Solved: Match EMA Group permissions to IB and OOB endpoint operations

maksymr · ‎10-15-2024

Greetings,

Im working on EMA integration, and Im having some issues figuring out which Group permissions actually grant some of the EMA Rest API commands.

So, /api/latest/endpointGroups endpoint provides a following response:

"Permissions": {
"AllowWakeup": true,
"AllowSleep": true,
"AllowReset": true,
"AllowTcpCommunication": true,
"AllowAlert": true,
"AllowConsole": true,
"AllowKvm": true,
"AllowFileAccess": true,
"AllowWmi": true,
"AllowLocation": true,
"AllowP2P": true,
"AllowUserConsentKVM": true
}

And we're using these IB and OOB operations:

OOB:

/api/latest/endpointOOBOperations/Single/PowerOn
/api/latest/endpointOOBOperations/Single/Sleep/Light
/api/latest/endpointOOBOperations/Single/Sleep/Deep
/api/latest/endpointOOBOperations/Single/PowerCycle/OffSoft
/api/latest/endpointOOBOperations/Single/PowerOff/Hard
/api/latest/endpointOOBOperations/Single/Hibernate
/api/latest/endpointOOBOperations/Single/PowerCycle/OffSoft
/api/latest/endpointOOBOperations/Single/PowerCycle/OffHard
/api/latest/endpointOOBOperations/Single/MasterBusReset
/api/latest/endpointOOBOperations/Single/MasterBusReset/Graceful
/api/latest/endpointOOBOperations/Single/PowerOff/SoftGraceful
/api/latest/endpointOOBOperations/Single/PowerOff/HardGraceful
/api/latest/endpointOOBOperations/Single/PowerCycle/OffSoftGraceful
/api/latest/endpointOOBOperations/Single/PowerCycle/OffHardGraceful
/api/latest/endpointOOBOperations/Single/PowerCycle/BootToUsbrIso
/api/latest/endpointOOBOperations/Single/PowerCycle/BootToUsbrImg
/api/latest/endpointOOBOperations/Single/PowerCycle/BootToBios

IB:

/api/latest/endpointIBOperations/reboot
/api/latest/endpointIBOperations/sleep
/api/latest/endpointIBOperations/hibernate
/api/latest/endpointIBOperations/alert
/api/latest/endpointIBOperations/shutdown

Is there a way to match these commands to group permissions exactly? Some of them seem quite straightforward (like alert and sleep/hibernate), but not sure about the rest.

I would really appreciate some directions here,

Thank you!

vij1 · ‎10-17-2024

Hello Maksymr,

Greetings!

An endpoint group's policy refers to the IT configurations and rules applied to a specific logical grouping of endpoints within an organization.

These groups—such as those for departments like Accounting or Engineering—enable IT administrators to manage and enforce tailored security, access, and operational policies that align with each group's unique requirements.

By defining these endpoint groups, administrators can apply different configurations, security protocols, and access permissions to endpoints that share common characteristics or roles within the organization.

To clarify, the Sleep policy includes the Hibernate operation as well.

does this matching look correct- yes

Please let me know if you need further details.

Best regards,

Vijay N.

View solution in original post

vij1 · ‎10-15-2024

Hello Maxymr,

Please note that the scripts provided are intended as sample code. These snippets demonstrate various Intel EMA API calls and other related operations. They are primarily designed to serve as examples for your reference and should be customized to fit your own specific use cases.

We recommend using them as part of your own scripts by adding the necessary modifications based on your requirements.

If you have any further questions or need assistance, feel free to reach out.

Best regards,

Vijay N.

maksymr · ‎10-16-2024

Hello Vijay,

Yes, I understand this. I was referring to the real values that I receive from the API also:

{
  "AllowWakeup" : true,
  "AllowSleep" : true,
  "AllowReset" : true,
  "AllowTcpCommunication" : true,
  "AllowAlert" : false,
  "AllowConsole" : true,
  "AllowKvm" : false,
  "AllowFileAccess" : false,
  "AllowWmi" : false,
  "AllowLocation" : true,
  "AllowP2P" : true,
  "AllowUserConsentKVM" : false
}

This is a payload for this Endpoint Group:

So Im not sure if Sleep would also imply hibernation, and if reset/wakeup would qualify as reboot. Or are some of the commands are just granted by default? That's what I'd like to clarify, because for the IB alert operation, Alert permission must be granted for sure, but it's yet unclear whether it is the case or not for others.

I sure could experiment and switch permissions while trying IB/OOB operations at the same time and see if any error would be thrown, but I was hoping there's a single source of truth that I can rely on here

Thank you

vij1 · ‎10-16-2024

Hello Maksym,

Greetings!

The full description of all REST API commands, along with their required roles, can be found in the REST API for Intel® Endpoint Management Assistant V5. You can download the complete reference from the link below: Download REST API for Intel® EMA V5

To address your specific questions:

Sleep vs. Hibernate Commands:

Sleep and Hibernate are separate commands.
You can find more information about each here:
- Sleep: REST API for Intel® EMA V5(https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/V5swagger.html#operation/EndpointIBOperations_Sleep )
- Hibernate: REST API for Intel® EMA V5
- https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/V5swagger.html#operation/EndpointIBOperations_Sleep

2.Reset/Wakeup vs. Reboot:

Reset/Wakeup is not the same as Reboot.
https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/V5swagger.html#operation/EndpointOOBOperations_MultiplePowerOn
Further details can be found for each command:
- PowerOn/Wake: REST API for Intel® EMA V5
- Reboot: REST API for Intel® EMA V5
- https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/V5swagger.html#operation/EndpointIBOperations_Reboot

3.Permission Requirements:

Yes, specific permissions are required for certain commands and are not granted by default.
https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/V5swagger.html
You can refer to the API documentation to identify the required roles for each command. For example, the Alert command requires the following roles:
- Roles required: Tenant Administrator, Endpoint Group Creator, or Endpoint Group User.

Please refer to the API guide for more details on the roles needed for each operation.

Let me know if you need any further assistance.

Best regards,

Vijay N.

maksymr · ‎10-17-2024

Hello Vijay,

The EMA guide is helpful, but still it's a bit unclear on what group policies do I need to have enabled exactly:

And in group policies there are not aligned this way exactly:

So in section 6.4.3, for instance, it states Hibernate along with Sleep, Power off and restart, but there are policies for Sleep, Wakeup, Power off and Restart, but not hibernate. So Sleep policy is going to include Hibernate operation as well, is my assumption correct?

So, for the operations that Im going to use, can you please confirm if this is correct:

Operation	Group Policy	EMA API Response Property
IB: Alert	Messaging and alerts: Alert	AllowAlert
IB: Sleep	Power operations: Sleep	AllowSleep
IB: Hibernate	Power operations: Sleep	AllowSleep
IB: Reboot	Power operations: Turn off or restart	AllowReset
IB: Shutdown	Power operations: Turn off or restart	AllowReset
OOB: Single Sleep Light	Power operations: Turn off or restart	AllowSleep
OOB: Single Sleep Deep	Power operations: Turn off or restart	AllowSleep
OOB: Single Hibernate	Power operations: Turn off or restart	AllowSleep
OOB: Single Master Bus Reset	Power operations: Turn off or restart	AllowReset
OOB: Single Master Bus Reset Graceful	Power operations: Turn off or restart	AllowReset
OOB: Single Cycle Off Soft	Power operations: Turn off or restart	AllowReset
OOB: Single Power Off Hard	Power operations: Turn off or restart	AllowReset
OOB: Single Power Cycle Off Hard	Power operations: Turn off or restart	AllowReset
OOB: Single Power Off Soft Graceful	Power operations: Turn off or restart	AllowReset
OOB: Single Power Off Hard Graceful	Power operations: Turn off or restart	AllowReset
OOB: Single Power Cycle Off Hard Graceful	Power operations: Turn off or restart	AllowReset
OOB: Single Power Cycle Off Soft Graceful	Power operations: Turn off or restart	AllowReset
OOB: Single Power Cycle Boot To USBR ISO	Power operations: Turn off or restart	AllowReset
OOB: Single Power Cycle Boot To USBR IMG	Power operations: Turn off or restart	AllowReset
OOB: Single Power Cycle Boot To BIOS	Power operations: Turn off or restart	AllowReset

So keeping it this explicit, does this matching look correct?

Thank you!

vij1 · ‎10-17-2024

Hello Maksymr,

Greetings!

An endpoint group's policy refers to the IT configurations and rules applied to a specific logical grouping of endpoints within an organization.

These groups—such as those for departments like Accounting or Engineering—enable IT administrators to manage and enforce tailored security, access, and operational policies that align with each group's unique requirements.

By defining these endpoint groups, administrators can apply different configurations, security protocols, and access permissions to endpoints that share common characteristics or roles within the organization.

To clarify, the Sleep policy includes the Hibernate operation as well.

does this matching look correct- yes

Please let me know if you need further details.

Best regards,

Vijay N.

maksymr · ‎10-18-2024

Hello Vijay,

This clears it out, thank you!

I have another question about the EMA API, but I'll enter another topic for that, to keep things clean for others who'll face similar issues.

Best regards

vij1 · ‎10-18-2024

Hello Maksymr,

You're welcome! I'm glad I could help.

Feel free to reach out with any further questions regarding the EMA API. If further assistance is necessary, do not hesitate to reply.

Best regards,

Vijay N.