2.11 Understanding Sentinel Agent Manager Requirements and Permissions

Sentinel Agent Manager uses Windows groups and database roles to restrict access to product functionality. The Sentinel Agent Manager setup program creates the Windows groups and database roles, and then adds the service account and installation account to appropriate groups and roles.

NOTE: Members of the local Administrators group on a central computer have permission to use all Sentinel Agent Manager user interfaces on the computer, regardless of their OnePointOp group memberships.

At the end of installation, you can launch the Sentinel Agent Manager Access Configuration utility to add global groups you want to give access to the Sentinel Agent Manager user interfaces. The Access Configuration utility allows you to control Sentinel Agent Manager permissions by managing membership in OnePointOp groups. Access Configuration enforces the use of global groups in OnePointOp groups and creates appropriate database logins. Later, when you want to change who has access to the user interfaces, you can modify the global group membership.

NOTE: The Sentinel Agent Manager Access Configuration utility does not manage membership in global groups. Use Active Directory Users and Computers to manage account memberships within the global domain groups that are members of the OnePointOp groups.

For more information about the Sentinel Agent Manager Access Configuration utility, see the NetIQ Agent Manager User Guide. To use the Sentinel Agent Manager Access Configuration utility, you must be a member of the local Administrators group on the central computer and the Microsoft SQL Server sysadmin role on the database server.

2.11.1 Understanding Sentinel Agent Manager OnePointOp Groups

Sentinel Agent Manager provides the following Windows local groups to which you can add Windows global or universal groups following Sentinel Agent Manager installation.

NOTE: Sentinel Agent Manager does not support using nested Active Directory groups within OnePointOp groups.

OnePointOp System

OnePointOp System is a very powerful administrator group that the installation process populates with the Agent Manager service account. Modify the membership in the OnePointOp System group only when you change Agent Manager service accounts.

OnePointOp ConfgAdms

User accounts in the OnePointOp ConfgAdms group can modify the computers where Sentinel Agent Manager installs agents, as well as configure settings in the Configuration Wizard.

WARNING: Maintain tight control over members of the OnePointOp System and OnePointOp ConfgAdms groups. Members of these groups can define rules that can make widespread changes throughout your enterprise.
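One way to review who holds these permissions on a central computer is the following audit script. It is an added example, not part of the product or its documentation, and the function name Get-OnePointOpAudit is hypothetical. It assumes an elevated session, the built-in LocalAccounts module, the RSAT ActiveDirectory module, and a single-domain environment.

```powershell
# Added audit example, not vendor code. Run on the central computer.
# Assumptions: elevated session, single AD domain, RSAT ActiveDirectory module installed.
#Requires -Modules Microsoft.PowerShell.LocalAccounts, ActiveDirectory

function Get-OnePointOpAudit {
    param(
        # Group names as documented above, plus local Administrators, whose members
        # can use every console regardless of OnePointOp group membership.
        [string[]]$Group = @('OnePointOp System', 'OnePointOp ConfgAdms', 'Administrators')
    )
    foreach ($g in $Group) {
        foreach ($m in Get-LocalGroupMember -Group $g) {
            $row = [ordered]@{
                LocalGroup   = $g
                Member       = $m.Name
                Class        = $m.ObjectClass
                Source       = [string]$m.PrincipalSource
                Scope        = $null
                NestedGroups = @()
                Finding      = 'OK'
            }
            if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
                $ad = Get-ADGroup -Identity $m.SID.Value
                $row.Scope = [string]$ad.GroupScope
                # Nested AD groups are not supported inside OnePointOp groups.
                $row.NestedGroups = @(Get-ADGroupMember -Identity $ad |
                    Where-Object objectClass -eq 'group' |
                    Select-Object -ExpandProperty SamAccountName)
                if ($row.NestedGroups.Count -gt 0) {
                    $row.Finding = 'Nested group present'
                } elseif ($row.Scope -notin 'Global', 'Universal') {
                    $row.Finding = 'Unexpected group scope'
                }
            } elseif ($m.ObjectClass -eq 'User' -and $g -ne 'Administrators') {
                # Setup places the service account in OnePointOp System; any other
                # account added directly (not through a global group) needs review.
                $row.Finding = 'Direct account: review'
            }
            [pscustomobject]$row
        }
    }
}

Get-OnePointOpAudit | Sort-Object LocalGroup, Finding | Format-Table -AutoSize
```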

2.11.2 Understanding Console Requirements

Agent Manager Console

To use the Development Console, your user account must be a member of the OnePointOp ConfgAdms group. Your account must also be a member of the EeaDasLocator role in the OnePoint database.

2.11.3 Creating Global Domain Groups

Following installation, you use the Sentinel Agent Manager Access Configuration utility to populate Sentinel Agent Manager OnePointOp groups and database roles with global groups that contain the users to whom you want to grant Sentinel Agent Manager access permissions.

Create your global groups and populate them with users before installing Sentinel Agent Manager. You can use Active Directory Users and Computers to create and populate your global groups. When you run the Sentinel Agent Manager Access Configuration utility, the utility adds the global groups to the appropriate OnePointOp groups and creates the necessary database logon permissions.