Limited administrator with read-only rights cannot remotely run commands on groups in the SEPM


Article ID: 156082


Updated On:


Endpoint Protection


A command fails to run when trying to update content from the Symantec Endpoint Protection Manager (SEPM) console using a limited administrator account with read-only rights.
This option worked in version 11.0.4 but does not work in 12.1 RU1.

- When running a scan from the SEPM: Monitors / log tab / view "computer status" log, the following error message appears:


- When right-clicking the client to run a command, the option is greyed out:


Works as designed


- To resolve this, limited administrators require "Full access" rights in the "Manage groups" section instead of "Read Only"


- However, giving limited administrators full access also allows them to delete groups and subgroups or move clients.

- A product enhancement topic regarding this issue has been created on the Symantec Forum; do not hesitate to vote:


Applies To

Impacts all SEPM versions released after 11.0.4

- Steps followed to reproduce the issue:

1. Create a test account in the SEPM as "limited administrator"
2. Edit the administrator access rights as follows, with these limited access rights ticked:
   - "View reports" (all of them "*")
   - "Manage groups", giving "Read only" access to the specific group
   - "Remotely run commands" (all of them except "restart client computers")
3. Log off and log on using the test administrator account
4. Click on Monitors / log tab / view "computer status" log
5. Select one of the clients and click on the run scan command
6. Select any type of scan and click on "OK": Error message "The command failed to run"
7. Verify in the client group if it is possible to right-click on the client to run a command: No, option greyed out