3 Replies Latest reply on Jul 18, 2016 10:14 AM by frgpugs

    Delegation of WSUS approval

    rosscrawford

      Hi All,

       

      I'm hoping this is just something simple I'm missing,  I've got a WSUS 2012 R2 server and a SolarWinds Patch Manger 2.0 server which is connected to the WSUS server,  I can approve updates which works fine.

       

      My problem is I want to be able to give granular access to AD security groups for example,  I want the helpdesk to login to the SW PM console and only see their WSUS computer group that they are responsible for.

       

      I've been trying to figure out the permissions however when I login I seem to be able to access more than I want,  I can't seem to give access soley to approve updates on a particular WSUS computer group.

       

      Can this be acheived?

       

      Thanks

      Ross

        • Re: Delegation of WSUS approval
          Michael Halpin

          Hi rosscrawford,

           

          sorry for the delay. Simply select the computer group and then in the action pane you can select "approval delegation".  This will allow you to add in AD groups to approve the updates

           

            • Re: Delegation of WSUS approval
              rosscrawford

              Thanks Michael,   I had found that area and added my AD user to it.  This may be a silly question,  do you need to use a managed computer group and map it to the WSUS computer group for this to work?   As I cannot see any other way,  and even when I do this I can see how to install updates but not approve them without giving full access to all WSUS groups.

                • Re: Delegation of WSUS approval
                  frgpugs

                  You need to use a target group to use the AD delegation like that.

                   

                  The security section under patch manager system configuration would allow you to set what users can do but the closest to what you want would allow approval for all target groups.  Approval as far as I know cannot be set to only allow a user to approve for one group.  They can choose not to approve for other groups but if they can approve for one they can approve for all