[KB8011] Create a branch office structure in ESET PROTECT (8.x – 10.x)

Issue

Required user permissions

This article assumes that you have the appropriate access rights and permissions to perform the tasks below.

If you use the default Administrator user or are unable to perform the tasks below (the option is unavailable), create a second administrator user with all access rights.

  • Create a branch office structure using Static groups to share objects among multiple users
  • Create multiple high and low-level ESET PROTECT On-Prem administrators that require varying levels of access to ensure redundancy
  • In this example, certain objects are available to all administrators, while other objects are only accessible to high-level administrators

Solution

In this example, the following conditions exist:

  • Two top-level administrators, Admin1 and Admin2 (with home group ALL)
  • Two branch offices, Tokyo Office and Sydney Office
  • Two local admins in each local office, Tokyo_Admin_1 and Tokyo_Admin_2)
  • Shared objects (policies) for admins on all levels
  • Objects (policies) accessible only by top-level administrators
  • Shared objects (client tasks) in the branch
  • Objects accessible only by a single local admin and the Administrator
  • Licenses distributed by top-level admins to each branch admin
  • Shared installers among all admins

The Administrator must determine the branch structure that best suits the organization. This example shows how to build the following structure:

Figure 1-1
Click the image to view larger in new window

The tree structure in Figure 1-1 depicts the arrangement of static groups for this example. Complete each section to set up the structure.


Create static groups

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.

  2. Click Computers.

  3. Click the gear icon next to the All group and select New Static Group.

    Figure 2-1
    Click the image to view larger in new window
  4. In the Name field, type the name of the static group. Optionally, you can type a description. Click Finish to create the group.

    Figure 2-2
    Click the image to view larger in new window
  5. Repeat steps 1-4 for all static groups needed for your structure. This example will use the static group model shown in Figure 1-1. We also created Sydney Office, Shared objects and Home groups with four subgroups - two Tokyo_Admin and two Sydney_Admin.

Create permission sets

Each user must be assigned at least one permission set. In this example, we create these unique permission sets:

  • For top-level administrators
  • For branch-level administrators of each branch
  • For each home group of each branch
  • Shared for all branch administrators

Figure 3-1 below illustrates permission assignments in this example.

Figure 3-1
Click the image to view larger in new window

Create permissions for top-level administrators

To create a permission set to provide administrator access for Admin1 and Admin2, follow the steps below:

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.

  2. Click More Permission Sets → New.

    Figure 3-2
    Click the image to view larger in new window
  3. In the Name field, type the name of the permission set. Optionally, you can type a description.

    Figure 3-3
    Click the image to view larger in new window
  4. Click Static GroupsSelect.

    Figure 3-4
    Click the image to view larger in new window
  5. Select the check box next to the static group for this permission set. In this example, the Admin_ps permission set will apply to the All group. Click OK.

    Figure 3-5
    Click the image to view larger in new window
  6. Click FunctionalityGrant All Functionality Full Access to give full access to users assigned this permission set. To assign a more specific set of permissions, select the corresponding check boxes to include the rights in a permissions set. Click Finish to save the current permission set.

    Figure 3-6
    Click the image to view larger in new window

Create permissions for branch-level administrators

To create permission sets for branch level administrators, repeat steps from chapter Permissions for top-level administrators:

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.

  2. Click More Permission Sets → New.

  3. In the Name field, type the name of the permission set. Optionally, you can type a description.

  4. Click Static GroupsSelect.

  5. Select the check box next to the static group for this permission set. In this example, the Admin_ps permission set will apply to the All group. Click OK.

  6. Click FunctionalityGrant All Functionality Full Access and deselect permissions as described in the table below. Click Finish to save the current permission set.

Use the following parameters:

Name Tokyo_ps
Description Permission set for Tokyo branch administrators
Static Groups Tokyo Office
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

And another one for the other branch level administrator:

Name Sydney_ps
Description Permission set for Sydney branch administrators
Static Groups Sydney Office
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

Create permissions for home groups

To create permission sets for each branch level administrator's home group, repeat the steps from the chapter Permissions for top-level administrators:

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.

  2. Click More Permission Sets → New.

  3. In the Name field, type the name of the permission set. Optionally, you can type a description.

  4. Click Static GroupsSelect.

  5. Select the check box next to the static group for this permission set. In this example, the Admin_ps permission set will apply to the All group. Click OK.

  6. Click FunctionalityGrant All Functionality Full Access and deselect permissions as described in the table below. Click Finish to save the current permission set.

Use the following parameters:

Name Tokyo_1_home_ps
Description Permission set for Tokyo_Admin1
Static Groups Tokyo_Admin_1
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

 

Name Tokyo_2_home_ps
Description Permission set for Tokyo_Admin2
Static Groups Tokyo_Admin_2
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

 

Name Sydney_1_home_ps
Description Permission set for Sydney_Admin1
Static Groups Sydney_Admin_1
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

 

Name Sydney_2_home_ps
Description Permission set for Sydney_Admin2
Static Groups Sydney_Admin_2
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

Create permissions for sharing objects

To create permission sets for sharing objects, repeat the steps from the chapter Permissions for top-level administrators:

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.

  2. Click More Permission Sets → New.

  3. In the Name field, type the name of the permission set. Optionally, you can type a description.

  4. Click Static GroupsSelect.

  5. Select the check box next to the static group for this permission set. In this example, the Admin_ps permission set will apply to the All group. Click OK.

  6. Click FunctionalityGrant All Functionality Full Access and deselect permissions as described in the table below. Click Finish to save the current permission set.

Use the following parameters:

Name Shared_ps
Description Permission set for shared objects
Static Groups Shared objects
Functionality Click Grant All Functionality Full Access and deselect Server Settings (both Read and Write)

After successfully creating all permission sets your permission sets list will look like this:

Figure 3-7
Click the image to view larger in new window

Create users

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.
    Log in as an administrator.

  2. Click MoreUsersAdd NewNew Native User.

    Figure 4-1
    Click the image to view larger in new window
  3. In the User field, type the username Admin1. Optionally, you can add a description. Click Select.

    Figure 4-2
    Click the image to view larger in new window
  4. Select the All group as the home group for this user and then click OK.

    Figure 4-3
    Click the image to view larger in new window
  5. In the Password field, type a secure password and type the same password in the field below to confirm. You have the option to define additional settings for this account.

    Figure 4-4
    Click the image to view larger in new window
  6. Click Permission Sets. In the left menu select the permission set that will be assigned to this user (Admin_ps in this case). Click Finish to save the user.

    Figure 4-5
    Click the image to view larger in new window
  7. Repeat steps 1-5 to create other users with the following parameters:

Name Admin2
Description Top level administrator 2
Home Group All
Permission sets Admin_ps

 

Name Tokyo_Admin1
Description Tokyo office administrator 1
Home Group Tokyo_Admin_1
Permission sets Tokyo_ps, Shared_ps, Tokyo_1_home_ps

 

Name Tokyo_Admin2
Description Tokyo office administrator 2
Home Group Tokyo_Admin_2
Permission sets Tokyo_ps, Shared_ps, Tokyo_2_home_ps

 

Name Sydney_Admin1
Description Sydney office administrator 1
Home Group Sydney_Admin_1
Permission sets Sydney_ps, Shared_ps, Sydney_1_home_ps

 

Name Sydney_Admin2
Description Sydney office administrator 2
Home Group Sydney_Admin_2
Permission sets Sydney_ps, Shared_ps, Sydney_2_home_ps

Distribute licenses

You can only import licenses to users with the home group All. In this example, the Admin1 and Admin2 users have the All home group, so you can import licenses to them and they can distribute licenses to other users. Follow the steps below to import licenses to these users and then assign licenses to other users.

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.

  2. Click Actions Add Licenses.

  3. Click  More License Management.

    Figure 5-1
    Click the image to view larger in new window
  4. Add license by one of the following:

    • Select ESET Business Account or ESET MSP Administrator Login and log in with your credentials.
    • Select License Key and type in or copy/paste your license key.
    • Select Offline License File and upload your license file.

    Click Add Licenses to finish the process and save the license.

    Figure 5-2
    Click the image to view larger in new window
  5. After the license is successfully saved, a confirmation notice will be displayed. Click OK.

    Figure 5-3
    Click the image to view larger in new window
  6. In the License Management menu click the newly added license, click Access Group, and then click Move.

    Figure 5-4
    Click the image to view larger in new window
  7. Select the group where the license will be moved. (In this case, the home group of Sydney_Admin1.) Click OK to move the license. Now the license is available only to top-level administrators (with home group All) and to the user in the selected home group.

    Figure 5-5
    Click the image to view larger in new window
  8. Repeat these steps to import and move licenses within different access groups.


Create a shared policy

When a policy is created it is automatically contained in the home group of the user who created it. You can move existing policies to other groups where your user has Write permissions (for Policies).

In this example, create a policy for Windows Endpoints and move it to Shared objects, where all users can use it for their computers.

  1. Öffnen Sie die ESET PROTECT Web-Konsole in Ihrem Webbrowser und logen Sie sich ein.
    Log in as an administrator (Admin1 or Admin2).

  2. Click PoliciesNew Policy.

    Figure 6-1
    Click the image to view larger in new window
  3. In the Name field, type the name of the permission set. Optionally, you can type a description.

    Figure 6-2
    Click the image to view larger in new window
  4. Click the Settings section. Select the appropriate product from the drop-down menu.

  5. Set up the policy according to your needs and then click Finish to save the policy. The policy can now be moved to other access groups where it will be available for other users. In this example, we will move it to Shared objects.

    Figure 6-3
    Click the image to view larger in new window
  6. In the policies menu, expand Custom Policies and find the policy you created earlier.

  7. Select the check box next to the policy you want to move and click Actions → Access Group → Move.

    Figure 6-4
    Click the image to view larger in new window
  8. Select the destination group (Shared objects) and click OK. The policy will be moved to the shared group and all users with the appropriate permissions set (Shared_ps) will be able to use it on computers/devices.

    Figure 6-5
    Click the image to view larger in new window

Create policies shared among top-level administrators

To create a policy that will only be available only to top-level administrators, create a policy in the group All to make it available only to top-level administrators (other users in our setup do not have access to the group All).


Create client task shared in the branch

Create a client task that will be shared in the Tokyo office branch. It will be accessible to Tokyo administrators and top-level administrators.

  1. Log in as Tokyo_Admin1 (administrator of the desired branch).

  2. Click Tasks New Client Task.

    Figure 7-1
    Click the image to view larger in new window
  3. Type the name and description of the task. Select the Task Category and Task.

    Figure 7-2
    Click the image to view larger in new window
  4. Click Settings and set up the task.

  5. Review the task in the Summary section and click Finish to save the task.

    Figure 7-3
    Click the image to view larger in new window
  6. When asked if you want to add a trigger now, click Close.

    Figure 7-4
    Click the image to view larger in new window
  7. The task will automatically be created in the home group of the current user (Tokyo_Admin1 has the home group Tokyo_Admin_1). To make the task shared in the branch, move it to the shared static group, Shared objects, in this example. Select the check box next to the task you want to move and click Actions → Access Group → Move.

    Figure 7-5
    Click the image to view larger in new window
  8. In the new window select the group which is shared in the branch and click OK. The task will be moved to the shared group for the branch, allowing all branch administrators to use it.

    Figure 7-6
    Click the image to view larger in new window

Create a policy accessible only to a single branch administrator

This procedure is similar to the shared policy; only a few details are modified.

  1. Log in as a branch administrator (eg. Tokyo_Admin1).

  2. Click PoliciesNew Policy.

  3. Type a name and description of the policy.

  4. Click the Settings section. Select the appropriate product from the drop-down menu. Set up the policy according to your needs.

  5. Click Finish to save the policy.

The policy will be saved in the home group of the current user, which means it will only be accessible to this user and top-level administrators. This branch administrator can apply this policy to all computers and devices to which they have access.


Create installers shared among all level admins

Any user with sufficient permissions over their home group, the target group and certificates can create an installer that is shared between all level admins.

  1. Click Quick LinksOther Deployment Options.

    Figure 8-1
    Click the image to view larger in new window
  2. Select Create All-in-one Installer and click Create Installer.

    Figure 8-2
    Click the image to view larger in new window
  3. Deselect the check box Participate in product improvement program if you do not agree to send crash reports and telemetry data to ESET.

  4. Select the contents of the installer package you want to create.

    Figure 8-3
    Click the image to view larger in new window
  5. Click Security Product, from the Language drop-down menu select the language for this installer and select the check box I accept the terms of the application End User License Agreement and acknowledge the Privacy Policy.

    Figure 8-4
    Click the image to view larger in new window
  6. Click Certificate. In the Peer Certificate options, you can select to use a custom certificate from a .pfx file, or a certificate from ESET PROTECT On-Prem. Choose the certificate to be used for the installer and if needed, type the Certificate passphrase.

    Figure 8-5
    Click the image to view larger in new window
  7. Click Advanced. Type in the Name and Description of the installer.

  8. In the Parent group section, click Select and choose where the newly installed clients will be stored. For a shared installer, you should use a shared group where all users of the installer have access (Shared objects in this example).

  9. If you want to use AV Remover, select the check box in the section Enable ESET AV Remover.

  10. Optionally, under Configuration type you can select whether the policy should be applied to clients following installation.

  11. Make sure the Server Hostname is correct (the IP address of your ESET PROTECT Server).

  12. Click Finish to create the installer.

    Figure 8-6
    Click the image to view larger in new window
  13. Do not download the installer now. Click Close.

    Figure 8-7
    Click the image to view larger in new window
  14. Click Installers.

  15. Select the new installer. Click ActionsAccess GroupMove.

    Figure 8-8
    Click the image to view larger in new window
  16. Select a static group where all desired users have access (in this case the Shared objects) and click OK.

    Figure 8-9
    Click the image to view larger in new window
  17. The installer will be moved to the shared group and will be available for all users with permissions over this group.

Zusätzliche Hilfestellung