How can I create a Security Role in Notification Server 7 for users that need to run just reports?

Article ID: 178283

Products

Management Platform (Formerly known as Notification Server)

Resolution

Question
How can I create a Security Role in Notification Server 7 for users that need to run just reports?

Answer

  1. Create a new Security Role:
    1. In the Symantec Management Console,
    2. In the menu, go to the Settings > Security > Roles
    3. In the left-hand pane, right-click on Security Roles
    4. In the drop-down menu, select New > Security Role
    5. In the New Role dialog box:
      1. Enter the name of the new role
      2. Click OK
         
  2. Add members to the security role:
    1. In the Symantec Management Console,
    2. In the menu, go to the Settings > Security > Roles
    3. In the left-hand pane, click on the appropriate security role
    4. In the right-hand pane:
      1. Click on the Membership tab
      2. On the toolbar, click the Add button
    5. In the Select Users and Groups dialog:
      1. Find users or groups
      2. Click OK
    6. Save Changes
       
  3. Assign Privileges:

    Note: Since this Security Role will only be used to run reports, and most reports will run without any security privileges, we won't assign any privileges now. Some reports may fail if some privileges are not assigned.

  4. Assign permissions on the Console Items

    Note: If no console items are selected, the user will see an "Access Denied" message after entering their credentials. For additional possible log-on issues see: User Fails to log on to the Symantec Management Console (SMC) 7
     

    1. In the Symantec Management Console,
    2. In the menu, go to the Settings > Security > Permissions
       
    3. In the Security Role Manager screen:
    4. In the top section, click on the role drop-down field
    5. Select the appropriate Security Role
    6. In the left-hand pane,
      1. In the View drop-down field select: Console Menu
      2. In the toolbar, click the Edit pencil
    7. In the Item Selector dialog:
      1. Expand the Reports menu item
      2. Select: All Reports
      3. Click: Save Changes
         
  5. Assign permissions on report items

    Note: If no reports are selected, then the restricted user will see in the left-hand pane an "Access Denied" message, and they will not be able to select any reports.

    1. In the Symantec Management Console,
    2. In the menu, go to the Settings > Security > Permissions
       
    3. In the Security Role Manager screen:
    4. In the top section, click on the role drop-down field
    5. Select the appropriate Security Role
    6. In the left-hand pane,
      1. In the View drop-down field select: All Items
      2. In the toolbar click the Edit pencil
    7. In the Items Selector dialog:
      1. Expand the Reports sub-menu item
      2. Select a folder with the reports of interest
      3. Click: Save Changes
         
  6. Assign permissions on the resources:

    Note: If no resources are selected, then the user will be able to run reports but no information will be displayed in the report.

    1. In the Symantec Management Console,
    2. In the menu, go to the Settings > Security > Permissions
       
    3. In the Security Role Manager screen:
    4. In the top section, click on the role drop-down field
    5. Select the appropriate Security Role
    6. In the left-hand pane,
      1. In the View drop-down field select: Resources
      2. In the toolbar click the Edit pencil
    7. In the Items Selector dialog:
      1. Expand the Organizational Views sub-menu item
      2. Select the organizational views (and/or organizational groups) to which the user should have access
      3. Click: Save Changes

Note: Some reports might not run, or might not run correctly, if the user lacks some additional permissions or privileges.

 


Troubleshooting suggestions:

  • Try using the built-in report: "Computers with Agent installed"
  • Log on to the limited Security Role from a workstation, and not from the Notification Server itself
  • Log on to the limited Security Role from a workstation that you are NOT using to modify the Security Role
  • After you make a modification to the limited Security Role, then on the workstation that you are using to log on with the limited Security Role, close all Internet Explorer windows, and then log back in

If the user is able to run a report, but no results are returned, then you might modify the limited Security Role to also view individual Resources, along with Organizational Views and Groups.

  1. From the Console toolbar:

    1. Go to: Settings > Security > Permissions
  2. In the Security Role Manager:
    1. Set Role to the appropriate Security Role
    2. In the View drop-down field select: Item Menu
    3. In the toolbar at the top of the left-hand pane, click the Edit pencil
    4. In the Item Selector
      1. Check Organizational View
      2. Click Save Changes (in Item Selector)
    5. Give Read access only
  3. Log out and log back into the limited account
    1. The console menu should now contain "Manage" and "Reports"
    2. Click on Manage > All Resources
    3. View the Organizational Views, Organizational Groups, and resources

Confirm that:

  • you can see Organizational Views and Organizational Groups which the limited Security Role can access
  • the resources, which the limited Security Role can access, are in the correct Organizational Groups

If you are seeing permission errors in the Altiris logs, see: