Adding domain users or groups to Notification Server (NS) security roles
search cancel

Adding domain users or groups to Notification Server (NS) security roles


Article ID: 152911


Updated On:


IT Management Suite Client Management Suite


When you (the administrator) perform the following actions, you expect to be allowed to add the domain user or group under the Members tab:

  1. In Symantec Management Console, click Settings > Security > Account Management.
  2. Select the Roles node.
  3. Select any security role and attempt to add domain users or groups under the Members tab.

After performing these actions, however, you are unable to select any domain users or groups. You are only given the option to select Accounts or Roles.

Another Use Case:

  1. Customer has a Domain Group called 'Testing\Domain Users'
  2. This domain group has approx. 65 User accounts on it
  3. Customer wants to add the Domain Group into the Security Accounts and be able to give Admin Rights to the Domain Group and in that way let all those users have the same permissions without having to add user by user into the Console.

So, what we did is the following:

  1. Go to Settings>Security>Account Management
  2. Under Accounts, we added a new account and we named it 'Testing\Domain Users'
  3. Selected 'Testing\Domain Users' account and under the General tab, we clicked 'Add Credentials'>Windows and under 'username' we added 'Testing\Domain Users' and we added the Full Name 'Domain Users Group'
  4. Under the 'Member Of' tab, we added the role 'Symantec Administrators'
  5. Under Roles> Symantec Administrators, we can see that 'Testing\Domain Users' is listed

However, when he logs into the SMP Console using his user account (which is a member of the 'Testing\Domain Users'), the customer only sees the top menus but he get access denied in any of the left tree views.




This is expected behavior.

Role memberships are managed as resource associations between Roles and Trustees (Roles and Accounts). Only managed Roles or Accounts can be added as members of a security role.


To support the Symantec Management Platform scenario where you want to add a user or a domain group to a security role, perform the configuration steps below:

   1. Configure an Active Directory import rule to import the domain group.
        a) Go to SMP Console>Actions>Discover>Import Microsoft Active Directory
        b) Use or create a 'Role and Account' AD Import rule.
        c) Select the Domain Group (in this case it should be a Security Group for it in AD) and run the AD Import

      This creates a Symantec Management Platform Role/Account for the domain group/user. Members of the domain group are created as either Roles or Accounts.
   2. Add the new role created by step 1 to the appropriate Security Role.

        For example, if you want to add a domain group named "Testers" to the Symantec Management Platform role, do the following:

       1. Configure a 'Role and Account' AD Import rule to import the "Testers" domain group.

            This creates a new Role named Testers. The new role contains all of the members of the "Testers" domain group.
       2. Add the new "Testers" role to the Symantec Management Platform role, for example the Symantec Administrators role.
           a) In the SMP Console, go to Settings>Security>Account Management.
           b) Under the treeview>Account Management, click on 'Roles'
           c) Find the "Testers" Domain Group Role created from your 'Role and Account' AD Import rule
           d) Under the 'members' tab you should see all the users and other groups that are associated to that " Testers" Group role
           e) Under 'Members Of' tab, add the Security Role desired.