2012-04-27 06:26 AM
Customer would like to restrict access to users who are not logged into the system. They are concerned about alarm emails sent to large distribution lists and they want to prevent users from being able to make changes on the system when they are not logged in.
I would think they could do this by removing privileges to the "Everyone" account, but what would our recomemndation be for admins who want to lock down the system to users who are not logged in? What roles/capabilities would be required to present a screen with no visibility into the Operations Manager GUI for users who are not logged in? They would like to restrict visibility to system names, reports, events, etc...
2012-04-28 04:55 AM
1. Can you paste the output of "dfm user list"?
2. Yes, do not provide any roles for everyone. Any user who logs in through CLI will go through RBAC privileges except for Administrator and Domain Administrator of that server.
3. If other users are part of windows administrator group, then even if you remove all the roles from Everyone, through UI alone they can access everything. There is a BURT for this 257432 which is getting fixed in OnCommand 5.1 to provide enhanced security and much reliability.