Hello Folks,
I need help to understand below case.
Operator from one BigFix role is unable to stop action of operator from another BigFix role. Both roles have similar access.
Very likely the role misses “Stop Other Operator’s Actions”
This has been a problem for us for years. 10.0.X through 11.0.X.
I am told anyone in the same role should be able to stop, not true for us. Multiple environments say the same thing.
Don’t quote me, but I believe using API works, but not console. It’s something we have planned to look into further, just hasn’t been prioritized (Agile lol).
If the same operator can stop action via API, but not using a Console, then there’s a defect and a security hole… Open a support ticket, if so.
1 Like
Review this:
Stop Other Operator’s Actions feature
My understanding is that the person that is stopping the action has to have equal or a superset of those of the issuer. It is my understanding that if they have less permissions, they won’t be able to stop the action.
3 Likes
As said from @Jstev the feature is documented in that doc page …
And in order an NMO is permitted to stop an action deployed from another NMO all 3 points indicated in that doc page need to be satisfied
In the latest version of Bigfix the NMO is attempting to stop an action using the console can choose that action and, if the button ‘Stop’ is ‘grayed out’, going with the mouse over that button a tooltip will explain the reason why that action cannot be stopped ( one of them if there are multiple reasons )
In addition can be said that, for performance reason, roles and ‘Explicit Computer Assignments Definitions’ are evaluated separately and, let me say, literally.
So for example suppose an NMO deploy an action and has assigned all Ubuntu machines because the role ‘AllUbuntu’ … a second NMO has assigned all Unix machines ( and so among them all Ubuntu machines ) because the role ‘AllUnix’ … despite the second NMO in this way should have assigned all machines of the first one will be NOT permitted to stop the action of the first NMO … this because the roles are matched based on their name only … to permit the second NMO to stop the actions deployed from the first NMO will be necessary that this NMO has also the role ‘AllUbuntu’ …
A similar concept apply to the comparison of ‘Explicit Computer Assignments Definitions’, is performed definition by definition, not in base on the computers are assigned at the end … an example about this detail has been added at the end of the same doc page … Note that on v11 only ( this is not available on v10 ) ‘All Computers’ is considered to be a superset of whichever other ‘computer assignment definition’ ( and the related note is not present in the v11 version of the same doc page ) …
1 Like