
Installed new Enterprise Console, now it denies me access

I have installed version 4 of Enterprise Console and Sophos Endpoint Security and Control 9. I successfully scanned the network, organised client PCs into groups and created policies for these groups.

Now when I try to open EC I get the message:

"User  <domain>\administrator

Is not assigned to any sub-estates, you must be a member of at least one sub-estate to run the console"

What exactly is a sub-estate and how do I set one up?

  • Hi

    It's odd that you were initially able to open Enterprise Console: were you logged in as a different account then than now?

    If you haven't set up Role Based Administration (RBA) yet (you may not plan or need to), specifically the sub-estates section, then by default you just have the "Default" sub-estate, within which all Enterprise Console groups reside.

    Sub-estates can be used to partition up your groups in Enterprise Console such that a particular Windows user or group has access to just a subsection of SEC groups.

    As a simple example you might have two top level groups in Enterprise Console called Americas and Europe, each containing many child groups. You could then create two sub-estates called Americas and Europe, each of which contains only the groups of its region. You are then able to assign Windows users or security groups access to these sub-estates. This enables the administrators in charge of Sophos, or “Sophos Full Administrators” if you will, to delegate access rights to others.

    In previous versions you either had access to Enterprise Console and all groups or you did not.  This was defined by being a member of “Sophos Console Administrators” Windows security group, as this gave you access to the Sophos Management Service and in turn Enterprise Console.

    In Enterprise Console 4 however you still need to be a member of “Sophos Console Administrators” to gain access to the Sophos Management Service but to see all groups (by default the “Default” sub-estate), you also need to be a member of “Sophos Full Administrators”.  You also need to be a "Sophos Full Administrator" by default to be able to configure RBA.

    I hope that helps to clarify the sub-estate part of RBA and may help with your problem.  The other part to RBA is the ability to assign different rights to Roles within Enterprise Console should you wish to control what users can configure.

    All that being said, if your account is a member of both "Sophos Console Administrators" and "Sophos Full Administrators" and you have logged back off and back on again to refresh your token and still you have the same problem, then something more interesting might be going on.  In order to determine what that might be, you can carry out the following diagnostics:

    1. Close Enterprise Console.
    2. Stop the "Sophos Management Service" service.
    3. Add the following registry keys to the management server:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{48502EEA-4629-4dd6-9D67-CBB1A80C29A4}]
    @="TraceRBA"
    "ErrorLevel"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{9D624120-2E7B-47a2-BD4D-BDEB7E5388D3}]
    @="TraceConsole"
    "ErrorLevel"=dword:00000003

    Please adjust accordingly for a 64-bit OS.

    4. Start the "Sophos Management Service"
    5. Download and start DebugView, available from: http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
    6. Launch Enterprise Console.

    DebugView should populate with verbose logging of the significant components which can be saved as a log file and should help to determine the problem for Sophos support or if you are able to provide access to the log on this forum.

    Note: Please remember to remove the above keys once complete and you will also need to restart the Sophos Management Service.

    I hope this helps.

    Thanks
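
The membership check and trace procedure from the reply above, scripted as an added example (not part of the original post and not Sophos code). The function names are hypothetical, and the `Wow6432Node` path for 64-bit Windows is an assumption about what "adjust accordingly" means. Run it from an elevated PowerShell session on the management server with Enterprise Console closed.

```powershell
# Added example. Group names, service name, GUIDs and values are taken from the reply above.
$ServiceDisplayName = 'Sophos Management Service'
$RequiredGroups     = 'Sophos Console Administrators', 'Sophos Full Administrators'
$TraceKeys = @{
    '{48502EEA-4629-4dd6-9D67-CBB1A80C29A4}' = 'TraceRBA'
    '{9D624120-2E7B-47a2-BD4D-BDEB7E5388D3}' = 'TraceConsole'
}

function Get-SophosTraceRoot {
    # Assumption: on a 64-bit OS the keys belong in the 32-bit registry view.
    if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Trace' }
    else { 'HKLM:\SOFTWARE\Sophos\Trace' }
}

function Test-SophosGroupToken {
    # Reads the groups in the *current logon token*, which only changes after
    # logging off and on again, not when directory membership is edited.
    $names = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    foreach ($group in $RequiredGroups) {
        [pscustomobject]@{ Group = $group; InToken = [bool]($names -like "*\$group") }
    }
}

function Set-SophosTrace {
    param([switch]$Disable)   # -Disable removes the keys again (the "Note" step)
    $service = Get-Service -DisplayName $ServiceDisplayName
    Stop-Service -InputObject $service -Force                      # step 2
    foreach ($guid in $TraceKeys.Keys) {                           # step 3
        $path = Join-Path (Get-SophosTraceRoot) $guid
        if ($Disable) {
            Remove-Item -LiteralPath $path -Recurse -ErrorAction SilentlyContinue
        } else {
            # -Value on a registry key sets its (Default) value, i.e. the @= line.
            New-Item -Path $path -Value $TraceKeys[$guid] -Force | Out-Null
            New-ItemProperty -LiteralPath $path -Name 'ErrorLevel' `
                -PropertyType DWord -Value 3 -Force | Out-Null
        }
    }
    Start-Service -InputObject $service                            # step 4
}

Test-SophosGroupToken | Format-Table -AutoSize
# Set-SophosTrace            # enable, then start DebugView and launch the console
# Set-SophosTrace -Disable   # remove the keys and restart the service when done
```

If `InToken` is `False` for either group, fix the membership and log off and on again before collecting a trace.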
