jdashn 12 Posted July 28, 2016

Good Morning/Afternoon/Evening,

A little background: we have 2000+ endpoints we manage via ERA. Recently migrated to version 6x from 5x. In looking at the security setup for ERA, I've noticed that it's not as granular as I'd like. I'm hoping there is just something here I'm missing.

I see how we can integrate into AD, which is great. I've got an AD group for our Helpdesk users. The issue I'm seeing is that I'm unable to assign them the permissions I'd like to, as far as I've been able to see.

Ideally I'd like to allow the Helpdesk to initiate a full scan on a machine, Deploy Agent, Delete computer (when it's pulled from production for a re-image or whatnot), and I'd like for them to be able to create and run display message tasks.

That said, I don't want them to be able to do much else. I don't want them to be able to create their own custom tasks (Run command, OS Update, Shutdown Computer, Software Install/Uninstall, etc.) or run these types of tasks if they're already created.

Is this sort of granularity possible?

Thanks,
Jdashn
ESET Staff MichalJ 434 Posted July 28, 2016

Hello, as of now, this is not possible. The current security model in ERA V6 works in such a way that you can grant access to groups (static ones) and to functionality modules (tasks / policies ...). Meaning, if you grant access to someone to "tasks", he is able to execute / create / change all of the tasks which are listed in your ERA, however only on the computers which are in groups that they have access to.

We are currently working on a larger change of the ERA security model, which should improve the user experience and allow you to granularly control the access rights.
jdashn 12 Posted July 28, 2016 Author

MichalJ,

Thanks for your reply.

Is there a way to script the execution of a task? (ERAServer.exe -scan ScanWithCleaning -endpoint XXXCompName -trigger ASAP) Even if it's by direct manipulation of the DB, I could then use 3rd party tools to limit access to the scripts I create? At least this way I can allow my Helpdesk to perform some functionality without having to provide them with the ability to do just about everything.

It seems odd that I'm not able to allow my Helpdesk to initiate a full scan, while not allowing them to install/uninstall software/agent or run commands against the OS itself.

Thanks a ton!!!!
Jdashn