Remove Endpoints from Master Operators

NoDumbQuestions · January 17, 2019, 2:13pm

I want to “encourage” users who have Master Operator accounts to use their Non Master Operator accounts when taking actions on endpoints.

Is it possible to deny the MO access to any endpoint other than the BigFix server itself?

I realise that, even if there is a way to do this, the MO will be able to reset it, but that puts an extra step in the process so that they have to deliberately allow themselves to take action on endpoints before taking the action.

In this way, we can ensure that the user doesn’t forget that they are in the MO account and accidentally take action. Is there a way to do this?

Thanks

Aram · January 17, 2019, 2:15pm

By definition, Master Operators will have management rights to all endpoints (this cannot be changed).

For this scenario, I would suggest that one approach might be to enable the Four Eyes option for these particular users: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/Four+Eyes+Approval+Capability

NoDumbQuestions · January 17, 2019, 2:34pm

Thanks Aram,

Yes, that’s the suggestion I am leaning towards so far. It’s just a bit tricky when the MO’s are not colocated, as you are dependant on whether or not remote control facilities are available to allow the approver to approve the action.