Posted on 06-02-2014 06:57 AM
Unfortunately, users who now have [EDIT] site admin [/EDIT] access to that also have access to "Database Table Status", which is bad.
Here is why...the dialog box users get when they hit "Database Table Status" button:
"This is an intensive process and could make JSS unresponsive. Are you sure you wish to run Database Table Status?"
For obvious reasons I didn't ask the [EDIT] site admin [/EDIT] to hit OK at that dialog box. ;)
Posted on 06-04-2014 05:54 AM
...bump...in case anyone else is seeing this?
Posted on 06-04-2014 08:39 AM
Why not just create a custom group?
Posted on 06-05-2014 07:31 AM
@jwojda sorry, my overview was not very clear...site administrators shouldn't be able to run health checks on the JSS database. If you set up a site and then assign an admin to the site (full rights), then go in as that site admin, you'll see you can hit the Database Table Status button, which would impact the entire JSS environment, including other sites.
I updated the original post for clarity.
Posted on 07-21-2014 10:09 AM
Am I the only person concerned that a Site Admin has the ability to run health checks on the JSS? :)
Posted on 07-21-2014 10:21 AM
Apparently so, but I'm confused as to why. I would agree with you that a Site admin should not have that privilege, at least not by default. A Full JSS Admin, yes, but not a Site admin. That's a server level function, not something directly related to their own Site.
So either it should not be an option, or needs to be an off by default option that can later be enabled, just in case there are some folks crazy enough to want to grant their Site admins that ability.
Posted on 07-21-2014 10:58 AM
@mm2270 Of course the controls are granular, just not sure why it's on by default for a Site Admin. JAMF are aware it's an issue. Admins can handle it like you outlined, or maybe enable the feature on Friday if planning to be on vacation the following week.
<tongue in cheek>
Posted on 07-21-2014 12:49 PM
Well, I just gave this a quick whirl on one of my test JSSes and, yep, it does that.
Didn’t find an existing defect for it, though depending on how it might have been titled, it’s possible I missed it (sometimes our searches can be a little bit particular) so I’m not entirely sure if it’s intended behavior or not.
I did file a defect for the behavior (D-007242), and we’ll see if development comes back to me and tells me it’s intended or not. If it's a duplicate of one I missed in my search, they'll close it out with a note referencing the already existing defect.
From what I can gather, everything on the JSS Information Page falls under the “View JSS Information” privilege, which site admins get by default. That particular privilege checkbox doesn’t seem to have any more modular options to it; you can either access everything under JSS Information or you can access nothing at all.
If it is intended behavior, it may go the route of 'make a feature request' to see about getting it changed.
Amanda Wulff
JAMF Software Support
Posted on 07-21-2014 12:51 PM
Awesome, thanks!