I have a situation where I would like to implement Four-Eyes authentication. We have a 24/7 Operations Center that needs to have the ability to Stop actions deployed by other Console Operators who might be out of the office.
We currently use SAML Authentication to access BigFix, so does anyone know if Four-Eyes works with SAML Authentication?
While I myself have not specifically tested this configuration, at first thought, I don't see why it wouldn't work.
That said, I'm not entirely sure I follow the scenario. Operators can be configured to be able to stop other operators' actions without the need for Four-Eyes (in fact, they're quite separate use cases). For reference, please see "Stop Other Operators' Actions" section of the following link: https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Console/c_adding_local_operators.html.
Also, with regard to SAML authentication, are you referring to logging in with Windows session credentials? With Four-Eyes, the approving user will need to supply (type in) their credentials.
@Aram The Primary goal is to give Operations the ability to Stop any "rogue" actions, and potentially deploy actions to any computer in the event of an emergency. The use of "Four-Eyes" authentication is more an attempt on my part (at the request of our ISO) to keep the Operations folks in check a bit when it comes to using their MO accounts.
The scenario I'm dealing with regarding Stopping of Others' Actions is that we have a LOT of Roles defined in our environment and I've had trouble getting Action stopping to work properly in all cases with some of the Console Operators. Documentation indicates that you need to have matching Roles for the ability to stop another Console Operator's actions, and up to now, I've not tried adding someone to ALL the Roles.
If someone can tell me that simply adding the Ops folks to ALL the Roles would resolve the issue then I would be thrilled!!! My concern then is Actions deployed from content that is in a Console Operator's Personal site. Would Operations be able to stop those actions?
I would LOVE to find a way to keep Operations out of the Master Operator role if at all possible.
My understanding is that if you added an operator to all roles, they should be able to stop any actions except those issued by Master Operators.
That is, assuming that everyone else's permissions are assigned by roles... if you had operators that had machine permissions explicitly configured on the operator without using a role, your mileage may vary.
Ok, I just got around to testing Four Eyes Authentication when SAML Authentication is being enforced.
I created a Role "Four Eyes Authentication" and added LDAP Groups to it.
I then opened the Operator account for one of my "Test" environment Master Operators and assigned the "Four Eyes Authentication" role as the required Authenticators for the user. I then logged in as the user I configured for Four Eyes, using SAML to authenticate, and when I attempted to deploy an action, it gave me the following ...
It doesn't work the way I hoped it would. It displays a basic Authentication dialog box and no matter what you enter, it results in an "Approver credentials need to be for a local user." message.
Guess I'm going the route of adding the Operations folks to all the Roles and removing their Master Operator rights. Not that I'm terribly sad about reducing their rights, I just wish SAML authentication worked with Four Eyes. Maybe I'll add a Feature Request for this since I still don't want Operations running rampant inside BigFix. (Paranoia is a terrible thing, unless someone really is out to get you!)