’s account? I am planning to go with only “public” and “db_datareader” roles on the BFEnterprise database…

  2. Is the requirement for a Console Operator account new? What permissions need to be assigned to the Console Operator account? Subscribed Sites? Subscribed Computers? Custom Content? Create Actions? I found no reference in any of the guides I could find as far as requiring a console operator account.

  3. What permissions are needed on the Web Reports database?

2
  1. I usually ask for the SQL USER or Windows account to be listed explicitly as DBO on the BFEnterprise Database.
  2. Console Operator account is relatively new. It allows for usage of the REST API to take action within tema which is the analytic framework that sits below compliance and inventory. Within Inventory it can do quite a bit like modify settings, take actions, schedule scans, etc. I believe the primary function in Compliance would be to pull data/information in similar to the database link. I usually create a REST_API BigFix userid that has the ability to create custom content, and can administer all machines in a POC. ( I use this in a few places.)
  3. I believe the web reports is really just for user federation. IE. you would not have to create a new user, rather the user could use the same one they did from web reports.
    -typing.
    -jgo
1 Like
3

Hopefully I can finish the installation tomorrow and dig in to the privileges. I’m concerned with ensuring a Compliance user cannot make changes to the endpoints - we’re planning to give auditors acces to Compliance but expect them to be read-only.