Permission setting for running client tasks...

I am trying to create a permission set for desktop support personnel that restricts their access to certain elements of ePO, but that will allow them to run client tasks to remove or install individual modules to workstations that they support. I have the permission set working the way I want, except for this one piece. When I log in as one of these users and I try to run a client task I get the error: 

"You do not have access to any products"

Within the permission set I have the software and software catalog rights set to view only. What am I missing here? I don't want them to be able to add or remove software packages in any of the branches, but it seems like running client tasks against individual nodes to add/remove software to those machines should be considered something different entirely. 

 

1 Solution

Accepted Solutions
McAfee Employee cdinet
Message 6 of 9

Re: Permission setting for running client tasks...

Ok, that didn't take long.  Under McAfee agent, you have to enable editing client tasks.  That will allow update and deployment tasks.  For ENS or VSE on demand scan tasks, you have to go to VSE or ENS threat prevention and enable editing tasks there also - you don't have to enable policies. 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

8 Replies
McAfee Employee cdinet
Message 2 of 9

Re: Permission setting for running client tasks...

Check the audit log, it might give a clue to more specific items it doesn't have access to for that. In the meantime, I will try to test that out when I can.


Re: Permission setting for running client tasks...

Checked the audit log for that account and there's nothing mentioned aside from login activity and entries for changes to the permission set itself. 

McAfee Employee cdinet
Message 4 of 9

Re: Permission setting for running client tasks...

Ok thanks, will try to reproduce the issue to see what is required.


Re: Permission setting for running client tasks...

Thanks, I really appreciate you chasing this down for me. Cheers!

Re: Permission setting for running client tasks...

This is exactly what I needed, thank you. I will say though, this isn't a great design. There should really be a set of permissions that will allow execution, but not an assignment. With these permissions, the user can go into the client task catalog and assign any pre-existing tasks to any part of the tree that they have access to. That's dangerous for very obvious reasons, and it's totally unnecessary when all I want is for them to go to a machine and execute a pre-existing client task.  

McAfee Employee cdinet
Message 8 of 9

Re: Permission setting for running client tasks...

"…when all I want is for them to go to a machine and execute a pre-existing client task."

There is really no way to split out the permissions to say the user can only assign to systems and not groups.  The assignment of tasks is just that, limited to the ability (or inability) to create their own tasks or use pre-existing ones and limited to the systems they have access to.  What is the difference whether they go to a single system in the system tree or group in system tree that they have access to and assign a task, or go to task catalog and assign from there?  They are still limited to the limitations of their permission set.


Re: Permission setting for running client tasks...

I think you may have misunderstood me. With the permissions that you listed as a solution, the desktop tech can go into the client task catalog and take something like, let's say, a drive encryption install task and could potentially accidentally assign that to an entire folder of machines. Maybe they're new and they don't know what they're doing, maybe they had a creative idea to assign it to a top-level folder but put a condition that says it will only run against machines that have a specific tag within that folder, who knows. The point is, I only want desktop guys to find a single machine in the tree and run pre-existing client tasks against single machines, or at most, a handful of machines. With the permissions required to allow them to run even a single client task against a single machine, they also now have the ability to go into the client task catalog and make assignments of tasks to entire folders in the system tree. 

 

Here's a typical scenario:

A desktop guy gets a ticket that the DLP agent on a machine is going bananas. He decides to remove the DLP client and re-install it. He finds the machine in ePO, runs a client task to remove DLP, verifies that it's gone, and then re-pushes it. 

 

There should be a way in ePO that allows me to give him the ability to do this. He can find a machine and run client tasks that I, as the administrator, have already created. In order for him to run these client tasks, we had to go in and give him permissions to edit client tasks which now allows him to go into the client task catalog and assign tasks anywhere he wants to. How does that make sense? Manually running a client task shouldn't be thrown into the same bucket as assigning a client task at the tree level. 
