Privileges Assigned by Installer

The following privileges are assigned to the user accounts by the Privilege Management Reporting Database Installer.

User Account    Privileges Assigned by the Installer
EventParser     Write access to certain database tables
                Membership of local Event Log Readers group
ReportReader    Read and Execute on the appropriate database objects
DataAdmin       Read and Execute on the appropriate database objects
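
To check what the installer actually granted, the following query lists every permission the three accounts hold, directly or through database roles, and marks anything beyond what is listed above for review. It is an added example, not BeyondTrust's own code; it assumes the reporting database runs on Microsoft SQL Server, and the EXAMPLE\ principal names are placeholders for the accounts in your environment.

```sql
-- Added example. Assumptions: Microsoft SQL Server, executed inside the
-- reporting database; principal names are placeholders to replace.
DECLARE @accounts TABLE (principal_name sysname PRIMARY KEY, may_write bit);
INSERT INTO @accounts VALUES
    (N'EXAMPLE\EventParser',  1),  -- write access to certain tables
    (N'EXAMPLE\ReportReader', 0),  -- read and execute only
    (N'EXAMPLE\DataAdmin',    0);  -- read and execute only

-- Each account plus every database role it belongs to, directly or nested.
WITH grantees AS (
    SELECT a.principal_name, a.may_write, p.principal_id
    FROM @accounts AS a
    JOIN sys.database_principals AS p ON p.name = a.principal_name
    UNION ALL
    SELECT g.principal_name, g.may_write, rm.role_principal_id
    FROM grantees AS g
    JOIN sys.database_role_members AS rm
      ON rm.member_principal_id = g.principal_id
)
SELECT g.principal_name,
       via.name AS granted_via,        -- the account itself or a role
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE WHEN pe.class = 1          -- 1 = object or column
            THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
       END AS object_name,
       CASE
           -- Fixed roles (db_owner, db_datawriter, ...) carry implicit
           -- rights that never appear in sys.database_permissions.
           WHEN via.is_fixed_role = 1 THEN N'REVIEW (fixed role)'
           WHEN pe.permission_name IS NULL THEN N'ok (no explicit grants)'
           WHEN pe.state = 'D' THEN N'ok (deny)'
           WHEN pe.permission_name IN (N'CONNECT', N'SELECT', N'EXECUTE')
               THEN N'ok'
           WHEN g.may_write = 1 AND pe.class = 1
                AND pe.permission_name IN (N'INSERT', N'UPDATE', N'DELETE')
               THEN N'ok (write)'
           ELSE N'REVIEW'
       END AS verdict
FROM grantees AS g
JOIN sys.database_principals AS via ON via.principal_id = g.principal_id
LEFT JOIN sys.database_permissions AS pe
       ON pe.grantee_principal_id = g.principal_id
ORDER BY verdict DESC, g.principal_name, object_name;
```

Rows marked REVIEW are not necessarily wrong; they are grants wider than read, execute, or (for EventParser) table-level writes, and should be compared against the vendor's installation guide.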

Privilege Management Permissions

Permissions that can be configured for each Privilege Management for Mac permission set are:

  • Privilege Management
  • Privilege Management Policy
  • Policy Assignment Rule
  • Policy Management

To configure user permissions for Privilege Management for Mac in the ePO Server:

Set Owner

Users who administer Privilege Management Reports or Workstyles need to be members of the permission sets that you configure.

  1. In McAfee ePolicy Orchestrator, navigate to Menu > Policy > Policy Catalog.
  2. Select the policy row of the policy you wish to configure (do not click Edit - click the row of the policy). A Policy Details tab opens to the right, with a clickable Owner link.
  3. Click the Owner link. The Policy Ownership page opens.
  4. Check the boxes of the users you wish to make owners of the policy.
  5. Click Save.

Configure Permissions

  1. In McAfee ePolicy Orchestrator, navigate to Menu > User Management > Permission Sets.
  2. On the Permission Sets page, select the permission set that you want to configure from the left side.

Privilege Management

  1. Locate BeyondTrust Privilege Management in the list and click Edit on the right side.
  2. If users in this group are to administer Privilege Management Reporting only:

    Select Run permission for BeyondTrust Privilege Management and click Save on the bottom-right.

  3. If users in this group are to administer the Privilege Management ePO Response Generator only:

    Select Run permission for BeyondTrust Response Generator and click Save on the bottom-right.

  4. If users in this group are to administer both Privilege Management Reporting and the Privilege Management ePO Response Generator:

    Select Run permissions for BeyondTrust Privilege Management and for Response Generator, and click Save on the bottom-right.

  5. If you don't want users in this group to be able to administer Privilege Management Reports or the Privilege Management ePO Response Generator:

    Select No permissions and click Save on the bottom-right.

Privilege Management Policy

  1. Locate BeyondTrust Privilege Management Policy in the list and click Edit on the right-hand side.
  2. If users in this group are to edit Privilege Management policy and Workstyles:

    Select View and change task settings and click Save on the bottom-right.

  3. If users in this group are to read but not edit the Privilege Management policy and Workstyles:

    Select View settings and click Save on the bottom-right.

  4. If you don't want users in this group to be able to read or edit Privilege Management policy and Workstyles:

    Select No permissions and click Save on the bottom-right.

Policy Assignment Rule

  1. Locate Policy Assignment Rule in the list and click Edit on the right side.
  2. If users in this group will be administering policy rules:

    Select View and Edit Rules in the list and click Save on the bottom-right.

  3. If users in this group will be viewing but not administering policy rules:

    Select View Rules in the list and click Save on the bottom-right.

  4. If you don't want users in this group to be able to view or administer policy rules:

    Select No permissions and click Save on the bottom-right.

You have now added the permissions you require to administer Privilege Management Workstyles and the Privilege Management ePO Response Generator.

Policy Management

The Policy Management permission lets you define which users can make policy changes independently, including the ability to approve or reject policy change requests.

  1. Locate Policy Management in the list and click Edit on the right side.
  2. If users in this group are not to have permission to make policy changes independently:

    Select "No Permission - Users with this permission must submit policy changes for approval" and click Save on the bottom-right.

  3. If users in this group are to be able to make policy changes independently and can approve or reject policy requests:

    Select "Approver Permission - Users with this permission can make policy changes independently. This includes the ability to approve or reject policy change requests" and click Save on the bottom-right.