Configure role-based access control for managing Drive Encryption

ePolicy Orchestrator administrator rights management determines what administrators can do while managing the Drive Encryption software.

The administrator can set up Drive Encryption-specific permission sets for different users in ePolicy Orchestrator. Permission sets can be created for a variety of roles, including but not restricted to Executive Reviewer, Global Reviewer, Group Admin, and Group Reviewer. The Drive Encryption extension enables ePolicy Orchestrator administrators to control the Drive Encryption systems that are managed through ePolicy Orchestrator.

The McAfee ePO administrator for Drive Encryption can:

  • Manage Drive Encryption users, policies and server settings
  • Run queries to view the encryption status of the client systems
  • View client system audits
  • View McAfee user audits
  • Manage Drive Encryption providers

Administrative roles can be configured and implemented using the Menu | User Management | Permission Sets option in ePolicy Orchestrator. It is possible to configure a number of admin roles using this option. For example, you can create admin roles such as:

  • Drive Encryption Administrator: User accounts in this level have full control of Drive Encryption, but cannot manage any other software in ePolicy Orchestrator.
  • Drive Encryption Helpdesk: User accounts in this level can do Drive Encryption password resets only.
  • Drive Encryption Engineer: User accounts in this level can do password resets as well as export recovery files to be used with the DETech tool.
  • Drive Encryption Auditor: User accounts in this level can view Drive Encryption reports only.

For more information on configuring roles, see the documentation for the relevant version of ePolicy Orchestrator.

Before you begin:

  • Make sure that your LDAP server is configured and registered in ePolicy Orchestrator.
  • Make sure that you schedule and run the LdapSync: Sync across users from LDAP task.
  • Make sure that you enable the Active Directory User Login option in ePolicy Orchestrator. To enable it, navigate through Menu | Configuration | Server Settings | Active Directory User Login | Edit, then select the Allow Active Directory users to login if they have at least one permission set option.

You can create different roles, each with its own Drive Encryption permission set, and assign those permission sets to different users.

To verify the configured permission sets, log off from ePolicy Orchestrator, then log on with a user account that belongs to any one of the new roles.

Note: When logging on to ePolicy Orchestrator, enter the user name in the correct format.