About Symantec Enterprise Security Manager accounts and permissions

Symantec ESM supports the separation of administration and security tasks by providing different types of manager accounts for Symantec ESM users.

Symantec ESM managers support the following types of accounts:

You can use these account types to separate security duties from administration duties. Each account gives a user access to only the information that is necessary to perform the assigned duties.

Table: Account types and access permissions describes each account type and its access permissions.

Table: Account types and access permissions

Account type

Description

Access permissions

Read-only

Description: These accounts are useful for creating specialized accounts, starting with minimal permissions.

Access permissions: These accounts have permissions to view assigned domains, policies, and templates. They also have permissions to modify their own passwords.

Read-only users cannot start policy runs, but they can use the functions that are associated with messages. To use the message-related functions, the users need appropriate permissions on the specific agent host computers.

ESM administrator

Description: ESM administrators have the same permissions that the superuser account has. These accounts can be deleted.

Access permissions: These permissions give a user full access to Symantec ESM functions for all domains, policies, reports, and templates.

All accounts that have these permissions can limit user functions to assigned domains, policies, and templates. These permissions include the following:

  • View domains, policies, templates, and reports.

  • Modify domains, policies, and templates.

  • Run policies and domains.

  • Create new domains, policies, and templates.

  • Update domain snapshots.

  • Manage user permissions and password configuration requirements.

  • Modify own password.

  • Modify Symantec ESM options including audit log configuration and manager sumfinal database options.

  • Upgrade agents.

  • Register agents with a manager.

System administrator

Description: System administrators provide the security tools that the computer owners need to maintain their computers.

Access permissions: The following specific permissions are provided to the system administrators:

  • View domains, policies, templates, and reports.

  • Modify domains, policies, and templates.

  • Run policies and domains.

  • Create new domains, policies, and templates.

  • Update domain snapshots.

  • Modify own password.

Security officer

Description: Security officers set the security policies and monitor the day-to-day operations.

Access permissions: The following specific permissions are provided to the security officers:

  • View domains, policies, templates, and reports.

  • Modify domains, policies, and templates.

  • Run policies and domains.

  • Create new domains, policies, and templates.

  • Modify own password.

Register only

Description: The Register only users distribute the Symantec ESM across the enterprise.

Access permissions: The Register only users cannot log on to the ESM managers. These users can register the agents using the following methods:

  • Launch the Symantec ESM installation program.

  • Launch the Symantec ESM register program from the command prompt using the register command.

The register command requires an account with permissions to register the agents even though no logon is required.

Table: Default domain access permissions lists the domain access rights for each Symantec ESM account.

Table: Default domain access permissions

Account type

Domain access permissions

Read-only

  • View

  • Apply to all domains

ESM administrator

  • View

  • Modify

  • Run policies

  • Snapshot updates

  • Apply to all domains

  • Create new domains

System administrator

  • View

  • Modify

  • Run policies

  • Snapshot updates

  • Apply to all domains

  • Create new domains

Security officer

  • View

  • Modify

  • Run policies

  • Apply to all domains

  • Create new domains

Register only

  • Apply to all domains

Table: Default policy access permissions lists the policy access rights for Symantec ESM user accounts.

Table: Default policy access permissions

Account type

Policy access permissions

Read-only

  • View

  • Assign to all current and future policies

ESM administrator

  • View

  • Modify

  • Run

  • Assign to all current and future policies

  • Create new policies

System administrator

  • View

  • Run

  • Assign to all current and future policies

Security officer

  • View

  • Modify

  • Run

  • Assign to all current and future policies

  • Create new policies

Register only

  • Modify

  • Assign to all current and future policies

  • Create new policies

Table: Default template access permissions lists the template access rights for Symantec ESM user accounts.

Table: Default template access permissions

Account type

Template access permissions

Read-only

  • View

  • Apply to all templates

ESM administrator

  • View

  • Modify

  • Apply to all templates

  • Create new policies

System administrator

  • View

  • Modify

  • Apply to all templates

  • Create new policies

Security officer

  • View

  • Modify

  • Apply to all templates

  • Create new templates

Register only

  • Modify

  • Apply to all templates

  • Create new templates

Table: Default advanced manager permissions lists the advanced manager rights for each Symantec ESM manager account.

Table: Default advanced manager permissions

Account type

Advanced manager permissions

Read-only

  • Modify own password

ESM administrator

  • Manage user rights

  • Modify own password

  • Modify ESM options

  • Perform upgrades or register agents with managers

System administrator

  • Modify own password

Security officer

  • Modify own password

Register only

  • Register agents with managers

Although the Register only account contains all access rights, you cannot use this account to connect to a manager from the ESM console. Users can register agents only with the installation program or the register program.
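
A drift check against the documented defaults, as an added example that is not part of the Symantec documentation: it compares each account's granted rights with the policy-access and advanced-manager defaults listed above and reports anything extra. The account record layout and the sample accounts are constructed for illustration and are not an ESM export format.

```python
# Added example: default rights transcribed from this page's policy-access and
# advanced-manager tables, keyed by account type.
ALL_POLICIES = "Assign to all current and future policies"
DEFAULTS = {
    "Read-only": {
        "policy": {"View", ALL_POLICIES},
        "manager": {"Modify own password"}},
    "ESM administrator": {
        "policy": {"View", "Modify", "Run", ALL_POLICIES, "Create new policies"},
        "manager": {"Manage user rights", "Modify own password", "Modify ESM options",
                    "Perform upgrades or register agents with managers"}},
    "System administrator": {
        "policy": {"View", "Run", ALL_POLICIES},
        "manager": {"Modify own password"}},
    "Security officer": {
        "policy": {"View", "Modify", "Run", ALL_POLICIES, "Create new policies"},
        "manager": {"Modify own password"}},
    "Register only": {
        "policy": {"Modify", ALL_POLICIES, "Create new policies"},
        "manager": {"Register agents with managers"}},
}

def audit(accounts):
    """Return (name, area, right) for every right beyond the account type's default."""
    findings = []
    for acct in accounts:
        # An account type with no documented default gets an empty baseline,
        # so every right it holds is reported.
        baseline = DEFAULTS.get(acct["type"], {})
        for area, granted in acct["rights"].items():
            for right in sorted(set(granted) - baseline.get(area, set())):
                findings.append((acct["name"], area, right))
    return findings

# Constructed sample: hypothetical account records, not an ESM export format.
SAMPLE = [
    {"name": "ops1", "type": "System administrator",
     "rights": {"policy": ["View", "Run", "Modify"], "manager": ["Modify own password"]}},
    {"name": "sec1", "type": "Security officer",
     "rights": {"policy": ["View", "Modify", "Run"],
                "manager": ["Modify own password", "Manage user rights"]}},
    {"name": "aud1", "type": "Read-only",
     "rights": {"policy": ["View"], "manager": ["Modify own password"]}},
]

if __name__ == "__main__":
    for name, area, right in audit(SAMPLE):
        print(f"{name}: extra {area} right {right!r}")
```

The two findings on the sample are the cases that erode the separation of duties: a system administrator who can modify policies, and a security officer who can manage user rights.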