Default Operator permissions

We use a least-privilege administration model so new operators have no rights until they are assigned to a role. Most of our operators just issue patching actions, so there is no need for them to have custom content, locking, REST API access, etc. We were using AD groups in roles until a few months ago, when an AD hiccup caused a lot of our operators to lose rights to assigned computers and content. The only fix was to delete and manually re-create the operator’s LDAP account in the console. So we’ve abandoned using the LDAP groups so this does not happen again, and we are manually creating new operators. We only have a dozen or fewer each month, but for the most part the operators remain static. However, some of our MOs forget to remove the permissions when creating accounts.

Does anyone know if there is a way to change the default permissions that are applied when a new Operator is created in the console? Instead of them having all permissions turned on we would like to have them all off by default.

Probably not the answer you’re looking for, but it seems like getting LDAP to work consistently is still your best option.

If not, can you use the REST API to create your operators?

To mirror @jhickok’s suggestion what I would probably do is create roles to grant the permissions and write a script using the REST API to set every operator’s explicit permissions to none each day/hour.

We pretty much have the roles already in place. Using the REST API to reset the permissions is an interesting idea. I would imagine that it would only need to be run once a week or even on demand, considering the accounts stay relatively static once created.

I did find the stored proc in SQL for creating operators where I could change the settings but I don’t think I want to go down that road.

Thanks for the suggestions!
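An added example, not code from any poster in this thread or from the product: a sketch of the audit half of the reset script suggested above, which finds non-master operators whose explicit permissions are not all off and builds the body a reset call would send. The XML layout, the element names (`CustomContent`, `CanLock`, `ApiLogin`, `MasterOperator`) and the sample operators are assumptions constructed for illustration, not the product's documented schema; fetching and submitting over the REST API is left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; layout and element names are hypothetical.
SAMPLE = """<Operators>
  <Operator><Name>patch-op1</Name><MasterOperator>false</MasterOperator>
    <CustomContent>false</CustomContent><CanLock>false</CanLock><ApiLogin>false</ApiLogin></Operator>
  <Operator><Name>patch-op2</Name><MasterOperator>false</MasterOperator>
    <CustomContent>true</CustomContent><CanLock>true</CanLock><ApiLogin>true</ApiLogin></Operator>
  <Operator><Name>patch-op3</Name><MasterOperator>false</MasterOperator>
    <CustomContent>false</CustomContent><ApiLogin>false</ApiLogin></Operator>
  <Operator><Name>master-admin</Name><MasterOperator>true</MasterOperator>
    <CustomContent>true</CustomContent><CanLock>true</CanLock><ApiLogin>true</ApiLogin></Operator>
</Operators>"""

# Explicit permissions every non-master operator should carry; rights come from roles only.
BASELINE = {"CustomContent": "false", "CanLock": "false", "ApiLogin": "false"}

def find_drift(xml_text):
    """Return {operator: {permission: current value}} for non-master operators off baseline."""
    drift = {}
    for op in ET.fromstring(xml_text).iter("Operator"):
        name = (op.findtext("Name") or "").strip()
        if (op.findtext("MasterOperator") or "").strip().lower() == "true":
            continue  # master operators are out of scope for the reset
        off = {}
        for perm, want in BASELINE.items():
            have = op.findtext(perm)
            # A missing element counts as drift: new accounts default to "on",
            # so absence must not be read as "off".
            have = "<missing>" if have is None else have.strip().lower()
            if have != want:
                off[perm] = have
        if off:
            drift[name] = off
    return drift

def reset_document(name):
    """Build the XML body that would put one operator back on the baseline."""
    op = ET.Element("Operator")
    ET.SubElement(op, "Name").text = name
    for perm, want in BASELINE.items():
        ET.SubElement(op, perm).text = want
    return ET.tostring(op, encoding="unicode")

if __name__ == "__main__":
    for name, off in find_drift(SAMPLE).items():
        print(name, off, reset_document(name))
```

Running the audit on its own first, and logging which operators drifted, also shows which accounts were created without the permissions being removed.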