How users, groups, and permission sets fit together

McAfee ePO controls access to items using interactions between users, groups, and permission sets.

A user account grants logon access to the McAfee ePO console and, when mapped to a permission set, defines what the user is allowed to access. Administrators can create accounts for individual users and assign permissions, or they can create a permission set that maps to users or groups in your Active Directory/NT server.

McAfee ePO users fall into two general categories. Either they are administrators, having full rights throughout the system, or they are regular users. Regular users can be assigned any number of permission sets to define their access levels in McAfee ePO.

Administrators

Administrators have read and write permissions and rights to all operations. When you install the server, an administrator account is created automatically. By default, the user name for this account is admin. If the default value is changed during installation, this account is named accordingly.

You can create additional administrator accounts for people who require administrator rights.

Permissions exclusive to administrators include:

  • Create, edit, and delete source and fallback sites.
  • Change server settings.
  • Add and delete user accounts.
  • Add, delete, and assign permission sets.
  • Import events into McAfee ePO databases and limit events that are stored there.

Users

Users can be assigned any number of permission sets to define their access levels in McAfee ePO.

User accounts can be created and managed in several ways. You can:

  • Create user accounts manually, then assign each account an appropriate permission set.
  • Configure your McAfee ePO server to allow users to log on using Windows authentication.

Allowing users to log on using their Windows credentials is an advanced feature that requires configuration and setup of multiple settings and components.

Groups

Queries and reports are assigned to groups. Each group can be private (to that user only), globally public (or "shared"), or shared to one or more permission sets.

Permission sets

A particular access profile is defined in a permission set. This profile usually involves a combination of access levels to various parts of McAfee ePO. For example, one permission set might grant the ability to read the Audit Log, use public and shared dashboards, and create and edit public reports or queries.

Permission sets can be assigned to individual users, or if you are using Active Directory, to all users from specific Active Directory servers.

Default permission sets

McAfee ePO provides these four default permission sets, which grant permissions to its functionality.

  • Executive Reviewer — Provides view permissions to dashboards, events, and contacts, and to information that relates to the whole System Tree.
  • Global Reviewer — Provides view access globally across functionality, products, and the System Tree, except for extensions, multi-server roll up data, registered servers, and software.
  • Global Admin — Provides view and change permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to needed products and groups of the System Tree.
  • Group Reviewer — Provides view permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to needed products and groups of the System Tree.

A user group administrator or the global administrator can edit the canned permission sets as required.

When you upgrade a product extension:

  • An edited canned permission set for the product is retained with the default canned permission set.
  • A deleted permission set for the product is added again.
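
The administrator and default permission set descriptions above can be turned into a periodic access review. The following is an added example, not McAfee code: the record layout (name, admin, permission_sets), the sample accounts, and the custom set "Workstations EMEA" are constructed assumptions, not an ePO export format.

```python
# Access review over a constructed list of ePO accounts.
# Assumption: each record has a name, an administrator flag, and the
# names of its assigned permission sets. This is not an ePO export format.

# Default sets that, per the descriptions above, need at least one more
# permission set granting access to products and System Tree groups.
NEEDS_COMPANION = {"Global Admin", "Group Reviewer"}
DEFAULT_ADMIN_NAME = "admin"  # default name of the account created at install

SAMPLE_USERS = [  # constructed sample data
    {"name": "admin", "admin": True, "permission_sets": []},
    {"name": "jsmith", "admin": True, "permission_sets": []},
    {"name": "soc-analyst", "admin": False, "permission_sets": ["Global Reviewer"]},
    {"name": "helpdesk", "admin": False, "permission_sets": ["Group Reviewer"]},
    {"name": "ops-lead", "admin": False,
     "permission_sets": ["Global Admin", "Workstations EMEA"]},  # hypothetical custom set
    {"name": "contractor", "admin": False, "permission_sets": []},
]


def review_accounts(users):
    """Return (account, finding) pairs for an access review."""
    findings = []
    for user in users:
        name = user["name"]
        sets = set(user["permission_sets"])
        if user["admin"]:
            # Administrators have rights to all operations, so every such
            # account is listed for justification by the reviewer.
            if name.lower() == DEFAULT_ADMIN_NAME:
                findings.append((name, "default-admin-name"))
            findings.append((name, "full-administrator"))
            continue
        if not sets:
            # Can log on, but nothing defines what the account may access.
            findings.append((name, "no-permission-set"))
        elif sets <= NEEDS_COMPANION:
            # Holds only sets that require a companion set to be usable.
            findings.append((name, "missing-companion-set"))
    return findings


if __name__ == "__main__":
    for account, finding in review_accounts(SAMPLE_USERS):
        print(f"{account}: {finding}")
```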