Default roles
By default, Patch Manager includes the server local Administrators group in the following security roles:
In Active Directory environments, users in the Domain Admins group are default members of the local Administrator group for all domain members. If you do not want to grant membership to these two Patch Manager security roles to all Domain Admins, modify your Patch Manager security role membership as required.
EminentWare User role
This role grants access to the Patch Manager Administrator Console. To use the console, users must be a member of the EminentWare User role and at least one security role.
EminentWare Enterprise Administrator role
This role grants full access to all Patch Manager functionality. This is the only security role authorized to manage memberships in security roles from within the Patch Manager Administrator Console.
Microsoft® Windows® users outside of this security role could potentially alter memberships by using the MMC Authorization Manager snap-in or altering the EminentWare.BusinessObjects.xml
file.
Patch Manager uses the AuthZ credential management features native to Windows operating systems. If your deployment includes users who are not in the EminentWare Enterprise Administrators security role with access to the MMC Authorization Manager snap-in, you should revoke that access if possible.
Patch Manager stores all authorizations in the following location:
%PROGRAMFILES%\SolarWinds\Patch Manager\Server\EminentWare.BusinessObjects.xml
If a local administrator on the Patch Manager server is not a member of the EminentWare Enterprise Administrators security role, block access to this file—preferably the entire \Server
folder, if possible.