Issue
Solution
The current state of ESET MSP Administrator 2 and ESET Business Account
This document provides detailed information about an issue identified during the migration process from ESET MSP Administrator 2 and ESET Business Account to ESET PROTECT Hub. It offers insights into the underlying causes of this issue and its implications for users.
Previously, users experienced confusion regarding their access rights in ESET MSP Administrator 2 and ESET Business Account. For example, access rights set in ESET MSP Administrator 2 and ESET Business Account could be overridden by those set for cloud solutions, significantly impacting user permissions.
Access rights are configured as No access in ESET MSP Administrator 2 and ESET Business Account, while ESET cloud consoles (ESET PROTECT and ESET Cloud Office Security) access is set to Write. However, the Write access in ESET PROTECT takes precedence over No access in ESET MSP Administrator 2 and ESET Business Account. Consequently, users gain the ability to manage all customers, contrary to the intended restrictions.
To enhance user creation efficiency and simplify access management, we are unifying access rights across the entire ESET cloud consoles ecosystem. This includes configuring permissions within ESET PROTECT Hub and offering options like Write, Read
, No access, or Custom access for selected sites or customers. When a user selects a permission level such as Write in ESET PROTECT Hub, the corresponding permission level will be automatically assigned to ESET cloud consoles access if the user selects the Access permission. This rule applies universally across all cloud consoles.
Access rights compatibility
The issue addressed in this document stems from the lack of full compatibility between ESET MSP Administrator 2 or ESET Business Account and ESET PROTECT Hub regarding user access. This poses challenges for the migration of users and data from ESET MSP Administrator 2 or ESET Business Account into ESET PROTECT Hub, necessitating your assistance in data clean-up before migration. There are two options to address this issue:
-
Users align access rights themselves between ESET MSP Administrator 2 or ESET Business Account and cloud console permissions.
-
Automatically migrate access rights with a strong rule, where weaker permissions take precedence. This decision is driven by the commitment to preventing data breaches and ensures that no specific user ends up with stronger access in either ESET cloud consoles or ESET PROTECT Hub post-migration.
Example of the changed permissions after automatic migration of access rights:
Console |
ESET Business Account/ESET MSP Administrator
|
ESET PROTECT Hub | ||
Use case |
Access rights
|
Cloud Solution rights
|
Access rights – after migration | Cloud Solution rights – after migration |
ESET Business Account/ESET MSP Administrator access is stronger than access to cloud consoles | Write | Read | Read | Access (Read) |
ESET Business Account/ESET MSP Administrator access is weaker than access to cloud consoles | Read | Write | Read | Access (Read) |
ESET Business Account/ESET MSP Administrator access is set to no access, with elevated access for some customers with write/read access to cloud consoles | No access (only selected customer/site) | Write | Custom access (only selected customer/site) | Access (only selected customer/site) |
ESET cloud consoles access is set to Custom | Read | Custom | Read | Custom |
- The green cells indicate scenarios where no changes are made during the automated migration
- The red cells indicate scenarios where the automated migration changes user rights to weaker access levels
ESET MSP Administrator 2 or ESET Business Account access is stronger than access to cloud consoles
For a user with ESET Business Account or ESET MSP Administrator 2 access rights set to Write and Cloud Solution access set to Read, their access level will be adjusted to Read for ESET PROTECT Hub and Access for ESET cloud consoles.
ESET MSP Administrator 2 or ESET Business Account access is weaker than access to cloud consoles
The weaker permission takes precedence. Consequently, both ESET PROTECT Hub and ESET cloud consoles access will be set to Read, resulting in the user losing the Write privilege in ESET cloud consoles.
ESET MSP Administrator 2 or ESET Business Account access is set to no access, with elevated access for some customers with write/read access to cloud consoles
User access will be restricted to Write
for a specific customer in ESET PROTECT Hub, mirroring the access level in ESET cloud consoles. However, they will lose access to all other customers in ESET cloud consoles and retain access only to the specified one.
ESET cloud consoles access is set to Custom
This setup poses no issues for migration because Custom
access entails that users' access rights are configured independently within ESET cloud consoles. Users will not experience any changes in their access rights.