(imported topic written by nzim)
In our server environment, we have several different support groups which are each responsible for a certain subset of services and applications – for example, a database admin team, an Active Directory team, and a server operations team (that handles general OS maintenance), all with BigFix accounts.
Our server operations team uses BigFix to deploy most fixlets to their servers, but should not deploy SQL or AD patches, as in this case, the database and Active Directory teams are responsible for testing and deploying those. We’re exploring options for a way to help avoid deployments of fixlets by groups that should not address those products.
We understand that one option would be to create new custom sites and copy individual patch content to the sites, divided by role, but this creates quite a bit of repeated manual intervention to ensure that the custom sites are kept up-to-date as fixlets are released or modified by BigFix. We have also used Baselines to help define a “whitelist” of recent fixlets to deploy, but due to baseline component size limitations, they can’t help with “catching-up” a system.
Because of that, we’ve been looking at the option of duplicating locally hidden content definitions from the BFEnterprise database (table USER_FIXLET_VISIBILITY). Our thoughts are around having a dummy user for each role, and locally hiding fixlets that aren’t needed for that role. We’d then look at automating a process to replicate the locally hidden content definitions for that user against our list of other users in that similar role.
Has anyone else considered a situation like this or worked on a process for automating fixlet visibility for a group of users?