About assigning access rights to the manager accounts
When you create or modify a manager user account, you give the account specific access rights to domains, to policies, and to templates. Users can perform only those functions that these access rights allow.
The Account wizard automatically assigns access rights when you create a new account on the manager. You can modify existing accounts by assigning the access rights that are specific to job responsibilities. You should assign to manager accounts only the minimum rights that users need to perform their assigned tasks. For example, you can set up an account with permissions to manage a single domain or policy. You can then restrict the user from viewing unauthorized domains or policies.
Before you can assign access rights to a manager account, you must log on to the manager using an account that already has those rights. Symantec ESM does not let you exceed the access rights of the account that is in use. Access rights apply only to the manager and to the nodes directly beneath the manager on the enterprise tree.
Note: Due to the security that the manager logon requirements provide, ESM console users can freely add or remove regions and managers.
Symantec ESM applies the access rights for a manager account when a user connects the ESM console to the manager. If you change the access rights of the accounts, the active account users do not see the change until they do the following:
Symantec ESM provides the following privilege categories:
- Domains
- Policies
- Templates
- Advanced manager rights
The following tables describe the access rights that Symantec ESM provides for domains:
Table: Privilege categories and assignable domain rights
| Privilege category | Assignable rights |
|---|---|
| Domain | View: This right lets you see the domain and the policy run summaries on the agents in the domain. Symantec ESM displays the domain only if the account has View access. |
| | Modify: This right lets you remove an existing domain from domains, or an agent from the domain. You can do the following if you have the Create New Domains access rights enabled: You cannot change the default system domains such as All Agents, and NT Agents. |
| | Run Policies: This right lets you run policies on agent computers in the domain if you also have the Run access rights enabled in policies. The Policy Run wizard can lead you through the process of starting or scheduling policy runs. |
| | Snapshot Updates: This right lets you update snapshots, templates, and name lists. |
| | Apply to all domains: This right lets you apply changes to all current and future domains. |
| | Create new domains: This right lets you create new domains. |
Note: Any user with the View access rights to domains can correct the policy report items from the Symantec ESM. To correct the report items, you need to log on to the agent computer using an account with administrative, supervisory, or superuser privileges.
Table: Privilege categories and assignable policy rights describes the access rights that Symantec ESM provides for policies.
Table: Privilege categories and assignable policy rights
| Privilege category | Assignable rights |
|---|---|
| Policy | View: This right lets you see the policy. Symantec ESM displays the policy only if the account has View access. |
| | Modify: This right lets you do the following: add or remove modules in policies; enable or disable security checks in modules; edit the name lists and the templates that are associated with checks; delete the policies, if the account has the Modify and the Create New Policies access rights enabled. |
| | Run: This right lets you run policies on agent computers in the domain if you also have the Run Policies access rights enabled in domains. The Policy Run wizard can lead you through the process of starting or scheduling policy runs. |
| | Assign to all current and future policies: This right lets you apply changes to all current and future policies. |
| | Create new policies: This right lets you create new policies. |
Table: Privilege categories and assignable template rights describes the access rights that Symantec ESM provides for templates.
Table: Privilege categories and assignable template rights
| Privilege category | Assignable rights |
|---|---|
| Template | View: This right lets you see the template. Symantec ESM displays the template only if the account has View access. |
| | Modify: This right lets you add, change, or remove the following if the account also has the Create New Templates access rights enabled: |
| | Assign to all templates: This right lets you apply changes to all current and future templates. |
| | Create new templates: This right lets you create new templates. |
Table: Privilege categories and advanced manager rights describes the access rights that Symantec ESM provides for administering Symantec ESM.
Table: Privilege categories and advanced manager rights
| Privilege category | Assignable rights |
|---|---|
| Advanced manager rights | Manager user rights: This right lets you change the access rights of any account on the manager except the default superuser account. You can also change password configuration requirements. |
| | Modify own password: This right lets you change account passwords. New passwords must comply with password configuration requirements. |
| | Modify ESM options: This right lets you change audit log configuration and manager sumfinal database options. You can also assign manager licenses. |
| | Perform upgrades: This right lets you upgrade the agent software on remote computers. |
| | Register agents with managers: This right lets you use the installation program or the register program to register an agent to the manager. User accounts with this right should have no other access rights. |
Note: You can modify the pre-defined access rights that ESM provides.
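The rules stated in the text and tables above, modelled as an added example (this is not Symantec ESM code and uses no ESM API or export format): a policy run needs both Run Policies on the domain and Run on the policy, an account cannot grant rights it does not hold, and an account with Register agents with managers should hold nothing else. The Account layout, the account names and "example-policy" are constructed for illustration, and the "apply to all" rights are not modelled.

```python
from dataclasses import dataclass, field

REGISTER = "Register agents with managers"

@dataclass
class Account:
    name: str
    domains: dict = field(default_factory=dict)   # domain -> set of rights
    policies: dict = field(default_factory=dict)  # policy -> set of rights
    advanced: set = field(default_factory=set)    # advanced manager rights

    def rights(self):
        """Flatten to (category, object, right) tuples for set comparison."""
        out = {("domain", d, r) for d, rs in self.domains.items() for r in rs}
        out |= {("policy", p, r) for p, rs in self.policies.items() for r in rs}
        return out | {("advanced", "manager", r) for r in self.advanced}

def can_run(acct, domain, policy):
    """A run needs Run Policies on the domain and Run on the policy."""
    return ("Run Policies" in acct.domains.get(domain, set())
            and "Run" in acct.policies.get(policy, set()))

def excess_grant(grantor, target):
    """Rights requested for target that the logged-on grantor lacks."""
    return target.rights() - grantor.rights()

def audit(acct):
    """Findings against the rules stated in the rights tables."""
    findings = []
    if REGISTER in acct.advanced and len(acct.rights()) > 1:
        findings.append("register-agents account holds other rights")
    for kind, table in (("domain", acct.domains), ("policy", acct.policies)):
        for obj, rs in table.items():
            if rs and "View" not in rs:
                findings.append(f"{kind} {obj}: not displayed without View")
    runs_domain = any("Run Policies" in rs for rs in acct.domains.values())
    runs_policy = any("Run" in rs for rs in acct.policies.values())
    if runs_domain != runs_policy:
        findings.append("only one half of the Run Policies/Run pair is set")
    return findings

# Constructed sample accounts; "example-policy" is a made-up policy name.
admin = Account("admin", {"NT Agents": {"View", "Modify", "Run Policies"}},
                {"example-policy": {"View", "Run"}}, {"Manager user rights"})
operator = Account("operator", {"NT Agents": {"View", "Run Policies"}},
                   {"example-policy": {"View"}})
installer = Account("installer", {"NT Agents": {"View"}}, advanced={REGISTER})

if __name__ == "__main__":
    for a in (admin, operator, installer):
        print(a.name, audit(a) or "ok")
    print("operator -> installer excess:", excess_grant(operator, installer))
```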