Operator permissions per product

Is it possible to create an operator that only has permissions to deploy fixlets for a specific product?
i.e. DBAs only need to be able to view/deploy SQL patches,
SharePoint Admins only need to be able to view/deploy SharePoint patches, etc.

I can’t find a way of doing this, since permissions are applied at the ‘Patches for Windows’ site level, so they can see all Windows OS patches as well.

You can create custom sites and move the appropriate patches (or a baseline of those patches) from “Patches for Windows”/“Enterprise Security” to a custom site for SQL patches, SharePoint, etc. You then only give those operators permissions to the custom site and not to the external Windows Patch site.


I don’t know if this idea would work, but could you create a site and then add a baseline to that site containing the SQL fixlets, without having to copy them? Just thinking if there was a way to avoid using copies of fixlets, as those would then need to be deleted/recopied by an op with permission to the Patches for Windows site each time there is a fixlet update.


Great point about the baselines vs just copies of the fixlets.

Wouldn’t the operator need access to the baseline’s fixlets as well?

I did a very quick test in my lab. The op gets the “Source Unavailable” message for each baseline component the op does not have access to at the site level, but as far as I can see, as long as the op is able to manage the computers, the baseline can be deployed successfully.

The Baseline should be deployable, but it can be hard to determine ahead-of-time which components are applicable to each computer.

The Baseline will appear relevant to affected computers, but the Component Applicability tab will show ‘Unknown’.


Thanks for pointing that one out, @JasonWalker. I also see that in my test lab.

Guess it comes down to which is easier or better to implement and/or administer for the specific use case.

Thanks for taking the time to look into this.
I was hoping for something more automated so that whenever a new SQL patch is released it’s automatically available to the locked down group rather than having to manually add it to a baseline.

It doesn’t really help in a multi-tenanted environment where each customer has different requirements.