I have a list of users and added them to a new Operator Role MyRole.
I removed all the users permissions and gave rights only to the Operator Role.
External Sites > BES Support. I do not want this MyRole to have access to this site or at the very least deploy fixlets from it
Under the site I applied the deny to MyRole. Under the role permissions tab.
Under the site operator permissions the grant read permissions globally checkbox is greyed out.
The read overrides the deny so all users can use the BES Support site.
I want to deny people permissions to the BES Support Site. How do I do this?
You should go through the BES Support site and Globally Hide any specific items you don’t want non-master operators to have access to. You should consider keeping some of them around depending on their utility.
You can make custom copies of specific items in the BES Support site into a custom site, then give only certain operators access to that site if you want to disable the use of them by most users, but still make it available for a limited set of non-master operators. This approach will not work for the Locking and Unlocking fixlets, as the Unlocking fixlet can only be run from BES Support.
I’m not actually certain if a non-master operator would be able to take action on a Globally Hidden item with the REST API.
You would definitely need to test this.
One thing would be list all fixlets/tasks in a site with Globally Hidden content as a non-master operator and see if it shows up. It might not.
The other thing to do would be to test Taking an Action as a non-master operator with a sourced fixlet id equal to one of the ones that are hidden. I would test this even if it doesn’t show up with the REST API because I could see this potentially working.
The roles have this feature as well but it is an all or nothing access, there will be a day soon when clients ask for API access and I need to do that granularly, IBM has stated they are working on the security model for this product, hopefully, the granularity gets bumped.
@forrest: I’m not sure if this fits your workflow or what your users need, but if all you’re looking to do is give specific users only access to specific custom sites but also exclude BES Support (in addition to other custom sites), you could give the WebUI a spin? By default users in the WebUI don’t see the stuff in BES Support (even though the same users on the thick console would be able to see BES Support Content).
They would be able to see all actions taken against devices they had management rights over, including actions in BES Support (but they wouldn’t be able to access the source or take BES Support actions on their own)
I believe there is a way to make “BES Support” not default for all users. In the below table of BF DB search for the site and modify the the column “AllOperators” value to 0.