Groups for administration and management

(imported topic written by SystemAdmin)

Hi all,

I have a question about best practices for grouping. We are a global organization with about 16 sites. Our ideal grouping of systems would look something like this:

Each site has a “top level group” and each of those groups have subgroups called Office, Lab, Factory, Server looking like the below:

City name:

Office

Lab

Factory

Server

City name:

Office

Lab

Factory

Server

This would then be used to manage deployment of patches, products, reporting, setting up local BES administrators permissions to have access to the systems they are responsible for. This could be a site (city) or a subgroup like Factory under one specific city. Does someone have a best practices, or a recommendation for how to accomplish this? Any help would be greatly appreciated!

(imported comment written by BenKus)

Hi TonyK,

If I understand your scheme properly, I would do this:

  • Use the “location by subnet” wizard to make a “City” property. (Assuming you can identify cities based on subnet).
  • Create another property called “system group” (or whatever you want) and then your property can identify whether it is a office, lab, factory, or server… Which brings up the question of how does the computer know where/what it is?

With this approach you can filter on “by City > by System Group” or vice versa…

Ben

(imported comment written by SY57_Jim_Montgomery)

This post has a very similar discussion:

http://forum.bigfix.com/viewtopic.php?id=4415

(imported comment written by SystemAdmin)

The computers for Office, Factory, Lab, etc are further subneted within the site subnet. So is there just no way to create a retrieve group that will show up under the “By Retrieve Properties” folder structure when looking at computers?

Do I understand right that I would have to use the location wizard, create the retrieve properties, then create automatic groups for deployment and management?

To that end, if a user has access to an automatic group (and that group only) would he then be able to deploy fixlets to that group, but not other computers?

Thanks in advance for the help Ben.

(imported comment written by BenKus)

Hi Tony,

I would avoid groups altogether and just make properties…

If you know the subnet or IP ranges for these systems, then you can just run through the Location By Subnet wizard twice (once for the city, once for the system type). This will give you the ability to filter under the “By Retrieved Property”…

But I am wondering if we are misunderstanding each other here…

For your group question, you can grant operators access to computers based on properties or groups… They can only deploy actions to computers that they can access.

Ben

(imported comment written by SystemAdmin)

OK, so the access makes sense as far as users go. Here is what I’m missing; we have configured a location by subnet property via the wizard. When I look at “By Retrieved Properties” group of folders under All Computers when looking at the computers tab, I don’t see that as a “folder”

Now, If I go to setup an automatic group for example, I do see our custom property as an item when setting the configuration for “Include computers with the following property:”. Is there a way to see those properties in the “tree structure” under the computers tab?

(imported comment written by SystemAdmin)

Also, another issue with not using groups is that we haven’t found a way to report on the sites without groups. From what we have looked at, I can’t get reports for individual sites on properties… or are we missing something there too?

(imported comment written by BenKus)

Hi Tony,

Right click on your tree or the property headers in the console and you can check the box to see “Location by Subnet” as a visible property.

Ben

(imported comment written by SystemAdmin)

Thanks Ben, now that makes sense. So can you build reports on properties? That’s the other major thing we are having an issue with.

(imported comment written by BenKus)

Can you explain more about the reports that you are looking for? I don’t think I fully understand.

Ben

(imported comment written by SystemAdmin)

Basically we need to report on each site not only as a whole to compare them to each other, but individually from a patch compliance perspective. So for example; need to report not only on New York, Texas, etc as a whole but also on the Factory group for New York… or the Server group for New York. And even on the Factory groups at each site compared against each other. That kind of thing.

This kind of comparison and metrics are critical for us.

(imported comment written by BenKus)

You might try the Issue Compliance report that lets you group by property and see if that is close to your needs…

Ben