(imported topic written by Shlomi91)
Hi,
i’d like to have an option for master operators to reset a BES Admin’s password from BES Console, or administration tool.
i know it is possible to change it from the DB side, but being able to change a BES admin’s password from a BES tool would save some time…
(imported comment written by SystemAdmin)
Hi Shlomi,
It would be hard to do password reset’s from the BES Console because of the private key infrastructure. You need access to the site level key file which you don’t want to expose to all BES Consoles. You also need to replace the BES Console operators key files and worry about storign them correctly which is easier to do centrally than from each BES Console.
The best solution to help you manage this situation is to keep a backup of all the Operator key files with a default password on them:
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=311
This way you just give the operator a copy of their original key files with the default password whenever they forget there password. If you want to you can give all your master operators access to the key file store. They can distribute the keys with the default passwords without needing access to BES Admin or the BES Console.
(imported comment written by rharmer91)
bump.
It’s nice that this tool is built around security, but there needs to be a compromise between security and functionality (the ability to maintain users). A good for instance… Our company has just gone through a re-org and now the people who were the administrators of BigFix are going to change. As I recall, there is no way to remove an admin level access in the tool other than removing the account, and even if we do that we can’t use that same username again. Is that really practical for an enterprise? Nope.
Rich
(imported comment written by BenKus)
Hey Rich,
I think your point is clear. You posted twice in a row on this subject so rather than re-respond, I will just point to my last response: http://forum.bigfix.com/viewtopic.php?pid=8771#p8771
Ben
(imported comment written by curth)
I agree with Rich. I would like to see integration with other Directory Services to make this a more Enterprise friendly product. I have posted suggestions in the Feature Request section. Interestingly, I was told by a BigFix SE that integrating with AD would not be possible because of SOX regulations. I think that was a smoke screen (to put it politely). Please help us in the Enterprise. Make things easier for us or we will need to find other solutons. I don’t want to do that but I may be forced to because of easier administration.
(imported comment written by BenKus)
Hey curth,
If you use NT Authentication for your database logins (which will be integrated with AD users and privileges will be automatically removed when you remove the user from AD), does that help mitigate the issue? See http://support.bigfix.com/cgi-bin/kbdirect.pl?id=282 for more info…
I know this won’t help with adding users to the console, but it should help manage their login password and make it easy to remove their login (although we do recommend you eventually remove the user using the BigFix Admin tool as well).
The SOX answer you mentioned is not our official BigFix answer… I am sure our SE was just a bit confused when he/she told you that…
Also, we are now finalizing some of the feature list for the next major version… I will carry all your comments to our product committee meetings…
Ben
(imported comment written by jpeppers91)
Do you have to create a user in Bes Admin first before you use NT Authentication? If so does theat account have to login first before the NT authenticated account?
jp
(imported comment written by BenKus)
By being an administrator of the database computer, you will have access to create other accounts… and on the BigFix side, you will need to have your license.pvk file, which is the master BigFix key. As long as you have those, you should be all set…
Did I answer your question?
Ben