Am I missing something or is the permissions scheme with Patch Policy just dumb. As far as I can tell, only the MO can do anything meaningful? We have several roles where users handle different divisions, operating systems, servers/desktops, etc. For my Windows Server team, they handle all of the Windows Server patches, but nothing else. So for them to use the Patch Policy I have to give them all MO keys to the kingdom when they don’t and should not have that!
Yes, I’m afraid I think you’re missing something. As far as I recall Master Operator permissions are not required for any part of Patch Policy?
I’ll go review the docs again but I’m pretty sure that policies and schedules can be configured without MO rights.
I would be interested to know this, as well. It seems we need pretty much all of MO to do anything of note in Patch Policies.
Here is the doc I am referring to: Patch Policy Overview
And the excerpt in particular:
BigFix master operators (MOs) have full access to all Patch Policy functions. MOs can create, edit, delete, activate, and suspend polices, manage patch rollouts and schedules, and refresh policies when new patches are released. non-master operators (NMOs) can add, edit or delete a policy. NMOs can also add targets to an existing schedule, and remove targets from a schedule if they have relevant permissions.
So a non-mo can add/edit/delete but not activate, suspend or manage any schedules. Thats a non-starter for us.
Hi @paulhlee , you can provide granular controls to a role that has your NMOs associated with it. See this documentation linked below for more details on the WebUI permissions service where you can provide additional controls to a NMO role as depicted in the image below:
-Gus
1 Like