Jmac24
Level 9
Message 1 of 8

Policy Approver view and change

Starting to set up rights for policy approver roles. A couple questions.

Do the approvers have to have view and change to all policies they approve or can they just be given view rights and the approver rights allow the approvals to function?

If they have to have change settings, I would guess we would have to set approvers to need approval to make changes, will they be able to approve for themselves or would it make another approver do so? 

I'd test this out myself to find out, but I don't want to turn on the server setting for approvals until I build out all the roles first.

1 Solution

Accepted Solutions
McAfee Employee cdinet
Message 4 of 8

With that enabled, both approvers and global admins will require approvals - they cannot approve their own changes.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

7 Replies
McAfee Employee cdinet
Message 2 of 8

For those with task approver permissions, the only option is this:

Approver Permission - Users with this permission can make task changes independently. This includes the ability to approve or decline task change requests.  

For those with policy management permissions:

Approver Permission - Users with this permission can make policy changes independently. This includes the ability to approve or reject policy change requests.  

So there is no way to not give them rights to modify policies. I would suggest setting that as an idea (kb60021).

Jmac24
Level 9
Message 3 of 8

If I enable the "Administrator/Approver need approval for policy changes" setting in Server Settings - Approvals for both, would the approver/admin who makes a change be able to approve their own change, or does a different admin/approver need to?

If not, I will put in an idea.

Jmac24
Level 9
Message 5 of 8

Cool, thanks. Now the problem I am running into is outlined in this (my comment is in there). Having to make folks admins or give policy ownership kind of defeats the purpose of enabling approvals.

https://community.mcafee.com/t5/Business-Ideas/Policy-Ownership-Modification/idc-p/622677#M13204

McAfee Employee cdinet
Message 6 of 8

There is a kind of problem with what you want also. First, a person who is not an admin (as it currently stands) and who has permissions to edit policies can only edit ones that they have created - they can't edit someone else's policy, especially if it is assigned to locations they don't have permissions to access. This is as designed, to limit their ability to change policies that might affect other groups they should not be able to modify anything with.

The whole concept of the policy and task approvals was to prevent times when someone inadvertently changes a client task or policy that can adversely affect an environment, even accidental changes.  Too many times this has occurred in outages, unintended product deployments, etc.  By requiring approvals, it can catch things that might break things otherwise. 

As with any security implementation, there is a balance between functionality and security.  Some security measures are necessary, but they reduce functionality or add complications to the mix.  So implementation decisions are made to hopefully find that balance between the two.  By not requiring admins to require approval, it can ease some of the complications, but then you still run the risk of some other admin making a mistake with a policy or task.  Believe me, I have seen way too much of that happening and then we are asked to show who did it, what changes were made, etc.  That can be very difficult at times tracking down something like that.  Requiring approvals adds accountability for the user that made the change as well as the approver.

Jmac24
Level 9
Message 7 of 8

Makes sense, the only thing is that I am creating roles that link to AD groups and/or individuals. To allow them to actually modify policies, it only lets me add individual users as owners, not the role. It would be a lot easier and make more sense to add the permission set that we've already mapped out the rights to rather than now having to account for any new people separately...as their AD rights would determine the permission sets.

McAfee Employee cdinet
Message 8 of 8

Now that would be a great idea to submit, to add permission sets as ownership.
