WebUI Admin Guide Platform V9.5.3

IBM BigFix
Version 9.5
WebUI
Administrators Guide
IBM
IBM BigFix
Version 9.5
WebUI
Administrators Guide
IBM
Note
Before using this information and the product it supports, read the information in “Notices” on page 63.
This edition applies to version 9, release 5, modification level 0 of IBM BigFix and to all subsequent releases and
modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2016.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Introduction . . . . . . . . 1 Working With Custom Tiles . . . . . . . . . 36
WebUI Audience . . . . . . . . . . . . . 1 Create a Key Numbers Tile . . . . . . . . 41
Create a Summary Tile . . . . . . . . . 42
Chapter 2. Deployment Requirements . . 3 Create a List Tile . . . . . . . . . . . 43
Create a Checks Tile . . . . . . . . . . 44
Requirements Overview . . . . . . . . . . 3
Create a Chart Tile . . . . . . . . . . . 45
Hardware Requirements . . . . . . . . . . 4
Disk Space . . . . . . . . . . . . . . . 4
Network Port Conflicts . . . . . . . . . . . 4 Chapter 7. Performance . . . . . . . 47
Microsoft Hotfix KB2577795 . . . . . . . . . 5 Operator Performance . . . . . . . . . . . 47
Slow Filters . . . . . . . . . . . . . 47
Chapter 3. WebUI Installation . . . . . 7 Concurrence . . . . . . . . . . . . . 47
Administrator Performance . . . . . . . . . 48
Install the WebUI Service (Platform V9.5.3 or later) . 7
Operator Shaping . . . . . . . . . . . 48
Requirements . . . . . . . . . . . . . 7
Environment Upgrades . . . . . . . . . 48
Installation Checklist . . . . . . . . . . 7
ETL Performance . . . . . . . . . . . 48
Remove the WebUI Service . . . . . . . . 9
Change Ports . . . . . . . . . . . . . 9
Renew WebUI Certificates . . . . . . . . . 9 Chapter 8. Log Locations . . . . . . . 49
Enable the WebUI (Platform V9.2.6 – V9.5.2) . . . . 9
Change Communication Ports . . . . . . . 12 Chapter 9. WebUI Server Settings . . . 51
SSL Certificates . . . . . . . . . . . . 13 Access WebUI Server Settings . . . . . . . . 51
Send Notifications . . . . . . . . . . . . 14 Server Settings Definitions . . . . . . . . . 52
Access the WebUI . . . . . . . . . . . . 14
Chapter 10. SAML 2.0 . . . . . . . . 57
Chapter 4. Provisioning Users. . . . . 17
Master Operator Permissions . . . . . . . . 17 Chapter 11. Supported Patch Sites . . . 59
Non-Master Operator Permissions . . . . . . . 17
Operators and Roles in IBM BigFix . . . . . 18
Permission Effects in the WebUI . . . . . . 18
Appendix. Support . . . . . . . . . 61
Apply WebUI Permissions . . . . . . . . . 20
Explicit and Effective Permissions . . . . . . 21 Notices . . . . . . . . . . . . . . 63
Setting WebUI Permissions . . . . . . . . 22 Trademarks . . . . . . . . . . . . . . 65
Interface Login Privileges. . . . . . . . . . 23 Terms and conditions for product documentation. . 66
Create Actions Privileges . . . . . . . . . . 24
Chapter 5. Managing Application

Updates . . . . . . . . . . . . . . 27
Chapter 6. Editing Dashboards . . . . 31

General Editing Techniques . . . . . . . . . 32
Working with Predefined Tiles . . . . . . . . 33
© Copyright IBM Corp. 2016 iii

iv IBM BigFix: WebUI Administrators Guide
Chapter 1. Introduction
Welcome to the IBM BigFix WebUI Administrators Guide. This document is
intended for IBM BigFix Master Operators who administer an IBM BigFix
deployment. If you are a non-Master Operator who does not have administration
rights, or if you are looking for information about using the WebUI, see the IBM
BigFix WebUI User's Guide.
The web-based BigFix WebUI harnesses the flexibility and power of IBM BigFix.
Using a browser, operators can log in to the WebUI and manage endpoints. The
WebUI augments the IBM BigFix Console but does not replace it. BigFix WebUI
components include Custom Content, Patch, Query, and Software Distribution. Use
of the WebUI might not be suitable for all deployments. Some customers use both
the WebUI and the Console to complete different BigFix tasks.
The BigFix WebUI is a component of the IBM BigFix Platform; no separate

executable file is required. All WebUI administration tasks are completed by using
the BigFix Console.
WebUI Audience
The WebUI is not intended for all IBM BigFix deployments, and is not currently as
scalable as a traditional IBM BigFix deployment. Currently, the WebUI has the
following upper use limits:
v 30 concurrent users.
v 60,000 managed endpoints.
While nothing prevents the use of the WebUI in larger deployments, there might
be significant impact to performance. For more information, see Chapter 7,
“Performance,” on page 47.
© Copyright IBM Corp. 2016 1

2 IBM BigFix: WebUI Administrators Guide
Chapter 2. Deployment Requirements
Prepare your production environment for BigFix WebUI; before you deploy it
certain requirements must be met. When your environment is ready the WebUI can
be enabled.
The WebUI is a component of a standard IBM BigFix deployment. Therefore, the

primary step in WebUI enablement is the installation of the IBM BigFix platform.
For detailed information on installing IBM BigFix, see the IBM BigFix Installation
Guide.
Requirements Overview
The BigFix WebUI is a component of a standard IBM BigFix installation from
version 9.2.6 onward. Environments that run version 9.2.6 or later contain the
software components that are required to enable the WebUI. The required
hardware, software, and environment settings are summarized here, more detailed
descriptions follow:
v IBM BigFix 9.2.6 or later. For detailed production environment requirements and
installation procedures, see the IBM BigFix Installation Guide. If you are already
running a previous version of IBM BigFix, upgrading to 9.2.6 is sufficient.
v The WebUI is accessed through a number of supported internet browsers:
– Internet Explorer 10 or later,
– Microsoft Edge,
– Firefox, updated to the latest version.
– Safari, updated to the latest version.
– Chrome, updated to the latest version.
v Minimum screen resolution of 1024x768.
v Minimum disk space of 50 GB.
v A network port must be open for WebUI communication; the default port is 80
and 443 for HTTP and HTTPS. For more information, see “Network Port
Conflicts” on page 4.
v Microsoft Hotfix KB2577795 applied to Windows Server 2008 R2, if applicable.
v Signed SSL Certificates (optional) ensure secure communication with your
WebUI deployment. For more information, see “SSL Certificates” on page 13.
System requirements for using the Executive Dashboard and dashboard editing
tools:
v BigFix version 9.2.6 and later.
v The WebUI enabled in your environment.
System requirements for using BigFix Query:

v BigFix version 9.5 Patch 2.
v The WebUI enabled in your environment.
v Web Reports enabled in your environment.
v A licence for IBM BigFix Lifecycle, or IBM BigFix Security and Compliance.
v To process BigFix Query requests, targeted clients must have:

– The ability to receive UDP notifications.
– BigFix v 9.5 Patch 2 or later installed.
v BigFix v 9.5 Patch 2 or later must be installed on all targeted clients and
intermediate relays.
Hardware Requirements
The WebUI operates as part of a standard IBM BigFix deployment. However,
additional hardware resources are required to power the WebUI.
Baseline hardware requirements for an IBM BigFix deployment are described in the
IBM BigFix Installation Guide. The WebUI requires more CPU and memory, and
the amount varies depending on the number of concurrent users:
Table 1. Additional Resources for WebUI
Function Additional CPUs Additional Memory in GB
WebUI Baseline +1 +4
Per 10 Concurrent Users +3 +2
(Linux)
Per 10 Concurrent Users +6 +4
(Windows)
For example, a Linux environment designed for 30 concurrent WebUI users

requires 10 CPUs and 10 GBs of memory in addition to the baseline requirements.
Disk Space
The amount of disk space that is required on your server is highly dependent on
your deployment size. For deployments up to 60,000 managed endpoints, the
recommended free disk space is 50 GB. Solid state drives are highly recommended.
Traditional magnetic drives can be used, but performance is greatly degraded due
to the heavy reliance on ETL procedures.
Network Port Conflicts

IBM BigFix WebUI is set to communicate on ports 80 and 443, for HTTP and
HTTPS, by default. However, these network ports can be set to any value during
WebUI enablement. It is critical that the chosen ports remain open and not
reserved for other applications within your environment.
A possible conflict can arise between WebUI and the Web Reports component of
IBM BigFix. Web Reports defaults to port 80 in IBM BigFix version 9.2.4.X and
earlier. As of release 9.2.5 Web Reports defaults to port 8080 to avoid conflict with
WebUI. When upgrading an existing deployment to 9.2.5 or later, the port used for
Web Reports is not changed. Therefore, it is possible to run a fully updated
deployment while still encountering a port conflict.
During WebUI installation any port conflict with Web Reports is detected and the
option to change the Web Reports port is provided. For more information, see
“Enable the WebUI (Platform V9.2.6 – V9.5.2)” on page 9 and “Change
Communication Ports” on page 12.

Microsoft Hotfix KB2577795
Windows Server 2008 R2 contains a bug related to kernel socket leaks. If your
primary server is on this operating system the bug must be patched to avoid
long-term issues related to WebUI. This hotfix must be applied to Windows Server
2008 R2 or the WebUI cannot be enabled. The only way to apply this Microsoft
Hotfix is through direct download from Microsoft. To read more about the hotfix
and download it, see https://support.microsoft.com/en-us/kb/2577795.
If you have enabled WebUI on an IBM BigFix server running Windows Server 2008
R2, you must patch that computer with Microsoft Hotfix KB2577795. If KB2577795
is not applied you might see socket errors after some time has passed.
After the WebUI has been enabled, you can quickly check your server's
compliance:
1. From the IBM BigFix Console, navigate to BigFix Management > BES
Component Management > WebUI, or locate Fixlet 2251 by your preferred
means.
2. If Fixlet 2251 is relevant, you have a computer that matches all of these criteria:
v WebUI is enabled,
v The operating system is Windows Server 2008 R2, and
v KB2577795 is NOT applied.
3. If Fixlet 2251 is relevant, the issue is not resolved. If Fixlet 2251 is not relevant,
your WebUI deployment is properly patched.
Note: Because the WebUI enablement Fixlet requires the hotfix to be applied to
relevant servers, it is unlikely that the hotfix Fixlet will be relevant. This can occur,
however, if the WebUI was manually enabled, which is not recommended.
Chapter 2. Deployment Requirements 5

Chapter 3. WebUI Installation
Starting with BigFix Platform version 9.5.3, the WebUI is a separate service that can
be started, stopped, and restarted independently of the BigFix Server. It can now
be installed on the BigFix server or on a remote machine.
Note: WebUI services installed by earlier versions of the BigFix Platform do not
work on V9.5.3. Customers upgrading to V9.5.3 from an earlier version must
reinstall the WebUI with the V9.5.3-specific installation Fixlet. Following
installation, your pre-V9.5.3 data will be available when the first ETL process
completes.
Use the installation procedure that meets your requirements:

v To run the WebUI on Platform V9.5.3, for example, to install the WebUI service
on a remote machine, use the procedure “Install the WebUI Service (Platform
V9.5.3 or later).”
v To use the WebUI on BigFix Platform versions 9.2.6 – 9.5.2, use “Enable the
WebUI (Platform V9.2.6 – V9.5.2)” on page 9.
v To use the WebUI in SAML-Only mode, use “Enabling the WebUI in
SAML-Only Mode” on page 57.
Install the WebUI Service (Platform V9.5.3 or later)

Use this procedure to install the WebUI on Platform V9.5.3. Starting with V9.5.3 the
WebUI is a separate service that can be started, stopped, and restarted
independently of the BigFix Server. Installing on a remote endpoint can free up
storage and processing resources on the BigFix Server.
Requirements
To install the WebUI service:
v Customers upgrading to V9.5.3 from an earlier version of the Platform must run
the V9.5.3-specific WebUI installation Fixlet.
v If you are installing the WebUI service on a remote server, the operating system
on the BigFix server and the remote server must be the same. Either:
– Windows Server 2008 (64 bit) or later, or
– Red Hat Linux 6 or 7 (64 bit).
v If you are installing the WebUI service on a remote machine, that machine must
be running theV9.5.3 BigFix Agent before you deploy the installation Fixlet.
Using a BigFix relay as the remote server is recommended.
Installation Checklist
Before you run the V9.5.3 installation Fixlet, Install IBM BigFix WebUI Service
(Version 9.5.3):
v Have the host name or IP address of the target WebUI server ready.
v The default installation directories are:
– On Windows machines:

C:\Program Files (x86)\BigFix Enterprise\BES WebUI
– On Red Hat Linux machines:
/var/opt/BESWebUI and /opt/BESWebUI
v If you are not using the defaults, have the target drive and directory ready.
– On Windows systems, the specified targets are created automatically.
– On Red Hat Linux systems:
1. Create the target drive and directory.
2. Symlink the default directory to the target directory.
v Verify that the WebUI ports you want to use are available on the target machine.
– The default HTTP redirect port is 80.
– The default HTTPS port is 443.
v If you are not using the defaults, have the database directory name ready.
Specify it using the absolute path.
– The default database directory for Windows machines is:
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\ETL
– The default database directory for Red Hat Linux machines is:
/var/opt/BESWebUI/WebUI/ETL
When you are ready, deploy the Fixlet Install IBM BigFix WebUI Service (Version
9.5.3).
Notes:
v If the Fixlet fails, revoke the certificates that it generates and sends to the target
machine.
v The installation Fixlet does not remove anything from the BigFix server. Node
executable files, log files, and site directories will remain, though node processes
will no longer be running. If you are installing on the BigFix Server, it will move
the webui.db and the WebUI sites directory.
v Start, stop, and restart the WebUI process on a remote machine using
services.msc on Windows, or through the terminal in Red Hat Linux. If stopped,
the Fixlet 2562 - BES WebUI Service not Started can also be used to start the
WebUI.

Remove the WebUI Service
Customers on BigFix platform version 9.5.3 or later can run Fixlet 2557 - Remove
WebUI Service to remove the WebUI from the BigFix Server or a remote machine.
The server instance, including client settings, the ETL directory, and the working
WebUI directory will be removed.
Change Ports
On BigFix Platform V9.5.3 and above use the Fixlet Change Ports for WebUI
Service and Web Reports to change the communication ports on either the BigFix
server or a remote machine. Use the Fixlet description to enter the port numbers
you want to use.
Renew WebUI Certificates

On BigFix platform V9.5.3 or later use Fixlet 2558 – Rotate WebUI Certificate, to
generate new certificates.
To revoke a certificate, use the BESAdmin tool on the root server.

BESAdmin.exe /revokewebuicredentials /sitePvkLocation:<pvklocation> /sitePvkPassword:<pvkpassword>
For more information about the BESAdmin tool see: http://www.ibm.com/

support/knowledgecenter/SS63NW_9.2.0/com.ibm.tem.doc_9.2/Platform/Adm/
c_additional_besadmin_onwindows.html
Enable the WebUI (Platform V9.2.6 – V9.5.2)

Use this procedure to run the WebUI on Platform versions 9.2.6 - 9.5.2. In these
versions, the WebUI is an embedded Platform component. Starting with v9.5.3 the
WebUI is a separate service that can be started, stopped, and restarted
independently of the BigFix Server.
Use the enablement Fixlets to turn on the WebUI. The Fixlets check for potential
WebUI and Web Report port conflicts and provide an easy way to change them if
necessary. Extra security can be implemented in the form of SSL certificates
To enable the WebUI and select its communication port:

1. In the BigFix console, navigate to BigFix Management > BES Component
Management > WebUI. Three WebUI enablement Fixlets are available:
v Fixlet 2250 - Change Ports for WebUI and Web Reports
v Fixlet 2251 - Hotfix for KB2577795...
v Fixlet 2252 - Enable WebUI
Chapter 3. WebUI Installation 9

1. Select Fixlet 2252 and view the Description tab of the Fixlet. Here you can
select the HTTP and HTTPS ports that are assigned to the WebUI. The defaults
are ports 80, and 443.

1. Run Fixlet 2252 by selecting Take Action and choosing your primary IBM
BigFix Server as its target.
Fixlet 2252 checks for a port conflict with Web Reports, if Web Reports is present.
If a conflict is found an error message displays, and the Fixlet stops.
Note: You cannot determine the target of Fixlet 2252 until you select it. Therefore,
if you have multiple IBM BigFix Servers in your environment, Fixlet 2252 may not
report a port conflict when one does exist with one of your individual IBM BigFix
Servers. If so, Fixlet 2250 will fail, and you will need to select a different port, as
described in the following step. This situation can be resolved later, as described in

“Change Communication Ports.” In addition, it is important to remember other
applications in your deployment, unrelated to IBM BigFix, can cause a conflict.
Note: The WebUI enablement Fixlet checks for the presence of Microsoft Hotfix
KB2577795 if your server runs Windows Server 2008 R2. For more information, see
“Microsoft Hotfix KB2577795” on page 5. If your WebUI deployment is properly
patched the Fixlet will not be relevant.
1. If a port conflict with Web Reports is detected, run Fixlet 2252 again and
choose a different port for WebUI. Even if you plan to change either the Web
Reports or WebUI ports, you must choose a non-conflicting port to enable the
WebUI. For more information, see “Change Communication Ports.”
2. After the Fixlet has completed by restarting the BesRootServer, WebUI is
enabled. To confirm, navigate to All Content > WebUI Apps. If the WebUI
Apps menu item is not present, enablement has failed and Fixlet 2252 should
be run again. There may be a small delay between enablement and the menu
item displaying depending on your deployment.
Change Communication Ports

BigFix Management Fixlet 2250 allows the communication ports for WebUI and
Web Reports to be changed.
If either WebUI or Web Reports is enabled in your environment, you might want
to change their communication port. As of IBM BigFix release 9.2.5, Web Reports
defaults to port 8080 while the default port for WebUI is 80 for HTTP and 443 for
HTTPS. However, in previous versions of IBM BigFix, Web Reports defaulted to
port 80. If left unchanged, this might create a conflict during WebUI enablement. .
This issue is resolved during WebUI enablement as described in “Enable the
WebUI (Platform V9.2.6 – V9.5.2)” on page 9.
After the WebUI is enabled, the ports that are defined for WebUI and Web Reports
can be changed using Fixlet 2250.

Use Fixlet 2250 as needed in your deployment. Use the Fixlet description to enter
the wanted port numbers. If Web Reports is not present on your primary root
server, the option to change its ports is not provided. This Fixlet restarts the
BesRootServer to apply port changes.
SSL Certificates
Secure Sockets Layer certificates enable secure communication with your IBM
BigFix WebUI deployment.
SSL certificates, signed by a licensed certificate authority, can be uploaded to your

IBM BigFix Server. This provides secure communication and is highly
recommended, however signed certificates are not a requirement. If signed
certificates are not used communication within your deployment will be insecure
unless other measures are taken, such as limiting to local access or VPN access.
Signed SSL certificates can be obtained from an authorized certificate authority.
To deploy SSL certificates:

1. Copy the ssl.crt and ssl.pvk files provided by your CA to the following location
on your IBM BigFix server:
v Windows Deployment
\\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\
v Linux Deployment
//var/opt/BESServer/WebUI/
2. Restart the BESRootServer service.

Send Notifications
Use the BigFix Send Notifications service to trigger an email alert when a
deployment fails (on a specified number of devices), or completes (on all targets).
In the WebUI, Send Notification options are specified when configuring a
deployment. To use this feature in the WebUI Send Notifications must be enabled
in your deployment, and operators must have the Custom Content and Can Create
Actions permissions set to "Yes."
For instructions on enabling the email notification service in your deployment, see
the IBM BigFix Configuration Guide. For read about setting operator permissions,
see “Apply WebUI Permissions” on page 20, and “Create Actions Privileges” on
page 24.
Access the WebUI

After the WebUI is enabled it will initialize and perform its first ETL. This process
might take several minutes, but it can take up to 3 hours: it is highly dependent
upon your deployment size. The WebUI is not accessible until initialization is
complete.
To access the WebUI from a web browser, navigate to:
<http_or_https>://<IP_or_FQDN>:<port_if_not_80/443>
If the WebUI has initialized and is ready for use you are presented with the login
prompt:
If the initialization takes a long time in your deployment, it might be possible to

resolve the WebUI URL before you can log in. In this case you are presented with
the following message:

Chapter 4. Provisioning Users
BigFix administrators and master operators set the permissions that govern
(non-master) operators' access to the WebUI.
WebUI permissions are implemented as an extra layer on top of the traditional

BigFix permissions managed through the BigFix console. WebUI operator
provisioning tasks start with defining Operators and Roles in the console, as you
normally do for a conventional IBM BigFix deployment. For detailed information
on permissions, see the BigFix Console Operator's Guide. It is helpful to have some
understanding of how basic BigFix permissions operate before proceeding with
WebUI permissions.
The workflow for provisioning Operators for the WebUI follows:

1. Define, or use existing permissions for Operators and Roles in the BigFix
Console to fit the needs of your deployment. By default, all Operators and
Roles have access to all WebUI components and are only limited by their
underlying, non-WebUI, permissions.
2. Use the WebUI-specific permissions layer to limit or customize any Operator's
or Role’s access to WebUI components.
3. Choose to disable any Operator or Role access to the WebUI so they cannot log
in to the WebUI at all.
Master Operator Permissions

Master Operators have complete access to all elements of the WebUI. In the course
of setting permissions it is possible to seemingly deny a Master Operator’s access
to one or more WebUI elements within the IBM BigFix Console, but such settings
have no effect. If a user is defined as a Master Operator, they always have full
permission to all aspects of the WebUI.
Non-Master Operator Permissions

All BigFix operators and roles are given full WebUI permissions, by default.
Operators can have access to elements in the IBM BigFix Console without having
access to those elements in the WebUI. For example, an Operator might be given
access to Patch content in the BigFix console and denied access to patch content in
the WebUI.
Giving an Operator’s access to a particular WebUI element allows the Operator to

see elements related to that content in the WebUI, but does not allow them to
interact with that content if they do not have that permission outside of WebUI.
For example, if an operator does not have access to Patch content in the BigFix
Console, they will not have access to Patch content in the WebUI. The only
exception to this is that any Operator can view actions that have been taken
regardless of content type. This allows Operators to see a complete picture, but
does not give them the ability to act on that content.

Operators and Roles in IBM BigFix
IBM BigFix allows permissions to be set for individual Operators as well as by
Roles, which can encompass many Operators.
For detailed information about the concepts of Operator and Role, see the BigFix
Console Operator's Guide. However, it is important to note that Operator and Role
permissions are additive. That is, IBM BigFix will always favor increased
permissions. For example, if an Operator is denied a particular permission but that
same Operator is part of a Role that is granted that permission, the Operator will
gain the permission. The reverse is true, if an Operator is granted a permission,
but is denied it, as part of a Role they are a member of, they will still retain the
permission.
This concept is discussed within the context of the UI in “Explicit and Effective
Permissions” on page 21.
Permission Effects in the WebUI

Permissions granted to Operators affect their ability to view WebUI elements and
conduct activities in the WebUI.
For the most part, the effects of permissions are clear: an Operator who is not
granted Patch permissions will not have access to the Patch workflow in the
WebUI. However, there are a few nuances that should be discussed.
The WebUI Overview incorporates information from many elements of your

deployment. Permissions have a direct impact on the information relayed to any
given Operator on the Overview. For example, patch related counts are not
displayed to an Operator without Patch access.
It is important to note that all Operators see deployment related data regardless of
content type. It is limiting if an Operator views an endpoint but cannot see that a
patch was deployed to that endpoint, even if that Operator does not have Patch
permissions. However, that Operator will not have the ability to take Patch actions
or alter that deployment.
Operators see all deployments regardless of source. The WebUI offers a window
into your deployment and it is not self-contained. Actions initiated from the
traditional IBM BigFix Console, external sites, or the REST API will be reflected in
the WebUI.
The WebUI allows email messages, associated with performed actions, to be sent.
The ability to send these notifications requires this feature be enabled within the
IBM BigFix console, as described in “Send Notifications” on page 14. Because these
notifications are enacted through custom content, Operators must have Custom
Content and Can Create Actions permissions to see the associated workflow within
the WebUI, allowing them to use this functionality.
Finally, it is possible for an Operator to login to the WebUI without having

permissions for any WebUI applications: custom, patch, or swd. This situation
should be avoided, but if it occurs, the Operator will see the following message
only after logging in:
Access to WebUI applications forbidden.

For more information on how this can occur, see “Setting WebUI Permissions” on
page 22 and “Interface Login Privileges” on page 23.
Permissions for Executive Dashboard and Dashboard Editing

Tools
All BigFix users can see the BigFix Overview and Executive Overview dashboards,
but only master operators can edit them. Master operators see the Edit Dashboard
button at the top of their dashboards, non-master operators do not.
Master operators see all dashboard elements and data. Users who do not have
permission to use a WebUI component do not see data that is related to that
component on their dashboard. For example, a non-master operator who does not
have access to the Software component do not see information that is related to
software packages. Operators that are limited to a specific set of devices see device
totals that reflect their device assignments. For example, their dashboard totals will
be different than totals for master operators, and might include zeros.
Permissions for BigFix Query

All Master Operators have access to BigFix Query. The All Content > WebUI
Appspermissions control access to the Query and other WebUI components. Like
the other WebUI components, access to the Query application defaults to “Yes” for
all operators. The All Content > WebUI Apps > Enable for all operators check
box is checked by default, so the effective permission for all WebUI components is
“Allowed (Globally)”.
To change an individual operator’s Query permissions settings, clear the Enable

for all operators check box. Then, change permissions for individual users and
roles. Note that the WebUI Apps Effective permission are “None” only if all of the
WebUI Apps > Query permissions are “None” for Operators, Roles, and All
Content. If any of them are set to “Allowed”, the Effective Permission is
“Allowed”
Operators who do not have access do not see Query in the Content menu, and
cannot access the Query landing page through the URL. Operators with access see
the Query button on the Overview and Device document pages.
Can Submit Queries
An operator’s Can Submit Queries setting does not control access to the WebUI
Query component, All Content > WebUI Apps permissions does. An operator’s
Can Submit Queries permission controls whether their requests can be submitted
to the REST API that supports queries. Since processes other than the Query app
also submit such requests, a REST-specific setting for operators is used.
v When Can Submit Queries is set to “Yes” an operator who submits a query
receive results.
v When Can Submit Queries is set to “No” an operator who submits a query
does not receive results, but the error message, “The logged in user is not
allowed to submit queries”.
For more information about configuring BigFix Query’s optional settings and using
its REST API’s, see “Getting client information using BigFix Query” in the BigFix
Platform Configuration Guide. Administrators might be interested in learning how
to set query time-out limits for Master Operators and Non-Master Operators.
Chapter 4. Provisioning Users 19

Apply WebUI Permissions
All Operators and Roles have full access to the WebUI by default, but it is possible
to customize access by Operator or Role.
Currently, the WebUI is composed of three components: “custom”, “patch”, and

“swd”. Permissions for each component can be granted or denied independently.
Permissions can be set in three places within the IBM BigFix Console:
v All Content > WebUI Apps
v All Content > Operators
v All Content > Roles
While the implementation is slightly different from a UI perspective, setting

permissions in any of these locations is reflected in all other locations. When
WebUI is enabled, you will find a new WebUI Apps tab in the Operator and Roles
windows.
You are free to edit permission in any location you desire, however to avoid
redundancy, we will primarily consider the All Content > WebUI Apps location in
the Console.

Select a WebUI component from the list of WebUI Apps, such as Patch, or SWD.
Permissions are defined in relation to each component. Once selected, the
Operators tab displays a list of operators, and the Role tab displays a list of roles.
Explicit and Effective Permissions

Permissions are set for specific Operators, but other sources of permissions can
alter an Operator’s effective permissions.
In the Operator Permissions tab there are two sets of permissions listed: Explicit
Permissions and Effective Permissions. Explicit permissions are those permissions
that are granted directly to that Operator. Prior to WebUI, these are the
permissions set per Operator in All Content > Operators. Explicit permissions are
the base permissions for any given Operator. They do not exist for Roles and are
therefore not listed as a column in the Role Permissions tab.
Effective Permissions reflect permissions granted by either the Operator’s explicit

permission or permissions granted by either the Operator’s Role or the global

checkbox Enable for all operators. Effective permissions are additive; if an
Operator is granted permission to a component by any means, it is reflected in
Effective Permissions.
In summary, Explicit Permissions are permissions a Master Operator has directly

defined for an Operator. Effective Permissions reflect an Operator’s explicit
permissions, Role permissions, and global permissions in an additive manner. In
the end, Effective Permissions reflect an Operators current permission level for
each WebUI component.
Setting WebUI Permissions

Once the core concepts of permissions are understood, setting Operator
permissions is a simple task.
To set permissions by Operator, Role, or apply a global permission set, perform the
following steps:
1. From All Content > WebUI Apps, select the WebUI component whose
permissions you wish to alter:
v Custom
v Patch
v SWD
1. In the Operator Permissions tab, check the Enable for All Operators checkbox
to toggle permissions for all Operators. This affects all Operators’ effective
permissions and leaves their explicit permissions as is.

1. Select the desired Operator and use the Allow or None buttons to set the
explicit permissions for that Operator. This is the same as setting the Operator’s
explicit permissions in the All Content > Operators site.
1. Use the Role Permissions tab to change effective permissions for any Roles.
Selecting a defined Role and using the Allow and None buttons sets the Role’s
permissions in an identical manner as using the All Content > Roles site.
1. Use the Save Changes button to save your permission settings.
Interface Login Privileges

Related to permissions, Operators and Roles can be granted or denied login rights
to the WebUI.

Regardless of permissions granted to an Operator explicitly or effectively, the
ability to login to the WebUI can be set. This option simply rejects a user’s login
credentials barring them from accessing the WebUI in any way. Such a user is
given a prompt directing them to their administrator when they attempt to login to
the WebUI.
To deny WebUI login, perform the following steps:

1. Navigate to All Content > Operators (or All Content > Roles).
2. Select the appropriate Operator or Role.
3. Navigate to the Details tab and scroll down.
4. From the Interface Login Privileges pane set the Can Use WebUI dropdown
menu.
Setting this value for an Operator sets the explicit value. The effective value is also
displayed, which is only altered by the same setting in a Role that the Operator is
a member of. As in all permissions, this permission is additive between Operators
and Roles they are members of.
If setting this value within a Role, you are setting the effective value for any
associated Operators.
Note: The WebUI Interface Login Privileges affect the ability to login to the WebUI
only. They do not affect an Operator’s ability to login to the traditional Console. Separate
settings allow control over Console and REST API usage.
Create Actions Privileges

Similar to Interface Login Privileges, the ability to create actions can be denied an
Operator or Role.

This permission affects action creation in a traditional IBM BigFix deployment, but
it also affects the WebUI. As its name implies, denying this permission means an
Operator cannot take actions, but it does not affect their ability to view taken
actions. Essentially such an Operator becomes a “read-only” Operator. Within the
WebUI, they are denied the ability to deploy, etc.
To set create action permissions, perform the following steps:

1. Navigate to All Content > Operators (or All Content > Roles).
2. Select the appropriate Operator or Role.
3. Navigate to the Details tab and scroll down.
4. From the Permissions pane set the Can Create Actions dropdown menu.
Setting this value for an Operator sets the explicit value. The effective value is also
displayed, which is only altered by the same setting in a Role that the Operator is
a member of. As in all permissions, this permission is additive between Operators
and Roles they are members of.
If setting this value within a Role, you are setting the effective value for any
associated Operators.

Chapter 5. Managing Application Updates
Use the Application Update Manager to view and apply available updates to
WebUI applications. Use the AutoUpdate feature to automatically gather and apply
new versions of WebUI applications as they become available. When AutoUpdate
is On, use the AutoUpdateDelay setting to control the timing of automatic updates.
Set them to install immediately, or delay auto updates for up to 30 days. Reasons
to delay might include:
v Scheduling an update for off-peak hours.
v Providing time to update a procedure that will change as a result of new
features.
v Trying a new version of an application on a test deployment before updating a
production system.
v Staying on a specific WebUI version for a period of time.
AutoUpdate defaults to On at WebUI installation, and AutoUpdateDelay defaults

to 0 days. To update WebUI applications manually, turn the AutoUpdate feature to
Off. Use the Update Manager to install an update at any time, whether
AutoUpdate is running or not. WebUI services remain available during updates.
The Application Update Manager
Use the Update Manager to view and apply available updates, and to see which
versions are currently running. Click the Settings icon on the navigation bar to
open the Update Manager. Only Master Operators see this icon.
To install an update:
1. Click Select to display a confirmation dialog that shows the version you will be
running following the update.
2. Click Update Now to complete the operation, or Cancel to return to the
Update Manager.

Note that while you can update an application to a newer version, you cannot roll
back to an earlier version.
When you run an update, the release you selected and all the updates preceding it
are applied. In other words, selecting an update installs all the updates up to, but
not beyond, the indicated point in time. The number following the release date
shows the number of updates included in that release.
Internal dependency checks prevent you from updating an application that

depends on a version of another application that is not yet available. For example,
you cannot install a version of the WebUI Patch application that depends on
features in the Common Application that have not yet been released.
The application version number is shown for each update, and reflects the
application site. For example, the Patch application resides in the WebUI Patch site,
the Custom Content application resides in the WebUI Custom site, and so on. The
WebUI application itself, which includes the Common application, the ETL
application, and the Login application, resides in the Common site. The Update
Manager application resides in the Application Administration site.
Notes
v If AutoUpdate is On and the delay period is set to zero, the number of available
updates in the Update Manager will also be zero, because new updates are
automatically applied.
v If AutoUpdate is On and the delay period set to 30 days, the number of
available updates will extend back 30 days, because updates older than 30 days
have been applied.
v If AutoUpdate is Off, the number of available updates will extend back in time
for an indefinite period.
AutoUpdate and AutoUpdateDelay
Use the BigFix Console to adjust the AutoUpdate and AutoUpdateDelay settings
on the computer where the WebUI service is installed.
Note: The first time that you change the AutoUpdate and AutoUpdateDelay
defaults following installation of the WebUI, you will be adding the client settings
specified below, not updating them. To add a setting for the first time, in Step 3 of

the procedure select Add Computer Setting, rather than Edit Computer Settings,
and enter the required setting name and value. Make subsequent adjustments to
the AutoUpdate and AutoUpdateDelay settings using the Edit Computer Setting
option.
1. On the BigFix Console, select Computers.
2. Right-click the WebUI server (either the BigFix server, or a remote machine).
3. Select Edit Computer Settings.
4. Select the setting that you want to change.
v For AutoUpdate, select _WebUIAppEnv_APP_UPDATE_ENABLE_AUTO. When set to
1, WebUI applications automatically update to the most recent versions in the
Pending Sites cache. When set to 0, AutoUpdate is Off.
v For AutoUpdateDelay, select_WebUIAppEnv_APP_UPDATE_DELAY_DAYS. Enter the
number of days to wait between updates. The Delay range is 0 - 30 days; the
default is 0 days.
Chapter 5. Managing Application Updates 29

Chapter 6. Editing Dashboards
Use the WebUI’s new editing tools to customize the WebUI Overview and
Executive Overview dashboards. Extract and present BigFix data in an array of
formats to summarize key information from across your enterprise.
Drag tiles to arrange them, and preview dashboard designs as you build. Draw
from a library of pre-defined tiles, or design your own.
Pre-defined tiles include Environment Overview, Patch Compliance, Patch Severity,

New Releases, and Deployments in the last 30 Days.
While the WebUI’s default overview tiles are useful to many users, the custom tiles
enable you to place critical information specific to your own deployment on the
WebUI and Executive overviews. Use the five custom tile types to design and
build your own tiles: Key Numbers, Summaries, Lists, Checks, and Charts.

All users can see and use the WebUI dashboards, but only Master Operators can
edit them. Changes made to either dashboard become the default design for that
overview for all users. Dashboard elements and data are adjusted to reflect the
BigFix permission levels and assignments of Non-Master Operators.
Four screens are involved in editing and building tiles:

v Edit Dashboard - Arrange, delete, and add tiles.
v Select Tile - Select pre-defined tiles and custom tile templates.
v Build Tile - Select top-level data objects, arrange tile elements, and preview
designs.
v Define Filters - Refine tile data and perform complex joins.
General Editing Techniques

To edit a dashboard, click the Edit Dashboard button.
Use the Edit Dashboard page to:

v Add and delete tiles.
v Reposition tiles on the page.
v Turn the Tile Performance Monitor message on and off.
The WebUI's Tile Performance Monitor displays a message across dashboard tiles
that load slowly. (“The filters used in this tile took over 10 seconds to load...”). Use
the Performance Monitor switch to turn off the message, or turn it back on.
To delete a tile, click the X in the upper right corner.
To reposition a tile, drag it to a new location.
To add a tile:
1. Click the Add Tile button. Place up to six tiles on a dashboard. To add a tile to
a dashboard that already has six, delete one first.
2. Select a tile from one of the tile libraries.
v To add a custom tile, click the Add Custom Tiles bar. For instructions on
building custom tiles, see “Working With Custom Tiles” on page 36.
v To add a predefined tile, click the Add From Tile Library bar. Select a tile
and drag it to the required location. For a description of each tile and its
elements, see “Working with Predefined Tiles.”
Working with Predefined Tiles

The tiles on the WebUI's default dashboards can be used in any combination.
To add a predefined tile to a dashboard:

1. Click the Edit Dashboard button.
2. On the Edit Dashboard page, click Add Tile.
3. On the Select Tile page, click Add From Tile Library.
4. Click a tile to add it. The new tile is placed on the page below any existing
tiles.
5. Drag tiles to arrange them on the page.
6. Click the Save button in the upper right corner of the page or Cancel to exit
without making changes.
Chapter 6. Editing Dashboards 33

Note: In larger deployments, the Patch Compliance tile can be slow to load. If
your deployment has over 10,000 endpoints, you might experience dashboard
delays in loading data with this tile. Administrators building dashboards may
want to refrain from using this tile.

Working With Custom Tiles
Use the Build Tile and Define Filters screens to create five types of custom tiles.
The basic process for creating custom tiles is described here, and instructions for
creating each type follow.
v Key Number
v Summary
v List
v Check
v Chart
Select a custom tile from the Edit Dashboard page to display the Build Tile page.
1. Entering a title for the tile. The Preview area on the right side of the page
shows the tile-in-progress.
2. Select a BigFix object from the Build Tile drop-down list:
v Devices
v Deployments
v Packages (Software)
v Patches
v Tasks (Custom Content)
3. Click Add Item to display the Define Filters page.

4. Use the Define Filters screen to select object-specific conditions and values.
v To display a value for every instance of a top-level object (ALL devices), click
the Add button, next to Back, at the lower left corner of the page.
v To further refine the filter, for example, to return Devices with critical
patches, click Add Condition and Add Value.
The process of building filters is described below.

Working with conditions (object properties) and their values on a tile is analogous
to working with filters on WebUI list screens. In the diagram below, the image on
the left shows a patch list filtered to show critical patches. On the right, the same
operation is shown on the Define Filter page. Patch is the top-level object. Severity
is the condition (object property), and Critical is the Severity value.
The next example illustrates the use of multiple filters. On the left: critical patches
with 10 or more vulnerable devices on Windows machines. On the right: the same
operation in a tile filter.
On a tile, you can display data based on more than one high-level object by using
a complex filter. (List filters don't perform this type of operation.) Complex filters
appear at the end of an object's Condition list.

The complex filters for each object:
v Devices: Deployments, Applicable Tasks, Applicable Packages, Relevant Patches.
v Deployments: Targeted Devices, Source Tasks, Source Packages, Source Patches.
v Packages (Software): Deployments, Targeted Devices.
v Patches: Deployments, Vulnerable Devices.
v Tasks (Custom Content): Deployments, Targeted Devices.
In a complex filter the condition box is nested inside the top-level object.
A basic understanding of how complex filters are processed will help you use
them effectively.
1. A query is performed on each top-level object: some combination of Devices,
Patches, Software Packages, Tasks, and Deployments. Every instance of each
condition specified is found.
2. A set intersection on the results of both queries is created using an identifier
common to both, and the results are returned to you. For example, a complex
filter that involves devices, creates a list of Device IDs that meet the conditions
specified for each object. The set of Device IDs common to both lists is
returned.
Examples of efficient complex filters include:

v How many Windows 7 machines are vulnerable to the critical patches released
by Microsoft in the last 5 days?

v How many actions has the operator “Dexter” taken against devices in the device
group “Watson” in the last 10 days?
v How many Adobe software package installations failed between May 1, 2016
and May 31, 2016?"
Tile Editing Tips
v On the Build Tile page, drag a line item to change its order in the Items list.
Click the X to delete it.
v Click the pencil icon to edit a line item. Continue refining a tile and its filters
until you click Done. At that point, they can no longer be edited.
v The Define Filters page prevents you from accidentally selecting the same
condition twice (they are inactive in subsequent drop-down lists).
v Tile results that are derived from complex filters are not clickable (hyper-linked
to related data).
v Filters that are concise and limited in scope run more efficiently. Broad, general
filters that return large data sets take longer and use more resources.
Performance is not static, and various factors can influence it, including
hardware changes, changes in the number of endpoints, and the amount of data
an operator has access to.
v If a complex filter returns unexpected results, check for:
– An empty set. If one of the filters returns 0 (for example, because you did not
specify a condition), any intersection with that set will also return 0.
– A very large set. If one of the filters returns every instance in the set, for
example, all devices that have an applicable patch, the results will contain all
instances. While accurate, they might be so broad as to be meaningless.

Create a Key Numbers Tile
To create a key numbers tile:

1. From the Overview page, select Edit Dashboard > Add Tile > Add Custom
Tiles.
2. Select List.
3. Enter a name for your tile.
4. Select an item (BigFix object) from the drop-down list, and click Add Item.
5. Enter a description for this line item on the tile.
6. Specify data conditions and values (filter criteria).
a. Click Add Condition.
1) Select a condition from the drop-down list.
2) Select a condition value. Click Add Value again to further refine your
conditions.
3) Use the Add Condition and Add Value buttons to specify more
conditions as required.
b. To include every instance of an object (for example, ALL Software
Packages), proceed to Step 7.
7. Click Add to add this line item to your tile and return to the Build Tile page.
Or click Back to exit without saving.
8. Repeat Steps 4 – 7 to create up to five more line items for the tile. Check the
Preview pane to see how your tile looks as you build. Drag and drop line items
to rearrange them, or click the X to delete a line item.
9. Click Done. On the Edit Dashboard page, move the new tile to the place you
want it on the dashboard.

Create a Summary Tile
To create a summary tile:

Tiles.
2. Select Summary.
5. Enter a description for this line item on the tile.
conditions.
7. Click Add to add this line item to your tile and return to the Build Tile page.
Or click Back to exit without saving.
8. Repeat Steps 4 – 7 to create up to five more line items for the tile. Check the
Preview pane to see how your tile looks as you build. Drag and drop line
items to rearrange them, or click the X to delete a line item.
9. Define a summary for the tile. Using the drop-down lists, select two line items
to express one as a percentage of the other. For example, a percentage of all
devices with patches that are critical. Enter a description for your summary.

Create a List Tile
To create a list tile:

Tiles.
2. Select List.
5. Enter a description for the list.
conditions.
7. In the field Sort the list by, select a sort option.
8. Click Add to add the list to your tile and return to the Build Tile page. Or
click Back to exit without saving.
9. Repeat Steps 4 – 8 to create more lists for this tile as required. To preview a
tile with multiple lists, use the button in the Preview pane to select the list
you want to see. A similar control is used to select between multiple lists in
the completed tile.

Create a Checks Tile
Use this tile to track device compliance for specific patches and custom content
(tasks and baselines). Percentages for each bar are calculated by dividing the
number of unique non-relevant devices by the total number of devices. The tile
total is calculated by dividing the number of unique non-relevant devices by the
total number of devices for all line items on the tile. For example, in the sample
tile pictured, 20% of all devices are compliant with Fixlets A, B, and C.
To create a checks tile:

Tiles.
2. Select Checks.
4. Select “Patches” or “Custom Items” from the drop-down list, and click Add
Item.
5. Enter a label for this line item on the tile.
6. Select a compliance threshold value for this item. Expressed as a percentage,
compliance rates equal to or above the threshold are shown on the tile in blue.
Compliance rates below the threshold value are shown on the tile in red. The
default is 80 percent.
7. Hover the mouse over a patch or task name to display the Select button. Click
Select to add a compliance line item to the tile. To find a specific patch, task, or
baseline, enter its name in the Search box. Click a name in the list to open its
document in a separate browser window.
8. Repeat Steps 4 – 7 to add up to 5 more compliance line items to the tile. Check
the Preview pane to see check tile design as you work. On the Build Tile page,
drag compliance line items to arrange them, or click the X to delete a line item.

Create a Chart Tile
When you work with bar charts on the Define Filters page, start by gathering the
data for your chart by using the Add Condition and Add Value buttons. Then, use
the fields in the Set Bars pane to visually represent the components of that data.
The Create chart bars based on field prevents you from inadvertently duplicating
the conditions used in the filter by disabling them in the drop-down list.
To create a bar chart:

Tiles.
2. Select Chart.
4. Select an item (BigFix object) from the drop-down list, and click Set Bars.
5. Specify the data conditions and values (filter criteria) for the chart.
conditions.
6. In the Set Bars pane, select a category for your chart from the Create chart
bars based on drop-down list. For example, categories for patches include
“Severity”, “Operating System”, “Issue Date”, “Category”, and “Name or ID”.
7. Click the Add Bar button to create bars for the values in that category. For
example, in a chart that shows patch severity, make bars for “Critical”,
“Important”, “Moderate”, “Low”, and “Unknown”. Type the bar's name in the
field to the right of its value to label it. To delete a bar, click the X.
v Bar names must be unique.
v To specify a date range, click in the bar field to display a calendar and
select start and end dates.
v When you enter values for “Issued By”, type the operator's BigFix user
name.

8. Click Add to add the chart to the tile and return to the Build Tile page. Or
click Back to exit without saving.
9. On the Build Tile page, drag the bars to rearrange them, or click the X to
delete a bar. Check the Preview pane to see your changes.
10. In the field below the tile title, type a description of the chart's X axis.

Chapter 7. Performance
IBM BigFix is renowned for its scalability. While remaining extremely scalable, due
to increased overhead, the WebUI was some performance considerations.
The WebUI is realized through a secondary WebUI specific database. Most

performance impacts revolve around the ETL functions between the IBM BigFix
server and the WebUI server.
Operator Performance
Operators functioning within the WebUI may encounter performance issues. Due
to the inherent design of the WebUI, Operators’ ability to affect performance is
limited.
If an Operator runs a query that that takes 5 seconds or longer, a message

acknowledging the delay and pointing operators to possible solutions is displayed.
All relevant information pertaining to this error is encapsulated in this
Administration Guide.
The following causes of slow performance can be addressed by administrators by

shaping Operator access, endpoints managed, and schedules.
Slow Filters
Filtering options can cause query delays. The following filters currently create the
most overhead and avoiding them might help alleviate the issue:
v Deployments List > Failure Rate
v Patch > Sort by Name
v Patch > Sort by Release Date
Concurrence
A source of slow WebUI performance can be concurrence, or the number of
Operators accessing the WebUI at the same time.
If an Operator is experiencing slow performance, returning to the WebUI when

there are fewer concurrent users might help. If this issue is ongoing, addressing the
problem using Operator and Role shaping can be helpful. For more information,
see “Operator Shaping” on page 48.

Administrator Performance
Master Operators can take specific steps to help alleviate WebUI performance
issues. These include environment upgrades as well as modifying Operators’
permissions.
Operator Shaping
One way to limit the load on the WebUI at any given moment is to shape your
Operators ability to interact with endpoints.
Defining Operators and Roles to specific content and/or subsets of endpoints can
greatly reduce query overhead. If a given Operator is only concerned with a subset
of endpoints, such as Windows endpoints, best practice is to define their role
accordingly. Removing unnecessary content can greatly reduce the load on the
server.
Environment Upgrades
Several key environment considerations can greatly increase WebUI performance.
Increasing the CPU cores of your server machine to support WebUI is both a
requirement and an option to help alleviate performance issues. However, the
nature of the WebUI favors faster cores over more cores. If your CPUs are clock
limited, increasing the clock speed will have an enormous performance impact.
Upgrading your deployment to faster clocked cores will have a significantly bigger
impact than increasing the number of cores.
The other environment consideration is your server OS. Currently, there is a

significant increase in performance when using a Linux server as opposed to a
Windows server. The performance increase can be up to double on identical
hardware. We strongly recommend using a Linux server in your deployment.
ETL Performance
The single biggest performance factor is the ETL process between the IBM BigFix
server and the WebUI server.
Currently the ETL is not multithreaded and is performed on a single CPU core. It
is expected behavior to see CPU usage spikes when the ETL is running. Upgrading
your CPU clock speed can help alleviate this performance bottle cap.
It is possible to modify the timing of the ETL. It is possible that performance

increases can be made by altering this schedule. For more information, see
Chapter 9, “WebUI Server Settings,” on page 51.

Chapter 8. Log Locations
All WebUI logs are stored in one default location.
Logs are stored on the WebUI Server in the following locations:
Windows Deployment
\\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\Logs\
Linux Deployment
//var/opt/BESServer/WebUI/Logs/
It is possible to change the location where logs are written as well as alter the
verbosity of the log files. These options can be performed by creating or editing
several server settings as described in Chapter 9, “WebUI Server Settings,” on page
51. Note that these settings should not be altered under most circumstances and
should be reserved for very specific situations.

Chapter 9. WebUI Server Settings
A series of server settings that control advanced aspects of the WebUI can be
created or modified on your WebUI Server.
These settings are for advanced users only and chiefly exist to help troubleshoot
issues or tweak behaviors to optimize performance for your specific deployment.
As a rule, these settings should not be changed unless specifically required; some
of these settings can drastically affect the behavior and performance of your
deployment.
The BesRootServer service must be restarted to apply any of these settings.
Access WebUI Server Settings

The WebUI Server Settings are accessed through the IBM BigFix Console as a
function of your WebUI server.
Locate your WebUI Server by navigating to All Content > Computers. Select your
server computer and right click. Select Edit Computer Settings to display the Edit
Settings dialogue box.
For detailed instructions on adding or editing server settings, see the IBM BigFix
Console Operator's Guide. Server settings are written in the following format:
<server_setting_name>=<value>
Click Add or Edit to create or edit a new server setting. Note that all server
settings begin with an underscore.
The BesRootServer service must be restarted to apply any of these settings.

Server Settings Definitions
The WebUI Server Settings are defined below along with a brief description of
their impact. Any default settings are noted. If a setting has no default, the
parameter itself may not appear in the IBM BigFix Console, unless you create it.
Note: The BesRootServer service must be restarted to apply these server settings.
_WebUI_AppServer_IsEnabled
Enables and disables the WebUI. The default is 0. Value 1 enables the WebUI. This
parameter is set by Fixlet 2252 as part of WebUI enablement as described in
“Enable the WebUI (Platform V9.2.6 – V9.5.2)” on page 9.
_WebUI_Logging_Filter
The value of this parameter is a regular expression that filters events to be logged.
The default is:
bf*error,bf:bfetl:debug,bf:bfapp:debug,bf:appmonitor:debug
To enable verbose logging for all IBM BigFix events use:
bf*
To log all debug events including third party applications use simply:
_WebUI_Logging_LogPath

This value defines the full file path of the service app log. It also defines the
directory in which all other logs will be written. The default value is:
<server_dir>/WebUI/logs/service-app.log
If the value is changed to <server_dir>/bananas/fruit.log for example, the

service app log will be named fruit.log. However, all other logs will retain their
default names, but they will be written in <service_dir>/bananas/
Note that it is not possible to define the names of any logs except the service app
log.
_WebUI_Logging_LogMaxSize
This defines the maximum size of each log file in bytes. The default is 5,242,880 or
5 MB (5*1024*1024). When a log file exceeds the limit set here, a second log file is
created. This continues until 10 log files have been created, at which point, the first
log file is overridden. Therefore the maximum log file size for each log is ten times
the value defined here.
Note that depending on usage, log files for each WebUI Application may be
written at very different rates. This parameter defines the size of all log files.
_WebUI_HTTPS_Port
This parameter defines the port used for HTTPS. The default is 443. This
parameter is written by Fixlet 2252 during WebUI Enablement. Fixlet 2250: can be
used to change this value at any time. For more information, see “Enable the
WebUI (Platform V9.2.6 – V9.5.2)” on page 9 and “Change Communication Ports”
on page 12.
_WebUI_Redirect_Port
This parameter defines the HTTP port used by WebUI if port 80 is not used. This
setting does not exist by default.
If a port other than 80 is required, this parameter must be defined in conjunction

with _WebUI_Redirect_Enable.
When Fixlets 2252 and 2250 define a port other than 80, this parameter is defined
and enabled. For more information, see “Enable the WebUI (Platform V9.2.6 –
V9.5.2)” on page 9 and “Change Communication Ports” on page 12.
_WebUI_Redirect_Enable
This setting allows the WebUI to use a HTTP port other than 80. This setting does
not exist by default.
If a port other than 80 is required, the value must be set to 1. This parameter
works in conjunction with _WebUI_Redirect_Port.
When Fixlets 2252 and 2250 define a port other than 80, this parameter is defined
and enabled. For more information, see “Enable the WebUI (Platform V9.2.6 –
V9.5.2)” on page 9 and “Change Communication Ports” on page 12.
_WebUI_ETL_DelaySeconds
Chapter 9. WebUI Server Settings 53

This defines the frequency in seconds of ETLs between the primary IBM BigFix
database and the WebUI database. The default value is 600 or 10 minutes.
Lowering this value increases WebUI feedback times but may significantly impact
server performance.
_BESRelay_WebUISiteGather_IntervalMinutes
This setting defines how often the WebUI Server gathers sites published by IBM.
As the title suggests, this variable is an integer representing minutes between site
updates. The default is 5.
_BESRelay_WebUISiteGather_Schedule
This setting sets repeating times where the WebUI Server gathers sites published
by IBM. This setting overrides the following setting
_BESRelay_WebUISiteGather_IntervalMinutes. However, when enabling this
setting, it is best practice to change the interval minutes to the default of 5, if you
have changed it previously.
Enter comma separated values in the following case sensitive format:
<Day>:<hh:mm> where <Day> = Mon, Tue, Wed, Thu, Fri, Sat, or Sun
<hh:mm> is in 24 hour clock format.
For example the following value will schedule site updates every Sunday at 9am,
Saturday at noon, and Friday at 10:30 PM.
_BESRelay_WebUISiteGather_Schedule=Sun09:00,Sat12:00,Fri22:30
_WebUI_HTTPS_StrictTransportSecurity
This setting prevents browsers from connecting to the WebUI using HTTP in favor
of HTTPS. The default value is 0. Set this to 1 to enable this security feature.
_WebUIAppEnv_ETL_DIR
Use this setting to change the default location of the WebUI database file,
webui.db. Enter a full file path. The default locations for webui.db are:
Windows Deployment
\\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\ETL\
Linux Deployment
//var/opt/BESServer/WebUI/ETL/
_WebUIAppEnv_ENABLE_WEBUI_METRICS
This setting can be enabled with a value of 1. It turns on more robust ETL logging.
This setting is of value to WebUI developers and has very little value for
administrators under most circumstances.
_WebUIAppEnv_ETL_STATISTICS_THRESHOLD

The ETL analyzes itself periodically in order to optimize its performance. The data
it uses is represented as a series of tables and this setting dictates how many rows
within these tables must change before optimization occurs. The default value is
1000.
This setting works in conjunction with

_WebUIAppEnv_ETL_STATISTICS_THRESHOLD_TIME.
_WebUIAppEnv_ETL_STATISTICS_THRESHOLD_TIME
This setting defines the times the ETL will analyze any tables that meet the
threshold set in _WebUIAppEnv_ETL_STATISTICS_THRESHOLD. The default
value is 03:00 indicating that analyzation runs each day at 3 AM.
Enter comma separated values in the following case sensitive format using 24 hour
time:
hh:mm
For example the following value will schedule analyzation of relevant tables at
4:00AM and 2:00PM every day:
04:00,14:00
Note: The BesRootServer service must be restarted to apply this setting.
_WebUIAppEnv_APP_RESTART_DELAY_SECONDS
This setting defines the number of seconds the App Monitor will wait before
attempting to restart any applications that have stopped for any reason.
Chapter 9. WebUI Server Settings 55

Chapter 10. SAML 2.0
IBM BigFix supports SAML 2.0. SAML authentication is an application login
mechanism that uses a configured SAML Identity Provider (IdP) to authenticate
users.
While SAML is a feature of the IBM BigFix platform, SAML is implemented

through theWebUI. You can use the WebUI without setting up SAML, and use
SAML without using the WebUI applications. However, the WebUI must be
enabled in your deployment to take advantage of SAML.
To activate SAML authentication without enabling the full set of WebUI

components, or the WebUI's ETL process, start the WebUI in SAML-Only mode.
For more information about SAML and BigFix, see Enabling SAML V2.0
Authentication for LDAP Operators in the BigFix Platform Configuration Guide.
Enabling the WebUI in SAML-Only Mode

Starting the WebUI in SAML-Only mode allows you to activate SAML
authentication without enabling the full set of WebUI applications or the WebUI
ETL process. The ETL process can quickly consume system resources in large
deployments. In SAML-Only mode, only those processes that are required to
enable SAML authentication for BigFix WebUI, BigFix Web Reports, and the BigFix
Console are created. All other WebUI functions (other than the SAML
Administration page) are unavailable.
Note: If you want to use SAML with the full compliment of WebUI applications
and functions do not use SAML-Only mode. Instead, use the standard enablement
procedures: WebUI Enablement in this guide, and Enabling SAML V2.0
Authentication for LDAP Operators in the Platform Configuration Guide.
To start the WebUI in SAML-Only mode, use the environment variable

_WebUiAppEnv_SAML_ONLY and the SAML Administration page to configure SAML
settings. When the variable _WebUiAppEnv_SAML_ONLY is present and set to 1,
SAML-Only mode is enabled. When _WebUiAppEnv_SAML_ONLY is not present or set
to 0, SAML-Only mode is not enabled. You must be a BigFix Master Operator to
run this procedure.
1. Open the BigFix Console and go to Computers. Click your WebUI server name
and open the Edit Server Settings tab. (See Chapter 9, “WebUI Server Settings,”
on page 51 for instructions.)
2. Add the environmental variable: _WebUIAppEnv_SAML_ONLY to the Custom
Settings list.
a. From Edit Settings, click Add to open the Add Custom Setting dialog.
b. In the Setting Name field type: _WebUIAppEnv_SAML_ONLY
c. In the Setting Value field type: 1
d. Click OK.
Note: If the variable _WebUIAppEnv_SAML_ONLY is already present but set to 0

(disabled), change its value to 1.
a. Select _WebUIAppEnv_SAML_ONLY from the Custom Settings list, and click Edit.
b. In the Setting Value field, type 1

c. Click OK.
3. Verify that the variable _WebUI_AppServer_IsEnabled is present and has a value
of 1.
a. If _WebUI_AppServer_IsEnabled is missing from the Custom Settings list,
repeat Step 2, typing _WebUI_AppServer_IsEnabled in the Setting Name
field.
b. If _WebUI_AppServer_IsEnabled is present, but set to 0:
1) Select it from the Custom Settings list, and click Edit.
2) In the Setting Value field, type 1
3) Click OK.
4. Restart the BES Root Server service. When the restart is complete, you will see
4 node processes start.
5. Log in to the WebUI. Type your WebUI URL into a browser window to display
the /login page. Once your credentials have authenticated, the SAML
Administration page (/ui/administrator) displays.
6. On the SAML Administration page, enter your SAML configuration settings,
and click Enable.
Note: To enable SAML authentication for Web Reports, Web Reports must be
enabled for SSL. (This is required whether WebUI is in standard or SAML-Only
mode.) For instructions, see How to Configure BigFix to Integrate With SAML
2.0 in the Platform Configuration Guide.
7. Restart the BES Root Server and the Web Reports services to complete the
process. SAML authentication is now enabled for Web Reports, BigFix Console
and WebUI, running in SAML-Only mode.
To disable SAML-Only mode, for example, to reestablish all WebUI functions,

change the value of the environment variable _WebUIAppEnv_SAML_ONLY from 1 to 0.
Notes
v In SAML-Only mode, appending /login to your WebUI URL displays the
standard WebUI login form.
v Logging in to the WebUI (using either SAML or the /login page) redirects users
to the SAML Administration page. On this page Master Operators can configure
SAML settings. Non Master Operators will see the “403 (Forbidden)” message,
and will not be able to view or edit the SAML configuration.
v If a user attempts to manually access the / URL after logging in, they will see a
blank WebUI dashboard. Only the Home and Log Out controls will be active.
Logging out redirects the user to the Reauthenticate page, regardless of the
method they used to log in. All other navigable WebUI URLs (except / and the
SAML Administration page) return an “Access Forbidden” message.

Chapter 11. Supported Patch Sites
A subset of BigFix patch sites is supported in the WebUI. The supported patch
sites are:
v Windows
v Red Hat Linux
v Mac OS X
v CentOS
v Debian
v Oracle Linux
v SUSE Linux Enterprise
v Ubuntu
v Updates for Windows Applications:
– Adobe Acrobat
– Adobe Flash Player
– Adobe Reader
– Adobe Shockwave
– Google Chrome
– ImgBurn
– Mozilla Firefox
– Notepad++
– Nullsoft
– Oracle
– Real Networks
– Skype
– Winamp
– Winzip
Future releases will include more patch sites.

Appendix. Support
For more information about this product, see the following resources:
v IBM Knowledge Center
v IBM BigFix Support Center
v IBM BigFix Support Portal
v IBM BigFix Knowledge Base
v IBM BigFix Customer Support Technical Information Newsletter
v IBM BigFix Wiki
v IBM BigFix Forum

Notices
This information was developed for products and services offered in the US. This
material might be available from IBM in other languages. However, you may be
required to own a copy of the product or product version in that language in order
to access it.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing

IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
For license inquiries regarding double-byte character set (DBCS) information,

contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:
Intellectual Property Licensing

Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM websites are provided for
convenience only and do not in any manner serve as an endorsement of those
websites. The materials at those websites are not part of the materials for this IBM
product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Director of Licensing

IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US
Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
The performance data discussed herein is presented as derived under specific

operating conditions. Actual results may vary.
Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Statements regarding IBM's future direction or intent are subject to change or

withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to actual people or business enterprises is entirely
coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which

illustrate programming techniques on various operating platforms. You may copy,

modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. The sample
programs are provided "AS IS", without warranty of any kind. IBM shall not be
liable for any damages arising out of your use of the sample programs.
© (your company name) (year).

Portions of this code are derived from IBM Corp. Sample Programs.
© Copyright IBM Corp. _enter the year or years_.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the web at www.ibm.com/legal/
copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and

Telecommunications Agency which is now part of the Office of Government
Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or

both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of The

Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark
Office.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Java™ and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the

United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are
trademarks of HP, IBM® Corp. and Quantum in the U.S. and other countries.
Notices 65
Terms and conditions for product documentation
Permissions for the use of these publications are granted subject to the following
terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM
website.
Personal use
You may reproduce these publications for your personal, noncommercial use
provided that all proprietary notices are preserved. You may not distribute, display
or make derivative work of these publications, or any portion thereof, without the
express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your
enterprise provided that all proprietary notices are preserved. You may not make
derivative works of these publications, or reproduce, distribute or display these
publications or any portion thereof outside your enterprise, without the express
consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or

rights are granted, either express or implied, to the publications or any
information, data, software or other intellectual property contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its
discretion, the use of the publications is detrimental to its interest or, as
determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full
compliance with all applicable laws and regulations, including all United States
export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE

PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY,
NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

Notices 67
IBM®
Printed in USA

WebUI Admin Guide Platform V9.5.3

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

WebUI Admin Guide Platform V9.5.3

Caricato da

Copyright:

Formati disponibili

IBM BigFix

Chapter 5. Managing Application

Chapter 6. Editing Dashboards . . . . 31

© Copyright IBM Corp. 2016 iii

The BigFix WebUI is a component of the IBM BigFix Platform; no separate

© Copyright IBM Corp. 2016 1

The WebUI is a component of a standard IBM BigFix deployment. Therefore, the

System requirements for using BigFix Query:

© Copyright IBM Corp. 2016 3

For example, a Linux environment designed for 30 concurrent WebUI users

Network Port Conflicts

4 IBM BigFix: WebUI Administrators Guide

Chapter 2. Deployment Requirements 5

Use the installation procedure that meets your requirements:

Install the WebUI Service (Platform V9.5.3 or later)

Using a BigFix relay as the remote server is recommended.

© Copyright IBM Corp. 2016 7

8 IBM BigFix: WebUI Administrators Guide

Renew WebUI Certificates

To revoke a certificate, use the BESAdmin tool on the root server.

For more information about the BESAdmin tool see: http://www.ibm.com/

Enable the WebUI (Platform V9.2.6 – V9.5.2)

To enable the WebUI and select its communication port:

Chapter 3. WebUI Installation 9

10 IBM BigFix: WebUI Administrators Guide

Chapter 3. WebUI Installation 11

Change Communication Ports

12 IBM BigFix: WebUI Administrators Guide

SSL certificates, signed by a licensed certificate authority, can be uploaded to your

To deploy SSL certificates:

Chapter 3. WebUI Installation 13

Access the WebUI

To access the WebUI from a web browser, navigate to:

If the initialization takes a long time in your deployment, it might be possible to

14 IBM BigFix: WebUI Administrators Guide

WebUI permissions are implemented as an extra layer on top of the traditional

The workflow for provisioning Operators for the WebUI follows:

Master Operator Permissions

Non-Master Operator Permissions

Giving an Operator’s access to a particular WebUI element allows the Operator to

© Copyright IBM Corp. 2016 17

Permission Effects in the WebUI

The WebUI Overview incorporates information from many elements of your

Finally, it is possible for an Operator to login to the WebUI without having

Access to WebUI applications forbidden.

18 IBM BigFix: WebUI Administrators Guide

Permissions for Executive Dashboard and Dashboard Editing

Permissions for BigFix Query

To change an individual operator’s Query permissions settings, clear the Enable

Can Submit Queries

Chapter 4. Provisioning Users 19

Currently, the WebUI is composed of three components: “custom”, “patch”, and

While the implementation is slightly different from a UI perspective, setting

20 IBM BigFix: WebUI Administrators Guide

Explicit and Effective Permissions

Effective Permissions reflect permissions granted by either the Operator’s explicit

Chapter 4. Provisioning Users 21

In summary, Explicit Permissions are permissions a Master Operator has directly

Setting WebUI Permissions

22 IBM BigFix: WebUI Administrators Guide

1. Use the Save Changes button to save your permission settings.

Interface Login Privileges

Chapter 4. Provisioning Users 23

To deny WebUI login, perform the following steps: