Multi-tenanted permissions

Hi all,

How do others configure permissions for console users in a multi-tenanted environment?

I tried to set up a new role and give it access only to a custom site for that specific customer, but after logging in to the console, I can see ALL groups across all sites.
It does at least lock down visibility to only the computers in the site I specified, which is expected. But I can’t allow users to see other group names as they identify customer names. Is there a way to hide All Computer Groups?

Another concern I have is that where there is a user that manages multiple tenants/customers, it’s potentially easy to make a mistake and push out a fixlet (and restart) machines in the wrong group. How do others mitigate this?

Groups in the Action Site should be visible to all console operators.

Groups within a Custom Site should only be visible to operators with read access (or more) to that particular site.

You want to create custom sites for each tenant and create a group within that site that contains all computers within that site.

The computers that an operator sees and the computers subscribed to a site are not directly tied to each other, though they often are the same in cases like these… but you should realize that giving someone access to a Site DOES NOT give them access to any computers. You assign these rights separately, even if you may assign them identically.

For example, you could have a shared site called “Windows/Servers” which contains shared content for use on Windows servers and make that available to all operators and have “all” computers subscribe to it, but operators would only be able to use the content on computers they manage.

There isn’t really a good way to entirely prevent this from happening, but you can enable a message that pops up in the console before running something that says some info for review to make it more likely the operator catches the error.

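The reply above states two separate rules: which group names an operator sees (Action Site groups always; custom-site groups only with read access to that site) and which computers an operator can actually target (only computers assigned to the operator that are also subscribed to the site). The following Python model is an added example written for this thread, not BigFix code or anything from the original posts; the site names, group names, computer IDs and operator names are constructed, and the `plan_action` pre-flight check is a hypothetical illustration of the "review before you push" mitigation rather than a real console feature.

```python
from dataclasses import dataclass

# Name of the shared master site; its groups are visible to every console operator.
ACTION_SITE = "ActionSite"


@dataclass(frozen=True)
class Site:
    name: str
    groups: tuple          # group names defined inside this site
    subscribers: frozenset # computers subscribed to this site


@dataclass(frozen=True)
class Operator:
    name: str
    site_access: frozenset       # custom sites the operator has read access to
    managed_computers: frozenset # computers assigned to the operator (granted separately)


def can_read_site(op, site):
    """Action Site is readable by everyone; custom sites need explicit access."""
    return site.name == ACTION_SITE or site.name in op.site_access


def visible_groups(op, sites):
    """Group names the operator sees in the console: only from sites they can read."""
    return sorted(g for s in sites if can_read_site(op, s) for g in s.groups)


def actionable_computers(op, site):
    """Computers on which the operator may run this site's content.
    Site access alone grants nothing; the computer must also be managed by the
    operator and subscribed to the site."""
    if not can_read_site(op, site):
        return frozenset()
    return op.managed_computers & site.subscribers


def plan_action(op, site, requested_targets):
    """Hypothetical pre-flight review: split the requested targets into those the
    operator may act on and those that are out of scope (wrong tenant, not managed),
    so a mis-targeted fixlet is caught before it is sent."""
    allowed = actionable_computers(op, site)
    requested = frozenset(requested_targets)
    return {"allowed": sorted(requested & allowed), "blocked": sorted(requested - allowed)}


# Constructed sample data: one shared site and one custom site per tenant.
ALL_COMPUTERS = frozenset({"a1", "a2", "b1"})
SITES = (
    Site(ACTION_SITE, ("All Computers", "Low-level relays"), ALL_COMPUTERS),
    Site("Customer A", ("Customer A - Workstations",), frozenset({"a1", "a2"})),
    Site("Customer B", ("Customer B - Servers",), frozenset({"b1"})),
)
SITE_BY_NAME = {s.name: s for s in SITES}

OPERATORS = {
    # Tenant operator: reads Customer A site and manages its computers.
    "ops-a": Operator("ops-a", frozenset({"Customer A"}), frozenset({"a1", "a2"})),
    # Site access but no computer assignment: sees group names, can target nothing.
    "auditor-a": Operator("auditor-a", frozenset({"Customer A"}), frozenset()),
    # MSP admin managing both tenants: the case where a wrong-tenant mistake is possible.
    "msp-admin": Operator("msp-admin", frozenset({"Customer A", "Customer B"}), ALL_COMPUTERS),
}


if __name__ == "__main__":
    for name, op in OPERATORS.items():
        print(name, "sees groups:", visible_groups(op, SITES))
    # The admin tries to push Customer A content at a Customer B machine by mistake.
    print(plan_action(OPERATORS["msp-admin"], SITE_BY_NAME["Customer B"], ["a1", "b1"]))
```

Running it shows that `auditor-a` sees the same group names as `ops-a` but has an empty actionable set, and that the admin's mixed-tenant target list is split so the foreign computer is blocked rather than silently restarted.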

You might use Four Eyes Approval feature, described here:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/Four+Eyes+Approval+Capability
Once this feature is enabled, console actions will require the approval of a console operator who is also a member of a specified “approver” Role.

Regards,
Vitaliy


Thanks guys.
I was able to sort out the groups, to an extent.
If I create a low-level relay group that isn’t in the master site, none of the other automatic groups in custom sites will have membership due to my rules, so I’ve left just that group at master and it’s all good.

I will also take a look at that approval feature.

Cheers

Thanks for the suggestion, I was hoping it was a great solution.

But, I tried this FourEyes Approval, and it’s terrible.
Very primitive and unfortunately doesn’t add much value.
It basically needs someone to sit next to the person while creating an action to watch what they click, and then approve on the spot.

Hopefully it will be updated one day to be of use in 2019 onwards, when so many people are remote workers, and also allow viewing logs (where is this in the console to see who approved?), and actually seeing which fixlets are selected (multiple) before approval (you have to click cancel and go through everything to see this).