Managing security groups for SCCM

A security group is a group of users that inherit a set of permissions defined in a corresponding SCCM security role. You associate security groups in TrueSight Vulnerability Management with Active Directory groups that have been added as administrative users in SCCM. Administrative users in SCCM must be associated with one or more security roles.

Required permissions

To log in and perform actions in TrueSight Vulnerability Management, a user must belong to an Active Directory group that meets the requirements listed below:

  • The Active Directory group must be imported into both SCCM and TrueSight Vulnerability Management.
    See below for instructions on importing Active Directory groups into TrueSight Vulnerability Management.
  • The Active Directory group must be associated with at least one of the following security roles in SCCM:
    • Security Administrator
    • Read-only Analyst (used for the Data Refresh capability)
    • Operations Administrator
    • Full Administrator
  • The Active Directory group must belong to the Remote Management Users security group in Active Directory.
  • The Active Directory group must belong to the SMS Admins Configuration Manager group in SCCM.

    To create an Active Directory group:
    1. On the Active Directory computer, from Administrative Tools, select Active Directory Users and Computers.
    2. From the Users folder, select New > Group.
    3. Provide information about the group and click OK.
    4. From the groups listed within the Users folder, select the group you just created and select Properties.
    5. Select the Member Of tab and add Remote Management Users.
    6. Click OK.

The setup process specifies an administrative role that corresponds to an Active Directory group with administrative privileges in SCCM. Users belonging to that Active Directory group are automatically mapped to a security group in TrueSight Vulnerability Management that functions as the endpoint administrator. Assuming the Active Directory group meets the requirements described above, users belonging to this administrative group can log in using their Active Directory credentials and perform administrative functions in TrueSight Vulnerability Management.
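
The Active Directory and SCCM requirements listed above can be checked from PowerShell before a group is imported. The script below is an added example, not part of the product or its documentation; it does not check the import into TrueSight Vulnerability Management itself. It assumes it is run on the SCCM site server with the Configuration Manager console and the ActiveDirectory module installed, and the group name TSVM-Operators and site code ABC are placeholders.

```powershell
# Added example (not product code). Audits one Active Directory group against
# the requirements listed on this page.
# Assumptions: run on the SCCM site server, where SMS Admins is a local group;
# the ActiveDirectory module and the Configuration Manager console are installed.
param(
    [string]$GroupName = 'TSVM-Operators',  # placeholder AD group name
    [string]$SiteCode  = 'ABC',             # placeholder SCCM site code
    [string]$Domain    = $env:USERDOMAIN    # NetBIOS domain of the group
)

Import-Module ActiveDirectory
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

# SCCM security roles that this page accepts for a mapped group.
$acceptedRoles = 'Security Administrator', 'Read-only Analyst',
                 'Operations Administrator', 'Full Administrator'
$logonName = "$Domain\$GroupName"

# 1. The group must be a member of Remote Management Users in Active Directory.
$memberOf = (Get-ADGroup -Identity $GroupName -Properties MemberOf).MemberOf
$inRemoteMgmt = [bool]($memberOf -like 'CN=Remote Management Users,*')

# 2. The group must be an SCCM administrative user with an accepted role.
Push-Location "$($SiteCode):"
try     { $admin = Get-CMAdministrativeUser -Name $logonName }
finally { Pop-Location }
$roles = @($admin.RoleNames | Where-Object { $acceptedRoles -contains $_ })

# 3. The group must be a member of the local SMS Admins group.
$smsAdmins = @(Get-LocalGroupMember -Group 'SMS Admins')
$inSmsAdmins = $smsAdmins.Name -contains $logonName

# One row per audited group; any False value is a requirement still to fix.
[pscustomobject]@{
    Group                    = $logonName
    RemoteManagementUsers    = $inRemoteMgmt
    AcceptedSccmRoles        = $roles -join ', '
    HasAcceptedSccmRole      = $roles.Count -gt 0
    SmsAdmins                = $inSmsAdmins
    MeetsCheckedRequirements = $inRemoteMgmt -and ($roles.Count -gt 0) -and $inSmsAdmins
}
```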

Importing additional security roles to function as security groups

The endpoint administrator can import Active Directory groups that are defined in SCCM (that is, visible in the SCCM console) and associated with security roles (see above for required permissions). The importing process automatically converts the Active Directory groups into security groups in TrueSight Vulnerability Management. Users assigned to a security group in TrueSight Vulnerability Management have access to the same devices and software update groups to which the corresponding Active Directory group has access in SCCM.

When you create a security group by importing an Active Directory group, the security group is given the same name as the Active Directory group being imported.

After performing this procedure, you can still add new security groups in the future. 

Note

  • To perform this procedure, you must have at least read permission in SCCM for the Administrative Users and Security Roles objects (found under Administration > Security).
  • You cannot import the Administrator group that is built into Active Directory. As a result, members of this group cannot be endpoint administrators in TrueSight Vulnerability Management unless they are also members of another group with administrative privileges.
  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of security groups opens.
  3. Click Import security groups.
    The Import Security Groups page opens. It lists Active Directory groups that you can import.
  4. Check the Active Directory groups you want to import.
    Click select all to select all groups in the list, or click clear to deselect all groups.
    To search for groups by name, enter a text string in the search box and click Filter the role names. The list shows only groups with names that include the string you entered.
  5. Click Import.
    The selected groups are imported and mapped to security groups in TrueSight Vulnerability Management with the same name. Users associated with those Active Directory groups are now able to log on to TrueSight Vulnerability Management using their Active Directory credentials. 

Adding new security groups

In addition to importing groups, you can also create new security groups.

To add a new security group

  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of existing security groups opens.
  3. Select the Add a new security group icon.
    The Create Security Group page opens.
  4. Enter the following information.

    • Group Name: Name of the security group.
    • Group Description: Optional descriptive text for the security group.
    • SCCM Connector: Read only. Specifies the SCCM Server to which this security group has access. See Viewing and modifying information about the SCCM connection for more information.
    • SCCM Role Name: The Active Directory group that is defined in SCCM and associated with security roles, which determine the user authorizations that are assigned to this security group.
    • Asset Groups: The Asset Groups option lets you grant this security group access to asset groups that are defined in a vulnerability management system. If you do not grant access to any asset groups, the security group is granted access to all assets. To make options available in the Asset Groups option, you must import an asset group file using TrueSight Vulnerability Management > Import.

  5. Click Create Security Group.
    The security group is created. Users associated with the corresponding Active Directory group are now able to log on to TrueSight Vulnerability Management using their same Active Directory credentials.

    For some settings to take effect, you must log out and then log back in.

Modifying security groups

  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of existing security groups opens.
  3. On the row for a security group for SCCM, click Edit the current security group.
    The Update Group page opens.
  4. Modify the settings for the security group by changing any of the following options:
    • Group Name: Name of the security group.
    • Group Description: Optional descriptive text for the security group.
    • SCCM Connector: Read only. Specifies the SCCM Server to which this security group has access. See Viewing and modifying information about the SCCM connection for more information.
    • SCCM Role Name: The Active Directory group that is defined in SCCM and associated with security roles, which determine the user authorizations that are assigned to this security group.
    • Asset Groups: The Asset Groups option lets you grant this security group access to asset groups that are defined in a vulnerability management system. If you do not grant access to any asset groups, the security group is granted access to all assets. To make options available in the Asset Groups option, you must import an asset group file using TrueSight Vulnerability Management > Import.

  5. Click Update Security Group.
    For some settings to take effect, you must log out and then log back in.

Deleting security groups

Use this procedure to delete a security group. You cannot delete the primary administrative security group that is defined during the setup process.

  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of security groups opens.
  3. Select a security group and click Delete the current security group.
    A dialog box asks you to confirm the deletion.
