Limited administrator with read-only rights cannot remotely run commands on groups in the SEPM

book

Article ID: 156082

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Command failed to run when trying to update content from the Symantec Endpoint Protection Manager console (SEPM) using a limited administrator account with read-only rights.

This option was working in version 11.0.4 but does not in 12.1 RU1.

- When running a scan from the SEPM: Monitors / log tab / view "computer status" log, the following error message appears:

- When right clicking on the client to run a command, the option is greyed out:

Cause

Work as designed

Resolution

- To resolve this, limited administrators require "Full access" rights in the "Manage groups" section instead of "Read Only"

- However, this means that giving limited administrators full access will also allow them to delete groups, subgroups or move clients.

- There is a product enhancement topic created regarding this issue on Symantec Forum, do not hesitate to vote:

www-secure.symantec.com/connect/idea/allow-limited-administrator-read-only-group-rights-remotely-run-commands

Applies To

Impact all SEPM versions released after 11.0.4

- Actions followed to reproduce the issue:

1. Create a test account in the SEPM as "limited administrator"

2. Edit the administrator access rights as follow:

* Limited access rights ticked:

- "View reports" (all of them "*")

- "Manage groups" and give "Read only" access to the specific group

- "Remotely run commands" (rights are as follow: All of them except "restart client computers")

3. Log off and log on using the test administrator account

4. Click on Monitors / log tab / view "computer status" log

5. Select one of the client and click on run scan command

6. Select any type of scan and click on "OK": Error message "The command failed to run"

7. Verify in the client group if it is possible to right click on the client to run a command: No, option greyed out