About assigning access rights to the manager accounts

When you create or modify a manager user account, you give the account-specific access rights to domains, to policies, and to templates. Users can perform only those functions that these access rights allow.

The Account wizard automatically assigns access rights when you create a new account on the manager. You can modify existing accounts by assigning the access rights that are specific to job responsibilities. You should assign to manager accounts only the minimum rights that users need to perform their assigned tasks. For example, you can set up an account with permissions to manage a single domain or policy. You can then restrict the user from viewing unauthorized domains or policies.

Before you can assign access rights to a manager account, you must log on to the manager using an account that already has those rights. Symantec ESM does not let you exceed the access rights of the account that is in use. Access rights apply only to the manager and to the nodes directly beneath the manager on the enterprise tree.

Note:

Due to the security that the manager logon requirements provide, ESM console users can freely add, or remove regions and managers.

Symantec ESM applies the access rights for a manager account when a user connects the ESM console to the manager. If you change the access rights of the accounts, the active account users do not see the change until they do the following:

Symantec ESM provides the following privilege categories:

The following tables describe the access rights that Symantec ESM provides for domains:

Table: Privilege categories and assignable domain rights

Privilege category

Assignable rights

Domain

View

This right lets you see the domain and the policy run summaries on the agents in the domain. Symantec ESM displays the domain only if the account has View access.

Modify

This right lets you remove an existing domain from domains, or an agent from the domain. You can do the following if you have the Create New Domains access rights enabled:

  • Create a new domain.

  • Copy a current domain.

  • Delete an existing domain.

  • Add an agent to an existing domain.

You cannot change the default system domains such as All Agents, and NT Agents.

Run Policies

This right lets you run policies on agent computers in the domain if you also have the Run access rights enabled in policies. The Policy Run wizard can lead you through the process of starting or scheduling policy runs.

Snapshot Updates

This right lets you update snapshots, templates, and name lists.

Apply to all domains

This right lets you apply changes to all current and future domains.

Create new domains

This right lets you create new domains.

Note:

Any user with the View access rights to domains can correct the policy report items from the Symantec ESM. To correct the report items, you need to log on to the agent computer using an account with administrative, supervisory, or superuser privileges .

Table: Privilege categories and assignable policy rights describes the access rights that Symantec ESM provides for policies.

Table: Privilege categories and assignable policy rights

Privilege category

Assignable rights

Policy

View

This right lets you see the policy. Symantec ESM displays the policy only if the account has View access.

Modify

This right lets you do the following:

  • Add or remove modules in policies.

  • Enable or disable security checks in modules.

  • Edit the name lists and the templates that are associated with checks.

  • Delete the policies, if the account has the Modify and the Create New Policies access rights enabled.

Run

This right lets you run policies on agent computers in the domain if you also have the Run Policies access rights enabled in domains. The Policy Run wizard can lead you through the process of starting or scheduling policy runs.

Assign to all current and future policies

This right lets you apply changes to all current and future policies.

Create new policies

This right lets you create new policies.

Table: Privilege categories and assignable template rights describes the access rights that Symantec ESM provides for templates.

Table: Privilege categories and assignable template rights

Privilege category

Assignable rights

Template

View

This right lets you see the template. Symantec ESM displays the template only if the account has View access.

Modify

This right lets you add, change, or remove the following if the account also has the Create New Templates access rights enabled:

  • Templates

  • Directories

  • Files

  • Registry keys or their related sublists

Assign to all templates

This right lets you apply changes to all current and future templates.

Create new templates

This right lets you create new templates.

Table: Privilege categories and advanced manager rights describes the access rights that Symantec ESM provides for administering Symantec ESM.

Table: Privilege categories and advanced manager rights

Privilege category

Assignable rights

Advanced manager rights

Manager user rights

This right lets you change the access rights of any account on the manager except the default superuser account. You can also change password configuration requirements.

Modify own password

This right lets you change account passwords. New passwords must comply with password configuration requirements.

Modify ESM options

This right lets you change audit log configuration and manager sumfinal database options. You can also assign manager licenses.

Perform upgrades

This right lets you upgrade the agent software on remote computers.

Register agents with managers

This right lets you use the installation program or the register program to register an agent to the manager. User accounts with this right should have no other access rights.

Note:

You can modify the pre-defined access rights that ESM provides.

[an error occurred while processing this directive]