Organizational Groups (locations) have been added to the Symantec Management Platform (Manage > Organizational Views and Groups). Permissions have been set, but users are still able to edit assets that they should not have access to. For example:
This is working as designed. Security role permissions are additive. Giving users the Privilege to create Organizational Groups gives them full permissions to anything they place in that Organization Group. By giving the Organizational View locations Read access without further restricting specific permissions grants users under these to further perform their own modifications of permissions and have edit abilities.
If the purpose of restricting Organizational Groups is to restrict their user's access to edit assets only to their location, it is recommended to use the following best practices to configure this instead of setting edit or view permissions for the users in an Organizational Group. Note: It is recommended that these aspects be controlled by a Symantec Administrator and not be granted to all users.
Part 1: Restrict security roles from using the Create Organizational Groups privilege. To ensure that restricted users do not have unexpected permissions, it is recommended to prevent them from being able to create Organizational Groups. The following instructions describe how to do this.
Part 2: Define locations to only include specific users. Configure locations to include only those users who are part of them. This further enables restriction of assets.
Edit each location and assign subnets to it. This will define which computers and therefore which users belong to the location.
Alternatively, the core Automation Policy "Assign computers discovered in the last day to Organizational Group" can be used instead of assigning subnets to locations. This requires more work, however, in setting up.
Part 3: Configure the CMDB task "Update Organizational Hierarchy". When new locations, cost centers, or departments are added into the database, the items do not automatically appear in the Organizational Views and Groups list until the organizational hierarchy gets updated. This CMDB task performs this. Additional information about using Update Organizational Hierarchy can be found in the CMDB 7.1 SP2 User Guide, page 17:
Altiris CMDB Solution 7.1 SP2 from Symantec User Guide
Part 4: Create any special filters for the restricted organizational groups to use
Special filters may be needed to be created to help accommodate the restricted organizational groups. This is performed under Manage > Filters. Note: Filters will automatically show the limited list of assets to the users in the restricted organizations groups.
Part 5: How to use tasks, reports, etc. as the now restricted users
Granting Organizational Groups Read permission allows its users to still have Create permissions
Symantec Management Platform 7.1 SP2 User Guide