    McAfee ePO Orchestrator administration question

      I am in an environment where I want to completely segregate administrative access. 


      I have 2 administrative users, one for Division_A, one for Division_B. I have the servers/workstations separated into different subtrees, Subtree_A and Subtree_B. Say each administrator belongs to a different Active Directory group as well, Group_A and Group_B. Is it at all possible to restrict access so that each Administrator could only see the Servers/Workstations in his Subtree? For instance, the Division_A administrator wouldn't even have read access to Subtree_B; this user should not be able to see the Hosts or the Policies that are in place.


      Is this possible?


      The other solution I am looking into is to create 2 separate ePO servers to manage a very small number of Nodes; separation is important.


        • 1. Re: McAfee ePO Orchestrator administration question
          Laszlo G

          Hi mattwod, you can assign different permission sets to them so they can only see their specific system tree, but you won't be able to set them to see only their own policies, because on ePO you can set permissions by product but not by policy owner.


          • 2. Re: McAfee ePO Orchestrator administration question

            Thanks for the response, I just need a little clarification please...


            So all administrators can see and use all policies? But only policy owners can edit the policies they own? 


            When you say I can set permissions by product, does that mean I could set permissions so that an administrator could either not see any policies, or I can set it so he could see all policies? (But I cannot set permissions that would allow him to see some but not others.)


            So I would have 2 subtrees, right? And I can assign permissions and access to those in such a manner that Admin_B would not even see the Division_A Subtree, or that person would see the Directory and it would be empty?


            McAfee ePO Tree
            |
            |-- Division_A Systems: (Only Admin_A can see these systems and systems within the tree)
            |     |__ Division_A_Workstations
            |
            |-- Division_B Systems: (Only Admin_B can see these systems)
            |
            |-- Other Systems: (Both Admins can see these systems)



            • 3. Re: McAfee ePO Orchestrator administration question



              By default, Global Administrators would have visibility into everything and are not affected by other permission sets.


              You can configure a permission set for each product that you have and assign someone full rights for the policies for that product and they would be the only ones aside from the Global Admins that would have access to those policies. 


              You can also configure a permission set to restrict who has visibility into each point product (i.e. VSE, HIPS, HDLP).


              Additionally, for the two Divisions you have listed above, you would need to create two permission sets and, under the System Tree Access field, grant them only access to their respective container. Only the user assigned to that permission set would be able to see the systems contained within.


              Also you can have one person assigned to multiple permission sets if need be.
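A toy model of the access rules described in this thread, added here as an illustration; it is not McAfee ePO code, and the class and function names, the container paths, the host names and the product grants are assumptions made up for the example. It encodes the four points the replies make: Global Administrators bypass permission sets, System Tree access to a container covers everything beneath it, a user holding several permission sets gets the union of their grants, and policy visibility is decided per product rather than per policy owner (so Admin_A still sees a VSE policy that Admin_B owns).

```python
# Toy model of ePO-style permission sets. Constructed example, not McAfee code;
# every name, path and product grant below is an assumption for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionSet:
    """One permission set: the System Tree containers it grants access to and
    the point products whose policies it makes visible."""
    name: str
    tree_containers: frozenset  # System Tree paths, e.g. "My Organization/Division_A"
    products: frozenset         # products (e.g. "VSE", "HIPS") whose policies are visible


@dataclass(frozen=True)
class User:
    name: str
    global_admin: bool = False
    permission_sets: tuple = ()  # a user may hold several sets; grants add up


def in_container(system_path: str, container: str) -> bool:
    """True when the system is the container itself or sits anywhere beneath it.
    The trailing '/' stops 'Division_A' from matching 'Division_AB'."""
    container = container.rstrip("/")
    return system_path == container or system_path.startswith(container + "/")


def can_see_system(user: User, system_path: str) -> bool:
    """Global Administrators see everything; everyone else needs a permission
    set that grants one of the system's ancestor containers."""
    if user.global_admin:
        return True
    return any(in_container(system_path, c)
               for ps in user.permission_sets
               for c in ps.tree_containers)


def can_see_policy(user: User, product: str, owner: str = "") -> bool:
    """Policy visibility is scoped by product, never by policy owner, so the
    owner argument is accepted only to make that limitation explicit."""
    if user.global_admin:
        return True
    return any(product in ps.products for ps in user.permission_sets)


def visible_systems(user: User, systems) -> list:
    """The subset of the System Tree this user would see."""
    return [s for s in systems if can_see_system(user, s)]


# --- Constructed sample data mirroring the tree drawn in the thread ----------
SYSTEMS = (
    "My Organization/Division_A/Division_A_Workstations/ws-a-01",
    "My Organization/Division_B/srv-b-01",
    "My Organization/Other Systems/srv-shared-01",
)

PS_DIVISION_A = PermissionSet(
    "Division_A_Admins",
    frozenset({"My Organization/Division_A", "My Organization/Other Systems"}),
    frozenset({"VSE"}),
)
PS_DIVISION_B = PermissionSet(
    "Division_B_Admins",
    frozenset({"My Organization/Division_B", "My Organization/Other Systems"}),
    frozenset({"VSE", "HIPS"}),
)

ADMIN_A = User("Admin_A", permission_sets=(PS_DIVISION_A,))
ADMIN_B = User("Admin_B", permission_sets=(PS_DIVISION_B,))
ADMIN_AB = User("Admin_AB", permission_sets=(PS_DIVISION_A, PS_DIVISION_B))
GLOBAL_ADMIN = User("global_admin", global_admin=True)


if __name__ == "__main__":
    for u in (ADMIN_A, ADMIN_B, ADMIN_AB, GLOBAL_ADMIN):
        print(u.name, "sees", visible_systems(u, SYSTEMS))
    # Per-product, not per-owner: Admin_A sees a VSE policy even if Admin_B owns it
    print("Admin_A sees Admin_B's VSE policy:", can_see_policy(ADMIN_A, "VSE", owner="Admin_B"))
    print("Admin_A sees HIPS policies:", can_see_policy(ADMIN_A, "HIPS"))
```

Running the block shows Admin_A and Admin_B each seeing their own container plus the shared one, the user holding both sets seeing everything, and the Global Administrator unaffected by any set; the last two prints make the point from reply 1 concrete, since product-level visibility cannot be narrowed to "only policies I own".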