2 Replies Latest reply on Jul 15, 2015 2:18 PM by travis.fenton.41

    Security and User Management Question

    SolarWinds Community Team

      Is there a detailed list anywhere as to what each internal Security group is permitted to do?

       

      I want to delegate the installation of patches to servers to another team here, but don't want them to be able to approve/decline patches at all, but am unsure as to which group would be the best fit.

      Basically what I want this group to be able to do is:

      Install Patches

      Reboot Servers

      RDP to Servers

      What I don't want them to be able to do is

      Approve or Decline patches

       

       

      If I can also deny them access to specific Client Side groups ( eg Workstations ) that would be fantastic.

      *Just found the Approval Delegation groups which I assume I can use to block the approval/Decline aspect. Does this setting take precedence over the rights granted by being a member of one of the Security Groups?

        • Re: Security and User Management Question
          SolarWinds Community Team

          Security Roles are documented in Section 4.2.3 of the Extension Pack Administration Guide.

          In the scenario you describe you'll want to make the users a member of the Computer Configuration Administrators role, which will grant them the ability to perform computer configuration tasks, but not perform any tasks regarding approving updates.

          Managing access to specific machines is done through the use of Credentials. Credentials can be assigned by Organizational Unit. In the absence of an OU heirarchy that can be used, you can allocate a different credential for each group and configure that credential to have access to the individual machines in that group. Then assign that credential to the Domain or OU rule for each user, according to what they should have the ability to access.

          Approval Delegation can be used to completely block the ability to approve/decline updates, but note that this feature only is functional within the Extension Pack. You will also need to restrict access to the native WSUS Administration Console (as well as Remote Desktop to the WSUS Server), in order to fully restrict this ability.