Prior to ITMS 8.1 RU4:
SMP Console times out when trying to add computers to a filter via a CSV file.
With ITMS 8.1 RU7:
Customer will create a new filter by going to Manage > Filters. They will usually do this filter creation using the Symantec Administrator role.
They have a cloned copy of the Symantec Administrator role, along with level 1 worker role, where members will use a .txt file or .CSV file to import computers into that filter:
This started to happen after their upgrade to 8.1 RU7, even with the fixes already added under ITMS 8.1 RU4 for the same issue. This only happens with any other security roles that are not the Symantec Administrators (even when those users have full access to computers resources).
Sometimes you may see an error like this after waiting for the page to load with the imported machines:
HTTP Request failed:
/Altiris/NS/Admin/Collections/NSResourceCollection.aspx?Guid=a2ed6075-c7c7-48b7-abd6-b71c5acbcd39&TreeGuid=1ce604a6-c897-493f-a090-0039563990be&ItemGuid=a2ed6075-c7c7-48b7-abd6-b71c5acbcd39&ParentGuid=00000000-0000-0000-0000-000000000000&Url=http%3a%2f%2SMP01.domain.org%2faltiris%2fconsole%2ftree.aspx%3fTreeGuid%3d1ce604a6-c897-493f-a090-0039563990be%26%26ConsoleGuid%3d1b22db4e-a898-443f-9b99-855b1653d3f5&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&CallbackPageId=d3b7819bb17f4b03945dad401a5c5011
Request timed out.
[System.Web.HttpException @ ]
Exception logged from:
at Altiris.NS.UI.AltirisWebApplication.ReportApplicationError(System.Web.HttpContext)
at Altiris.NS.UI.AltirisWebApplication.Application_Error(Object, EventArgs)
at System.Web.HttpApplication.RaiseOnError()
at System.Web.HttpApplication.RecordError(Exception)
at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
User [MyDomain\Svc_Altpdws], Auth [MyDoamin\AltUser10], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-3-132016168419455250]
HTTP [POST]: http://SMPServer.domain.org/Altiris/NS/Admin/Collections/NSResourceCollection.aspx?Guid=a2ed6075-c7c7-48b7-abd6-b71c5acbcd39&TreeGuid=1ce604a6-c897-493f-a090-0039563990be&ItemGuid=a2ed6075-c7c7-48b7-abd6-b71c5acbcd39&ParentGuid=00000000-0000-0000-0000-000000000000&Url=http://altws.nyumc.org/altiris/console/tree.aspx?TreeGuid=1ce604a6-c897-493f-a090-0039563990be&&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&CallbackPageId=d3b7819bb17f4b03945dad401a5c5011
ip: [10.140.77.127]; languages: [en-US]; content-length: [100647];
response: [200 OK]; x-smp-nsversion: [8.1.4528.0];
-----------------------------------------------------------------------------------------------------
Date: 5/6/2019 7:46:57 AM, Tick Count: 529289250 (6.03:01:29.2500000), Size: 2.32 KB
Process: w3wp (253088), Thread ID: 185, Module: w3wp.exe
Priority: 1, Source: WebApplication
ITMS 8.1 RU3
ITMS 8.1 RU7
ITMS 8.5 GA, RU1, RU2
Know issue. There is an optimization problem with "spGetPushAgentStatus" stored procedure.
Prior to ITMS 8.1 RU4:
The original issue with "spGetPushAgentStatus" stored procedure was addressed with fixes added to ITMS 8.1 RU4. See DOC10690 under "Fixed Issues for Notification Server" section.
With ITMS 8.1 RU7:
Even with the improved "spGetPushAgentStatus" stored procedure, there was an issue with how the Security Privileges and Rights are done when the user is part of a non-Symantec Administrator Security Role. This issue has been addressed with changes done under ITMS 8.5 with the introduction of a function called "fnAC_HasFullScopeAccess".
Please us the attached two files to add the proposed workaround:
The modified "spGetPushAgentStatus_Updated.sql" has the following section modified to utilize the new "fnAC_HasFullScopeAccess" from ITMS 8.5:
JOIN (
SELECT DISTINCT ResourceGuid
FROM ScopeMembership
WHERE
--Added this check to see if the users has rights to all computers before we check them one at a time
(select dbo.fnAC_HasFullScopeAccess ('493435F7-3B17-4C4C-B07F-C23E7AB7781F', @Trustees)) = 1
--End
OR ScopeCollectionGuid IN
(
SELECT ss.EntityGuid
FROM sec_EntitySource ss
JOIN sec_EntityTrustee st ON st.EntityGuid = ss.SourceGuid
JOIN @TrusteeGuids tt ON tt.Guid = st.TrusteeGuid
WHERE st.Permission >= 0x2000000000000000
)
Also run the attached "fnAC_HasFullScopeAccess.sql" to add the new function into your database.
With ITMS 8.5 GA, RU1 and RU2:
This issue has been addressed with ITMS 8.5 RU3 release.
In the meantime, here is a workaround that you can use. See attached "spGetPushAgentStatus_8_5_Updated.sql". Only suggested being used for 8.5 GA, RU1 and RU2 releases.