3 Replies Latest reply on Jun 2, 2014 4:44 PM by becke

    ePO policy ownership


      Is there any way to assign the ownership of policies to a group? Is there a way to allow the owner of a policy to add additional owners without making them a global admin for ePO?


      We have a large number of delegated users, for VSE for example, who can create and modify their own policies.


      However, when there is staff turnover these policies get orphaned, and as admin I have to constantly fix policy ownership or clean out abandoned policies, and I'm not sure if I'm missing something or if it really is this way (which is proving to be quite unmanageable).


      What tactics are people using to manage policy ownership in the case where there are a large number of users with the ability to create their own policies?


      Per the documentation:

        By default, ownership is assigned to the user who creates the policy. If you have the required permissions, you can change the ownership of a policy.


      As far as I can see, the "required permissions" is being the global admin - even the owners of the policy cannot add additional owners?


      Message was edited by: becke on 5/29/14 12:31:10 PM CDT
        • 1. Re: ePO policy ownership

          Based on this unresolved issue from 2011 ( https://community.mcafee.com/thread/35370 ) and the lack of responses, I'm thinking there is in fact no "proper" way to handle this?


          I did come up with the following db query to find all the policies owned by a specific user. Perhaps I will extend it to at least allow me to replace the current owner with a new owner.


          -- ePO Policy Catalog ----------------------------------------------------------
          -- Lists policies and their owners; set @origUserName to NULL to list every owner.
          DECLARE @origUserName varchar(max)
          SET @origUserName = 'dom\username-adm'

          SELECT
                    polObj.Name as PolicyName,
                    --polObj.PolicyObjectID as PolicyObjectID,
                    ornUsers.Name as Owner
          FROM
                    EPOPolicyObjects polObj
                    INNER JOIN EPOPolicyObjectUserRoles polRoles ON polObj.PolicyObjectID = polRoles.PolicyObjectID
                    INNER JOIN EPOPolicyTypes polTypes ON polTypes.TypeID = polObj.TypeID
                    LEFT OUTER JOIN OrionUsers  ornUsers ON ornUsers.Id = polRoles.UserID
          WHERE
                    --NOT polTypes.CategoryTextID = '.EPO_ENFORCE' AND
                    (@origUserName IS NULL OR @origUserName = ornUsers.Name)
          ORDER BY
                    polTypes.FeatureTextID ASC,
                    polTypes.CategoryTextID ASC,
                    polObj.Name ASC,
                    ornUsers.Name ASC
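
An added example, not part of the posts in this thread: a read-only T-SQL audit for the orphaned-policy problem described above, listing every policy that has no remaining active owner. It uses only the tables and columns that appear in the query in reply 1 and, like that query, treats each EPOPolicyObjectUserRoles row as an owner; the departed-account names are constructed placeholders.

```sql
-- Added example. Read-only: reports policies whose owners are all gone.
-- Assumption: every row in EPOPolicyObjectUserRoles marks an owner, as the
-- query in the thread treats it. Account names below are constructed.
WITH owners AS (
    SELECT
        polObj.PolicyObjectID,
        polObj.Name   AS PolicyName,
        polRoles.UserID,
        ornUsers.Name AS OwnerName,
        CASE
            WHEN polRoles.UserID IS NULL  THEN 0  -- policy has no ownership row
            WHEN ornUsers.Id IS NULL      THEN 0  -- owner account was deleted
            WHEN dep.UserName IS NOT NULL THEN 0  -- owner is on the departed list
            ELSE 1
        END AS IsActiveOwner
    FROM EPOPolicyObjects polObj
    LEFT OUTER JOIN EPOPolicyObjectUserRoles polRoles
        ON polRoles.PolicyObjectID = polObj.PolicyObjectID
    LEFT OUTER JOIN OrionUsers ornUsers
        ON ornUsers.Id = polRoles.UserID
    LEFT OUTER JOIN (
        VALUES (N'dom\alice-adm'),   -- constructed sample: staff who have left
               (N'dom\bob-adm')
    ) AS dep (UserName)
        ON dep.UserName = ornUsers.Name
)
SELECT
    PolicyObjectID,
    PolicyName,
    COUNT(UserID)      AS OwnerRows,     -- ownership rows, active or not
    SUM(IsActiveOwner) AS ActiveOwners   -- always 0 in this result set
FROM owners
GROUP BY PolicyObjectID, PolicyName
HAVING SUM(IsActiveOwner) = 0            -- nobody left who can manage the policy
ORDER BY PolicyName ASC;
```

Policies with OwnerRows = 0 have no ownership row at all; the rest are owned only by deleted or departed accounts and are the ones to reassign or clean out.
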

          • 2. Re: ePO policy ownership

            Hi becke, what version of ePO are you using? Unfortunately, permission sets in ePO have very limited versatility and I too have had to deal with this administratively heavy task. I understand version 5.x has made some good changes in this area but I cannot verify yet. Thanks for the SQL query. Logging it for future.



            • 3. Re: ePO policy ownership

              We're on version 5.1