Disabling local operators

Starting from BigFix Version 10.0.8, this feature provides a mechanism that prohibits the creation and use of any local operator in favor of LDAP-based operators.

When the local operators are disabled:
  • Logging in to the BigFix Console, Web Reports, REST API and WebUI with a local operator is not allowed. Logging in with LDAP users is allowed.
  • It is not possible to modify local or LDAP operators (for example, create a new operator, set explicit permissions, or directly associate BigFix roles with LDAP users).
  • Roles are inherited according to the association between LDAP groups and BigFix roles.

Prerequisites:

Before disabling local operators and working only with LDAP users, make sure that the following prerequisites are met:
  1. Web Reports has been launched at least once in order to create a local administrative user.
  2. An LDAP server has been configured on the BigFix Console and Web Reports.
  3. LDAP groups have been associated with BigFix roles on the BigFix Console and Web Reports.
  4. At least one LDAP group has been associated with a BigFix role having Master Operator permissions on the BigFix Console.
  5. At least one LDAP group has been associated with the Administrator role on Web Reports.
  6. After you have disabled all local operators using the "Disabling local operators" feature, it is nevertheless required that:
    • At least one Local Master Operator must exist in the BigFix deployment.
    The Local Master Operator that still exists does not represent an issue, because it cannot be used until it is enabled.

Affected Components:

The BigFix components affected by this feature are the following:

Note:

If, for any reason, the information needed to disable the local operators is not present in the BigFix Database or is corrupted, it will not be possible to access the BigFix Console, Web Reports, REST API and WebUI with either local operators or LDAP users.

Workaround:

To solve this issue, launch the BigFix Administration tool to enable or disable the local operators. For details, see the securitysettings described in BESAdmin Windows Command Line and BESAdmin Linux Command Line.

Limitations:

  • When the local operators are disabled, it is not possible to log in to the REST API and SOAP API using a local operator. If you configure REST API or SOAP API credentials for the BES Server Plugin Service with a local operator and the local operators are disabled, the service will not work properly.
  • When SAML authentication is configured and the local operators are disabled, it is not possible to use REST APIs and 4-eyes authentication.