Permission issues or errors using Altiris

Article ID: 153008


Products

IT Management Suite

Issue/Introduction

Trying to use a specific area in the Altiris Console, such as viewing or editing assets, results in the inability to do so, or errors.

Cause

Various.

Resolution

Because various issues could potentially result in this generic behavior, the scope of this article is limited to security roles. Security roles are found in the following locations, depending on the version of the Notification Server being used:

  • Notification Server 6: Click on the Configuration tab/View menu > Configuration (depending on if you are using the 6.0 or 6.5 Console) > Server Settings > Notification Server Settings > Security Roles.
  • Symantec Management Platform 7 (Notification Server 7): Click on the Settings button > Security > Roles.

Corrupted user records in security roles

Verify whether any corrupted user records are present in the security role folders. This is done by manually looking in each listed security role. Corrupted users will appear as a duplicate name, as "Domain_Name\" with no user name associated with it, as numeric names, or as other names that are determined not to be real user names. All users should appear as "Domain_Name\User" or as "Domain_Name\Group_Name".

Altiris users and security roles are actually users and groups from Windows. Corrupted users will appear as a SID there, instead of a user or group name. This can occur when users are disabled or deleted in AD without first removing them from their group memberships. Other issues (unknown) may also cause this to occur.

The solution to this is to delete the corrupted user or group in Windows > Users or Groups. Refresh the affected Altiris security role, which should then show that the duplicate or "Domain_Name\" user record is now removed (if not, remove it). Then, re-add the user or group to the security role.

This occurs most often in the administrator role, but can occur in any role. Verify that no security role contains corrupted users.
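
One way to find these entries without opening each group by hand, as an added example that is not part of the original article. It assumes the security roles map to local groups on the Notification Server and that it is run there in an elevated PowerShell session; it only reports and changes nothing:

```powershell
# Added example: report local group members whose SID no longer resolves
# to a user or group name (the "corrupted" entries described above).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$groups = $computer.psbase.Children |
    Where-Object { $_.psbase.SchemaClassName -eq 'group' }

$orphans = foreach ($group in $groups) {
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its raw SID bytes.
        $sidBytes = $member.GetType().InvokeMember(
            'objectSid', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            # Translation succeeds for accounts that still exist.
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No name behind the SID: a leftover membership to review.
            [pscustomobject]@{
                Group = [string]$group.Name
                Sid   = $sid.Value
            }
        }
    }
}

if ($orphans) {
    $orphans | Sort-Object Group, Sid | Format-Table -AutoSize
} else {
    Write-Output 'No unresolved SIDs found in local groups.'
}
```

Confirm each reported SID in Windows > Users or Groups before deleting it, since a domain that is temporarily unreachable can also prevent a SID from resolving.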

Custom security roles

A user in a custom security role that is not set up correctly may see all manner of permissions-related issues. This often manifests as the inability to see or edit assets, even though other users can. If the affected user is in a custom security role, verify whether this is the issue by temporarily adding them to the Altiris Administrator role. If that resolves the problem, the custom role will need to have additional permissions set.

Unfortunately, Symantec Technical Support does not offer a list of what permissions to set, where, for specific roles, such as for making a limited asset security role. Best practices for this are:

  • Do not modify out of box security roles. This can negatively affect the ability to use Altiris. Doing so may require that the affected solutions are uninstalled and reinstalled to recover the misconfigured out of box security role. Instead, clone the role and then make any desired changes.
  • Find a role that is close to what you are looking to do. Then, permissions can be removed to reduce what the role does.
  • It is very complex to create a security role that enables limited access but with edit permissions for assets. This is because assets span multiple solutions (Notification Server core, Inventory Solution CMDB/Asset Solutions, etc.), and therefore include multiple data classes to set permissions for. As a result, a user in a custom security role may be able to see or edit certain asset types but not others, because not all of the data classes were covered. For such situations, it may be simplest to add the user to out of box roles. A good suggestion is to add the user to the Asset Managers, CMDB Managers, and Altiris Supervisor roles. This will provide limited functionality for viewing/editing assets, and is often what customers are more or less looking to do.

Note: After making any changes, close any active Helpdesk console browser, then re-open to verify if the issue has been resolved. A short wait may also be needed, and/or an IIS reset.

Related Articles

Worker console only displays Recents command
http://www.symantec.com/business/support/index?page=content&id=TECH41104

New Incidents link missing from Worker Console
http://www.symantec.com/business/support/index?page=content&id=TECH26311

Error "The command that you have attempted to run in inactive" when trying to create new incidents
http://www.symantec.com/business/support/index?page=content&id=TECH34678