Endpoint Protection

  • 1.  How do you assign "Monitoring" rights in a granular fashion?

    Posted Apr 03, 2013 08:41 AM

    We have granted our help desk personnel granular rights to the SEPM web console. At this point, they only have rights to initiate full scans on remote devices, with read-only access to the clients (we have a policy to initiate a full scan on any machine that generates a single risk event, and I wanted the help desk to deal with those). I can't seem to decipher how to give them just enough additional rights to have access to "Monitors" so they can check on scan progress. Which setting in the admin rights allows you to add just "Monitors"?



  • 2.  RE: How do you assign "Monitoring" rights in a granular fashion?

    Posted Apr 03, 2013 08:46 AM

    You have to give them administrator rights because

    Limited administrators without reporting rights cannot view the Home, Monitors, or Reports pages.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO81226



  • 3.  RE: How do you assign "Monitoring" rights in a granular fashion?

    Posted Apr 03, 2013 08:50 AM

    I don't believe there is an option to only show the 'Monitors' page. I assume this is what you mean?

    Uncheck all the options except 'View Reports'

    This will allow them to do what they need, without being able to do much else.



  • 4.  RE: How do you assign "Monitoring" rights in a granular fashion?

    Trusted Advisor
    Posted Apr 03, 2013 09:34 AM

    Hello,

    I agree. 

    Check this article: http://www.symantec.com/docs/HOWTO81226

    Administrators are domain administrators who can view and manage a single domain. A domain administrator has the same privileges as a system administrator, but for a single domain only.

    By default, the domain administrator has full system administrator rights to manage a domain, but not a site. You must explicitly grant site rights within a single domain. Domain administrators can modify the site rights of other administrators and limited administrators, though they cannot modify the site rights for themselves.

    A domain administrator can perform the following tasks:

    • Create and manage administrator accounts and limited administrator accounts within a single domain.

      Domain administrators cannot modify their own site rights. System administrators must perform this function.

    • Run reports, manage sites, and reset passwords. You must explicitly configure reporting rights to groups that are migrated from Symantec AntiVirus 10.x.

    • Cannot administer licenses. Only system administrators can administer licenses.

    • Cannot manage Enforcers.

    Limited administrators can log on to the Symantec Endpoint Protection Manager console with restricted access. Limited administrators do not have access rights by default. A system administrator role must explicitly grant access rights to allow a limited administrator to perform tasks.

    Parts of the management server user interface are not available to limited administrators when you restrict access rights. For example:

    • Limited administrators without reporting rights cannot view the Home, Monitors, or Reports pages.

    • Limited administrators without policy rights cannot view or modify the policy. In addition, they cannot apply, replace, or withdraw a policy.

    Hope that helps!!



  • 5.  RE: How do you assign "Monitoring" rights in a granular fashion?

    Posted Apr 03, 2013 10:00 AM

    Once I saw someone mention reporting rights, the light bulb went off; I just added that right on my help desk test account and monitors showed up. Given they only have read-only rights to the clients, I don't think they can run amok too badly there. I need to test if they can alter the notifications configurations though, which does show up and appear to be accessible once you give them access to "Monitors". A "nice to have" from Symantec would be a simple tool for the help desk to run, to simply run, pick a machine or enter a machine name, select a scan type and initiate it. Then just have a simple monitoring interface to watch status of the scans initiated. I tried to rig a tool to do that running psexec on a remote device with a script pushing a doscan on that remote device with switches, but just couldn't get it to pass credentials correctly in Windows 7 to make it work. But, I got close just using Winbatch. Something like that would be very useful.



  • 6.  RE: How do you assign "Monitoring" rights in a granular fashion?

    Broadcom Employee
    Posted Apr 04, 2013 07:24 AM

    Hi,

    You should check this article: About administrators

    http://www.symantec.com/docs/HOWTO55478

    A limited administrator can be granted access to perform tasks within a single domain. These tasks include:

    • Run reports on specified computers, IP addresses, groups, and servers.

    • View Home, Monitors, and Reports pages in the console only if granted reporting rights.

    • Manage the groups within a single domain.

    • Remotely run commands on client computers.

    • Fully manage a site, or, view or manage the database or the selected servers for a site within a single domain.

    • View or manage installation packages.

    • Manage policies

      Limited administrators who do not have access to a specific policy and related settings cannot view or modify the policy. In addition, they cannot apply, replace, or withdraw a policy.

      See Configuring the access rights for a limited administrator.

    • Cannot create other limited administrator accounts.

      Only a system administrator or an administrator can create limited administrator accounts.

    • Manage the password rights for own account only.

    Also check this article: How to change Manage Group permissions for Limited Administrators in SEPM for multiple groups.

    http://www.symantec.com/docs/TECH92651