Want to limit web report access to subgroup of computers

I’m using a Windows server system, Active Directory, BigFix version 9.2.2.21, with several groups within the structure limited in the console via AD groups. No problems with the console or permissions there.

However, web reports users (signed in with AD credentials) can see all computers. This is bad. I’ve tried creating roles and applying them to existing users, creating new AD users and adding the roles to them, everything. The relevant documentation I’ve found has the role created using “Restrict view with a filter”, which I’ve done to limit the possible computers viewable to just one subgroup. No luck.

Any suggestions?

1 Like

This is related, but no answers their either: Web Reports Showing All Computers on limited access account

I’d suggest filing a PMR.

It has been too long since I have played with Web Reports in any significant way. There are multiple methods to limit access to machines in Web Reports, but they are definitely supposed to be there and work.

Bump. Anyone out there with a solution to this problem?

@Arthur I do this in the Bigfix/IEM/TEM environment I manage.

For the sake of this Example, I’m going to allow some mythical “Field Techs” access to a subset of Endpoints. I’m going to be using an Automatic Group to collect the Endpoints, but you can also use other BES Properties to associate the Endpoints to the Role we going to create.

  • If it doesn’t already exist, create an automatic group in Bigfix to ‘Gather’ the Endpoints. (ie: Field Tech Computers)
  • create a Security Group in AD to ‘Gather’ the Web Report Users. (ie: Field Tech Web Reports)
  • In Web Reports, click on “Administration”
  • Click on “User Management”
  • Click on “Manage Roles”
  • Click on “Create Role” (just beneath the “User Management” bread crumb)
  • Name your New Role. (ie: Field Techs)
  • In the Filter section where it says “Search Properties” type “Computer Group”.
  • You should now see a Drop Down selector “IS” followed by a Drop Down selector with all your Bigfix Groups.
  • Find your Bigfix group in the list. (ie: Field Tech Computers)
  • Click the “Create Role” button. You now have a Role in Web Reports that is associated with the Computers in the Field Tech Computers group.
  • Make sure you are back at “User Management”
  • Click “Active Directory Permissions”
  • Log in with your AD Credentials.
  • Navigate through the OU’s (click the OU names) to find the AD Group you created (ie: Field Tech Web Reports).
  • Once you have found your AD Group, put a check mark next to it and click the “Assign Roles” button.
  • Find your Bigfix Role you created (you can filter the list by typing in the text box at the top).
  • Put a Check next to the desired Role (ie: Field Techs).
  • Click somewhere outside the “All Roles” popup, or click back to “User Management” and you should be all set. The Role (ie: Field Techs) should now be listed next to the AD Security Group.

AD users added to the specified AD Security Group should now be able to see the Computers in the specified Bigfix Group when they log into the Web Reports Server.

2 Likes

Out on business for the next week or so. This answer looks promising, but I won’t be able to test it for a while.