We run BigFix 10 patch 5. Looking at operator permissions I do not find anything about site subscriptions.
As a site owner is not allowed to edit/view site subscriptions I’m wondering if this is a wanted behavior or a bug?
It’s wanted behavior. The actions that subscribe computers to a site are part of the Master Action Site, and subscriptions can only be changed by Master Operators.
One common approach when delegating rights is for the master operator to create the custom site and assign subscriptions based upon tagging or computer groups that the normal operator has rights to change. The site subscription criteria is a one-time setup, but the operator can change the computer to match or not-match that criteria.
For instance, as the delegated operator, you may assign a client setting on the computer for “MySiteA”=“true”, and once that setting is matched the computer matches the property to subscribe to the MySiteA custom site.
Thanks Jason. As site subscription is usually not a daily task it’s fine for me.
Hi Jason,
Just a thought.
Shouldn’t the owner ideally have the ability to manage the subscriptions of a site as well?
I understand that the owner can grant read/write permissions to other operators. However, from a Master Operator’s perspective, especially when managing a large infrastructure, it would seem more practical for the designated owner to have full administrative control over everything related to that site once ownership has been assigned.
Conceptually, sure, I'd expect that to be true.
But the mechanism for how computer site subscriptions actually happen involves a hidden action that gets written into the Master Action Site; and editing that site can only be done by a Master Operator.
I don't think I see a compelling enough use-case on this that would drive changing a very low-level and security-sensitive piece of the architecture. Maybe I'm missing something, but I don't see changes to site subscription as something that would happen all that frequently?
Thinking again, I could consider that if you truly want to implement a scenario like this where the delegated admin manages it fully... you could create the site to use ad-hoc subscriptions exclusively.
With this setup, the default subscription actions are not created in the ActionSite at all. The way to get a computer to subscribe is to send a custom subscription action (which the delegated administrator can send to any computer they manage, with any action targeting they like).
The site subscription action would be something of the form:
custom site subscribe CustomSite_CIS_Win2022_MS as "CIS%5fWin2022%5fMS" on "Fri, 03 Feb 2023 20:32:30 +0000"
I'm looking for a good way to generate that percent-encoded value that we use as the local directory name for the custom site; the percent-encoding helps avoid issues if the custom site name contains spaces or slashes; but for simple underscores the replacements of '_' with '%5f' may not be totally necessary.
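One way to generate that percent-encoded value and the full subscribe line, as an added example that is not from the thread's participants or from BigFix. It assumes every byte outside ASCII letters and digits is encoded as lowercase `%xx`, which reproduces the sample above but is not a documented BigFix rule; the names `encode_site_dir` and `subscribe_action` are hypothetical.

```python
import re
from datetime import datetime, timezone
from email.utils import format_datetime

SITE_PREFIX = "CustomSite_"  # prefix seen in the thread's sample action


def encode_site_dir(display_name: str) -> str:
    """Percent-encode every UTF-8 byte outside [A-Za-z0-9] as lowercase %xx.

    Assumption: this safe set is chosen to be conservative and to match the
    thread's sample; it is not a documented BigFix rule.
    """
    out = []
    for b in display_name.encode("utf-8"):
        ch = chr(b)
        out.append(ch if ch.isascii() and ch.isalnum() else f"%{b:02x}")
    return "".join(out)


def subscribe_action(site_name: str, when: datetime) -> str:
    """Build the one-line subscribe action for a site named CustomSite_<name>."""
    # The site name sits unquoted in the action, so refuse anything that
    # could split the line or close a quote instead of trying to escape it.
    if not re.fullmatch(r'CustomSite_[^\s"\x00-\x1f\x7f]+', site_name):
        raise ValueError(f"unsupported site name: {site_name!r}")
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    directory = encode_site_dir(site_name[len(SITE_PREFIX):])
    stamp = format_datetime(when.astimezone(timezone.utc))
    return f'custom site subscribe {site_name} as "{directory}" on "{stamp}"'


if __name__ == "__main__":
    # Constructed input: the site name and timestamp from the thread's sample.
    sample = datetime(2023, 2, 3, 20, 32, 30, tzinfo=timezone.utc)
    print(subscribe_action("CustomSite_CIS_Win2022_MS", sample))
    print(encode_site_dir("My Site/A"))  # constructed name with space and slash
```

Because the quoted directory value is built only from letters, digits and `%xx` escapes, a site name cannot inject a quote or a second command into the generated action line.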