When trying to create or edit an asset such as a computer, the error "Server Error in 'Altiris/AssetContractCommon' Application" occurs. Or, other errors may occur, such as when trying to save an asset, for example, "<data class> cannot be null." This prevents the asset from being able to be created or edited.

Server Error in 'Altiris/AssetContractCommon' Application.

ITMS 7.x, 8.x

Insufficient permissions for data classes in the custom security role.

Note: This article is primarily applicable to when the user is in a custom security role and this issue occurs. If this occurs in an out of box security role, instead refer to the following article:

Error "Server Error in 'Altiris/AssetContractCommon' Application" occurs when trying to create or edit an asset such as a Computer
KB 157173

About custom security roles

It can be very complicated and problematic to create a working custom security role for users to have limited access to edit assets. This is because when setting up a custom security role, appropriate permissions must be granted to the data classes that are expected to be in the resources to be used by the user's in the custom security role. The user must understand how to create and manage a custom security role therefore, which can be a very time consuming, complex process. Important Note: It is beyond the scope of this article and Symantec Technical Support to explain in detail or troubleshoot a customer's custom security role in-depth as this is considered a Consulting request. Symantec Technical Support furthermore does not have any extensive documentation on how to create custom security roles, especially those that are designed for specific purposes in mind. It may therefore be unlikely to be able to pinpoint what permissions need to be changed to fix the issue, without the user going through trial-and-error by turning permissions on and off, experimenting with their custom security role as necessary.

Additional concerns are:
 

• Ensure that both CMDB and Asset data class permissions are accounted for. A Computer, for example, will contain both types.
• If custom data classes or resources are used, this further adds to the complexity of what is needed to be set in the custom security role.
• If other Altiris products are later added, these may add new data classes to the resource, thereby later causing the user to then not be able to create or edit them. The user that sets up the custom security role may then need to go back in and make further modifications, as the custom security role will not be able to automatically adapt to grant permissions dynamically.

Best practices in creating a new custom security role

It is strongly recommended to find an out of box security role that is close to what the user wants, clone it, and then reduce its permissions so that it ends up being what the user wants. It is far more difficult to create a new custom security role from scratch, which will very likely end up seeing the issue described in this article. For example, clone the CMDB Manager's security role, then, change its permissions to meet the restrictions that are desired to be given to the users in that custom security role. 

A compromise is to simply add the user to both the CMDB Manager and Asset Manager security roles, which should give permissions to do most tasks. Or if creating a custom security role becomes too problematic, the user may need to consider simply placing the user in the Symantec Administrator's role to ensure they have the permissions necessary.

Troubleshooting a custom security role

• Verify if the issue does not occur when using an out of box security role, specifically, the Symantec Administrator. If it does, refer to KB  TECH198042.
• If possible, use a cloned security role. If this is not possible, don't start off with too restrictive of permissions at the beginning.
• Once a custom security role is able to create or edit assets, then continue fine-tuning the permissions as desired. If the create/edit ability stops, determine what was changed and then change it back as necessary.
• Permissions must be granted for all areas that the user will be needing to edit for an asset. This may be able to be determined by looking at the current data classes and associations that are part of the resource. For example, click on Settings > All Settings > Service and Asset Management > Resources and Data Class Settings > Resource Types > Asset Types > IT > Computer. If Backup Exec is installed, this will include additional non-standard Computer data classes here. If the user then didn't permit these when setting up the custom security role, the users in it will be unable to create or edit the resource because they do not have BE permissions.
• While in the Security Role Manager for the custom security role, ensure that standard permissions are given, such as Create/Read/Edit for the resource type and its data classes. These may be disabled especially when having made the custom security role from scratch.
• Symantec Technical Support can also provide limited troubleshooting. The customer can export their custom security role and send it to Technical Support for evaluation. If Technical Support is unable to ascertain what to change, the customer is recommended to next contact Consulting Services for assistance with further troubleshooting.