I would like to request that as a full console admin - there would be more availability (for me) to administer console user rights/permissions. Besides setting console users to have rights to certain systems within specific retrieved properties - I would also like the ability to lock specific console users out of fixlets and tasks. Globally hiding them is fine if I want no one to use a particular task/fixlet - but there are some tasks that we have built that I only want a certain subset of the console users to have access to.
Here is our setup.
We have 3 geographical sites that utilize an existing BES server. These are 3 distinct hospitals with 3 groups of IT admins that administer their own PCs and servers. My site owns the the BES system and the other sites purchase licenses through us. As an example - when I create a task to perform an application update that application may have only a certain number of licenses purchased - and belonging to only one site. Once the task is created, the other sites have access to that task. I don’t want to hide it - because there are console users at my site that I want to have access too. This also works the other way. I don’t want their tasks necessarily available to my group of console users.
So, having a way to really define permissions and rights within the console would be awesome!
What you want to do is available in BES 6.0 today using “Custom sites”. Here is what you do:
Make a Custom Site (Tools > Manage Sites). You can call it something like “Application Updates-Hospital 1”.
Grant “Read” privileges to all the BES Console users in Hospital 1.
Using the “Edit Settings” dialog, subscribe all the BES Clients in Hospital 1 to this custom site.
Now when you create Tasks that are specific to Hospital 1, they will only be viewable by the BES Console operators in Hospital 1 and the other BES Clients/BES operators will never see these Fixlets.
More info about custom sites is available in the BES Administrators Guide. They are very flexible and powerful.
Question about previously created tasks. Doesn’t appear that I can add old tasks that I created into my custom site. For new tasks I can. Is there a way to get old tasks in the new site? Thanks.
You can right-click–>edit the task and it will allow you to move it to another site (drop down in the upper right corner of the edit dialog).
You can also right-click–>export, and then double click the exported file to import it, and it will take you to the edit dialog where you can select the site as above. Then delete the old task.
In BES 6.0, you can’t move a task between custom sites by editing it. For a single task, the easiest way is to right-click on the task and create a custom copy. Then you will be able to put the copy into any custom site. For a large number of tasks, exporting/importing is the easiest way to move them.
How about this one. We are purchasing the Anti-Spyware site. The other 2 hospitals that utilize our BES system are not part of the purchase of this site. So, I want to keep all the tasks/analysis associated with this site from their console. I know that I won’t have access in the site properties to assign rights. And I assume creating custom copies of BES generated tasks and then moving them to a custom site is not advisable? Plus, I would think it would also be messy to have to constantly make custom copies each time the fixlets are updated. What are my options? Is Global Hide, the best direction? Thanks.
Hmmm, I think I might of missed a setting when I created the custom site. Should I have selected “Create a policy action that will subscribe all computers to this Custom Stie by default”? Now that I have moved my tasks to the new site - there are no relevant clients.
In 6.0 external Fixlets sites can’t be assigned to specific console operators, only custom sites have this capability. You’ll be able to permission external Fixlet sites in 7.0 though.
So, one option you have would be to globally hide the external site and copy its Fixlets into a custom site. This is a recommended approach to solving the problem. You will need to move updated Fixlets into the custom site as you noted.
When you create a custom site, there is an option to globally subscribe all clients to that site. If you don’t check this when you create the site you’ll need to subscribe BES Clients to be a part of the site. You can do this by selecting computers, right-clicking, select edit custom settings and Selecting the appropriate custom site membership. If you go to the ‘more options’ you’ll get an edit custom settings dialog that you can use to automatically subscribe all computers to the custom site, equivalent to checking the box when you created the Fixlet site.
Ahhh. The last part of number 3 was the key I needed to not have to recreate a new custom site. Awesome, thanks.
Now, even if I globally hide the external fixlets - I still have access to them under hidden fixlets (they still work, correct, even if hidden) - so maybe that is enough to keep the riff-raff out
Hopefully you have noted by now that you can restrict console operators (or agents) from subscribing to sites… So in your scenario where you wanted only 2 of the 3 console operators to have access to anti-spyware, you can do that through the “Manage Sites” dialog in the console.
Actually I had not noticed. That is very cool. Thank you for the update on that. I have gone through and made the necessary changes. Thanks for following up.