Understanding Permission Sets for Host Intrusion Prevention in McAfee ePolicy Orchestrator (ePO) 4.0
Abstract
McAfee® ePolicy Orchestrator® (ePO™ ) allows security administrators to grant permission to
users for specific products or features of a product. This centralized control for permission
setting minimizes the risk of error by the security team. It also reduces the number of places an
administrator has to go to make necessary changes to user permissions.
This tech note explains:
• How permission sets are defined in McAfee ePO
• McAfee Host Intrusion Prevention (HIPS) permission sets
• Various permission levels and what they mean to the user
• How to easily assign and modify permissions
Understanding Permission Sets in ePO
A permission set in McAfee ePO is a group of permissions granted to a user account for specific
products or features of a product. One can assign one or more permission sets to a user account.
When multiple permission sets are applied to a user account, they are combined into one.
For example, if one permission set does not provide any permission to server tasks, but another
permission set applied to the same account grants all permissions to server tasks, then that
account has all permissions to server tasks.
Global administrators are automatically assigned all permissions to all products and features.
Note that permission sets only grant permissions; they never remove permissions.
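The additive behaviour described above (sets are merged, and a merged set can only raise a section's level, never lower it) is easy to get wrong when reasoning about a user's effective rights. The following Python model, added here as an illustration and not code from McAfee or the ePO product, reproduces the server-task example from the text. The three-level ordering No Permissions < View Settings < View and Change Settings and the section names are taken from this brief; applying that single ordering to every section, and the small list of sections used as the "universe" for a global administrator, are this example's own simplifications.

```python
from enum import IntEnum


class Level(IntEnum):
    """Permission levels for one section, ordered lowest to highest."""
    NO_PERMISSIONS = 0
    VIEW_SETTINGS = 1
    VIEW_AND_CHANGE_SETTINGS = 2


# Section names as they appear in the brief; "Server tasks" is included so the
# server-task example can be reproduced. This list is a constructed universe.
HIPS_SECTIONS = (
    "Host Intrusion Prevention 7.0.0: Application Blocking",
    "Host Intrusion Prevention 7.0.0: Firewall",
    "Host Intrusion Prevention 7.0.0: General",
    "Host Intrusion Prevention 7.0.0: IPS",
)
ALL_SECTIONS = HIPS_SECTIONS + ("Server tasks",)


def effective_permissions(permission_sets, global_admin=False):
    """Merge the permission sets applied to one account into a single set.

    For each section the account keeps the highest level any set grants, so
    adding a set can never reduce what the account may do. A global
    administrator gets every section at the highest level regardless.
    """
    if global_admin:
        return {s: Level.VIEW_AND_CHANGE_SETTINGS for s in ALL_SECTIONS}
    effective = {}
    for pset in permission_sets:
        for section, level in pset.items():
            current = effective.get(section, Level.NO_PERMISSIONS)
            effective[section] = max(current, level)
    return effective


def never_reduces(base_sets, extra_set):
    """True if applying extra_set leaves every section at or above its old level."""
    before = effective_permissions(base_sets)
    after = effective_permissions(list(base_sets) + [extra_set])
    return all(after[s] >= lvl for s, lvl in before.items())


# Constructed sets that mirror the example in the text: one set grants nothing
# for server tasks, another applied to the same account grants everything.
HIPS_VIEWER = {s: Level.VIEW_SETTINGS for s in HIPS_SECTIONS}
HIPS_VIEWER["Server tasks"] = Level.NO_PERMISSIONS
SERVER_TASK_ADMIN = {"Server tasks": Level.VIEW_AND_CHANGE_SETTINGS}


def server_task_example():
    """Level the combined account ends up with for server tasks."""
    return effective_permissions([HIPS_VIEWER, SERVER_TASK_ADMIN])["Server tasks"]


if __name__ == "__main__":
    for section, level in effective_permissions([HIPS_VIEWER, SERVER_TASK_ADMIN]).items():
        print(f"{section}: {level.name}")
```

Because the merge is a per-section maximum, the only way to take a capability away from an account is to remove the set that grants it; there is no "deny" set to stack on top.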
Ways of Assigning Permission Sets in ePO
There are two ways in ePO 4.0 that global administrators can assign permissions:
1. They can assign permission sets while creating or editing user accounts.
2. They can assign permission sets while creating or editing permission sets.
Every point product adds a section to the permission sets. When the HIPS extension is installed,
it also adds a section to the permission sets with “no permissions” applied by default. It’s
up to the global administrator to make use of different permissions for HIPS and create new
permission sets.
Understanding HIPS Permission Sets
When you install the HIPS extension, it adds the following permission set section on the
Permission Sets page under the Configuration section of the ePO Console:
Host Intrusion Prevention 7.0
The following HIPS permissions appear on the page when you click the Edit link for this
permission set section:
1. Host Intrusion Prevention 7.0.0: Application Blocking
2. Host Intrusion Prevention 7.0.0: Firewall
3. Host Intrusion Prevention 7.0.0: General
4. Host Intrusion Prevention 7.0.0: IPS
Each of these four features can be assigned one of the common set of permissions:
• No Permissions
• View Settings
• View and Change Settings
How do the different permissions work for these HIPS features? What a user is able to do when a
particular permission is assigned is explained below.
No Permissions
If No Permissions is assigned for any of the above four features of HIPS, then the user will not
be able to view any of the HIPS components in the ePO Console. As an example, an individual
with these permissions will not be able to view or change any policies, events, or client rules
related to HIPS. Use this permission if you do not want to give any type of permission related to
HIPS to a particular user account in ePO.
View Settings
If View Settings is assigned for any of the above four features of HIPS, then the user will
be able to view only the policies and client rules related to HIPS in ePO Console. When this
permission is assigned, the user will not be able to change or edit any of the HIPS-related policies
or client rules.
For example, if you want to give an individual “view only” permission to the application
blocking feature of HIPS, you would select the View Settings radio button for the Host
Intrusion Prevention 7.0.0: Application Blocking component of the Host Intrusion
Prevention 7.0 permission set section.
By granting this permission, the user would be able to:
1. View the HIPS: Application Blocking policies only.
2. View the Host IPS tab under Reporting, and view only the Application Blocking
Client Rules.
Note: If a user needs to see the assignments of the HIPS Application Blocking policy for a
particular node in the ePO directory tree, you must also grant the following permissions
in the respective permission sections. The same permissions are required to view the Host
IPS tab under Reporting:
1. Systems: View System Tree tab.
2. System Tree access: select the groups (or My Organization) to which you want
to give the user access.
View and Change Settings
If View and Change Settings is assigned for any of the above four features of HIPS, then the
user will be able to view and edit the policies, client rules, and events related to HIPS in ePO
Console. This allows the user to modify or change any settings in the HIPS policy.
For example, if you want to create a user who has View and Change Settings permissions
for the firewall feature of HIPS, you would select the View and Change Settings radio
button for the Host Intrusion Prevention 7.0.0: Firewall component of the Host Intrusion
Prevention 7.0 section under Permission Sets.
By granting this permission, the user would be able to:
1. Edit, rename, duplicate, delete, and export the custom policies related to the firewall
feature of HIPS.
2. View and duplicate the default policies of the firewall.
3. View the Host IPS tab under the Reporting section, and view or edit the Firewall
Client Rules only.
Note: In order to view the Host IPS tab under the Reporting section, the following
permissions must be assigned as well:
1. Systems: View System Tree tab.
2. System Tree Access permission.
HIPS Permissions Assigned in ePO Default Permission Sets
ePO 4.0 ships with four default permission sets that provide permissions to ePO functionality.
The default permission sets, and what each grants for HIPS, are:
1. Executive Reviewer: Provides view-only permissions to public dashboards, events,
contacts, and public queries, and the ability to view information related to the entire system tree.
HIPS Permissions
• Does not have any kind of access to the HIPS extension
• Users assigned with this permission set cannot access any features of HIPS
2. Global Reviewer: Provides view-only access globally across functionality, products, and the
system tree, except for extensions, multi-server roll-up data, registered servers, and software.
HIPS Permissions
• Users assigned with this permission set can see the HIPS-related events under the
Host IPS tab present in the Reporting section
• Users can select these events to perform actions like Mark Hidden, Unhidden,
Read, and Unread, and Show Related Systems
• Users can view (not edit) the HIPS-related server task (provided the HIPS extension
is installed)
• Users can view the HIPS content package in the ePO Repository
• Users can view (but not edit) the HIPS-related policies and their assignments
3. Group Admin: Provides view and change permissions across ePO features. Users that
are assigned this permission set each require at least one more permission set that grants
access to needed products and groups of the system tree.
HIPS Permissions
• Users assigned with this permission set can see the HIPS-related events under the
Host IPS tab present in the Reporting section
• Users can select those events to perform actions like Mark Hidden, Unhidden,
Read, and Unread, and Show Related Systems
• Users can view the HIPS content package in the ePO Repository
• Users can modify HIPS-related policies and client tasks for the groups or nodes for
which they have permissions
• Users can view (but not edit) the HIPS-related server task (provided the HIPS
extension is installed)
• Users can create a new notification specifically for HIPS-related events
4. Group Reviewer: Provides view-only permissions across ePO features. Users that are
assigned this permission set each require at least one more permission set that grants access to
needed products and groups of the system tree.
HIPS Permissions
• Users assigned with this permission set can view only the HIPS-related server task
(provided the HIPS extension is installed)
Assigning Permissions to HIPS-Related ePO Features
There are various other HIPS-related ePO features to which permissions can be assigned.
The following table lists all of the HIPS-related ePO features. To access each feature, the
user also needs permissions in the permission sections shown in the second column. The kind
of permission you assign in these additional permission sections determines what the user
can do with the corresponding HIPS-related ePO feature.
HIPS-Related ePO Feature       Additional Permission Section(s) Required   Is It Mandatory?
HIPS dashboards                Dashboards                                  Yes
HIPS queries                   Queries                                     Yes
HIPS client tasks              Systems; System tree access                 Yes
HIPS server tasks              Server tasks                                Yes
HIPS packages in Repository    Software                                    Yes
Let’s try to understand this with some real-world examples.
Scenario 1: A non-global admin user who has write access to a group called “APAC” in the
directory tree. The user has permissions on only two products, HIPS and McAfee Agent. This user
should be able to view server tasks related to HIPS, and should be able to use public
dashboards and queries related to HIPS. This user should not have access to the repository.
Lastly, this user should not be able to delete the HIPS extension.
A permission set that provides the user the access described above would look similar to
the following:
Resultant Permission Set:
Name and users: APAC HIPS Admin
Dashboards: Use public dashboards
Extensions: No permissions
HIPS: View and change settings for all four features of HIPS under this permission section
McAfee Agent: View and change settings
Queries: Use public queries
Server tasks: View server tasks; view server task log
Software: No permissions
Systems: “View System Tree” tab checked
System tree access: Can access the following nodes and portions of the system tree: APAC
For the rest of the permission sections, no permissions should be assigned.
Note: APAC is the name of the group created under My Organization in the ePO system tree.
Scenario 2: A help-desk admin who is able to change HIPS general settings in order to assign
time-based passwords to a group of systems in an organization.
Resultant Permission Set:
Name and users: APAC Help Desk User
Audit log: View audit log
Dashboards: Use public dashboards; create and edit personal dashboards
Event log: View events
Queries: Use public queries; create and edit personal queries
Extensions: No permissions
HIPS: View and change settings on HIPS: General
McAfee Agent: View and change settings
Software: View packages and repository
Systems: “View System Tree” tab; edit system tree, groups, and systems
System tree access: Can access the following nodes and portions of the system tree: APAC
Note: APAC is the name of the group created under My Organization in the ePO system tree.
If you create a new user and assign this permission set, the user should be able to access the
group called “APAC” under My Organization in the ePO system tree and change the HIPS:
General policies. Because the user can edit the HIPS: General policies, they can now assign
time-based passwords to systems and sub-groups under “APAC.” With the other permissions
assigned, this user can be treated as a help-desk user who would typically be a site admin for a
subset of systems in an organization.
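The two scenarios above are only useful if the resultant permission set actually meets the stated goals, and the dependencies in the feature table and the Host IPS tab notes are easy to overlook. The following Python checker is an added example, not code from McAfee or ePO: it encodes the table's "additional permission section" requirements and the Host IPS tab prerequisites (Systems: View System Tree tab plus System tree access, with at least View Settings on some HIPS feature) and evaluates both scenario permission sets against them. Section and right names are taken from this brief; representing a section as a set of right strings, with an empty set meaning No Permissions, is this example's own simplification.

```python
# Scenario permission sets: section name -> set of rights granted.
# An empty set means "No permissions" in that section. Constructed from the
# two scenarios in the brief.
SCENARIO_1 = {
    "Dashboards": {"Use public dashboards"},
    "Extensions": set(),
    "HIPS: Application Blocking": {"View and change settings"},
    "HIPS: Firewall": {"View and change settings"},
    "HIPS: General": {"View and change settings"},
    "HIPS: IPS": {"View and change settings"},
    "McAfee Agent": {"View and change settings"},
    "Queries": {"Use public queries"},
    "Server tasks": {"View server tasks", "View server task log"},
    "Software": set(),
    "Systems": {"View System Tree tab"},
    "System tree access": {"APAC"},
}

SCENARIO_2 = {
    "Audit log": {"View audit log"},
    "Dashboards": {"Use public dashboards", "Create and edit personal dashboards"},
    "Event log": {"View events"},
    "Queries": {"Use public queries", "Create and edit personal queries"},
    "Extensions": set(),
    "HIPS: General": {"View and change settings"},
    "McAfee Agent": {"View and change settings"},
    "Software": {"View packages and repository"},
    "Systems": {"View System Tree tab", "Edit system tree, groups, and systems"},
    "System tree access": {"APAC"},
}

HIPS_FEATURES = ("HIPS: Application Blocking", "HIPS: Firewall",
                 "HIPS: General", "HIPS: IPS")

# Additional permission sections each HIPS-related ePO feature depends on,
# transcribed from the table in the brief.
FEATURE_PREREQS = {
    "HIPS dashboards": ("Dashboards",),
    "HIPS queries": ("Queries",),
    "HIPS client tasks": ("Systems", "System tree access"),
    "HIPS server tasks": ("Server tasks",),
    "HIPS packages in Repository": ("Software",),
}


def has_any(pset, section):
    """True if the section exists in the set with at least one right granted."""
    return bool(pset.get(section))


def can_view_host_ips_tab(pset):
    """Host IPS tab under Reporting: visible HIPS feature + Systems: View
    System Tree tab + some System tree access (the notes in the brief)."""
    hips_visible = any(has_any(pset, f) for f in HIPS_FEATURES)
    systems_ok = "View System Tree tab" in pset.get("Systems", set())
    return hips_visible and systems_ok and has_any(pset, "System tree access")


def missing_prereqs(pset, feature):
    """Sections the set still needs before the feature becomes usable."""
    return [s for s in FEATURE_PREREQS[feature] if not has_any(pset, s)]


def reachable_features(pset):
    """All HIPS-related ePO features whose prerequisites the set satisfies."""
    reachable = {f for f in FEATURE_PREREQS if not missing_prereqs(pset, f)}
    if can_view_host_ips_tab(pset):
        reachable.add("Host IPS tab (Reporting)")
    return reachable


def audit_scenario_1():
    """Check each goal stated for Scenario 1 against its resultant set."""
    r = reachable_features(SCENARIO_1)
    return {
        "views HIPS server tasks": "HIPS server tasks" in r,
        "uses HIPS dashboards and queries": {"HIPS dashboards", "HIPS queries"} <= r,
        "no repository access": "HIPS packages in Repository" not in r,
        "cannot delete HIPS extension": not has_any(SCENARIO_1, "Extensions"),
    }


if __name__ == "__main__":
    for name, ok in audit_scenario_1().items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
    print("Scenario 2 cannot reach:",
          sorted(set(FEATURE_PREREQS) - reachable_features(SCENARIO_2)))
```

Running the checker on Scenario 2 shows the flip side of the table: because that set has no Server tasks section, HIPS server tasks are unreachable even though the help-desk user can edit HIPS: General policies, which is exactly the least-privilege outcome the scenario wants.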
In this way, permission sets can be used to assign permissions at the product level or at the
feature level of any point product. This flexibility in assigning permissions lets you create
users who can do very specific tasks on specific products and systems within the ePO Console.
© 2008 McAfee, Inc. All rights reserved.
18-na-cor-hipsuptb-001-0808