
Patch Admin permissions fail to allow change in Software Update Policy Target


Article ID: 163253


Products

Patch Management Solution, Client Management Suite, IT Management Suite

Issue/Introduction

The Service Account (Application Identity) was added to the Patch Administrators group. 

A user was added to the Patch Management Administrators (PA) Role and given full rights to all Policies and the necessary Filters for the PA Role in the Security Role Manager (Console > Settings > Security > Permissions).

The PA User logged on and set the Target in the Windows Patch Remediation Settings (Console > Settings > All Settings > Software > Patch Management > Windows Settings). This is the managed Target with which all Software Update Policies are built upon creation.

The Service Account (Application Identity) logged on to the Console, created a Software Update Policy, confirmed that it was created without errors, and noted that the Target became owned by the Service Account upon creation.

The PA User is then unable to modify the selected Target on any Software Update Policy created by the Service Account: the 'x' is not present, and the Filters are grayed out and cannot be edited.

Cause

The Target was initially implemented on the Windows Patch Remediation Settings Policy by the PA User; however, the Service Account created the Software Update Policy and took ownership of that Target with a higher set of permissions for that specific policy. 

The only reason the PA User can click on the Target / Edit to view the Edit Selected Group popup is that the Service Account was added to the Patch Administrators group. Had that not been done, the PA User would not be able to click on the Target at all, as it would be grayed out.

Resolution

Working as designed: The Patch Administrator Role lacks the ability to view / edit Targets owned by the Service Account.

Review one of the following possible workarounds:

  1. Give the PA User the same permissions as the Service Account so that they can manage the same Targets at that level:
    • Go to the Console > Settings > Security > Permissions > Account Management > Roles:
      • Symantec Administrators > Members > Add Member; search for and add the PA Username
    • Caution: This gives the Patch Administrator User the same ability to view and interact with items as the Symantec Administrator.


       
  2. As the PA User, set the Target on the Windows Patch Remediation Settings policy to a Test Filter or Test Client:
    • This allows the Service Account to create the Software Update Policy; the PA User can then simply add the required Target to that single test machine to deploy the Software Update Policy created by the Service Account to Clients managed by the PA User.
       
  3. Ensure the PA User creates ALL of the Software Update Policies:
    • This allows the PA User to modify whatever is needed, and the Service Account, being part of the Patch Administrators role, is able to view and edit as needed.
