Adding Identity Provider Operators

You can create accounts for operators to access the console by using an existing Active Directory, LDAP, or Microsoft Entra ID account.

When you select this option, an operator with the same name as the one specified in the Identity Provider directory is added to the operators node in the Domain Panel on the BigFix console. These operators can then log in as usual, using one of the following notations:

  • username
  • username@domain
  • domain\username

The permissions assigned to that user in the Identity Provider directory are not inherited by the newly created operator. You must either assign the needed permissions to the operator or assign the operator to an existing role.
Note: You can integrate BigFix with SAML V2.0 to provide BigFix Identity Provider operators with:
  • Two-factor authentication with Common Access Cards (CAC), Personal Identity Verification (PIV) cards, or other factors, if required by the Identity Provider.
  • Web-based Single Sign-On from the identity provider login URL.
For more information, see Enabling SAML V2.0 authentication for identity provider operators.

To add an Identity Provider user, complete the following steps:

  1. Ensure that the required Active Directory, LDAP, or Microsoft Entra directory has been added to the BigFix environment.
  2. Click the Tools > Add Identity Provider Operator menu item, or right-click in the work area and then select Add Identity Provider Operator. The Identity Provider User dialog appears.
  3. Query and filter the users defined on the specified Identity Provider server using the Search field and the two radio buttons.
  4. When you find the user to add as an Identity Provider operator, select it and click Add. The Console Operator panel opens, where you enter the operator's permission details.
  5. From the Details tab, assign operator permissions.

    You can decide whether to give the operator the ability to trigger restart and shutdown as a Post-Action, or to include them in BigFix Action Scripts. Depending on the shutdown and restart configuration that you set for a specific operator, the corresponding radio button in the Post Action tab of the Take Action panel might be disabled for that operator. This configuration has no effect on actions whose action script type is not BigFix Action Script.

    You can also set permissions to access the BigFix Console and REST API.

  6. The Administered Computers tab lists the computers managed by this operator.
  7. From the Assigned Role tab, select the roles to assign to, or unassign from, this operator.
  8. From the Sites tab, assign or unassign the sites that this operator can access.
  9. From the Computer Assignments tab, specify the properties that must be matched by the computers that the operator can manage.
  10. To save the changes, click Save Changes.

To convert an existing local or old LDAP operator to an Identity Provider operator, complete the following steps:
  1. From any list of local operators, right-click the operator you want to convert.
  2. From the context menu, select Convert to Identity Provider Operator.
  3. Locate the Identity Provider user you want to convert the operator to.
  4. Select the user name and click Convert.

Permissions Inheritance: The converted operator inherits all permissions assigned to the chosen Identity Provider user, with one exception: permissions that the old operator held only through group membership are not inherited.

Example

This example illustrates the conversion described above.

A user named "user1" belongs to a group "TestGroup" associated with the "TestRole" role, which grants permission "permission1".

To ensure that "BigFix User 1" (converted from "user1") has "permission1", "BigFix User 1" must belong to a new group "newTestGroup" associated with "TestRole".
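Before converting operators in bulk, an administrator will want to know which permissions each operator holds only through group membership, because those are exactly the ones that will not survive the conversion. The following Python script is an added illustration, not BigFix code and not its REST API: it models the inheritance rule as stated above (directly assigned permissions carry over, group-derived permissions do not) on constructed sample data that mirrors the page's example, reports the permissions that would be lost and the roles that must be re-associated, and verifies that adding the converted operator to a new group tied to the same role restores them. The class names, the extra direct permission "directPerm", and the audit functions are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Role:
    """A role grants a fixed set of permissions (constructed model)."""
    name: str
    permissions: FrozenSet[str]


@dataclass
class Group:
    """A group is associated with roles and has operator names as members."""
    name: str
    roles: FrozenSet[Role]
    members: Set[str] = field(default_factory=set)


@dataclass
class Operator:
    """An operator with its directly assigned permissions only."""
    name: str
    direct_permissions: FrozenSet[str] = frozenset()


def effective_permissions(op: Operator, groups: Iterable[Group]) -> FrozenSet[str]:
    """Direct permissions plus every permission reachable via group -> role."""
    perms = set(op.direct_permissions)
    for group in groups:
        if op.name in group.members:
            for role in group.roles:
                perms |= role.permissions
    return frozenset(perms)


def convert_to_idp_operator(old: Operator, new_name: str,
                            groups: Iterable[Group]) -> Tuple[Operator, FrozenSet[str]]:
    """Model of the documented rule: directly assigned permissions are kept,
    the old operator's group memberships are not. Returns the converted
    operator and the set of permissions lost by the conversion."""
    groups = list(groups)
    converted = Operator(name=new_name, direct_permissions=old.direct_permissions)
    lost = effective_permissions(old, groups) - effective_permissions(converted, groups)
    return converted, frozenset(lost)


def roles_to_reassign(lost: FrozenSet[str], groups: Iterable[Group],
                      old_name: str) -> FrozenSet[str]:
    """Roles the old operator held through groups that cover a lost permission;
    the converted operator needs a group associated with each of these."""
    needed = set()
    for group in groups:
        if old_name in group.members:
            for role in group.roles:
                if role.permissions & lost:
                    needed.add(role.name)
    return frozenset(needed)


# Constructed sample data mirroring the page's example.
TEST_ROLE = Role("TestRole", frozenset({"permission1"}))


def demo() -> Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]:
    """Run the audit on the sample data and return
    (lost permissions, roles to reassign, permissions still missing after remediation)."""
    groups = [Group("TestGroup", frozenset({TEST_ROLE}), members={"user1"})]
    # "directPerm" is a constructed extra permission to show that direct grants survive.
    user1 = Operator("user1", frozenset({"directPerm"}))

    converted, lost = convert_to_idp_operator(user1, "BigFix User 1", groups)
    needed_roles = roles_to_reassign(lost, groups, "user1")

    # Remediation from the page: a new group associated with the same role.
    new_group = Group("newTestGroup", frozenset({TEST_ROLE}), members={converted.name})
    groups_after = groups + [new_group]
    still_missing = (effective_permissions(user1, groups)
                     - effective_permissions(converted, groups_after))
    return lost, needed_roles, frozenset(still_missing)


if __name__ == "__main__":
    lost, needed, still_missing = demo()
    print("lost on conversion:", sorted(lost))
    print("roles to re-associate:", sorted(needed))
    print("still missing after newTestGroup:", sorted(still_missing))
```

Running the audit against a real operator list means populating the three dataclasses from whatever export of operators, groups and roles you already keep; the value is in the `lost` set, which is the checklist to work through in the Assigned Role tab after each conversion.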