Profile a device to an Endpoint group outside of "Profiled Endpoints"

ketigges
Cisco Employee

Is there a way to automatically profile a device into a higher-level predefined Endpoint Group?

i.e.

- Device Group A --> I want to put it here and not underneath "Profiled Devices"
- Device Group B
- Profiled Devices
  - Windows Machines
  - MAC Machines
  - ESXI Hosts
  - etc.

Yes I know we can move an endpoint to another group, no issues there.

The reason for this is I'm defining RBAC for different departments to be able to manage their own devices, but nobody else's. i.e. a Biomedical department that manages medical devices in a hospital should be able to add / delete medical devices, but not other devices.

This works well, as long as I assign the Menu Data Access to only the device group at the top tier.  Granting them access to a device group under the "Profiled Devices" hierarchy in turn grants them access to view and modify everything under profiled devices.

Granting up a level where there is no sub tree displays and only allows them to edit the specific device group, which is what the customer wants. Having a person with more admin rights move the profiled devices to the upper level group isn't operationally feasible, as they do not want to involve general "IT" in the management of their endpoints. Yes, we can add devices manually or import them, but we want to take advantage of profiling so they can minimize the touch.

This may be a simple task, but I can't seem to get a device to profile, and populate something outside of the "Profiled Endpoints" group.

Any thoughts are appreciated.

Thanks

Accepted Solution

Craig Hyps
Level 10

The option to automatically map profile to endpoint ID group via the "Yes, create matching Identity Group" option is limited to the Profiled category.  You cannot override that. Current logic is to create all of these dynamic profile groups under the same top level group "Profiled".

It is possible to create a script that automatically assigns devices in a specific profile to a select ID group via the ERS API, but then you should not use the profiler auto ID group option. Devices will be dynamically added/removed based on matching profile using the "Create matching ID group" option. It is not static unless you create exception actions and apply them to the profile.

Craig

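An added example of the ERS-based approach Craig describes (not code from the thread or from Cisco): resolve a profiler profile and a target endpoint identity group by name, then move every endpoint in that profile into the group with a static group assignment so the profiler does not move it back. The host, the ERS account, and the profileId filter on the endpoint resource are assumptions; the decision logic is kept in a pure function so it can be checked offline.

```python
"""Added example, not from the thread or from Cisco: assign every endpoint that matches
a profiler profile to a chosen endpoint identity group through the ISE ERS API.
Assumes ERS is enabled (port 9060) and a dedicated, least-privilege ERS admin account."""
import base64, json, urllib.parse, urllib.request

ISE = "https://ise.example.com:9060"                       # placeholder PAN address
AUTH = "Basic " + base64.b64encode(b"ers-admin:PLACEHOLDER").decode()
HDRS = {"Accept": "application/json", "Content-Type": "application/json",
        "Authorization": AUTH}

def ers(method, url, body=None):
    # One ERS call. TLS is verified by urllib by default; leave it that way.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=HDRS, method=method)
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.loads(r.read() or b"{}")

def ers_search(path, flt):
    # Follow ERS paging (nextPage links) and return every SearchResult resource.
    url, out = f"{ISE}{path}?filter={urllib.parse.quote(flt)}", []
    while url:
        sr = ers("GET", url)["SearchResult"]
        out += sr.get("resources", [])
        url = sr.get("nextPage", {}).get("href")
    return out

def lookup_id(path, name):
    # Resolve a profiler profile or endpoint group name to its id; refuse ambiguity.
    res = ers_search(path, f"name.EQ.{name}")
    if len(res) != 1:
        raise LookupError(f"{name}: expected exactly 1 match, got {len(res)}")
    return res[0]["id"]

def select_moves(endpoints, profile_id, group_id):
    # Pure decision logic over ERSEndPoint dicts: build PUT bodies only for endpoints in the
    # profile not yet in the group and not placed statically by an admin (never overwrite those).
    return [{"ERSEndPoint": {"id": e["id"], "mac": e["mac"], "groupId": group_id,
                             "staticGroupAssignment": True}}
            for e in endpoints
            if e.get("profileId") == profile_id and e.get("groupId") != group_id
            and not e.get("staticGroupAssignment")]

def move_profile_to_group(profile_name, group_name):
    pid = lookup_id("/ers/config/profilerprofile", profile_name)
    gid = lookup_id("/ers/config/endpointgroup", group_name)
    # Assumption: the endpoint resource accepts a profileId filter. Search hits carry
    # only id/name/link, so each full record is fetched before deciding.
    full = [ers("GET", h["link"]["href"])["ERSEndPoint"]
            for h in ers_search("/ers/config/endpoint", f"profileId.EQ.{pid}")]
    moves = select_moves(full, pid, gid)
    for body in moves:
        ers("PUT", f"{ISE}/ers/config/endpoint/{body['ERSEndPoint']['id']}", body)
    return len(moves)
```

Run it on a schedule as `move_profile_to_group("<profile name>", "<group name>")`; because each moved endpoint gets staticGroupAssignment, the RBAC-scoped department sees it under its own group and the profiler's "create matching Identity Group" behaviour no longer applies to it.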

2 Replies


paul
Level 10

You can use RBAC to lock down at whatever level you want; you just have to remember that you need to give them read/write access to move them out of the current identity group assignment.

I was easily able to lock down an RBAC group to only be able to control the Android profiled group on the Identity group.  I gave myself Context Visibility->Endpoints and Identity Management->Groups menu access and access to read/write the Unknown, Profiled top level and Android under Profiled.  All other identity groups under profiled had no access and all other groups had no access.

I was able to assign a MAC address that was in the Unknown or general Profiled category to the Android group just fine. If the MAC address was in one of the profiled subfolders I couldn't see it nor manipulate it.