Read-only console user broken in 8.2

Usage and Config Platform
1

(imported topic written by PaulPhillabaum)

We upgraded to v8.2 and the console seems to be ignoring bypass key registry entry for our read-only console users.

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=207

Is there a workaround?

2

(imported comment written by BenKus)

Hi Paul,

I believe the new method to do this is to create console role that has read-only capabilities.

Ben

3

(imported comment written by PaulPhillabaum)

I’ve continued to work with this since I replied earlier. I’m still stuck. Without “reader” permission, the operator can’t see the site’s fixlet content. With “reader”, they can take action on the computers assigned to them.

To recap for those who have never used what I called the “read-only console user”, formerly you could give an operator access to the console with the ability to view any computers assigned to them, but they could not take any actions.

4

(imported comment written by BenKus)

Sorry for lack of detail…

In 8.2, we have added “FourEyes” functionality (this is very specific functionality that we expect a very small percentage of users to use), but you can use this functionality to a read-only user. Here is what you do:

  1. Open BES Admin Tool on the server (Start > Tivoli Endpoint Manager > Tivoli Endpoint Manager Administration Tool).

  2. Go to “Advanced Options” tab.

  3. Add a new advanced option with name “UseFourEyesAuthentication” and the value “true”.

  4. Go to the BigFix Console and create/edit a user. Check the box “Actions require approval”. This will prevent users from taking actions (without someone from the Approval group using it).

Ben

5

(imported comment written by PaulPhillabaum)

That worked great Ben.

6

(imported comment written by PaulPhillabaum)

oh my! I meant to say “That worked great Ben. Thanks!!”

7

(imported comment written by PaulPhillabaum)

Thanks Ben, but could you be more specific? I’m having trouble figuring out what role settings will replicate the previous read-only setup.

Do I assign the role to computers, but not give them any “site” access?

The BES Support site has a flag “Grant read permission globally” that the master operator can’t change from within the console. And operators with read permission “will be able to view this site and take actions based on its content”. But I can’t see a way to assign that site to a role, and then explicitly set its permission to none.