Endpoint Protection

I'm in the process of setting up local and regional support people with restricted access to the SEPM console for reporting purposes. I've only granted permission to each admin to view reports. Based on the users location or region I then used the Reporting Rights to lock down what they have access to in the reports. I'm doing this by Client Groups since our clients are distributed with different client group names based on region and location. Keep in mind that I'm using SEPM to import SAV10.x logs. I also have a pilot group of SEP users and have a handful of different SEP groups under My Company. Anyways when an admin logs in to view reports they have access to the client groups that I assigned and no access to the other client groups that were not assigned. The issue is that they also have access to all SEP groups as well even though I didn't add them under the reporting rights.

Is this a bug?

 Have you created Administrators or Limited Administrators ?

• System Administrator

  Administrators with full access rights for all domains.

• Administrator

  Administrators with full access rights for a single domain. The only restriction you can configure for this type of administrator is for viewing reports for the computers that run Symantec AntiVirus 10.x and earlier.

• Limited Administrator

  Administrators with assigned access and permissions for specific groups. When you add a limited administrator, you can also define reporting rights, group rights, command rights, and policy rights

I'm using Limited Administrator, Only checking view reports, and then using the reporting rights to setup access to only certain SAV10 groups. This part is working since we have almost 100 different SAV groups but only the 4 that I'm allowing shows up under one of the limited admins. The problem is all of my SEP11 groups show up as well.

I went back and cleared the groups I was allowing in the reporting rights section and only entered one of my SEP 11 group names. When I login with this limited account I see all of my SEP11 groups so something isn't working with the reporting rights feature as it relates to SEP11

Ok it appears I resolved this by checking the manage groups option under the limited administrator. Then under group rights I set each group to No-Access.

So the question now is what happens when I want a limited administrator to only review reports for particular SEP groups? It appears the reporting rights only applies to SAV10.x clients.

When you create a user with limited rights then user can access the logs and report of allowed group only... 

You have to make sure that your have removed access to all other groups.

You can set the access rights to subgroup by right clicking on the group name when the selection box appears. Check these images. i created one user and assigned access rights to one group. in the reporting section i am able to see reports related to that group only.








 

I appreciate the response but I already figured this out... now the question has to do with reporting rights and SEP11. It appears the reporting rights only apply to SAV10.x