Console operators with same roles see different devices

Hi,

I am having an issue pinpointing the cause of this situation:
we have a number of BigFix LDAP operators (non-master). They all have the same roles and the same sites assigned, but the number of administered computers differs (range between approx. 3400 and 5700).

Effective permissions are set to show all for unmanaged assets for all.
Although there are differences in Explicit Permissions, none of them are less restrictive than the effective ones (e.g. some have Yes set for Can Create Actions, but it was already Yes via effective inherited permissions).

I do not think this is caused by part of the devices not having reported since the operator was created, as a specific older operator can only see 3000+ devices (as opposed to 5000+) to which he should have access.

They do not have any rules for Computer Assignments.

Any ideas what the issue might be here?

Thank you!

This may be an entirely different issue, but I’ve had issues with computer assignments using roles and AD groups. There have been a couple of instances where some/most operators were losing most of their managed computers. The operators still showed as belonging to the correct roles and the roles showed the correct computer assignments. I noticed that if a user was explicitly assigned to a role, instead of by AD group, then they were not affected. This has only happened a couple of times over the course of about a year and only since we activated a secondary DSA server. I haven’t bothered opening a PMR.

To remediate, I removed the AD group(s) from the role, saved it, then re-added the group(s). I also manually assigned some of my power users to roles instead of allowing it to be managed by AD groups. And I set up a web report to alert me if any operators fall below a certain number of managed computers.

I would try removing and re-adding your users or groups from the roles and see if that makes a difference.

I also occasionally have the same problem.

Non-Master Operators are added to Active Directory groups to join various Roles. Occasionally someone will lose control of a large number of their computers.

To fix their access I remove them from the AD Group, send a blank action to the computers associated with the Role, wait a few minutes, then add them back to the group and repeat the blank action.

Recently, our AD management group replaced several of our Domain Controllers, and we had a large number of Console Operators lose computers.

I usually only see no more than one or two users a year with the problem.


I have this same issue (running 9.5.6.63) with both local and LDAP users. Is there any solution available?

Not beyond what I listed as my “fix” when it happens. Take the user out of the AD group, send a blank action, put the user back into the group, and send another blank action.

It has always worked, it’s just a pain!

I don’t see it happen very often, but it’s been doing it for years. I can’t isolate the source of the problem. Is it a BigFix problem or an Active Directory problem? It happens too infrequently for me to be able to tell.

This is happening to us ever since we added a backup 2 and backup 3 LDAP server after implementing DSA. It’s widespread across all roles and LDAP users. I temporarily resolved the issue by deleting the role, recreating it, and then adding the LDAP OU back to the role. This resolved the issue for only about 15 to 20 minutes, and then poof, all the computers fell off of each operator’s assigned computer list, yet the Role itself still showed all computers assigned. I’m not sure what to do. Did this ever get solved? I’m thinking I just have to open a PMR and temporarily disconnect the backup2 and backup3 LDAP servers.


If you run this besadmin.sh command, you don’t have to delete and recreate Roles.
http://www-01.ibm.com/support/docview.wss?uid=swg21993209
This doesn’t solve the underlying problem, but it saves time troubleshooting.

I actually have this issue; I already did the procedure @GAllen mentioned, with no success.

We have not solved this issue yet either. We had to disable DSA to make LDAP function on our primary server. We are in the process of updating to 9.5.9 across all domains and applications. We have hopes that it will fix this issue.

I think an important point to consider is the LDAP connectivity from the primary server. In my case I had a poor experience when I tried to use different LDAP servers based on the sites in which each DSA was hosted, but I think the role propagation all runs from the primary server only. Would love some IBM / HCL comment on that.