The only way to limit access to Machine Groups is to set the user as Scan and Report Only, Deploy and Report Only or Report Only. It's not possible to get that granular in the current release, we do intend on expanding on this in a future release. It would be a good idea to submit a feature request.
The basics are:
- Administrator: Full access to all features of the program. Only an administrator user can modify the roles assigned to other users.
- Full User: Access to all features except for the ability to administer roles.
- Scan and Report Only: Can perform patch scans and can generate reports.
- Deploy and Report Only: Can perform patch deployments and can generate reports.
- Report Only: Can generate reports
You could set Tools > Options > Display > Show only items created by me. This would help prevent admins modifying other users items.
I know in the AppSense world Object based Security was a big feature with Enterprise Customers in our AMC. I will submit a feature request.
So please give me some advice.
Do I go back and just say - install two consoles, one with a machine group containing the servers, managed by the server team, and a second one with a machine group containing workstations managed by the workstation team ? Is that able to be done with one license key ?
Thanks in advance.
I agree the feature needs to be expanded. Give me the feature request number and I will get some feedback from the Product Manager on it.
The only method of preventing admins from modifying other admins Machine Groups but still allowing them access to everything else is to use separate consoles, pointing to a separate database. You can setup Data Rollup to rollup the scan/deployment data to one of the consoles for centralized reporting. Technically, you purchase the number of consoles you can install on.
I would say most of our customers enable the option Tools > Options > Display > Show only items created by me, and trust the admins will behave themselves.