When we were setting Bigfix up a long time ago, I was using my corporate id as a master operator, which does not fit with our naming scheme today. I deleted this user and tried recreating him as a normal operator but I get this message:
A user with the same name was once a master operator. You cannot create a non-master operator with this name.
Is there any way around this? We need to implement our corporate naming scheme.
Yes… unfortunately, due to the way that we use the OpenSSL components, the name of the user is part of the the identification of the certificate that is used in the digital signatures on all actions, Fixlets, etc. In the past we hit very troublesome signature issues when users would delete and then create a new user with the same name. So we had to design a protection to prevent people from shooting themselves in the foot.
It will take a significant re-architecture to eliminate this annoying issue of not being able to make the change, but hopefully we will get it done within a couple major version updates.
I think our next major release (after the upcoming release) will likely do some of the rearchitecting that will help this… but it will still be a while… Sorry…
Still waiting for this to be fixed, any update on how long this will take. It seems rather silly and Illogical that you cannot change a user account from a MO to a NMO account and vice versa, especially when the BES Admin is the only account which can change these setting anyhow.
When you delete an MO account it should be deleted, I guess this is why you use the wording Remove User!!! and not delete user .
Additionally you should make a note on the user creation dialogue box, which states that when you create a MO account the username cannot be renamed or removed from the database and cannot change roles to NMO permissions. Informing people after the fact, means that there is a lack of information.
I have now just built my new BES server and now cannot fix your limitations of poor ACLs.
We are now working on the changes to our authentication scheme… It will still be a while… I will try to confirm with the developers to see if this will fix the issue going forward…
So… I check into this and it seems that even though we are redoing some of our authentication, this issue remains at the moment… I have escalated this bug to see if we can fix it at the same time as our other work, but for the moment, it remains just as before that it is a known limitation that you cannot delete a master operator and then make a non-master with the same name.
As a way of empathizing with everyone: I hate when products that I use have silly limitations like this one too… But in this case it is just not easy to fix and it is hard when there are so many things we want to add to BigFix to make it better and going back and removing this limitation would mean that we couldn’t get a whole new big feature…
DeviousDog, I realize that hindsight is 20/20, but you may want to consider adopting a practice where all master operators have separate console operator accounts.
All of our master operators have always had a separate console operator account, and we rarely use our MO accounts for anything more than provisioning tasks and globally activating analyses. For just about everything else, we use console operator accounts. This prevents us from unintentionally taking actions that would affect the entire environment.
Since you’re less likely to have more master operators than console operators, I’d suggest a different naming scheme for master operator accounts… something different from the corporate/organizational user naming scheme. I agree that this limitation is annoying, but I think it can be avoided.