Hello Ian Wilcox!
To prevent the cloned role from seeing all available computer resources, you need to:
1. Create a custom org view and org group to which only the appropriate computers, resources, etc. will be added. (This org group will be used for the cloned role, so only these resources will be shown in the SMP Console for this cloned role.)
Example
2. Open the "Security role manager" page for "Cloned Patch Management Rollout role" > choose "Resources" and uncheck the "Read" permission so that this role no longer has any read permissions for resources
Click the "Refresh" button
Click the "+" button to add only the custom Org group
Now this cloned role will see a limited amount of resources, according to the scope of the Org group that was added in the previous step
After all the changes made above, this "Cloned Patch Management Rollout role" role must change the default "Computer" org group to the only available org group to see report output
Now this cloned role is able to see report output only for the allowed scope of computers
Now you need to remove the "Delete" action for this "Cloned Patch Management Rollout role" role to prevent deletion of computers
Open the same "Security Role Manager" page for this cloned role, uncheck the "Read" permission for the "Right click Menu" folder, and save changes
Now click the "Refresh" button
Now click the "+" add button > choose the "Right click menu" folder and click ">>" to add the available right-click menus
Now type "Delete" in the list of added actions to remove the "Delete" action from the allowed list by clicking "<", and click "OK"
A confirmation dialog will appear, where you can click "OK"
Now this cloned role is unable to delete computers from reports (you can remove other right-click actions in the previous steps, like "Edit", etc.)
Best regards,
IP.
Original Message:
Sent: Mar 27, 2024 09:36 AM
From: Ian Wilcox
Subject: Access to patch compliance reports
Hi Igor, thanks for your response. This is intended to provide patch compliance visibility for one of our regions only so we need to ensure that they can only see the computers for that region and not computers in other regions. Do you know if it is possible to control this with this solution?
Original Message:
Sent: Mar 26, 2024 12:00 PM
From: Igor Perevozchikov
Subject: Access to patch compliance reports
Hi Ian Wilcox!
For such purposes we have a default security role, "patch management rollout".
This role is unable to distribute new software updates, update PM pre-import data, or perform new PM Import tasks.
The default "patch management rollout" role is able to manage only existing distributed Patch policies (modify, enable/disable policies).
To avoid this, you need to clone the default "patch management rollout" role and make sure that the appropriate account is a member of this cloned role only and is not a member of the default "patch management rollout" role or other default role(s).
Then open the security role manager for the cloned "Cloned patch management rollout" role and remove the write and enable policy permissions > save changes
Now all accounts that are only members of this cloned/modified "patch management rollout" role will be able to see all patch reports, etc., and will not be able to update PMimport data, distribute new patches or modify existing patch policies.
Best regards,
IP.
Original Message:
Sent: Mar 22, 2024 06:29 PM
From: Ian Wilcox
Subject: Access to patch compliance reports
Is it possible to provide users with read only access to the compliance reports in patch management? We would like to give some of our users access to view these reports but need to ensure they are not given administrator permissions or the ability to deploy updates.