Unsupported content: This version of the product has reached end of support. The documentation is available for your convenience.

Managing security groups for SCCM


A security group is a group of users that inherit a set of permissions defined in a corresponding SCCM security role. You associate security groups in TrueSight Vulnerability Management with Active Directory groups that have been added as administrative users in SCCM. Administrative users in SCCM must be associated with one or more security roles.


Required permissions

To log in and perform actions in TrueSight Vulnerability Management, a user must belong to an Active Directory group that meets the requirements listed below:

  • The Active Directory group must be imported into both SCCM and TrueSight Vulnerability Management.
    See below for instructions on importing Active Directory groups into TrueSight Vulnerability Management.

  • The Active Directory group must be associated with at least one of the following security roles in SCCM:
    • Security Administrator
    • Read-only Analyst (used for the Data Refresh capability)
    • Operations Administrator
    • Full Administrator
  • The Active Directory group must belong to the Remote Management Users security group in Active Directory.
  • The Active Directory group must belong to the SMS Admins Configuration Manager group in SCCM.

    To create an Active Directory group:
    1. On the Active Directory computer, from Administrative Tools, select Active Directory Users and Computers.
    2. From the Users folder, select New > Group.
    3. Provide information about the group and click OK.
    4. From the groups listed within the Users folder, select the group you just created and select Properties.
    5. Select the Member Of tab and add Remote Management Users.
    6. Click OK.
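
As an added example (not part of the product documentation), the following PowerShell performs the group-creation steps above and then reports whether the group meets the listed requirements. The group name, container path, and site server name are placeholders; it assumes the ActiveDirectory and ConfigurationManager modules are available and that the session is on the SCCM site drive for the role lookup.

```powershell
# Added example. Placeholder values: group name, container DN, site server.
Import-Module ActiveDirectory
$GroupName    = 'TSVM-Operators'                 # hypothetical group name
$GroupPath    = 'CN=Users,DC=example,DC=com'     # placeholder Users container
$SiteServer   = 'sccm01.example.com'             # placeholder SCCM site server
$AllowedRoles = 'Security Administrator', 'Read-only Analyst',
                'Operations Administrator', 'Full Administrator'

# Steps 1-3: create the security group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties MemberOf
if (-not $group) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupPath
    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
}

# Steps 4-6: add the group to Remote Management Users if it is not a member.
$rmu = Get-ADGroup -Identity 'Remote Management Users'
if ($group.MemberOf -notcontains $rmu.DistinguishedName) {
    Add-ADGroupMember -Identity $rmu -Members $group
    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
}

# SCCM security roles held by the group (assumes the ConfigurationManager
# module is loaded and the current location is the site drive).
$account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
$cmAdmin = Get-CMAdministrativeUser -Name $account
$roles   = @($cmAdmin.RoleNames | Where-Object { $AllowedRoles -contains $_ })

# Members of the local SMS Admins group on the site server (requires WinRM).
$smsAdmins = Invoke-Command -ComputerName $SiteServer -ScriptBlock {
    (Get-LocalGroupMember -Group 'SMS Admins').Name
}

# One property per requirement from the list above; any False needs fixing.
[pscustomobject]@{
    Group                   = $account
    InRemoteManagementUsers = $group.MemberOf -contains $rmu.DistinguishedName
    AllowedSccmRoles        = $roles -join ', '
    HasAllowedSccmRole      = $roles.Count -gt 0
    InSmsAdmins             = $smsAdmins -contains $account
}
```

An empty AllowedSccmRoles value means the group is either not an administrative user in SCCM or holds none of the four roles listed above.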

The setup process specifies an administrative role that corresponds to an Active Directory group with administrative privileges in SCCM. Users belonging to that Active Directory group are automatically mapped to a security group in TrueSight Vulnerability Management that functions as the endpoint administrator. Assuming the Active Directory group meets the requirements described above, users belonging to this administrative group can log in using their Active Directory credentials and perform administrative functions in TrueSight Vulnerability Management.

Importing additional security roles to function as security groups

The endpoint administrator can import Active Directory groups that are defined in SCCM (that is, visible in the SCCM console) and associated with security roles (see above for required permissions). The importing process automatically converts the Active Directory groups into security groups in TrueSight Vulnerability Management. Users assigned to a security group in TrueSight Vulnerability Management have access to the same devices and software update groups to which the corresponding Active Directory group has access in SCCM.

When you create a security group by importing an Active Directory group, the security group is given the same name as the Active Directory group being imported.

After performing this procedure, you can still add new security groups in the future. 

Note

  • To perform this procedure, you must have at least read permission in SCCM for the Administrative Users and Security Roles objects (found under Administration > Security).
  • You cannot import the Administrator group that is built into Active Directory. As a result, members of this group cannot be endpoint administrators in TrueSight Vulnerability Management unless they are also members of another group with administrative privileges.
  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of security groups opens.
  3. Click Import security groups.
    The Import Security Groups page opens. It lists Active Directory groups that you can import.
  4. Check the Active Directory groups you want to import.
    Click select all to select all groups in the list, or click clear to deselect all groups.
    To search for groups by name, enter a text string in the search box and click Filter the role names. The list shows only groups with names that include the string you entered.
  5. Click Import.
    The selected groups are imported and mapped to security groups in TrueSight Vulnerability Management with the same name. Users associated with those Active Directory groups are now able to log on to TrueSight Vulnerability Management using their Active Directory credentials. 

Adding new security groups

In addition to importing groups, you can also create new security groups.


To add a new security group

  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
     The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of existing security groups opens.
  3. Select the Add a new security group icon.
    The Create Security Group page opens.
  4. Enter the following information.
    • Group Name: Name of the security group.
    • Group Description: Optional descriptive text for the security group.
    • SCCM Connector: Read only. Specifies the SCCM Server to which this security group has access. See Viewing-and-modifying-information-about-the-SCCM-connection for more information.
    • SCCM Role Name: The Active Directory group that is defined in SCCM and associated with security roles, which determine the user authorizations that are assigned to this security group.
    • Asset Groups: The Asset Groups option lets you grant this security group access to asset groups that are defined in a vulnerability management system. If you do not grant access to any asset groups, the security group is granted access to all assets. To make options available in the Asset Groups option, you must import an asset group file using TrueSight Vulnerability Management > Import. Click here for a description of the full process for assigning asset groups to security groups.

  5. Click Create Security Group.
    The security group is created. Users associated with the corresponding Active Directory group are now able to log on to TrueSight Vulnerability Management using their Active Directory credentials.
    For some settings to take effect, you must log out and then log back in.

Modifying security groups

  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of existing security groups opens.
  3. On the row for a security group for SCCM, click Edit the current security group.
    The Update Group page opens.
  4. Modify the settings for the security group by changing any of the following options:
    • Group Name: Name of the security group.
    • Group Description: Optional descriptive text for the security group.
    • SCCM Connector: Read only. Specifies the SCCM Server to which this security group has access. See Viewing-and-modifying-information-about-the-SCCM-connection for more information.
    • SCCM Role Name: The Active Directory group that is defined in SCCM and associated with security roles, which determine the user authorizations that are assigned to this security group.
    • Asset Groups: The Asset Groups option lets you grant this security group access to asset groups that are defined in a vulnerability management system. If you do not grant access to any asset groups, the security group is granted access to all assets. To make options available in the Asset Groups option, you must import an asset group file using TrueSight Vulnerability Management > Import. Click here for a description of the full process for assigning asset groups to security groups.
  5. Click Update Security Group.
    For some settings to take effect, you must log out and then log back in.

Deleting security groups

Use this procedure to delete a security group. You cannot delete the primary administrative security group that is defined during the setup process.

  1. As an endpoint administrator, click the drop-down menu by your user name (at top right). Then, select Administration.
    The Administration page opens.
  2. Click the Security Groups tab, if it is not already selected.
    A list of security groups opens.
  3. Select a security group and click Delete the current security group.
    A dialog box asks you to confirm the deletion.

 
